
CN113407940B - Script detection method, script detection device, storage medium and computer equipment - Google Patents


Info

Publication number: CN113407940B
Authority: CN (China)
Prior art keywords: script, main body, current process, authority, body type
Legal status: Active
Application number: CN202110689583.3A
Other languages: Chinese (zh)
Other versions: CN113407940A (en)
Inventors: 李科, 卢先锋
Current assignee: Chengdu Oppo Communication Technology Co ltd
Original assignee: Chengdu Oppo Communication Technology Co ltd

Events
Application filed by Chengdu Oppo Communication Technology Co ltd
Priority to CN202110689583.3A
Publication of CN113407940A
Application granted
Publication of CN113407940B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication


Abstract

The application discloses a script detection method, a script detection device, a storage medium and computer equipment. The method comprises the following steps: acquiring a first subject type of the first subject that calls the current process, and acquiring a first permission of the parent process of the current process; determining, based on the first subject type and the first permission, whether the current process is in a legal state; and, if the current process is not in a legal state, determining, based on the second permission of the current process, whether the script corresponding to the current process is a malicious script. When a script is executed, the method and device decide whether it is malicious from the calling subject of the current process that executes it, the permission of that process's parent, and the permission of the current process itself, so that once a malicious script is identified its continued execution is prevented and the security of the terminal device is improved.

Description

Script detection method, script detection device, storage medium and computer equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a script detection method, a device, a storage medium, and a computer apparatus.
Background
A script is an executable file written in a certain format in a specific descriptive language; more precisely, a script is a program that is not compiled but interpreted at runtime. In the Linux system framework, as long as the file format of a script is not abnormal, the script can be executed directly. In the black and grey market an attacker can compromise the security of a terminal device by executing a malicious script, for example to download and install Trojan horses, monitor user data or occupy system resources, so the security of terminal devices whose operating system is built on the Linux framework (Linux, Android, HarmonyOS) is poor.
Disclosure of Invention
The application provides a script detection method, a terminal device, a storage medium and a computer device that address the technical problem of how to improve the security of the terminal device.
In a first aspect, an embodiment of the present application provides a script detection method, where the method includes:
acquiring a first subject type of the first subject calling the current process, and acquiring a first permission of the parent process of the current process;
determining whether the current process is in a legal state based on the first subject type and the first permission;
if the current process is not in a legal state, determining whether the script corresponding to the current process is a malicious script based on the second permission of the current process.
In a second aspect, an embodiment of the present application provides a script detection method, including:
acquiring a first subject type of the first subject calling the current process, and acquiring a second subject type of the second subject calling the parent process of the current process;
acquiring a first permission of the parent process;
determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first permission.
In a third aspect, an embodiment of the present application provides a script detecting apparatus, including:
a type acquisition module, used to acquire a first subject type of the first subject calling the current process and a first permission of the parent process of the current process;
a state acquisition module, used to determine whether the current process is in a legal state based on the first subject type and the first permission;
a determining module, used to determine, if the current process is not in a legal state, whether the script corresponding to the current process is a malicious script based on the second permission of the current process.
In a fourth aspect, an embodiment of the present application provides a script detecting apparatus, including:
a type acquisition module, used to acquire a first subject type of the first subject calling the current process and a second subject type of the second subject calling the parent process of the current process;
a permission acquisition module, used to acquire the first permission of the parent process;
a determining module, used to determine whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first permission.
In a fifth aspect, embodiments of the present application provide a storage medium storing a computer program adapted to be loaded by a processor and to perform the steps of the above method.
In a sixth aspect, an embodiment of the present application provides a computer device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method described above when the processor executes the program.
In the embodiments of the application, when a script is executed, the calling subjects of the current process corresponding to the executed script and of its parent process are obtained, and whether the script is malicious is determined from those calling subjects, so that once a malicious script is identified its continued execution is prevented and the security of the terminal device is improved.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application and that other drawings may be obtained from them without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a script detection method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a script detection method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart for identifying malicious scripts according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of a script detection method according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of a script detection method according to an embodiment of the present application;
FIG. 6 is a schematic flow chart for identifying malicious scripts according to an embodiment of the present application;
FIG. 7 is a schematic flow chart of a script detection method according to an embodiment of the present application;
FIG. 8 is a schematic flow chart of a script detection method according to an embodiment of the present application;
FIG. 9 is a schematic flow chart of a script detection method according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a script detecting device according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a script detecting device according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a script detecting device according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the features and advantages of the present application more comprehensible, embodiments accompanied with figures in the present application are described in detail below, wherein the embodiments are described only in some but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application as detailed in the accompanying claims. The flow diagrams depicted in the figures are exemplary only and are not necessarily to be taken in the order shown. For example, some steps are juxtaposed and there is no strict order of logic, so the actual order of execution is variable. In addition, the terms "first," "second," "third," "fourth," "fifth," "sixth," "seventh," "eighth" are used for distinguishing purposes only and should not be taken as a limitation of the present disclosure.
The script detection method and the terminal equipment disclosed by the embodiment of the application can be applied to the field of information security, such as a malicious script detection process of a smart phone, and the like, and can also be applied to a malicious script detection process of a Linux operating system. The terminal device may include, but is not limited to, an intelligent terminal using a Linux operating system, such as an intelligent interactive tablet, a mobile phone, a personal computer, a notebook computer, or an intelligent terminal using a Linux architecture as an operating system framework.
In the embodiments of the application, when a script is executed, the terminal device obtains the current process corresponding to the executed script and the calling subjects of that process and of its parent process, and determines from those calling subjects whether the script is malicious, so that once a malicious script is identified its continued execution is prevented and the security of the terminal device is improved.
The script detection method provided by the embodiment of the present application will be described in detail with reference to fig. 1 to 9.
Referring to fig. 1, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 1, the method may include the following steps S101 to S103.
S101, acquiring a first subject type of the first subject calling the current process, and acquiring a first permission of the parent process of the current process.
In particular, a script is a program that is interpreted for execution, and a process is the basic execution entity of a program, that is, an instance of a running program; an entire script is therefore executed by at least one process. The calling subject of a process can be an ordinary user or another subject. An ordinary user here means a shell user, that is, a user with shell permission, which is the permission acquired automatically when the user logs in. Other subjects can be applications and the like: an application on the terminal device can call a script directly, or, when an ordinary user calls a script, the parent process corresponding to the script can call an application program outside itself, that application can in turn call another process, and the calling subject of the process called by the application is then the other subject, namely the application program.
When the mobile terminal detects that a process has been created, the created process is taken as the current process, that is, the executing process, and its process structure is obtained. The process structure contains at least the process name, the PID and UID of the process, and the PID of the parent process. PID (Process Identification) is the unique process identifier; note that once the whole process terminates, the PID can be reclaimed by the operating system. UID (User Identification) is the user identifier; for example, a UID of 0 denotes the super administrator and a UID of 2000 denotes the shell user. If the UID is 0, the permission of the corresponding process is root permission; if the UID is 2000, the permission of the corresponding process is ordinary user permission, namely shell permission.
The subject type of the calling subject of the current process is determined from the process name of the current process; note that if the subject calling a process is an ordinary user, the process name carries corresponding annotation information, such as sh. In other words, to obtain the subject type of the subject calling the current process, the current process name is obtained first and then checked for the corresponding annotation: if the annotation corresponding to the ordinary user is present in the process name, the first subject type of the first subject calling the current process is the ordinary user, and if it is absent, the first subject type is another subject. The parent process of the current process is then located from the parent PID, its process structure is obtained, and the first permission of the parent process is derived from the parent's UID.
S102, determining whether the current process is in a legal state based on the first subject type and the first permission.
Specifically, if the current process is in a legal state it has no malicious behaviour; that is, if the current process is a legal process, the script corresponding to it is not a malicious script.
S103, if the current process is not in a legal state, determining whether the script corresponding to the current process is a malicious script based on the second permission of the current process.
Specifically, if the current process is not in a legal state, malicious behaviour may exist in it: whether it is a legal process, and whether the process that called it is legal, is unknown, so whether the corresponding script is malicious cannot be judged on that basis alone. The second permission of the current process is therefore acquired as a further criterion, and whether the current process is a legal process, and whether its script is malicious, is determined from that second permission.
In the embodiments of the application, when a script is executed, whether it is malicious is determined from the calling subject of the current process corresponding to the executed script, the permission of the parent of the current process and the permission of the current process itself, so that once a malicious script is identified its continued execution is prevented and the security of the terminal device is improved.
Referring to fig. 2, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 2, the method may include the following steps S201 to S211.
S201, if an execution instruction for the script is received, detecting the file format of the script.
Specifically, the mobile terminal receives an execution instruction, obtains the executed file corresponding to it, and checks the file header of the executed file through a preset function to determine whether the file meets a preset format; the same preset function can also determine the file type of the file. The preset function can be do_exec().
S202, if the file format meets the preset format, the script is interpreted and executed through a script interpreter.
Specifically, if the executed file meets the preset format and is determined to be a script file, it is interpreted and executed by a script interpreter. For example, when the executed file satisfies the preset format, the start of its header is read, and if the header begins with "#!", the executed file is a script file.
In the embodiments of the application, whether a file is a script is determined by detecting the file format of the file corresponding to the execution instruction, that is, whether that file needs to undergo security detection at all; this avoids the erroneous detection result that an unsuitable detection method would produce when applied to other, non-script files.
S203, acquiring the device state of the terminal device executing the script.
Specifically, the device state is either a locked state, which can be understood as the terminal device being in a secure state, or an unlocked state, in which the terminal device is not in a secure state. When the terminal device is locked, the script detection program is protected and its program code cannot be modified; when the terminal device is unlocked, the script detection program is not protected and its code can be modified at will, so the script detection program is not trustworthy at that point and whether a script is malicious cannot be judged on its basis.
S204, if the device state is the locked state, acquiring a first subject type of the first subject calling the current process, and acquiring a first permission of the parent process of the current process.
Specifically, if the device state of the terminal device is the locked state, the first subject type of the first subject calling the current process is obtained, together with the first permission of the parent process of the current process. See step S101, which is not repeated here.
In the embodiments of the application, whether to continue detecting the script is decided from the device state of the terminal device, so as to reduce useless detection work.
S205, if the first subject type is the ordinary user and the first permission is root permission, determining that the current process is in a legal state.
Specifically, if the first subject type is the ordinary user and the first permission of the parent process of the current process is root permission, the current process is judged to be in a legal state: it has no malicious behaviour, that is, it is a legal process, and the script corresponding to it is not a malicious script.
S206, if the first subject type is the ordinary user and the first permission is not root permission, determining that the current process is not in a legal state.
Specifically, if the first subject type is the ordinary user and the first permission of the parent process of the current process is not root permission, the current process is judged not to be in a legal state; that is, whether it has malicious behaviour, and whether the process that called it is legal, cannot be judged from the first permission alone, and further detection information needs to be acquired.
S207, if the first subject type is not the ordinary user, acquiring a second subject type of the second subject calling the parent process.
Specifically, if the first subject type is not the ordinary user, the parent process of the current process is located from the parent PID and its process structure is obtained; the process name of the parent is read from that structure and checked for the corresponding annotation. If the annotation corresponding to the ordinary user is present in the process name, the second subject type of the second subject calling the parent process is the ordinary user; if it is absent, the second subject type is another subject.
S208, if the second subject type is not the ordinary user, determining the group leader process of the process group to which the current process belongs, and acquiring a third subject type of the third subject calling the group leader process.
Specifically, the process structure contains at least the process name, the PID and UID of the process, the PID of the parent process and the TGID of the group leader process. The group leader process is the first process created when a script is executed; a process group is created at the same time, the first created process is added to it, and every process created from the group leader process belongs to the process group of that group leader. TGID (Thread Group Identification) is the process identifier of the group leader process.
If the second subject type is not the ordinary user, the group leader process of the current process is located from the TGID, its process structure is obtained and its process name read, and the name is checked for the corresponding annotation: if the annotation corresponding to the ordinary user is present, the third subject type of the third subject calling the group leader process is the ordinary user, and if it is absent, the third subject type is another subject.
S209, if the third subject type is the ordinary user, determining that the current process is not in a legal state.
Specifically, if the subject calling the group leader process is an ordinary user, the current process is determined not to be in a legal state; that is, whether it has malicious behaviour, and whether the process that called it is legal, cannot be determined from the current process alone, so further detection information needs to be acquired.
S210, if the current process is not in a legal state, acquiring a second permission of the current process.
Specifically, if the current process is not in a legal state, the UID in the process structure of the current process is read and the second permission of the current process is determined from that UID.
S211, if the second permission of the current process is ordinary user permission or root permission, determining that the script corresponding to the current process is a malicious script.
Specifically, if the second permission is any other permission, detection of the current process ends: the current process is judged to be a legal process and the script corresponding to it is a legal script.
In the embodiments of the application, when a script is executed, whether it is malicious is determined from the calling subject of the current process corresponding to the executed script, the permission of the parent of the current process and the permission of the current process itself, so that once a malicious script is identified its continued execution is prevented and the security of the terminal device is improved. At the same time, whether the current process is in a legal state is determined from the calling subjects of the current process, its parent process and the group leader process of the process group it belongs to, and this decides whether detection of the current process continues; other detection information is not acquired when the current process is legal, so the efficiency of detecting the current process is improved.
Referring to fig. 3, a flowchart of identifying a malicious script is provided in an embodiment of the present application. As shown in fig. 3, the method may include the following steps S301 to S302.
S301, if the second permission of the current process is ordinary user permission, marking the current process as a low-risk process, acquiring the process information of the current process, generating a first security event report from the process information, and outputting the first security event report.
Specifically, if the second permission is root permission, the script corresponding to the current process is determined to be a malicious script and its running is intercepted; for example, execution of the current process and of every process corresponding to the malicious script is ended and a running error is returned. At the same time, the current process is marked as a high-risk process, a first security event report is generated from the process information of the high-risk process and the running condition of the malicious script corresponding to it, and the first security event report is output.
S302, if the second permission of the current process is root permission, marking the current process as a high-risk process, acquiring the process information of the current process, generating a second security event report from the process information, and outputting the second security event report.
Specifically, if the second permission is ordinary user permission, the script corresponding to the current process is determined to possibly be a malicious script, that is, a certain security risk exists in the current process. Although the script is still determined to be a malicious script, its running is not intercepted directly and execution of the current process is not ended; the current process only needs to be marked as a low-risk process, a second security event report is then generated from the process information of the low-risk process and the running condition of the script corresponding to it, and the second security event report is output, so that the relevant detection personnel can further determine the risk level of the low-risk process from the security event report and decide whether the script corresponding to it is malicious.
In the embodiments of the application, whether the corresponding script is malicious is determined from the permission of the current process, so that once a malicious script is identified its continued execution is prevented, a security event report is output, and the security of the terminal device is improved.
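The decision flow of steps S204 to S211, with the subject-type and permission rules of S101 and the risk marking of S301/S302, as an added example implemented over constructed process records (not code from the patent); the record layout, the extra shell names in the annotation set, and the handling of branches the patent leaves unspecified are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# UID conventions as the page states them: UID 0 is root, UID 2000 is the
# shell (ordinary) user; any other UID is treated as "other" permission.
ROOT_UID = 0
SHELL_UID = 2000
# Process names carrying the ordinary-user annotation. The page gives "sh";
# "bash" and "dash" are added here as an assumption of this example.
ORDINARY_USER_MARKERS = {"sh", "bash", "dash"}


@dataclass
class Proc:
    """Stand-in for the process structure the page describes (assumed layout)."""
    pid: int
    name: str   # process name, e.g. "/system/bin/sh"
    uid: int
    ppid: int   # PID of the parent process
    tgid: int   # TGID: PID of the group leader process


ProcessTable = Dict[int, Proc]


def subject_type(proc: Proc) -> str:
    """S101: the caller is an 'ordinary_user' when the process name carries the
    shell annotation; any other caller (application, daemon) is 'other'."""
    basename = proc.name.rsplit("/", 1)[-1]
    return "ordinary_user" if basename in ORDINARY_USER_MARKERS else "other"


def permission(proc: Proc) -> str:
    """Permission derived from the UID (S101 for the parent, S210 for the current)."""
    if proc.uid == ROOT_UID:
        return "root"
    if proc.uid == SHELL_UID:
        return "ordinary"
    return "other"


def in_legal_state(table: ProcessTable, cur: Proc) -> bool:
    """S205-S209: decide the legal state from the callers of the current
    process, its parent and its group leader."""
    parent: Optional[Proc] = table.get(cur.ppid)
    if subject_type(cur) == "ordinary_user":
        # S205: shell caller under a root parent is legal; S206: otherwise not.
        return parent is not None and permission(parent) == "root"
    # S207: another subject called the current process; look at the parent's caller.
    if parent is None or subject_type(parent) == "ordinary_user":
        # The page gives no branch here; ending detection as legal is an
        # assumption of this example.
        return True
    # S208: the parent's caller is also another subject; check the group leader.
    leader = table.get(cur.tgid)
    if leader is not None and subject_type(leader) == "ordinary_user":
        return False  # S209: shell-started group leader, not legal
    return True       # not specified on the page; assumed legal


def detect(table: ProcessTable, cur: Proc, device_locked: bool = True) -> dict:
    """S203-S211 plus the risk marking of S301/S302 for one created process."""
    if not device_locked:
        # S203: an unlocked device cannot trust the detector itself; no verdict.
        return {"checked": False, "malicious": False, "risk": None, "intercept": False}
    if in_legal_state(table, cur):
        return {"checked": True, "malicious": False, "risk": None, "intercept": False}
    perm = permission(cur)  # S210: the second permission, from the current UID
    if perm == "root":
        # Root-permission script from an illegal chain: intercepted and reported.
        return {"checked": True, "malicious": True, "risk": "high", "intercept": True}
    if perm == "ordinary":
        # Ordinary-user permission: reported as malicious but left running.
        return {"checked": True, "malicious": True, "risk": "low", "intercept": False}
    # S211 else branch: any other permission ends detection as legal.
    return {"checked": True, "malicious": False, "risk": None, "intercept": False}


def security_event_report(cur: Proc, verdict: dict) -> dict:
    """Security event report carrying the process information (S301/S302)."""
    return {"pid": cur.pid, "name": cur.name, "uid": cur.uid,
            "ppid": cur.ppid, "tgid": cur.tgid, **verdict}


# Constructed process table (not captured from a device) covering each branch.
SAMPLE_TABLE: ProcessTable = {p.pid: p for p in [
    Proc(1,   "/init",                   0,     0,   1),
    Proc(100, "/system/bin/sh",          0,     1,   100),  # shell under root init
    Proc(150, "com.example.app",         10050, 1,   150),  # third-party app
    Proc(200, "/system/bin/sh",          2000,  150, 200),  # shell spawned by the app
    Proc(300, "/system/bin/sh",          0,     150, 300),  # root shell under the app
    Proc(250, "/system/bin/sh",          2000,  1,   250),  # group leader of 400/500
    Proc(400, "/data/local/tmp/payload", 0,     150, 250),  # other caller, root UID
    Proc(500, "/system/bin/helperd",     1000,  150, 250),  # other caller, system UID
]}


def run_sample() -> Dict[int, dict]:
    """Verdict for every process in the constructed table except init."""
    return {pid: detect(SAMPLE_TABLE, p) for pid, p in SAMPLE_TABLE.items() if pid != 1}
```

Only the two shells started under the application and the root-UID payload behind a shell-started group leader come out as malicious; the system-UID helper in the same chain ends detection as legal, as the S211 else branch prescribes.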
Referring to fig. 4, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 4, the method may include the following steps S401 to S403.
S401, acquiring a first subject type of the first subject calling the current process and a second subject type of the second subject calling the parent process of the current process.
Specifically, when the terminal device detects that a process has been created, the created process is taken as the current process, and whether its calling subject is an ordinary user is determined from the process name in its process structure. If the calling subject of the current process is an ordinary user, the parent process is located from the parent PID in the process structure of the current process, the process name in the parent's process structure is obtained, and whether the calling subject of the parent process is an ordinary user is determined from that name.
S402, acquiring a first permission of the parent process.
Specifically, if the calling subject of the parent process is an ordinary user, the process permission of the parent process is determined from the UID in the parent's process structure.
S403, determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first permission.
Specifically, whether the script corresponding to the current process is malicious is determined from the process permission of the parent process; at the same time, whether the parent process has malicious behaviour can also be determined, and hence whether the parent process is a malicious process.
In the embodiments of the application, when a script is executed, whether it is malicious is determined from the calling subject of the current process, the calling subject of the parent process and the permission of the parent process, so that once a malicious script is identified its continued execution is prevented and the security of the terminal device is improved.
Referring to fig. 5, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 5, the method may include the following steps S501 to S506.
S501, if an execution instruction of the script is received, the file format of the script is detected.
See step S201, and will not be described in detail herein.
S502, if the file format meets the preset format, the script is interpreted and executed through a script interpreter.
See step S202, which is not described herein.
S503, acquiring the device state of the terminal device executing the script.
See step S203, which is not described herein.
S504, if the device state is the locking state, acquiring a first body type of a first body calling the current process and acquiring a second body type of a second body calling the parent process of the current process.
Specifically, if the device state of the terminal device is a locked state, then a first body type of a first body calling the current process is obtained, and a second body type of a second body calling the parent process of the current process is obtained. See step S401, and will not be described in detail herein.
S505, obtaining the first authority of the parent process.
See step S402, which is not described herein.
S506, if the first main body type is not the normal user, the second main body type is the normal user, and the first authority is the normal user authority or the root authority, it is determined that the script corresponding to the current process is a malicious script.
If the first authority is another authority, the detection of the current process is finished, the parent process is judged to be a legal process, and the script corresponding to the current process is a legal script.
Referring to fig. 6, a flowchart of identifying a malicious script is provided in an embodiment of the present application. As shown in fig. 6, the method may include the following steps S601 to S602.
S601, if the first main body type is not the normal user, the second main body type is the normal user, and the first authority is the normal user authority, marking the father process as a low-risk process, acquiring the process information of the father process, generating a first security event report according to the process information, and outputting the first security event report.
Specifically, if the first authority is the root authority, determining that the script corresponding to the current process is a malicious script, intercepting the running of the malicious script, and ending executing each process corresponding to the current process, the parent process and the malicious script and returning a running error by way of example. Meanwhile, marking a father process as a high-risk process, generating a first security event report based on the process information of the high-risk process and the running condition of a malicious script corresponding to the high-risk process, and outputting the first security event report.
S602, if the first main body type is not the normal user, the second main body type is the normal user, and the first authority is the root authority, marking the father process as a high-risk process, acquiring the process information of the father process, generating a second security event report according to the process information, and outputting the second security event report.
Specifically, if the first authority is the normal user authority, it is determined that the script corresponding to the current process may be a malicious script, that is, a certain security risk exists in the current process. Therefore, although the script corresponding to the current process is still determined to be a malicious script, the running of the script is not directly intercepted and the execution of the current process is not ended; only the parent process is marked as a low-risk process, a second security event report is generated based on the process information of the low-risk process and the running condition of the script corresponding to the low-risk process, and the second security event report is output, so that relevant detection personnel can further determine the risk level of the low-risk process according to the security event report and determine whether the script corresponding to the low-risk process is a malicious script.
In the embodiment of the application, whether the corresponding script is a malicious script is determined through the process authority of the parent process, so that when the malicious script is identified, the continuous execution of the malicious script is avoided, a security event report is output, and the security of the terminal equipment is improved.
Referring to fig. 7, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 7, the method may include the following steps S701 to S702.
S701, a first body type of a first body calling a current process is obtained, and a second body type of a second body calling a parent process of the current process is obtained.
Specifically, a script is a program that can be interpreted for execution, and a process is the basic execution entity of a program, that is, a process is an instance of the running program; it will be appreciated that the entire script is executed by at least one process. The calling main body of a process can be a common user or another main body. It should be noted that the common user can be a shell user, namely a user with shell rights, where the shell rights are the rights automatically acquired when the user logs in; the other main bodies can be applications and the like. An application in the terminal equipment can directly call the script, or, when a common user calls the script, the parent process corresponding to the script calls an application program outside the parent process, that application program can call another process, and the calling main body of the process called by the application program is the other main body, namely the application program.
When the mobile terminal detects that a process is created, the created process is used as the current process, that is, the executing process, and then the process structure body of the current process is obtained. The process structure body at least comprises a process name, the PID of the process and the PID of the parent process, where PID (Process Identification) is a process identifier and is unique; it should be noted that when the whole process is terminated, the PID can be reclaimed by the operating system.
The main body type of the calling main body of the current process is determined according to the process name of the current process, and it is required to be noted that if the main body of the calling process is a common user, the process name of the process has corresponding labeling information, such as sh. It can be understood that when the main body type of the calling main body for calling the current process is obtained, the current process name is obtained first, then whether corresponding annotation information exists in the process name is determined, if the annotation information corresponding to the common user exists in the process name, the first main body type of the first main body for calling the current process is the common user, and if the annotation information corresponding to the common user does not exist in the process name, the first main body type of the first main body for calling the current process is other main bodies. And then determining the parent process of the current process according to the PID of the parent process, acquiring a process structure body of the parent process, and acquiring a second main body type of a second main body calling the parent process according to the same mode.
S702, determining whether the script corresponding to the current process is a malicious script or not based on the first main body type and the second main body type.
Specifically, if neither the first main body type calling the current process nor the second main body type calling the parent process is the common user, no malicious behavior is detected in the current process, that is, the calling process of the current process is legal, and the script corresponding to the current process is judged not to be a malicious script. Further, since the execution of the script corresponds to at least one process, if the first main body type of the current process and the second main body type of the parent process are not the common user, the current process is judged to be a legal process; when the execution of the whole script is finished, if no illegal process existed during the execution of the script, the script is not a malicious script, namely it is a legal script. It can be understood that if the current process is an illegal process, the script corresponding to the current process is a malicious script. When the script is determined to be a malicious script, execution of the malicious script is immediately stopped, so as to avoid further damage to the terminal device.
In the embodiment of the application, when the script is executed, the calling main bodies of the current process and the parent process of the current process corresponding to the executed script are obtained, and whether the corresponding script is a malicious script is determined according to the calling main bodies of the current process and the parent process, so that when the malicious script is identified, the continuous execution of the malicious script is avoided, and the safety of the terminal equipment is improved.
Referring to fig. 8, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 8, the method may include the following steps S801 to S808.
S801, if an execution instruction of the script is received, detecting a file format of the script.
Specifically, the mobile terminal receives an execution instruction, acquires an executed file corresponding to the execution instruction, and checks a file header of the executed file through a preset function to determine whether the file meets a preset format, and meanwhile, can determine a file type corresponding to the file through the preset function, wherein the preset function can be do_exec ().
S802, if the file format meets the preset format, the script is interpreted and executed through a script interpreter.
Specifically, if the executed file meets the preset format and is determined to be a script file, the script file is interpreted and executed by a script interpreter. For example, when the executed file satisfies the preset format, the head of the file header of the executed file is obtained, and if the file header begins with "#!", the executed file is a script file.
In the embodiment of the application, whether the file is a script or not is determined by detecting the file format of the file corresponding to the execution instruction, that is, whether the file corresponding to the execution instruction needs to be subjected to security detection or not is determined, so that an error detection result caused by an unsuitable detection method when other files, namely, non-script files, are detected is avoided.
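The header check of steps S801 and S802, written out as an added example; this is not the patent's own code and it assumes that a script is recognised by a leading "#!" marker and that native executables carry the ELF magic (the page only mentions a "preset format" and a file type):

```python
# Added example (not the patent's code): header check that decides whether an
# execution request refers to a script before handing it to an interpreter.
from typing import Optional, Tuple

ELF_MAGIC = b"\x7fELF"   # assumption: native binaries on the device are ELF
SHEBANG = b"#!"          # marker named on the page for script files


def classify_exec_file(header: bytes) -> Tuple[str, Optional[str]]:
    """Return (kind, interpreter).

    kind is 'script' (header starts with "#!"), 'binary' (ELF magic) or
    'unknown'; interpreter is the path named on the shebang line, if any.
    """
    if header.startswith(SHEBANG):
        # Take only the first line and drop CR/LF and surrounding blanks.
        first_line = header.split(b"\n", 1)[0][len(SHEBANG):].strip()
        # A bare "#!" has no interpreter; otherwise keep the path, not its arguments.
        interp = first_line.split()[0].decode("ascii", "replace") if first_line else None
        return "script", interp
    if header.startswith(ELF_MAGIC):
        return "binary", None
    return "unknown", None


def needs_script_detection(header: bytes) -> bool:
    """S801/S802: only files recognised as scripts enter the script detection path."""
    return classify_exec_file(header)[0] == "script"


# Constructed sample headers (not captured from a real device).
SAMPLES = {
    "shell script": b"#!/system/bin/sh\necho hi\n",
    "python with args": b"#!/usr/bin/env python3 -u\r\nprint(1)\n",
    "bare shebang": b"#!\n",
    "elf binary": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "plain text": b"hello world\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:18} -> {classify_exec_file(data)}")
```

Reading only the first few bytes is enough for this decision; the interpreter path extracted from the shebang is what a later step would compare against the process name of the interpreter that actually runs the file.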
S803, the device state of the terminal device executing the script is acquired.
Specifically, the device states are a locked state, which may be understood as the terminal device being in a secure state, and an unlocked state, which may be understood as the terminal device not being in a secure state. When the terminal equipment is in the locked state, the script detection program is in a protected state, and the program code of the script detection program cannot be modified; when the terminal equipment is in the unlocked state, the script detection program is not in a protected state, and the program code of the script detection program can be modified at will, so that the script detection program is unsafe at that moment, and whether the script is malicious cannot be judged based on the script detection program.
S804, if the device state is the locking state, acquiring a first body type of a first body calling the current process and acquiring a second body type of a second body calling the parent process of the current process.
Specifically, if the device state of the terminal device is the locked state, then the first body type of the first body calling the current process is obtained, and the second body type of the second body calling the parent process of the current process is obtained, which can be specifically referred to step S701, and will not be described herein.
In the embodiment of the application, whether to continue detecting the script is determined by acquiring the equipment state of the terminal equipment so as to reduce useless detection processes.
S805, obtaining the first authority of the parent process of the current process.
Specifically, the process structure body at least includes the process name, the PID and UID of the process, and the PID of the parent process, where UID (User Identification) is a user identifier: if the UID is 0, the user is the super administrator, and if the UID is 2000, the user is the shell user. If the UID is 0, the authority of the process corresponding to the UID is the root authority, that is, the super administrator authority; if the UID is 2000, the authority of the process corresponding to the UID is the ordinary user authority, namely the shell authority.
And determining the parent process of the current process according to the PID of the parent process, then acquiring a process structure body of the parent process, and acquiring the UID of the parent process so as to acquire the authority of the parent process according to the UID of the parent process.
S806, based on the first main body type, the second main body type and the first authority, determining whether the script corresponding to the current process is a malicious script.
Specifically, whether the authority of the user calling the script file corresponding to the process is higher than, or the same as, the authority actually used by the process is determined based on the first main body type calling the current process, the second main body type calling the parent process and the first authority of the parent process. It can be understood that when the user is a normal user, if the process uses the administrator authority, the script corresponding to the process is a malicious script, that is, the authority of the process was raised by illegal means while the process was executed. For instance, a section of privilege-raising code exists in the script and is executed by a process during the execution of the script, so that the authority of the process is raised through that code and malicious operations corresponding to the raised authority are executed, such as remotely downloading malicious files (for example Trojan horses and worm viruses), executing abnormal services to encroach on equipment resources, setting a backdoor in the terminal equipment, and the like. It should be noted that the right of the super administrator (i.e. the root right) is higher than the right of the normal user (i.e. the shell right), which in turn is higher than the other rights.
S807, determining a group leader process of a process group to which the current process belongs, and acquiring a third main body type of a third main body calling the group leader process.
Specifically, the process structure body at least comprises a process name, PID, UID of the process, PID of a parent process and TGID of a group leader process, wherein the group leader process is a first created process when executing a script, meanwhile, a process group is created, then the first created process is added into the process group, and each process created based on the group leader process belongs to the process group corresponding to the group leader process. TGID (Thread Group Identification) is the process identifier of the group leader process.
If the first main body type calling the current process is not the common user and the second main body type calling the parent process is not the common user, the group leader process of the current process is determined according to the TGID of the group leader process, then the process structure body of the group leader process is obtained and the process name of the group leader process is read, and then whether corresponding labeling information exists in the process name is determined: if the labeling information corresponding to the common user exists in the process name, the third main body type of the third main body calling the group leader process is the common user; if the labeling information corresponding to the common user does not exist in the process name, the third main body type of the third main body calling the group leader process is another main body.
S808, determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the third subject type.
Specifically, if the third main body type of the main body calling the group leader process is not the common user, no malicious behavior is detected in the current process, that is, the calling process of the current process is legal, and the script corresponding to the current process is judged not to be a malicious script. Further, since the execution of the script corresponds to at least one process, if the first main body type of the current process and the second main body type of the parent process are not the common user, the current process is judged to be a legal process; when the execution of the whole script is finished, if no illegal process existed during the execution of the script, the script is not a malicious script, namely it is a legal script. It can be understood that if the current process is an illegal process, the script corresponding to the current process is a malicious script. When the script is judged to be a malicious script, the execution of the malicious script is immediately stopped so as to avoid further damage to the terminal equipment; meanwhile, the malicious script can be marked so that it is identified and its execution directly intercepted when it is executed again.
In the embodiment of the application, when the script is executed, whether the corresponding script is a malicious script is determined according to the current process corresponding to the executed script, the calling main body of the parent process of the current process, the calling main body of the group leader process of the current process and the process authority of the parent process, so that when the malicious script is identified, the continued execution of the malicious script is avoided, and the safety of the terminal equipment is improved.
Referring to fig. 9, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 9, the method may include the following steps S901 to S908.
S901, acquiring a first body type of a first body calling the current process and acquiring a second body type of a second body calling the parent process of the current process.
See step S701, which is not described herein.
S902, acquiring the first authority of the parent process of the current process.
See step S805, which is not described herein.
It should be noted that, if the first main body type is a common user, a first authority of a parent process of the current process is obtained; if the first main body type is not the common user, the second main body type is the common user, and the first authority of the parent process of the current process is obtained.
S903, if the first main body type is the common user and the first authority is not the root authority, acquiring a second authority of the current process.
Specifically, if the first authority of the parent process of the current process is the root authority, the detection of the current process is ended: since the authority of the parent process is already the highest-level authority, the current process is legal no matter what authority it has, and even if the authority of the current process is higher than the authority owned by the user calling the process, the process is legal.
And if the first authority of the parent process of the current process is not the root authority, acquiring the second authority of the current process.
S904, if the second authority is the normal user authority or the root authority, determining that the script corresponding to the current process is a malicious script.
Specifically, if the second authority is the root authority, it is determined that the script corresponding to the current process is a malicious script, the running of the malicious script is intercepted, and, by way of example, the execution of the current process and of each process corresponding to the malicious script is ended and a running error is returned. Meanwhile, the current process is marked as a high-risk process, a security event report is generated based on the high-risk process and the running condition of the malicious script corresponding to the high-risk process, and the security event report is output.
If the second authority is the ordinary user authority, it is determined that the script corresponding to the current process may be a malicious script, that is, a certain security risk exists in the current process. Therefore, although the script corresponding to the current process is still determined to be a malicious script, the running of the script is not directly intercepted and the execution of the current process is not ended; the current process is only marked as a low-risk process, a security event report is generated based on the low-risk process and the running condition of the script corresponding to the low-risk process, and the security event report is output, so that relevant detection personnel can further determine the risk level of the low-risk process according to the security event report and determine whether the script corresponding to the low-risk process is a malicious script.
If the second authority is another authority, the detection of the current process is finished, and the current process is judged to be a legal process.
S905, if the first main body type is not the normal user, the second main body type is the normal user, and the first authority is the root authority or the normal user authority, it is determined that the script corresponding to the current process is a malicious script.
Specifically, if the first main body type is not the normal user, the second main body type is the normal user, and whether the current process and the script corresponding to the current process are legal or not is determined according to the first authority.
If the first authority of the parent process is the root authority, it is judged that the script corresponding to the current process is a malicious script, the running of the malicious script is intercepted, and, by way of example, the execution of the current process and of each process corresponding to the malicious script is ended and a running error is returned. Meanwhile, the parent process of the current process is marked as a high-risk process, a security event report is generated based on the high-risk process and the running condition of the malicious script corresponding to the high-risk process, and the security event report is output.
If the first authority of the parent process is the normal user authority, it is judged that the script corresponding to the current process may be a malicious script, that is, the current process has a certain security risk. Therefore, although the script corresponding to the current process is judged to be a malicious script, the running of the script is not directly intercepted and the current process is not ended; the parent process of the current process is only marked as a low-risk process, a security event report is generated based on the low-risk process and the running condition of the script corresponding to the low-risk process, and the security event report is output, so that relevant detection personnel can further determine the risk level of the low-risk process according to the security event report and determine whether the script corresponding to the low-risk process is a malicious script.
If the first authority is another authority, the detection of the current process is finished, the current process is judged to be a legal process, and the script corresponding to the current process is a legal script.
S906, determining a group leader process of a process group to which the current process belongs, and acquiring a third body type of a third body of the calling group leader process.
See step S807 for details, which are not described here.
It should be noted that, if the first body type is not the normal user and the second body type is not the normal user, the third body type of the third body calling the group leader process is obtained.
S907, if the first main body type is not the normal user, the second main body type is not the normal user, and the third main body type is the normal user, the third authority of the current process is obtained.
Specifically, if the third main body type is not the normal user, the detection of the current process is ended, and the current process is judged to be a legal process.
And if the third main body type is the common user, acquiring a third authority of the current process.
S908, if the third authority is the root authority or the normal user authority, determining that the script corresponding to the current process is a malicious script.
Specifically, if the third authority is the root authority, it is determined that the script corresponding to the current process is a malicious script, the running of the malicious script is intercepted, and, by way of example, the execution of the current process and of each process corresponding to the malicious script is ended and a running error is returned. Meanwhile, the current process is marked as a high-risk process, a security event report is generated based on the high-risk process and the running condition of the malicious script corresponding to the high-risk process, and the security event report is output.
If the third authority is the normal user authority, it is judged that the script corresponding to the current process may be a malicious script, that is, the current process has a certain security risk. Therefore, although the script corresponding to the current process is judged to be a malicious script, the running of the script is not directly intercepted at this moment and the execution of the current process is not ended; the current process is only marked as a low-risk process, a security event report is generated based on the low-risk process and the running condition of the script corresponding to the low-risk process, and the security event report is output, so that relevant detection personnel can further determine the risk level of the low-risk process according to the security event report and determine whether the script corresponding to the low-risk process is a malicious script.
If the third authority is another authority, the detection of the current process is finished, and the current process is judged to be a legal process.
In the embodiment of the application, when the script is executed, whether the corresponding script is a malicious script is further determined according to the current process corresponding to the executed script, the calling main body of the parent process of the current process, the calling main body of the group leader process of the current process, the process authority of the parent process and the process authority of the current process, so that when the malicious script is identified, the continued execution of the malicious script is avoided, and the safety of the terminal equipment is improved.
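The decision rules of steps S901 to S908 (and the shared steps S805 to S808 of fig. 8), worked through as an added example over a constructed process table; this is not the patent's or the applicant's code. It assumes that a process called by a normal user is recognised by the name "sh" (the page only says the name carries annotation "such as sh"), that the TGID field holds the PID of the group leader, and it takes UID 0 and UID 2000 as the root and shell authorities exactly as the description states; every other UID is treated as "other" authority.

```python
# Added example, not the patent's own code: models the decision rules of
# figs. 8 and 9 over a constructed in-memory process table.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Values taken from the description: UID 0 is the super administrator
# (root authority) and UID 2000 is the shell user (normal user authority).
ROOT_UID = 0
SHELL_UID = 2000
# Assumption: a process called by a normal user is named "sh" (possibly with a path).
NORMAL_USER_MARKER = "sh"


@dataclass(frozen=True)
class ProcessInfo:
    """Constructed stand-in for the process structure body the page describes."""
    pid: int
    ppid: int   # PID of the parent process
    uid: int    # UID the process actually runs with
    tgid: int   # PID of the group leader process (assumed meaning of TGID here)
    name: str


def subject_type(p: Optional[ProcessInfo]) -> str:
    """Main body type of the caller: 'normal_user' if the name carries the marker, else 'other'."""
    if p is None:
        return "other"
    return "normal_user" if p.name.rsplit("/", 1)[-1] == NORMAL_USER_MARKER else "other"


def authority(p: Optional[ProcessInfo]) -> str:
    """Map the UID in the process structure body to root / normal_user / other authority."""
    if p is None:
        return "other"
    if p.uid == ROOT_UID:
        return "root"
    if p.uid == SHELL_UID:
        return "normal_user"
    return "other"


def _grade(auth: str, flagged: int) -> Tuple[str, Optional[int]]:
    """Shared tail of S904/S905/S908: root -> high risk, normal user -> low risk, other -> legal."""
    if auth == "root":
        return "high_risk", flagged
    if auth == "normal_user":
        return "low_risk", flagged
    return "legal", None


def classify(table: Dict[int, ProcessInfo], pid: int) -> Tuple[str, Optional[int]]:
    """Apply the rules of fig. 9 to the current process `pid`.

    Returns (verdict, pid of the process to mark); verdict is one of
    'legal', 'low_risk' and 'high_risk'.
    """
    cur = table[pid]
    parent = table.get(cur.ppid)
    first_type = subject_type(cur)       # S901: who called the current process
    second_type = subject_type(parent)   # S901: who called the parent process

    if first_type == "normal_user":
        # S903: a root parent is already the highest authority, detection ends.
        if authority(parent) == "root":
            return "legal", None
        # S904: grade the current process by its own (second) authority.
        return _grade(authority(cur), cur.pid)

    if second_type == "normal_user":
        # S905: grade by the parent's (first) authority and mark the parent.
        return _grade(authority(parent), parent.pid)

    # S906/S907: neither caller is a normal user, so consult the group leader.
    leader = table.get(cur.tgid)
    if subject_type(leader) != "normal_user":
        return "legal", None
    # S908: grade the current process by its (third) authority.
    return _grade(authority(cur), cur.pid)


def event_report(table: Dict[int, ProcessInfo], pid: int) -> Optional[dict]:
    """Security event report (as a dict) for a flagged process, or None when legal."""
    verdict, flagged = classify(table, pid)
    if flagged is None:
        return None
    p = table[flagged]
    # Only a high-risk verdict intercepts the script; low risk is reported for review.
    return {"risk": verdict, "pid": p.pid, "name": p.name, "uid": p.uid,
            "intercept": verdict == "high_risk"}


# Constructed sample process table (not captured from a real device).
SAMPLE = {p.pid: p for p in [
    ProcessInfo(1, 0, 0, 1, "init"),
    ProcessInfo(100, 1, 2000, 100, "/system/bin/sh"),  # shell started by a normal user
    ProcessInfo(101, 1, 10050, 101, "app_process"),    # an application, "other" subject
    ProcessInfo(200, 100, 0, 100, "sh"),               # shell child now running as root
    ProcessInfo(201, 100, 2000, 100, "helper"),        # app called from the normal-user shell
    ProcessInfo(202, 101, 10050, 100, "helper"),       # app-called, leader is the shell, other uid
    ProcessInfo(203, 101, 0, 100, "helper"),           # app-called, leader is the shell, root uid
    ProcessInfo(204, 1, 2000, 204, "sh"),              # shell whose parent is already root
    ProcessInfo(205, 101, 2000, 205, "sh"),            # shell started by an app, shell uid
]}

if __name__ == "__main__":
    for pid in sorted(SAMPLE):
        print(pid, classify(SAMPLE, pid), event_report(SAMPLE, pid))
```

Process 200 illustrates the case the description calls out in S806: a shell started by the normal user whose child runs with UID 0 although its parent only had the shell authority, so it is graded high risk and intercepted. Process 201 shows the S905 branch, where the parent (PID 100) rather than the current process is the one marked, and process 204 shows the S903 early exit for a parent that is already root.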
Optionally, when detecting the executed script, the terminal device may further obtain script operation data stored in a preset folder. It should be noted that, when a third-party application invokes the script, the script operation data is stored in the preset folder, and the operation data may include process information, such as process authority, of each process corresponding to the executed script; when the current process corresponding to the executed script is created, the process information of the current process is stored in the preset folder. When the terminal equipment detects that newly added process information exists in the preset folder, it acquires the process authority in the process information; if the process authority is the root authority, it judges that malicious behavior exists in the process corresponding to the root authority and that the script corresponding to the process is a malicious script, intercepts the running of the malicious script and, by way of example, ends the execution of the process and of each process corresponding to the malicious script and returns a running error. Meanwhile, the process is marked as a high-risk process, a security event report is generated based on the process information of the high-risk process and the running condition of the malicious script corresponding to the high-risk process, and the security event report is output.
The terminal device provided in the embodiment of the present application will be described in detail with reference to fig. 10 to 12. It should be noted that, the terminal devices of fig. 10 to fig. 12 are used to execute the method of the embodiment of fig. 1 to fig. 9, and for convenience of explanation, only the portions relevant to the embodiment of the present application are shown, and specific technical details are not disclosed, please refer to the embodiment of fig. 1 to fig. 9 of the present application.
Referring to fig. 10, a schematic structural diagram of a terminal device is provided in an embodiment of the present application. As shown in fig. 10, the terminal device 1 of the embodiment of the present application may include: an acquisition module 110 and a determination module 120.
The acquisition module 110 is configured to acquire a first subject type of a first subject that invokes the current process, and to acquire a second subject type of a second subject that invokes the parent process of the current process;
the determination module 120 is configured to determine, based on the first subject type and the second subject type, whether the script corresponding to the current process is a malicious script.
In the embodiment of the application, when a script is executed, the calling subjects of the current process corresponding to the executed script and of its parent process are obtained, and whether the corresponding script is a malicious script is determined from those two calling subjects; when a malicious script is identified, its continued execution is prevented, which improves the security of the terminal device.
Optionally, the determination module 120 is specifically configured to:
acquire a first permission of the parent process of the current process;
and determine, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
Optionally, the determination module 120 is specifically configured to:
if the first subject type is an ordinary user and the first permission is not the root permission, acquire a second permission of the current process;
if the second permission is the ordinary-user permission or the root permission, determine that the script corresponding to the current process is a malicious script;
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission or the ordinary-user permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the determination module 120 is specifically configured to:
determine the group leader of the process group to which the current process belongs, and acquire a third subject type of a third subject that invokes the group leader;
and determine, based on the first subject type, the second subject type and the third subject type, whether the script corresponding to the current process is a malicious script.
Optionally, the determination module 120 is specifically configured to:
if the first subject type is not an ordinary user, the second subject type is not an ordinary user, and the third subject type is an ordinary user, acquire a third permission of the current process;
if the third permission is the root permission or the ordinary-user permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the terminal device 1 may further include a detection module 130, an interpretation module 140 and a state determination module 150.
The detection module 130 is configured to detect the file format of the script when an execution instruction for the script is received;
the interpretation module 140 is configured to interpret and execute the script through a script interpreter if the file format meets the preset format;
the state determination module 150 is configured to acquire the device state of the terminal device executing the script;
and the acquisition module 110 is further configured to perform the step of acquiring the first subject type of the first subject that invokes the current process if the device state is the locked state.
Referring to fig. 11, a schematic structural diagram of a terminal device is provided in an embodiment of the present application. As shown in fig. 11, the terminal device 2 of the embodiment of the present application may include: a type acquisition module 210, a state acquisition module 220 and a determination module 230.
The type acquisition module 210 is configured to acquire a first subject type of a first subject that invokes the current process, and to acquire a first permission of the parent process of the current process;
the state acquisition module 220 is configured to determine, based on the first subject type and the first permission, whether the current process is in a legitimate state;
the determination module 230 is configured to determine, based on a second permission of the current process, whether the script corresponding to the current process is a malicious script if the current process is not in a legitimate state.
In the embodiment of the application, when a script is executed, whether the corresponding script is a malicious script is determined from the calling subject of the current process corresponding to the executed script, the permission of the parent process of the current process and the permission of the current process itself; when a malicious script is identified, its continued execution is prevented, which improves the security of the terminal device.
Optionally, the determination module 230 is specifically configured to:
if the second permission of the current process is the ordinary-user permission or the root permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the terminal device 2 may further include a first processing module 240 and a second processing module 250.
The first processing module 240 is configured to, if the second permission of the current process is the ordinary-user permission, mark the current process as a low-risk process, acquire the process information of the current process, generate a first security event report from that process information and output the first security event report;
the second processing module 250 is configured to, if the second permission of the current process is the root permission, mark the current process as a high-risk process, acquire the process information of the current process, generate a second security event report from that process information and output the second security event report.
Optionally, the state acquisition module 220 is specifically configured to:
if the first subject type is an ordinary user and the first permission is the root permission, determine that the current process is in a legitimate state;
if the first subject type is an ordinary user and the first permission is not the root permission, determine that the current process is not in a legitimate state.
Optionally, the state acquisition module 220 is specifically configured to:
if the first subject type is not an ordinary user, acquire a second subject type of a second subject that invokes the parent process;
if the second subject type is not an ordinary user, determine the group leader of the process group to which the current process belongs, and acquire a third subject type of a third subject that invokes the group leader;
and if the third subject type is an ordinary user, determine that the current process is not in a legitimate state.
Optionally, the terminal device 2 may further include a detection module 260, an interpretation module 270 and a state determination module 280.
The detection module 260 is configured to detect the file format of the script when an execution instruction for the script is received;
the interpretation module 270 is configured to interpret and execute the script through a script interpreter if the file format meets the preset format;
the state determination module 280 is configured to acquire the device state of the terminal device executing the script;
and the type acquisition module 210 is further configured to perform the step of acquiring the first subject type of the first subject that invokes the current process if the device state is the locked state.
Referring to fig. 12, a schematic structural diagram of a terminal device is provided in an embodiment of the present application. As shown in fig. 12, the terminal device 3 of the embodiment of the present application may include: a type acquisition module 310, a permission acquisition module 320 and a determination module 330.
The type acquisition module 310 is configured to acquire a first subject type of a first subject that invokes the current process, and to acquire a second subject type of a second subject that invokes the parent process of the current process;
the permission acquisition module 320 is configured to acquire a first permission of the parent process;
the determination module 330 is configured to determine, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
In the embodiment of the application, when a script is executed, whether the corresponding script is a malicious script is determined from the calling subject of the current process, the calling subject of its parent process and the permission of the parent process; when a malicious script is identified, its continued execution is prevented, which improves the security of the terminal device.
Optionally, the determination module 330 is specifically configured to:
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary-user permission or the root permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the terminal device 3 may further include a first processing module 340 and a second processing module 350.
The first processing module 340 is configured to, if the first subject type is not an ordinary user, the second subject type is an ordinary user and the first permission is the ordinary-user permission, mark the parent process as a low-risk process, acquire the process information of the parent process, generate a first security event report from that process information and output the first security event report;
the second processing module 350 is configured to, if the first subject type is not an ordinary user, the second subject type is an ordinary user and the first permission is the root permission, mark the parent process as a high-risk process, acquire the process information of the parent process, generate a second security event report from that process information and output the second security event report.
Optionally, the terminal device 3 may further include a detection module 360, an interpretation module 370 and a state determination module 380.
The detection module 360 is configured to detect the file format of the script when an execution instruction for the script is received;
the interpretation module 370 is configured to interpret and execute the script through a script interpreter if the file format meets the preset format;
the state determination module 380 is configured to acquire the device state of the terminal device executing the script;
and the type acquisition module 310 is further configured to perform the step of acquiring the first subject type of the first subject that invokes the current process if the device state is the locked state.
An embodiment of the present application further provides a storage medium. The storage medium may store a plurality of program instructions adapted to be loaded by a processor to execute the steps of the methods of the embodiments shown in fig. 1 to fig. 9; for the specific execution process, refer to the description of the embodiments shown in fig. 1 to fig. 9, which is not repeated here.
Referring to fig. 13, a schematic structural diagram of a computer device is provided in an embodiment of the present application. As shown in fig. 13, the computer device 1000 may include: at least one processor 1001, at least one memory 1002, at least one network interface 1003, at least one input/output interface 1004, at least one communication bus 1005 and at least one display unit 1006. The processor 1001 may include one or more processing cores. The processor 1001 connects the various parts of the computer device 1000 through various interfaces and lines, and performs the functions of the computer device 1000 and processes data by running the instructions, programs, code sets or instruction sets stored in the memory 1002 and by calling the data stored in the memory 1002. The memory 1002 may be a high-speed RAM or a non-volatile memory, such as at least one disk memory; optionally, the memory 1002 may also be at least one storage device located remotely from the processor 1001. The network interface 1003 may optionally include a standard wired interface or a wireless interface (for example, a Wi-Fi interface). The communication bus 1005 is used to enable communication between these components. As shown in fig. 13, the memory 1002, as a kind of storage medium of the terminal device, may contain an operating system, a network communication module, an input/output interface module and a script detection program.
In the computer device 1000 shown in fig. 13, the input/output interface 1004 is mainly used to provide an input interface for the user and for access devices, and to acquire the data that the user and the access devices input.
In one embodiment.
The processor 1001 may be configured to call the script detection program stored in the memory 1002 and specifically perform the following operations:
acquiring a first subject type of a first subject that invokes the current process, and acquiring a second subject type of a second subject that invokes the parent process of the current process;
and determining, based on the first subject type and the second subject type, whether the script corresponding to the current process is a malicious script.
Optionally, when determining, based on the first subject type and the second subject type, whether the script corresponding to the current process is a malicious script, the processor 1001 specifically performs the following operations:
acquiring a first permission of the parent process of the current process;
and determining, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
Optionally, when determining, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script, the processor 1001 specifically performs the following operations:
if the first subject type is an ordinary user and the first permission is not the root permission, acquiring a second permission of the current process;
if the second permission is the ordinary-user permission or the root permission, determining that the script corresponding to the current process is a malicious script;
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission or the ordinary-user permission, determining that the script corresponding to the current process is a malicious script.
Optionally, when determining, based on the first subject type and the second subject type, whether the script corresponding to the current process is a malicious script, the processor 1001 specifically performs the following operations:
determining the group leader of the process group to which the current process belongs, and acquiring a third subject type of a third subject that invokes the group leader;
and determining, based on the first subject type, the second subject type and the third subject type, whether the script corresponding to the current process is a malicious script.
Optionally, when determining, based on the first subject type, the second subject type and the third subject type, whether the script corresponding to the current process is a malicious script, the processor 1001 specifically performs the following operations:
if the first subject type is not an ordinary user, the second subject type is not an ordinary user, and the third subject type is an ordinary user, acquiring a third permission of the current process;
if the third permission is the root permission or the ordinary-user permission, determining that the script corresponding to the current process is a malicious script.
Optionally, before acquiring the first subject type of the first subject that invokes the current process, the processor 1001 further performs the following operations:
if an execution instruction for the script is received, detecting the file format of the script;
if the file format meets the preset format, interpreting and executing the script through a script interpreter.
Optionally, before acquiring the first subject type of the first subject that invokes the current process, the processor 1001 further performs the following operations:
acquiring the device state of the terminal device executing the script;
and if the device state is the locked state, performing the step of acquiring the first subject type of the first subject that invokes the current process.
In the embodiment of the application, when a script is executed, the calling subjects of the current process corresponding to the executed script and of its parent process are obtained, and whether the corresponding script is a malicious script is determined from those two calling subjects; when a malicious script is identified, its continued execution is prevented, which improves the security of the terminal device.
In one embodiment.
The processor 1001 may be configured to call the script detection program stored in the memory 1002 and specifically perform the following operations:
acquiring a first subject type of a first subject that invokes the current process, and acquiring a first permission of the parent process of the current process;
determining, based on the first subject type and the first permission, whether the current process is in a legitimate state;
and if the current process is not in a legitimate state, determining, based on a second permission of the current process, whether the script corresponding to the current process is a malicious script.
Optionally, when determining, based on the second permission of the current process, whether the script corresponding to the current process is a malicious script, the processor 1001 specifically performs the following operation:
if the second permission of the current process is the ordinary-user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
Optionally, the processor 1001 may further be configured to call the script detection program stored in the memory 1002 and specifically perform the following operations:
if the second permission of the current process is the ordinary-user permission, marking the current process as a low-risk process, acquiring the process information of the current process, generating a first security event report from that process information, and outputting the first security event report;
if the second permission of the current process is the root permission, marking the current process as a high-risk process, acquiring the process information of the current process, generating a second security event report from that process information, and outputting the second security event report.
Optionally, when determining, based on the first subject type and the first permission, whether the current process is in a legitimate state, the processor 1001 specifically performs the following operations:
if the first subject type is an ordinary user and the first permission is the root permission, determining that the current process is in a legitimate state;
if the first subject type is an ordinary user and the first permission is not the root permission, determining that the current process is not in a legitimate state.
Optionally, when determining, based on the first subject type and the first permission, whether the current process is in a legitimate state, the processor 1001 specifically performs the following operations:
if the first subject type is not an ordinary user, acquiring a second subject type of a second subject that invokes the parent process;
if the second subject type is not an ordinary user, determining the group leader of the process group to which the current process belongs, and acquiring a third subject type of a third subject that invokes the group leader;
and if the third subject type is an ordinary user, determining that the current process is not in a legitimate state.
Optionally, before acquiring the first subject type of the first subject that invokes the current process, the processor 1001 further performs the following operations:
if an execution instruction for the script is received, detecting the file format of the script;
if the file format meets the preset format, interpreting and executing the script through a script interpreter.
Optionally, before acquiring the first subject type of the first subject that invokes the current process, the processor 1001 further performs the following operations:
acquiring the device state of the terminal device executing the script;
and if the device state is the locked state, performing the step of acquiring the first subject type of the first subject that invokes the current process.
In the embodiment of the application, when a script is executed, whether the corresponding script is a malicious script is determined from the calling subject of the current process corresponding to the executed script, the permission of the parent process of the current process and the permission of the current process itself; when a malicious script is identified, its continued execution is prevented, which improves the security of the terminal device.
In one embodiment.
The processor 1001 may be configured to call the script detection program stored in the memory 1002 and specifically perform the following operations:
acquiring a first subject type of a first subject that invokes the current process, and acquiring a second subject type of a second subject that invokes the parent process of the current process;
acquiring a first permission of the parent process;
and determining, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
Optionally, when determining, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script, the processor 1001 specifically performs the following operation:
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary-user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
Optionally, the processor 1001 may further be configured to call the script detection program stored in the memory 1002 and specifically perform the following operations:
if the first subject type is not an ordinary user, the second subject type is an ordinary user and the first permission is the ordinary-user permission, marking the parent process as a low-risk process, acquiring the process information of the parent process, generating a first security event report from that process information, and outputting the first security event report;
if the first subject type is not an ordinary user, the second subject type is an ordinary user and the first permission is the root permission, marking the parent process as a high-risk process, acquiring the process information of the parent process, generating a second security event report from that process information, and outputting the second security event report.
Optionally, before acquiring the first subject type of the first subject that invokes the current process, the processor 1001 further performs the following operations:
if an execution instruction for the script is received, detecting the file format of the script;
if the file format meets the preset format, interpreting and executing the script through a script interpreter.
Optionally, before acquiring the first subject type of the first subject that invokes the current process, the processor 1001 further performs the following operations:
acquiring the device state of the terminal device executing the script;
and if the device state is the locked state, performing the step of acquiring the first subject type of the first subject that invokes the current process.
In the embodiment of the application, when a script is executed, whether the corresponding script is a malicious script is determined from the calling subject of the current process, the calling subject of its parent process and the permission of the parent process; when a malicious script is identified, its continued execution is prevented, which improves the security of the terminal device.
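The decision rules of the module embodiments of fig. 10 to fig. 12 and of the three processor embodiments above are spread over many optional clauses. The following Python program is an added example, not code from the patent, that collects them into one function over a constructed process table and exercises each branch: an ordinary-user caller under a root parent (legitimate), an ordinary-user caller under a non-root parent (the current process is marked and its own permission sets the risk level), a caller that is not an ordinary user whose parent was invoked by an ordinary user (the parent is marked), and a chain in which only the process-group leader was invoked by an ordinary user (the current process is marked). The `Proc` and `ProcessTable` types, the `SYSTEM` label for any caller that is not an ordinary user, the shebang check standing in for the unnamed preset format, the locked-device gate as a function argument, the sample process table, and the decision that a chain with no ordinary-user subject yields no finding are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subject types of the calling principal (the first, second and third subject of the text).
ORDINARY_USER = "ordinary_user"
SYSTEM = "system"   # assumed label for any caller that is not an ordinary user
# Process permissions (the first, second and third permission of the text).
ROOT = "root"
USER = "user"


@dataclass
class Proc:
    pid: int
    ppid: int
    pgid: int     # process-group id; the group leader has pid == pgid
    caller: str   # subject type of the principal that invoked the process
    perm: str     # permission the process runs with


class ProcessTable:
    """Constructed stand-in for the kernel's process table."""

    def __init__(self, procs: List[Proc]) -> None:
        self.by_pid: Dict[int, Proc] = {p.pid: p for p in procs}

    def parent(self, p: Proc) -> Optional[Proc]:
        return self.by_pid.get(p.ppid)

    def group_leader(self, p: Proc) -> Optional[Proc]:
        return self.by_pid.get(p.pgid)


def is_preset_format(head: bytes) -> bool:
    """Format gate before the script reaches the interpreter; a shebang is assumed here."""
    return head.startswith(b"#!")


def risk_level(perm: str) -> str:
    """Root permission marks a high-risk process, ordinary-user permission a low-risk one."""
    return "high" if perm == ROOT else "low"


def security_event_report(proc: Proc, risk: str) -> Dict[str, object]:
    """The report is built from the marked process's information."""
    return {"pid": proc.pid, "ppid": proc.ppid, "pgid": proc.pgid,
            "caller": proc.caller, "perm": proc.perm, "risk": risk}


def finding(rule: str, marked: Proc) -> Dict[str, object]:
    risk = risk_level(marked.perm)
    return {"malicious": True, "rule": rule, "marked_pid": marked.pid,
            "risk": risk, "report": security_event_report(marked, risk)}


def classify(table: ProcessTable, pid: int, device_locked: bool = True) -> Dict[str, object]:
    """Apply the decision rules to the process interpreting a script.
    Runs only while the device is locked; reports which branch fired and what was marked."""
    cur = table.by_pid[pid]
    if not device_locked:
        return {"malicious": False, "rule": "device unlocked: check skipped"}
    parent = table.parent(cur)
    if parent is None:
        return {"malicious": False, "rule": "no parent process"}

    first_type = cur.caller     # subject that invoked the current process
    first_perm = parent.perm    # permission of the parent process
    if first_type == ORDINARY_USER:
        if first_perm == ROOT:
            return {"malicious": False, "rule": "ordinary-user caller under a root parent"}
        # Parent is not root: the current process is flagged, its own permission sets the risk.
        return finding("ordinary-user caller under a non-root parent", cur)

    if parent.caller == ORDINARY_USER:   # second subject type
        # Caller is not an ordinary user but the parent was invoked by one: the parent is marked.
        return finding("parent process invoked by an ordinary user", parent)

    leader = table.group_leader(cur)     # third subject is the group leader's caller
    if leader is not None and leader.caller == ORDINARY_USER:
        return finding("process-group leader invoked by an ordinary user", cur)
    # Not covered by the text; treated as no finding (assumption of this example).
    return {"malicious": False, "rule": "no ordinary-user subject in the chain"}


# Constructed process table covering each branch.
TABLE = ProcessTable([
    Proc(1, 0, 1, SYSTEM, ROOT),                # init
    Proc(100, 1, 100, ORDINARY_USER, USER),     # third-party app, group leader
    Proc(101, 100, 100, ORDINARY_USER, USER),   # shell script started by the app
    Proc(200, 1, 200, SYSTEM, ROOT),            # system service
    Proc(201, 200, 200, ORDINARY_USER, USER),   # script the service runs for a user
    Proc(300, 1, 300, ORDINARY_USER, ROOT),     # user-invoked process that obtained root
    Proc(301, 300, 300, SYSTEM, ROOT),          # script it launched through a system helper
    Proc(400, 1, 400, ORDINARY_USER, USER),     # user-invoked group leader
    Proc(401, 400, 400, SYSTEM, ROOT),          # system helper in that group
    Proc(402, 401, 400, SYSTEM, ROOT),          # script two hops below the leader
    Proc(500, 1, 500, SYSTEM, ROOT),            # fully system-owned chain
    Proc(501, 500, 500, SYSTEM, ROOT),
])

if __name__ == "__main__":
    for pid in (101, 201, 301, 402, 501):
        print(pid, classify(TABLE, pid))
```

Note that, taken literally, the rules treat any script an ordinary user starts under a non-root parent as malicious; the locked-device gate is what keeps that from firing during normal use, so an implementation should not drop it.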
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions; those skilled in the art should understand, however, that the present application is not limited by the order of the actions described, since according to the present application some steps may be performed in another order or simultaneously. Those skilled in the art will further appreciate that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily all required by the present application.
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of the other embodiments.
The foregoing describes the script detection method, terminal device, storage medium and computer device provided by the present application. Those skilled in the art will, based on the idea of the embodiments of the present application, vary the specific implementation and the scope of application, so the content of this specification should not be construed as limiting the present application.

Claims (15)

1. A script detection method, comprising:
acquiring a first subject type of a first subject that invokes a current process, and acquiring a first permission of a parent process of the current process;
determining, based on the first subject type and the first permission, whether the current process is in a legitimate state;
if the first subject type is not an ordinary user, acquiring a second subject type of a second subject that invokes the parent process;
if the second subject type is not an ordinary user, determining a group leader of a process group to which the current process belongs, and acquiring a third subject type of a third subject that invokes the group leader;
if the third subject type is an ordinary user, determining that the current process is not in a legitimate state;
and if the current process is not in a legitimate state, determining, based on a second permission of the current process, whether the script corresponding to the current process is a malicious script.
2. The method of claim 1, wherein determining, based on the second permission of the current process, whether the script corresponding to the current process is a malicious script comprises:
if the second permission of the current process is the ordinary-user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
3. The method of claim 2, further comprising:
if the second permission of the current process is the ordinary-user permission, marking the current process as a low-risk process, acquiring process information of the current process, generating a first security event report from the process information, and outputting the first security event report;
if the second permission of the current process is the root permission, marking the current process as a high-risk process, acquiring process information of the current process, generating a second security event report from the process information, and outputting the second security event report.
4. The method of claim 1, wherein determining, based on the first subject type and the first permission, whether the current process is in a legitimate state comprises:
if the first subject type is an ordinary user and the first permission is the root permission, determining that the current process is in a legitimate state;
if the first subject type is an ordinary user and the first permission is not the root permission, determining that the current process is not in a legitimate state.
5. The method of claim 1, wherein before acquiring the first subject type of the first subject that invokes the current process, the method further comprises:
if an execution instruction for the script is received, detecting a file format of the script;
and if the file format meets a preset format, executing the script through a script interpreter.
6. The method of claim 1, wherein before acquiring the first subject type of the first subject that invokes the current process, the method further comprises:
acquiring a device state of the terminal device executing the script;
and if the device state is the locked state, performing the step of acquiring the first subject type of the first subject that invokes the current process.
7. A script detection method, comprising:
acquiring a first main body type of a first main body for calling a current process and acquiring a second main body type of a second main body for calling a father process of the current process;
acquiring a first authority of the parent process;
Determining whether the script corresponding to the current process is a malicious script or not based on the first main body type, the second main body type and the first authority;
If the first main body type and the second main body type are not common users, determining a group leader process of a process group to which the current process belongs, and acquiring a third main body type of a third main body for calling the group leader process;
and if the third main body type is the common user, determining that the current process is not in a legal state.
8. The method of claim 7, wherein the determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type, and the first authority comprises:
if the first main body type is not the normal user, the second main body type is the normal user, the first authority is the normal user authority or the root authority, and the script corresponding to the current process is determined to be a malicious script.
9. The method of claim 8, wherein the method further comprises:
If the first main body type is not the normal user, the second main body type is the normal user, and the first authority is the normal user authority, marking the father process as a low-risk process, acquiring the process information of the father process, generating a first security event report according to the process information, and outputting the first security event report;
if the first main body type is not the common user, the second main body type is the common user, and the first authority is the root authority, marking the father process as a high-risk process, acquiring the process information of the father process, generating a second security event report according to the process information, and outputting the second security event report.
10. The method of claim 7, wherein, before acquiring the first subject type of the first subject that invokes the current process, the method further comprises:
if an execution instruction for the script is received, detecting a file format of the script;
and if the file format meets a preset format, executing the script through a script interpreter.
11. The method of claim 7, wherein, before acquiring the first subject type of the first subject that invokes the current process, the method further comprises:
acquiring a device state of the terminal device executing the script;
and if the device state is a locked state, performing the step of acquiring the first authority of the first subject of the current process.
12. A script detection apparatus, comprising:
a type acquisition module, configured to acquire a first subject type of a first subject that invokes the current process and to acquire a first authority of a parent process of the current process;
a state acquisition module, configured to determine whether the current process is in a legal state based on the first subject type and the first authority; if the first subject type is not a normal user, to acquire a second subject type of a second subject that invokes the parent process; if the second subject type is not a normal user, to determine a group leader process of the process group to which the current process belongs and to acquire a third subject type of a third subject that invokes the group leader process; and if the third subject type is a normal user, to determine that the current process is not in a legal state;
and a determining module, configured to determine, if the current process is not in a legal state, whether the script corresponding to the current process is a malicious script based on a second authority of the current process.
13. A script detection apparatus, comprising:
a type acquisition module, configured to acquire a first subject type of a first subject that invokes the current process and a second subject type of a second subject that invokes a parent process of the current process;
an authority acquisition module, configured to acquire the first authority of the parent process;
a determining module, configured to determine whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first authority; if neither the first subject type nor the second subject type is a normal user, to determine a group leader process of the process group to which the current process belongs and to acquire a third subject type of a third subject that invokes the group leader process; and if the third subject type is a normal user, to determine that the current process is not in a legal state.
14. A storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the script detection method of any of claims 1-6 or 7-11.
15. A computer device, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the steps of the script detection method of any of claims 1-6 or 7-11.
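The decision logic of claims 7 to 9 (which claim 13 restates as an apparatus), as an added example run over a constructed process table; this is not the patent's own code. The subject-type names, the extra OTHER authority value and the process records are assumptions, and how a real system derives the "subject" that invoked a process is outside what the claims specify.

```python
from collections import namedtuple
from enum import Enum
from typing import Dict

Subject = Enum("Subject", "NORMAL_USER SYSTEM SHELL")  # subject type of a process's invoker (names assumed)
Authority = Enum("Authority", "NORMAL ROOT OTHER")     # privilege; OTHER assumed so claim 8's test is not vacuous
# pgid: process group id; the group leader is the process whose pid == pgid
Proc = namedtuple("Proc", "pid ppid pgid subject authority")
# risk: "low"/"high" tag on the parent (claim 9); report: security event report built from parent info
Verdict = namedtuple("Verdict", "malicious legal_state risk report")

def check_script_process(table: Dict[int, Proc], pid: int) -> Verdict:
    cur, parent = table[pid], table[table[pid].ppid]
    first_type, second_type, first_auth = cur.subject, parent.subject, parent.authority
    # Claims 8-9: a non-normal subject launched by a normal-user parent holding normal
    # or root authority is malicious; a root-holding parent is the high-risk case.
    if (first_type != Subject.NORMAL_USER and second_type == Subject.NORMAL_USER
            and first_auth in (Authority.NORMAL, Authority.ROOT)):
        risk = "high" if first_auth == Authority.ROOT else "low"
        report = {"report": "second" if risk == "high" else "first", "pid": parent.pid,
                  "ppid": parent.ppid, "subject": second_type.name, "authority": first_auth.name}
        return Verdict(True, False, risk, report)
    # Claim 7 tail: both subjects non-normal, so the process-group leader decides legality.
    if first_type != Subject.NORMAL_USER and second_type != Subject.NORMAL_USER:
        leader = table.get(cur.pgid)
        if leader is not None and leader.subject == Subject.NORMAL_USER:
            return Verdict(False, False, None, None)  # claim 12 then checks cur's own authority
    return Verdict(False, True, None, None)

# Constructed process table (not real system data); pid 1 stands in for init.
SAMPLE = {p.pid: p for p in [
    Proc(1, 0, 1, Subject.SYSTEM, Authority.ROOT),
    Proc(100, 1, 100, Subject.NORMAL_USER, Authority.NORMAL),
    Proc(101, 100, 100, Subject.SHELL, Authority.NORMAL),   # shell spawned by a normal-user app
    Proc(200, 1, 200, Subject.NORMAL_USER, Authority.ROOT),
    Proc(201, 200, 200, Subject.SHELL, Authority.NORMAL),   # parent already holds root
    Proc(300, 1, 300, Subject.NORMAL_USER, Authority.NORMAL),
    Proc(301, 300, 300, Subject.SYSTEM, Authority.NORMAL),
    Proc(302, 301, 300, Subject.SHELL, Authority.NORMAL),   # group leader 300 is a normal user
    Proc(400, 1, 400, Subject.SYSTEM, Authority.ROOT),
    Proc(401, 400, 400, Subject.SHELL, Authority.ROOT),     # system-owned process group
]}
```

Running `check_script_process(SAMPLE, pid)` for pids 101, 201, 302 and 401 exercises the low-risk, high-risk, group-leader and legal branches respectively.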
CN202110689583.3A 2021-06-21 2021-06-21 Script detection method, script detection device, storage medium and computer equipment Active CN113407940B (en)

Publications (2)

Publication Number Publication Date
CN113407940A CN113407940A (en) 2021-09-17
CN113407940B true CN113407940B (en) 2024-08-06

Family

ID=77682225

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114969676A (en) * 2022-06-02 2022-08-30 成都欧珀通信科技有限公司 Authority management method, authority management device, storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20080057918A (en) * 2006-12-21 2008-06-25 주식회사 레드게이트 Blocking of illegal rights movement and mandatory access control using security role state transition model of Unix / Linux system
KR20160133927A (en) * 2015-05-14 2016-11-23 한국전자통신연구원 Apparatus and method for detecting rooting from terminal based on android system

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100343069B1 (en) * 2000-08-26 2002-07-05 박태규 Mandatory Object Access Control Method Using Multi-Level Security, and Computer Readable Recording Medium Having thereon Programmed Mandatory Object Access Control Method Using Multi-Level Security
KR20020016709A (en) * 2000-08-26 2002-03-06 박태규 Mandatory Printing Method for Security Banner of Security Labeled File, and Computer Recordable Recording Medium Having Thereon Programmed Mandatory Printing Method for Security Banner of Security Labeled File
US8972783B2 (en) * 2011-06-28 2015-03-03 International Business Machines Corporation Systems and methods for fast detection and diagnosis of system outages
KR101431192B1 (en) * 2013-03-28 2014-08-19 한신대학교 산학협력단 Method for Rooting Attack Events Detection on Mobile Device
CN104102878B (en) * 2013-04-10 2017-02-08 中国科学院计算技术研究所 Malicious code analysis method and system under Linux platform
KR101530532B1 (en) * 2013-11-04 2015-06-23 주식회사 잉카인터넷 Apparatus and Method for Detecting Rooting a Mobile Terminal
CN105809026B (en) * 2014-12-29 2019-02-01 北京奇虎科技有限公司 Process rights configuration method and device
CN106295319B (en) * 2016-08-02 2019-07-19 中标软件有限公司 Operating system safety protecting method
JP2018198000A (en) * 2017-05-24 2018-12-13 富士通株式会社 Monitoring program, monitoring method and information processing device
GB2566305B (en) * 2017-09-08 2020-04-15 Avecto Ltd Computer device and method for controlling process components
CN109815700B (en) * 2018-12-29 2021-10-01 360企业安全技术(珠海)有限公司 Application processing method and device, storage medium, computer equipment
CN110598410B (en) * 2019-09-16 2021-11-16 腾讯科技(深圳)有限公司 Malicious process determination method and device, electronic device and storage medium
CN111783082A (en) * 2020-06-08 2020-10-16 Oppo广东移动通信有限公司 Process tracing method, device, terminal and computer-readable storage medium
CN111783081A (en) * 2020-06-08 2020-10-16 Oppo广东移动通信有限公司 A malicious process processing method, terminal device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant