CN103677769B - Instruction recombination method and device - Google Patents
Instruction recombination method and device Download PDFInfo
- Publication number
- CN103677769B CN103677769B CN201210325951.7A CN201210325951A CN103677769B CN 103677769 B CN103677769 B CN 103677769B CN 201210325951 A CN201210325951 A CN 201210325951A CN 103677769 B CN103677769 B CN 103677769B
- Authority
- CN
- China
- Prior art keywords
- instruction
- address
- fragment
- jump
- machine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Advance Control (AREA)
Abstract
The present invention provides a kind of instruction recombination method when running, including: step 1, cache instruction running environment;Step 2, the address obtaining the jump instruction preserved in stack and parameter, calculate next instruction address that will run, and this address is the first address;Step 3, according to the first address acquisition machine instruction to be dispatched fragment;Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction;Step 4, to replace the first jump instruction be pop down instruction, records address and the operand of the first jump instruction in pop down instructs;Step 5, after pop down instructs, add the second jump instruction, generate and there is two address restructuring instruction fragment;The entry address of described second jump instruction directional order restructuring platform;With step 6, recover described instruction operation environment, and jump to the second address and continue executing with.
Description
Technical field
The present invention relates to computer safety field, particularly relate to a kind of instruction recombination method and device.
Background technology
Existing electronic information security field includes security of system, data safety and three son necks of equipment safety
Territory.
In data security arts, general employing following three technology guarantees data safety: in (1) data
Hold safe practice, including data ciphering and deciphering technology and end-to-end data encryption technology, ensure that data are being deposited
In storage and transmitting procedure, content is not illegally read;(2) data safe transfer technology, illegal including preventing
Copy, printing or other output, ensure that data are in the safety used and in transfer process;(3) network resistance
Disconnected technology, blocks including network physical and arranges the technology such as network barrier.
According to correlation analysis, all harm currently for computer the most effectively detect ability at most 50%
Left and right;Owing to above-mentioned technology is after reply computer inner core virus, wooden horse, Loopholes of OS, system
Door and scarce capacity, the most any calculating equipment (such as computer, handheld communication when artificially divulging a secret
Equipment etc.) all there may be malicious code.Once malicious code enters terminal system, and above-mentioned adds secret skill
Art, anti-copy technology and network interrupter technique are in this case by ineffective.Existing hacker's skill
Art can utilize system vulnerability or system backdoor penetrate above-mentioned safe practice and implant malicious code, and utilizes
Malicious code obtains user data.Above-mentioned technology more cannot take precautions against actively or passively divulging a secret of concerning security matters personnel,
Such as, internal staff can carry storage device, downloads required data also from internal network or terminal
Take away storage device, cause inside to be divulged a secret;The most such as, calculating equipment can directly be taken away by internal staff.
To sum up, anti-copy technology cannot ensure that classified information is not illegally stored in terminal.Based on network mistake
Filter cannot guarantee that classified information is not lost.Concerning security matters personnel can be caused let out by malicious code or malice instrument
Close, it is also possible to because secrecy-involved apparatus or out of control the causing of storage medium are divulged a secret.
Summary of the invention
The present invention provides a kind of instruction recombination method and device, it is achieved the capture instructed during operation and weight
Group.
According to one aspect of the invention, it is provided that a kind of instruction recombination method during operation, including:
Step 1, cache instruction running environment;
Step 2, the address obtaining the jump instruction preserved in stack and parameter, calculating next will transport
The instruction address of row, this address is the first address;
Step 3, according to the first address acquisition machine instruction to be dispatched fragment;Wherein, machine to be dispatched refers to
The last item instruction making fragment is the first jump instruction;
Step 4, to replace the first jump instruction be pop down instruction, records and first redirect finger in pop down instructs
The address of order and operand;
Step 5, after pop down instructs, add the second jump instruction, generate and there is two address restructuring
Instruction fragment;The entry address of described second jump instruction directional order restructuring platform;With
Step 6, recover described instruction operation environment, and jump to the second address and continue executing with.
Optionally, in step 3, include according to the first address acquisition machine instruction to be dispatched fragment:
From the beginning of the first address, obtain one section of machine instruction to be scheduled, this section of machine instruction is carried out instead
Compilation;
Checking in dis-assembling result and whether comprise jump instruction, if do not comprised, continuing to obtain one section below
Machine instruction to be scheduled, until matching jump instruction, this jump instruction is the first jump instruction;
Wherein, the first jump instruction and all instruction compositions before treat dispatch command fragment.
Optionally, between step 5 and step 6, also include:
Assembly code after the restructuring that will generate generates corresponding machine code by assembler.
Optionally, between step 2 and step 3, also include:
Utilize described first address search address correspondence table;Described address correspondence table is used for representing to be waited to dispatch
Machine instruction fragment whether have preserved restructuring instruction fragment;
If finding corresponding record, recovering described instruction operation environment, and jumping to the guarantor in record
Deposit address to continue executing with.
Optionally, if not finding corresponding record in the correspondence table of address, after step 5,
Also include:
The address utilizing restructuring instruction fragment sets up one with described first address in the corresponding table in address
Record.
Optionally, after step 3, before step 5, also include:
Machine instruction fragment to be dispatched described in parsing, utilizes instruction set to mate described machine instruction fragment,
Obtain pending target machine instructions;
In a predetermined manner, described target machine instructions is revised.
Optionally, described target instruction target word is storage/reading instruction;
In a predetermined manner, revise described target machine instructions to include: revise storage therein and reading
Taking address is the address on safety storage apparatus.
Optionally, described target instruction target word is I/O instruction;
In a predetermined manner, revise described target machine instructions to include: in being instructed by described I/0
Input instruction all stops.
Optionally, described target instruction target word is network transmission instruction;
In a predetermined manner, revise described target machine instructions to include: check the transmission of described network to refer to
Whether remote computing devices corresponding to destination address in order is secure address (i.e. allowing reference address);
If it is not, stop the transmission instruction of described network.
According to a further aspect of the present invention, it is provided that a kind of computer-readable medium, in described computer-readable recording medium
Storage has the executable program code of computer, and described program code is for performing the step of said method
Suddenly.
According to another aspect of the present invention, it is provided that instruction recombination device during a kind of operation, including:
Instruction operation environment caching and recovery unit, be suitable to caching and recover instruction operation environment;
Instruction acquiring unit, couples with instruction operation environment caching and recovery unit, is suitable to obtain in stack
The address of the jump instruction preserved and parameter, calculate next instruction address that will run, and this address is
First address;It is further adapted for treating the machine instruction fragment of scheduling/execution according to the first address acquisition;Wherein,
The last item instruction of machine instruction fragment to be dispatched is the first jump instruction;With
Instruction recombination unit, couples with instruction operation environment caching and recovery unit, is suitable to replace first
Jump instruction is pop down instruction, records address and the operand of the first jump instruction in pop down instructs;Also
Be suitable to add the second jump instruction after pop down instructs, generate and there is two address restructuring instruction sheet
Section;The entry address of instruction recombination device when running is pointed in described second jump instruction.
Optionally, during described operation, instruction recombination device also includes:
Instruction retrieval unit, is suitable to utilize described first address search address correspondence table;Described address pair
Answer the restructuring instruction fragment that table has preserved for representing machine instruction fragment to be dispatched whether to have;
If finding corresponding record, instruction retrieval unit be further adapted for call instruction running environment caching and
Recovery unit, recovers described instruction operation environment, and the preservation address jumped in record continues executing with;
Without finding corresponding record, instruction retrieval unit is further adapted for utilizing restructuring instruction fragment
A record is set up with described first address in the corresponding table in address in address.
Optionally, described instruction recombination unit also includes:
Instruction resolution unit, is suitable to utilize instruction set to mate described machine instruction fragment to be scheduled,
To pending target machine instructions;
Instruction modification unit, is suitable in a predetermined manner, revises described target machine instructions.
Optionally, described target instruction target word is storage/reading instruction;
Described instruction modification unit is suitably modified to storage therein and reading address is safety storage apparatus
On address.
Optionally, described target instruction target word is I/0 instruction;
The input instruction that described instruction modification unit is suitable in being instructed by described I/0 all stops.
Optionally, described target instruction target word is network transmission instruction;
Described instruction modification unit is suitable to check the destination address in the transmission instruction of described network corresponding
Whether remote computing devices is secure address;If it is not, described instruction modification unit is suitable to stop institute
State network transmission instruction.
Optionally, described instruction recombination unit also includes:
Dis-assembling unit, be suitable to instruction resolution unit resolve described machine instruction fragment to be scheduled it
Before, machine instruction fragment to be scheduled described in dis-assembling, generate assembly instruction fragment to be scheduled;
Assembly unit, is suitable to the assembly instruction fragment after compilation restructuring, obtains the restructuring that machine code represents
Instruction fragment.
The method and apparatus that the present invention provides can realize capture and the restructuring instructed when running, and,
Getting after dispatch command fragment, it is also possible to machine instruction therein is analyzed and processes,
Thus instruction capture, restructuring when being possible not only to realize running, it is also possible to realize predetermined target instruction target word
Management.
Accompanying drawing explanation
Fig. 1 is the system level schematic diagram calculating equipment in prior art;
The flow chart of instruction recombination method when Fig. 2 is the operation provided in one embodiment of the invention;
Fig. 3 is the generation process schematic of the restructuring instruction fragment provided in one embodiment of the invention;
Fig. 4 is the flow chart of step S102 in the Fig. 2 provided in another embodiment of the present invention;
The flow chart of instruction recombination method when Fig. 5 is the operation provided in another embodiment of the present invention, profit
The instruction fragment recombinated is preserved with address correspondence table;
The flow chart of instruction recombination method when Fig. 6 is the operation provided in another embodiment of the present invention, single
Solely open up storage position and preserve the destination address of the first jump instruction;
The flow chart of instruction recombination method, pin when Fig. 7 is the operation provided in another embodiment of the present invention
On-fixed length instruction collection is carried out dis-assembling and compilation process;
The flow chart of instruction recombination method when Fig. 8 is the operation provided in another embodiment of the present invention, with
Pop down instruction substitutes or record the first jump instruction;
The flow chart of instruction recombination method when Fig. 9 a is the operation provided in another embodiment of the present invention,
Feature in multiple embodiments before instruction recombination method is comprehensive during operation therein;
When Fig. 9 b-9d is the operation in Fig. 9 a, instruction recombination method is run on X86 system processor
Operating process schematic diagram;
Instruction recombination apparatus structure schematic diagram when Figure 10 is the operation provided in one embodiment of the invention;
Instruction recombination apparatus structure signal when Figure 11 is the operation provided in another embodiment of the present invention
Figure;
Figure 12 is the instruction recombination cellular construction schematic diagram provided in another embodiment of the present invention;
Instruction recombination apparatus structure signal when Figure 13 is the operation provided in another embodiment of the present invention
Figure;
Instruction recombination apparatus structure signal when Figure 14 is the operation provided in another embodiment of the present invention
Figure.
Detailed description of the invention
In order to make the purpose of the present invention, technical scheme and advantage clearer, below in conjunction with accompanying drawing,
The present invention is described in more detail.Should be appreciated that specific embodiment described herein only in order to
Explain the present invention, be not intended to limit the present invention.
Analyze
It is illustrated in figure 1 in prior art the system level schematic diagram of the equipment that calculates, from top to bottom, calculates
Equipment includes: user interface layer 101, application layer 102, operating system nucleus layer 103, hardware mapping layer
104 and hardware layer 105.
Wherein, user interface layer 101 is the interface between user and equipment, and user passes through this layer and equipment
(i.e. other levels of equipment, such as application layer 102) interact.Application layer 102 refers to application software
Layer.
Operating system nucleus layer 103 is a kind of logical layer based on software, is by software data in general
Form with software code, compared to boundary layer 101 and application layer 102, operating system nucleus layer 103
Code has higher authority, the various software and hardware resources in computer system can be carried out complete behaviour
Make.
Hardware mapping layer 104 is a kind of logical layer based on software, and it is generally operational in operating system nucleus
Layer, has the authority identical with inner nuclear layer.Hardware mapping layer primarily to solve by different types of firmly
The operator scheme of part is mapped as a kind of unified high-level interface, upwards shields the particularity of hardware.General next
Saying, hardware mapping layer is mainly used by operating system nucleus layer 103, completes the operation to various hardware.
Hardware layer 105 refers to constitute all hardware parts of computer system.
User passes through user interface layer 101 (being i.e. in the user interface of user interface layer 101) to this meter
Calculation equipment carries out operating and obtain graphical or non-patterned feedback.As a example by the operation preserving data, its
Process includes:
(1) user interface 101 that user is provided by certain application program, selects " preservation " function;
(2) application layer 102 calls corresponding code, and above-mentioned user operation is converted into one or more behaviour
Make the interface function that system provides, i.e. " preserve " operation and transform into sequence of operations system kernel layer
Calling of 103 interface functions provided;
(3) each operating system interface function is converted into one or many by operating system nucleus layer 103
The interface function that individual hardware mapping layer 104 provides;I.e. " preserve " to operate to transform into and a series of hardware are reflected
Penetrate the calling of interface function that layer 104 provides;
(4) each interface function oneself provided is converted into one or more by hardware mapping layer 104
Hardware instruction is called;Finally,
(5) hardware layer 105 (such as CPU) receives above-mentioned hardware instruction and calls and perform hardware instruction.
For this calculating equipment, after it is invaded by malicious code, malicious code can be from calculating equipment
Obtaining desired data, after stealing data, its behavioral pattern includes:
(1) storage behavior: target data content is saved in certain storage position;
(2) transport behavior: the data stolen directly are transferred to by network the destination address specified.
It addition, use the personnel of above-mentioned calculating equipment or information equipment to carry out the behavioral pattern bag divulged a secret inside
Include:
(1) actively divulge a secret: concerning security matters personnel by actively copy, penetrated by maliciously instrument security system,
Insert the means such as wooden horse and directly obtain confidential data, and divulge a secret;
(2) passively divulge a secret: the computer of concerning security matters librarian use or storage medium are because loss is not good in keeping or makes
With divulging a secret that improper (such as concerning security matters equipment being directly accessed Internet) causes.
The above-mentioned multiple mode of divulging a secret makes the data of this calculating equipment cannot ensure safely.
Inventor it has been investigated that, in computer running, cpu address depositor preserve next will
The address of machine instruction to be run, such as pc (program counter, program counter) points to
Address;Obtain the data in this depositor, and the address pointed to according to these data, read next or
The a plurality of machine instruction that will run, it is possible to achieve capture the purpose of machine instruction during operation.
Further, dispatch command fragment (example is treated by what described one or more machine instruction of amendment formed
As inserted extra jump instruction, herein referred as instruction recombination wherein) so that at this section of instruction operation
Regain CPU right of execution before complete, and the capture next one treats dispatch command fragment again, permissible
Realize capturing continuously when running the purpose of machine instruction.
Further, getting after dispatch command fragment, it is also possible to machine instruction therein is analyzed
And processing, thus instruction capture, restructuring when being possible not only to realize running, it is also possible to realize predetermined
The management of target instruction target word.
Instruction recombination or instruction tracing
Based on above-mentioned analysis and discovery, instruction weight when providing a kind of operation in one embodiment of the present of invention
Prescription method, the method is referred to as instruction recombination platform when running.As in figure 2 it is shown, the method S100 includes:
S101, cache instruction running environment;Described instruction operation environment includes that address register, address are posted
Storage preserves the address of next machine instruction that will run, and this address is the first address;
S102, obtains machine instruction fragment to be scheduled;Wherein, machine instruction fragment to be scheduled is
A rear instruction is the first jump instruction;
S103, before described first jump instruction, inserts the second jump instruction, generates and have the second address
Restructuring instruction fragment;The entry address of described second jump instruction directional order restructuring platform, i.e. performs
After this second jump instruction, perform step S101;
S104, is revised as the second address by the first address in described address register;With
S105, recovers described instruction operation environment.
In the present embodiment, during above-mentioned operation, instruction recombination method performs on the CPU of X86-based;
In other embodiments of the invention, during above-mentioned operation, instruction recombination method can also be at MIPS processor
Or perform on processor of based on ARM framework.It will appreciated by the skilled person that above-mentioned side
Method can perform in the instruction process unit of any other type in calculating equipment.
Wherein, in step S101, described cache instruction running environment may include that
In caching stack, it is pressed into CPU machine instruction runs relevant register data.
In other embodiments of the invention, cache or preserve instruction operation environment can also that specify,
Other caching data structure of acquiescence and address are carried out.
In step S101, described address register can be cpu address depositor.
In step s 102, in machine instruction fragment to be scheduled, the last item instruction is first to redirect finger
Order, an only jump instruction, machine instruction fragment bag to be scheduled in machine instruction fragment to be scheduled
Include described first jump instruction and the machine instruction all to be scheduled before it.
In step s 103, the last item in described machine instruction fragment to be scheduled instructs (i.e. the
One jump instruction JP1) front, insert the second jump instruction JP2, described JP2 directional order restructuring platform
Entry address, generate there is the second address A " restructuring instruction fragment.
Insert the second jump instruction be in order to CPU run described machine instruction fragment to be scheduled time,
Before JP1 runs, restarting to run described instruction recombination platform, so, instruction recombination platform just may be used
To continue to analyze next section of machine instruction fragment to be scheduled, thus complete institute by repeating this method
The restructuring of instruction when having operation.
In step S105, recover described instruction operation environment and may include that
Eject, from caching stack, the register data that instruction operation is relevant;The jumping that wherein address register preserves
The destination address turning instruction has been modified to the second address A " the new machine instruction sheet as entry address
Section.
After step S105 performs, having recovered described instruction operation environment, instruction recombination platform completes once
Running, CPU performs described restructuring instruction fragment, i.e. CPU and will perform with the second address A " for entrance ground
The machine instruction fragment of location.When restructuring instruction fragment goes to the second jump instruction JP2, described instruction weight
Group platform retrieves CPU control (i.e. performing step S101), the now target of the first jump instruction
Address has obtained, and this destination address is the first new address, then re-executes step S101~step
Rapid S105.
Below in conjunction with Fig. 3, further illustrate instruction recombination process and the generation process of restructuring instruction fragment.
Fig. 3 includes that machine instruction set to be scheduled 401 is (such as already loaded into certain program in internal memory
Machine instruction), wherein instruction 4012 is the first jump instruction, if the destination address of instruction 4012
For variable, then assume initially that instruction 4012 sensing machine instruction 4013;From the first jump instruction 4012
The machine instruction all to be scheduled including the first jump instruction 4012 in the past constitutes machine instruction sheet
Section 4011.
(instruction recombination platform 411), first cache instruction running environment after instruction recombination method is run;
Then (such as copy) machine instruction fragment 4011 is obtained;Instruction recombination platform is in the first jump instruction 4
The second jump instruction 4113, the second jump instruction 4113 directional order restructuring platform 41 is inserted before 012
1 is own, thus generates restructuring instruction fragment 4111, and the address of restructuring instruction fragment is A ";By institute
Value A stating the address register in the instruction operation environment of caching is revised as address A ";Finally recover institute
State instruction operation environment.
After instruction recombination platform 411 terminates to run, CPU performs with A " the restructuring instruction fragment as address,
When going to the second jump instruction 4113, instruction recombination platform 411 can regain CPU control.
Now, the destination address 4013 of the first jump instruction 4012 has generated, and this destination address is new
One address, instruction recombination platform restarts to perform step S101~step S105 according to this destination address,
The machine instruction to be scheduled that continuation analysis is follow-up, thus the method for instruction recombination when completing operation.
According to a further embodiment of the invention, as shown in Figure 4, in step s 102, obtain and wait to dispatch
Machine instruction fragment may include that
S1021, reads machine instruction to be scheduled from address register (such as cpu address depositor)
Address;
S1022, with jump instruction as searched targets, the machine retrieving the sensing of described machines instruction address refers to
Order and subsequent instructions thereof, until finding first jump instruction (the referred to as first jump instruction);Described jumping
Turn the machine instruction referring to change machine instruction order execution flow process, including Jump instruction, Call
Instruction, Return instruction etc.;
S1023, using described first jump instruction and the machine instruction all to be scheduled before it as
One machine instruction fragment to be scheduled;This machine instruction fragment is saved in instruction recombination platform, or
The storage position that other instruction recombination platforms can read.
In other embodiments of the invention, obtain machine instruction fragment to be scheduled to redirect with non-
Instruction (such as write instruction, reading instruction etc.) is searched targets, further cutting machine instruction fragment.
Due in such embodiments, it is also desirable to ensure instruction recombination platform after performing until scheduling jump instruction
It still is able to obtain CPU control or right of execution, so jump instruction needs as the second searched targets,
Thus obtain the machine instruction fragment that granularity is less.
According to a further embodiment of the invention, between step S102 and S103, instruction during described operation
Recombination method can also include:
Utilize instruction set to mate described machine instruction fragment to be scheduled, obtain target machine instructions;Described
Instruction set includes X86, MIPS and ARM instruction set;With
In a predetermined manner, described target machine instructions is revised.
Instruction monitoring when being possible not only to run, it is also possible to carry out other processing procedures, related embodiment
Will be described in detail below.
Further, in order to improve the efficiency of instruction recombination method, can be by fixing address jump instruction institute
That points to treats that dispatch command obtains the most in the lump.
According to a further embodiment of the invention, it is provided that a kind of instruction recombination method during operation, the method S300
Including:
S301, cache instruction running environment;Described instruction operation environment includes that address register, address are posted
Storage preserves the address of next machine instruction that will run, and this address is the first address;
S302, obtains machine instruction fragment to be scheduled;Wherein, machine instruction fragment to be scheduled is
A rear instruction is the first jump instruction;
S303, before described first jump instruction, inserts the second jump instruction, generates and have the second address
Restructuring instruction fragment;The entry address of described second jump instruction directional order restructuring platform, i.e. performs
After this second jump instruction, perform step S301;
S304, is revised as the second address by the first address in described address register;
S305, recovers described instruction operation environment.
Compared with the method provided in embodiment before, difference is: in step s 302, treats
The machine instruction fragment of scheduling can include a plurality of jump instruction;Only one parameter ground in jump instruction
Location jump instruction, the referred to as first jump instruction.
It should be noted that jump instruction can include two classes, argument address jump instruction and constant address
Jump instruction, wherein, the jump address of constant address jump instruction is constant (i.e. immediate), and joins
Count in the machine instruction typically before jump instruction of the argument address in the jump instruction of address and calculate
Obtain.
Similarly, the last item instruction of machine instruction fragment to be scheduled is the first jump instruction;Wait to adjust
The machine instruction fragment of degree includes described first jump instruction and the machine all to be scheduled before it
Instruction.
Further, owing to the machine instruction generated in program operation process has the highest repeatability,
In order to improve the efficiency of instruction recombination method, save the calculating resource (cpu resource) of calculating equipment, can
To utilize a small amount of memory space to preserve restructuring instruction fragment.
According to a further embodiment of the invention, it is provided that a kind of instruction recombination method during operation.As it is shown in figure 5,
The method S200 includes:
S201, cache instruction running environment;Described instruction operation environment includes that address register is (such as
Cpu address depositor) (in general, instruction operation environment refers to all depositors of CPU, including
General register, status register, address register etc.), address register preserves next and will transport
The address of the machine instruction of row, this address is the first address;
S202, utilizes described first address search address correspondence table;Described address correspondence table is for expression the
What one address A pointed to treats whether dispatch command fragment has the restructuring instruction fragment preserved, and address is corresponding
The data of table are address pair;
S203, if finding corresponding record, by described first address A (i.e. value A of address register)
It is revised as the address A ' of the restructuring instruction fragment preserved;
S204, without finding corresponding record, obtains machine instruction fragment to be scheduled;Wherein,
The last item instruction of machine instruction fragment to be scheduled is the first jump instruction;
S205, before described first jump instruction, inserts the second jump instruction, generates and have second
The restructuring instruction fragment of address;The entrance of described second jump instruction directional order restructuring platform
Address, after i.e. performing this second jump instruction, performs step S201;
S206, is revised as the second address by the first address in described address register;
S207, recovers described instruction operation environment.
Further, step S206 also includes: utilize the second address A " with the first address A described
Location correspondence table is set up address to (or a record).There is address A " restructuring instruction fragment be saved
In restructuring instruction platform, for reusing.
This method utilizes address correspondence table, saves and calculates resource, improves the efficiency of instruction recombination when running.
Above-mentioned recombination method is typically completed by jump instruction needed for treating to insert among dispatch command fragment,
In other embodiments of the present invention, it is also possible to complete the generation of restructuring instruction fragment by other means.Under
Face will be discussed in detail in conjunction with the embodiments.
According to a further embodiment of the invention, it is provided that a kind of instruction recombination method, storage position is individually opened up
Preserve the destination address of the first jump instruction.As shown in Figure 6, the method S110 includes:
S111, cache instruction running environment;
S112, reads destination address from the first storage position, obtains according to destination address and treat that scheduling (is i.e. treated
Perform) machine instruction fragment;Wherein, the last item instruction of machine instruction fragment to be dispatched is first
Jump instruction;
S113, preserves the destination address of the first jump instruction in the first storage position;
S114, replaces with the second jump instruction by the first jump instruction, generates and has two address restructuring
Instruction fragment;Described second jump instruction directional order restructuring platform entry address, i.e. perform this second
After jump instruction, perform step S111;
S115, recovers described instruction operation environment, and jumps to the second address and continue executing with.
Wherein, in step S112, obtain machine instruction fragment to be scheduled and may include that
S1121, with jump instruction as searched targets, retrieve described machines instruction address point to machine refer to
Order and subsequent instructions thereof, until finding first jump instruction (the referred to as first jump instruction);
Described jump instruction refers to change machine instruction order and performs the machine instruction of flow process, including Jum
P instruction, Call instruction, Return instruction etc.;
S1122, using described first jump instruction and the machine instruction all to be scheduled before it as
One machine instruction fragment to be scheduled;This machine instruction fragment is saved in instruction recombination platform, or
The storage position that other instruction recombination platforms can read.
In step S113, the destination address parameter of the i.e. jump instruction of destination address, it can be immediately
Number or variable parameter, preserve its value for immediate, preserves its address/quote for variable parameter.Work as place
When reason device will perform certain jump instruction, its jump target addresses has been computed complete.
According to a further embodiment of the invention, it is provided that a kind of instruction recombination method, refer to for on-fixed length
Collection is made to carry out dis-assembling and compilation process.As it is shown in fig. 7, the method includes:
S121, cache instruction running environment;
S122, reads destination address from the first storage position, obtains according to destination address and treat dispatch command sheet
Section:
From the beginning of destination address, obtain one section of machine instruction to be scheduled, this section of machine instruction is carried out instead
Compilation, and carry out processing and mating wherein comprising jumping by a lexical analyzer by dis-assembling result
Turn instruction, if not comprising, continuing to obtain next section of machine instruction to be scheduled and repeating aforesaid operations, directly
To matching jump instruction, this jump instruction is the first jump instruction;First jump instruction and it
Front all instruction compositions treat dispatch command fragment;
S123, preserves the destination address of the first jump instruction in the first storage position;
S124, replaces with the second jump instruction by the first jump instruction, generates and has two address restructuring
Instruction fragment;The entry address of described second jump instruction directional order restructuring platform;In the present embodiment,
This first jump instruction and the second jump instruction are all assembly instruction;
S125, the assembly code after the restructuring that will generate generates corresponding machine code by assembler;With
S126, recovers described instruction operation environment, and jumps to the second address and continue executing with.
According to a further embodiment of the invention, it is provided that a kind of instruction recombination method, substitute with pop down instruction or
Record the first jump instruction.As shown in Figure 8, the method S130 includes:
S131, cache instruction running environment;
S132, obtains address and the parameter of the jump instruction preserved in stack, calculates what next will run
Instruction address, this address is the first address;
S133, treats the machine instruction fragment of scheduling/execution according to the first address acquisition;Wherein, wait to dispatch
The last item instruction of machine instruction fragment is the first jump instruction;
S134, replacing the first jump instruction is pop down instruction, records the first jump instruction in pop down instructs
Address and operand;
S135, adds the second jump instruction after pop down instructs, and generation has two address restructuring and refers to
Make fragment;The entry address of described second jump instruction directional order restructuring platform;With
S136, recovers described instruction operation environment, and jumps to the second address and continue executing with.
It will appreciated by the skilled person that the function provided in each embodiment above-mentioned or feature can
To be superimposed upon according to the actual needs in same embodiment, combination is given the most one by one, below
Only give one example illustrative.
According to a further embodiment of the invention, it is provided that a kind of instruction recombination method, as illustrated in fig. 9, bag
Include:
(1) cache instruction running environment, described instruction operation environment includes whole CPU environment and interior
Dis environment;Obtain address and the parameter of the jump instruction preserved in stack, calculate next finger that will run
Make address (zero-address), the first address is set to zero-address;
(2) utilize the first address to search address correspondence table (also referred to as address search table), if found
Record, recovers the instruction operation environment cached, and the corresponding address jumping to find is (corresponding in address
Address in table is internal) continue executing with;
(3) without finding record, start from the first address to obtain pending machine instruction fragment,
The ending of instruction fragment is jump instruction (jump instruction address is the 3rd address);
(4) from the beginning of the first address, machine code is carried out dis-assembling, and by dis-assembling result by one
Individual lexical analyzer processes, and generates the assembly code after restructuring, until the 3rd address;
(5) judge whether the code at the 3rd address can process further, the jumping at the i.e. the 3rd address
The destination address turning instruction is known quantity (such as, immediate), if it can, arranged the first address
It is the 3rd address (or destination address of the 3rd address), restarts to perform (3);
(6) if it is not possible, the assembly code after the restructuring generated is last, pop down instruction note is added
Record original address position (value of the i.e. the 3rd address) and the operand of current 3rd address, and refer at pop down
Add after order and jump to the instruction that restructuring platform starts, step (1) i.e. can be made to start again at execution;
(7) assembly code after the restructuring that will generate generates corresponding machine code by assembler, and deposits
It is stored in restructuring address space the address (the second address) distributed, and by the second address and zero-address
It is stored in the correspondence table of address with the form of corresponding address pair;
(8) recover environment, and jump to the second address and continue executing with.
Understanding for convenience, the method that now running this embodiment with X86 system processor provides is said
Bright, with reference to Fig. 9 b-9d, an instantiation procedure of instruction recombination is as follows:
(1) after restructuring platform is started working, first caching present instruction running environment;Obtain in stack and protect
The address of the jump instruction deposited and parameter, calculate next instruction address that will run, and this address is
One address.
(2) utilizing the first address to search address correspondence table, if finding record, recovery is cached
Instruction operation environment, and the corresponding address jumping to find continues executing with (Fig. 9 b);Without finding
Record, proceeds as follows (Fig. 9 c).
(3) machine code, from the beginning of the first address, is carried out dis-assembling by-(6), and by dis-assembling result
Processed by a lexical analyzer, generate restructuring code;
This paragraph assembly code is retrieved, checks whether and comprise jump instruction;
First jump instruction is analyzed, it is judged that whether its jump target addresses is known quantity, if
Being known quantity, then continually look for, until finding Article 1 argument address jump instruction, referred to as first redirects
Instruction, the address of this instruction is the 3rd address;
(from the first address to the machine instruction of the 3rd address, the first jumping is not included at the assembly code generated
Turn instruction) be eventually adding pop down instruction record current 3rd address the first original address position redirected and
Operand;
Add after pop down instructs and jump to the instruction (the second jump instruction) that restructuring platform starts.
(7) assembly code generated is generated corresponding machine code by assembler, and be stored in restructuring
The address (the second address) distributed in address space;
Second address is stored in the corresponding table in address with the form of corresponding address pair with zero-address.
(8) recover environment, and jump to the second address and continue executing with.
(Fig. 9 d) processor starts to perform two address instruction, in instruction fragment to be reorganized before
Jump instruction has replaced with pop down instruction and has redirected the instruction of duplicate removal group platform, the mesh that pop down instruction is main
Be to restructuring platform provide input parameter.(Fig. 9 d), when going to the second jump instruction, restructuring is flat
Platform retrieves execution, carries out above-mentioned step (1), by checking that preserve in pop down instruction redirects finger
The address of order and parameter, calculate next instruction address that will run, and this address is the first address.
The process afterwards i.e. circulation of said process.
Further, in order to i.e. perform instruction monitoring when running after system start-up, it is achieved calculate and set
Instruction full monitoring during the operation of standby operation phase, in another embodiment of the present invention, amendment computer opens
Load instruction time dynamic, calls, before load instruction performs, the instruction recombination platform that the present invention provides,
Perform instruction recombination method during above-mentioned operation, due to load instruction jump address be known regularly
Location, instruction recombination platform can establish address correspondence table and this Article 1 record in advance, and establish
First restructuring instruction fragment.
Further, according to a further embodiment of the invention, it is provided that a kind of computer-readable medium, its
In, in described computer-readable recording medium, storage has the executable program code of computer, and described program code is used for
The step of instruction recombination method during the operation provided in above-described embodiment is provided.
Further, according to a further embodiment of the invention, it is provided that a kind of computer program, wherein,
The step of instruction recombination method when described computer program comprises the operation provided in above-described embodiment.
Instruction recombination for data safety
During above-mentioned operation, instruction recombination method provides the foundation for further application.The following examples
In provide various instruction recombination method when carrying out, for different machines instruction, the operation processed, including
Storage/read instruction, I/O instructs, and network transmission instruction:
(1) storage/read instruction refers to all in computer system External memory equipment (is included but do not limited
In disk, mobile storage, optical storage) carry out the instruction or the instruction combination that store/read.
(2) instruction of the address space of all operations peripheral hardware during I/O refers to computer system, these refer to
Order eventually affects peripheral hardware input/output state, data, signal etc..Here I/O Address space
Include but not limited to (I/O address space, memory-mapped I/O device address space).
(3) network transmission refers to the instruction of the had an impact network equipment in computer system, and these refer to
Order eventually affects all relevant spies such as the transmission of computer system network equipment, state, data, signal
Property.
Wherein, storage/common factor can be there is between reading instruction with I/O instruction.
According to one embodiment of the invention, it is provided that a kind of for instruction recombination when storing/read the operation instructed
Method S400, including:
S401, cache instruction running environment;Described instruction operation environment includes that address register, address are posted
Storage preserves the address of next machine instruction that will run, and this address is the first address;
S402, utilizes described first address search address correspondence table;
S403, if finding corresponding record, refers to the restructuring that described first address A is revised as having preserved
Make the address A ' of fragment;
S404, without finding corresponding record, the generation method of restructuring instruction fragment includes:
S4041, obtains machine instruction fragment to be dispatched;Wherein, machine instruction fragment to be scheduled
The last item instruction be the first jump instruction;Identical with step S102;
S4042, machine instruction fragment to be dispatched described in dis-assembling, obtain assembly instruction fragment;
S4043, searched targets assembly instruction, described target assembly instruction is storage/reading instruction;
S4044, if retrieval obtains the storage in described assembly instruction fragment/reading instruction, repaiies
Change storage therein and reading address is the address on safety storage apparatus;Amendment mode can
Think the direct mapping between home address space and safety storage apparatus address space;
S4045, before described first jump instruction JP1, inserts the second jump instruction JP2, institute
State the entry address of JP2 directional order restructuring platform;
S4046, the assembly instruction fragment revised of compilation, generates and has address A " restructuring machine
Device instruction fragment;
S4047, utilizes restructuring machine instruction fragment address A " with the first address A in described address
Corresponding table is set up a record (or address to), there is address A " restructuring instruct sheet
Section is stored in restructuring instruction platform;
S4048, is revised as the second address A by the first address A ";
S405, recovers described instruction operation environment.
The present embodiment carries out instruction process after dis-assembling step;In other embodiments, it is possible to
To omit dis-assembling and corresponding compilation step, direct handling machine instructs.
In step S4044, operate for storage and reading instruction, revise target therein and source
Address, to realize storage reorientation/redirection, it is ensured that data safety.More specifically safety storage/read
The following examples that will provide in the present invention of method in introduce.
According to one embodiment of the invention, it is provided that a kind of for I/O instruction operation time instruction recombination method
S500, including:
S501, cache instruction running environment;Described instruction operation environment includes that address register, address are posted
Storage preserves the address of next machine instruction that will run, and this address is the first address;
S502, utilizes described first address search address correspondence table;
S503, if finding corresponding record, refers to the restructuring that described first address A is revised as having preserved
Make the address A ' of fragment;
S504, without finding corresponding record, the generation method of restructuring instruction fragment includes:
S5041, obtains machine instruction fragment to be dispatched;Wherein, machine instruction fragment to be scheduled
The last item instruction be the first jump instruction;Identical with step S102;
S5042, machine instruction fragment described in dis-assembling, obtain assembly instruction fragment;
S5043, searched targets assembly instruction, described target assembly instruction is I/O instruction;
S5044, if retrieval obtains the I/O instruction in described assembly instruction fragment, by described I/
Input instruction in O instruction all stops;
S5045, before described first jump instruction JP1, inserts the second jump instruction JP2, institute
State the entry address of JP2 directional order restructuring platform;
S5046, the assembly instruction fragment revised of compilation, generates and has address A " restructuring machine
Device instruction fragment;
S5047, utilizes restructuring machine instruction fragment address A " with the first address A in described address
Corresponding table is set up a record (or address to), there is address A " restructuring instruct sheet
Section is stored in restructuring instruction platform;
S5048, is revised as the second address A by the first address A ";
S505, recovers described instruction operation environment.
The present embodiment carries out instruction process after dis-assembling step;In other embodiments, it is possible to
To omit dis-assembling and corresponding compilation step, direct handling machine instructs.
In step S5044, operating for I/O instruction, the input in being instructed by described I/O refers to
Order all stops, to realize thoroughly blocking the write operation to local hardware device;In conjunction with a upper embodiment
In storage instruction processing procedure, it is also possible to realize to except storage instruction in addition to input instruct prevention,
The Information Security in calculating equipment can be improved.
According to one embodiment of the invention, it is provided that a kind of for network transmission instruction operation time instruction recombination
Method S600, including:
S601, cache instruction running environment;Described instruction operation environment includes that address register, address are posted
Storage preserves the address of next machine instruction that will run, and this address is the first address;
S602, utilizes described first address search address correspondence table;
S603, if finding corresponding record, refers to the restructuring that described first address A is revised as having preserved
Make the address A ' of fragment;
S604, without finding corresponding record, the generation method of restructuring instruction fragment includes:
S6041, obtains machine instruction fragment to be dispatched;Wherein, machine instruction fragment to be scheduled
The last item instruction be the first jump instruction;Identical with step S102;
S6042, machine instruction fragment to be dispatched described in dis-assembling, obtain assembly instruction fragment;
S6043, searched targets assembly instruction, described target assembly instruction is network transmission instruction;
S6044, if retrieval obtains the network transmission instruction in described assembly instruction fragment, inspection
Whether the remote computing devices that described network transmits the destination address in instruction corresponding is safety
Address, if it is not, stop the transmission instruction of described network;
S6045, before described first jump instruction JP1, inserts the second jump instruction JP2, institute
State the entry address of JP2 directional order restructuring platform;
S6046, the assembly instruction fragment revised of compilation, generates and has address A " restructuring machine
Device instruction fragment;
S6047, utilizes restructuring machine instruction fragment address A " with the first address A in described address
Corresponding table is set up a record (or address to), there is address A " restructuring instruct sheet
Section is stored in restructuring instruction platform;
S6048, is revised as the second address A by the first address A ";
S605, recovers described instruction operation environment.
In step S6044, stop/refusal network transmission instruction can be by code in the reassembled
Insert one, to a plurality of instruction, the transmission instruction of itself is replaced with " instruction cancelling current operation " or straight
Take over and be changed to illegal command, depending on the difference of hardware to be regarded.
The present embodiment carries out instruction process after dis-assembling step;In other embodiments, it is possible to
To omit dis-assembling and corresponding compilation step, direct handling machine instructs.
In step S6044, operate for network transmission instruction, check the transmission instruction of described network
In remote computing devices corresponding to destination address whether be secure address;If it is not, stop described net
Network transmission instruction, to realize Security Data Transmission.
Address correspondence table in above-mentioned multiple embodiment is set up by instruction recombination platform and safeguards, permissible
It is the structure of arrays of regular length, it is also possible to be the list structure of variable-length, it is also possible to be other storages
The suitable data structure of binary data.Preferably, its adjustable in length, and it takes up room and can release
Put.The operation of release address correspondence table can be carried out at random, it is also possible to the cycle is carried out.In some embodiments
In, described address correspondence table can also include that time field set up in record, for deleting at Free up Memory
During record, according to the length deletion record of the time of setting up.In certain embodiments, described address is corresponding
Table can also include recording access times field, in searching address correspondence table step, if it is found, will
Change the value of this field;Described record access times field is also used for, when Free up Memory deletion record, pressing
How many deletion records according to access times.
It addition, it will be understood to those skilled in the art that above-mentioned instruction recombination method (refers to when i.e. running
Make recombination method) method of software or hardware can be used to realize:
(1) if implemented in software, then the step that said method is corresponding is deposited with the form of software code
Storage on a computer-readable medium, becomes software product;
(2) if realized with hardware, then the step that said method is corresponding is with hardware identification code (such as
Verilog) describe, and solidify (through processes such as physical Design/placement-and-routing/fab flows)
For chip product (such as processor products).It is described in detail below.
Instruction recombination device
Corresponding with instruction recombination method S100 during above-mentioned operation, according to one embodiment of the invention,
Instruction recombination device when providing one to run.As shown in Figure 10, instruction recombination device 500 includes:
Instruction operation environment caching and recovery unit 501, be suitable to caching and recover instruction operation environment;
Described instruction operation environment includes address register, and this address register preserves what next will run
The address of machine instruction, this address is the first address;
Instruction acquiring unit 502, is suitable to, after unit 501 cache instruction running environment, obtain and wait to adjust
The machine instruction fragment of degree;Wherein, the last item instruction of machine instruction fragment to be scheduled is first
Jump instruction;
Instruction recombination unit 503, is suitable to resolve, revise described machine instruction fragment to be scheduled, bag
Include: before the first jump instruction, insert the second jump instruction, generate and there is the second address A " restructuring
Instruction fragment;Described second jump instruction indicator device 500, after i.e. performing this second jump instruction, dress
Put 500 instruction operation environment caching and recovery unit 501 process next time;With
Address replacement unit 504, is suitable to the address register in the instruction operation environment of described caching
Value be revised as restructuring instruction fragment address.
Described instruction operation environment caching and recovery unit 501 respectively with instruction acquiring unit 502 and
Address replacement unit 504 couples, described instruction acquiring unit 502, instruction recombination unit 503 and ground
Location replacement unit 504 couples successively.
It is as follows that device 500 performs process:
First, instruction operation environment caching and recovery unit 501 cache instruction running environment, such as to
Caching stack is pressed into the register data that instruction operation is relevant;
Then, described instruction acquiring unit 502 reads to be scheduled from cpu address depositor 511
Machines instruction address, and instruct fragment, described machine instruction from described machines instruction address read machine
The instruction of fragment the last item is jump instruction;
Such as, instruction acquiring unit 502 reads machine to be scheduled from cpu address depositor 511
Instruction address;With jump instruction as searched targets, the machine retrieving described machines instruction address corresponding refers to
Order, until finding first jump instruction;Described jump instruction includes such as Jump instruction and Call
Instruction etc.;Wait to dispatch as one using described first jump instruction and all machine instructions before thereof
Machine instruction fragment;This machine instruction fragment is saved in device 500, or other device 500
The storage position that can read;
Then, instruction recombination unit 503 instructs at the last item of the machine instruction fragment of described acquisition
Before, insert the second jump instruction, the entry address of described second jump instruction indicator device 500, life
Become there is address A " restructuring instruction fragment;
Then, address replacement unit 504 is by the address register in the instruction operation environment of described caching
Value A be revised as address A ";
Finally, instruction operation environment caching and recovery unit 501 recover described instruction operation environment, example
As ejected, from caching stack, the register data that instruction operation is relevant.
Corresponding with instruction recombination method S300 during above-mentioned operation, described instruction acquiring unit 502 can
Using by first non-constant address jump instruction as the first jump instruction.To improve holding of reconstruction unit
Line efficiency.
Corresponding with instruction recombination method S200 during above-mentioned operation, according to a further embodiment of the invention,
Instruction recombination device when providing one to run, it is possible to instruction repeatability when making full use of operation, improves effect
Rate, saves and calculates resource.
As shown in figure 11, instruction recombination device 600 includes:
Instruction operation environment caching and recovery unit 601, be suitable to caching and recover instruction operation environment;
Described instruction operation environment includes that address register, address register preserve next machine that will run
The address of device instruction, this address is the first address;
Instruction acquiring unit 602, is suitable to obtain machine instruction fragment to be scheduled;Wherein, wait to dispatch
Machine instruction fragment the last item instruction be the first jump instruction;
Instruction recombination unit 603, is suitable to machine instruction fragment to be dispatched described in parsing, amendment, including:
Before the first jump instruction, insert the second jump instruction, to generate, there is two address restructuring instruction sheet
Section;Described second jump instruction indicator device 600, after i.e. performing this second jump instruction, device 600
Instruction operation environment caching and recovery unit 601 process next time;
Address replacement unit 604, is suitable to the address register in the instruction operation environment of described caching
Value be revised as restructuring instruction fragment address;With
Instruction retrieval unit 605, is suitable to utilize described first address search address correspondence table;Describedly
Location correspondence table is treated whether dispatch command fragment has preserved for is represented that the first address A points to
Restructuring instruction fragment, the data of address correspondence table are address pair;
If finding corresponding record, instruction retrieval unit 605 is suitable to call address replacement unit 604,
Described first address A (i.e. value A of address register) is revised as the restructuring instruction fragment preserved
Address A ';Without finding corresponding record, instruction retrieval unit is suitable to utilize the second address
A " sets up a record with address A in the corresponding table in described address.
Described instruction operation environment caching and recovery unit 601 respectively with instruction retrieval unit 605 and
Address replacement unit 604 couples, described instruction retrieval unit 605 respectively with instruction acquiring unit 602,
Instruction recombination unit 603 and address replacement unit 604 couple, and described instruction acquiring unit 602, refer to
Recomposition unit 603 and address replacement unit 604 is made to couple successively.
The execution process of device 600 is as follows:
First, instruction operation environment caching and recovery unit 601 cache instruction running environment, such as to
Caching stack is pressed into the register data that instruction operation is relevant;
Then, the address during instruction retrieval unit 605 utilizes the instruction operation environment of described caching is deposited
Value A of device searches address correspondence table;
If finding corresponding record, instruction retrieval unit 605 call address replacement unit 604, ground
Value A of described address register is revised as value A in record by location replacement unit 604 ';Address is replaced
Change unit 604 call instruction running environment caching and recovery unit 602, to recover described instruction operation
Environment, i.e. ejects, from caching stack, the register data that instruction operation is relevant, and this reorganization operation terminates;
Without finding corresponding record, described instruction acquiring unit 602 is deposited from cpu address
Device reads machines instruction address to be scheduled, and instructs sheet from described machines instruction address read machine
Section, the instruction of described machine instruction fragment the last item is jump instruction.Concrete, instruct acquiring unit
602 read machines instruction address to be scheduled from cpu address depositor;With jump instruction for retrieval mesh
Mark, retrieves the machine instruction that described machines instruction address is corresponding, until finding first jump instruction;
Described jump instruction includes Jump instruction and Call instruction etc.;By described first jump instruction and
All machine instructions before are as a machine instruction fragment to be scheduled;By this machine instruction fragment
It is saved in device 600, or the storage position that other device 600 can read;
Then, instruction recombination unit 603 instructs at the last item of the machine instruction fragment of described acquisition
Before, insert the second jump instruction, the entry address of described second jump instruction indicator device 600, life
Become there is address A " restructuring instruction fragment;
Then, instruction recombination unit 603 is by address A " is sent to instruction retrieval unit 605, instruction inspection
Cable elements 605 utilizes address A " sets up a record with the corresponding table in address A address wherein;
In case subsequent instructions is reused;
Then, address replacement unit 604 is by the address register in the instruction operation environment of described caching
Value A be revised as address A ";
Finally, instruction operation environment caching and recovery unit 601 recover described instruction operation environment, i.e.
Eject, from caching stack, the register data that instruction operation is relevant.
With continued reference to Figure 11, wherein, instruction recombination unit 603 can also include:
Instruction resolution unit 6031, is suitable to utilize instruction set to mate described machine instruction fragment, is treated
The target machine instructions (i.e. utilizing target instruction target word to retrieve machine instruction fragment to be scheduled) processed;Institute
State instruction set and include X86, MIPS and ARM instruction set;
Instruction modification unit 6032, is suitable in a predetermined manner, revises described target machine instructions.
Such as, if described target instruction target word is storage/reading instruction, described instruction resolution unit 6031
Will be responsible for the storage/reading instruction obtaining in machine instruction fragment to be scheduled, described instruction modification unit
6032 amendment storages therein and reading address are the address on safety storage apparatus.Its effect and effect
Identical with above-mentioned corresponding embodiment of the method S400, repeat no more here.
The most such as, if described target instruction target word is I/O instruction, described instruction resolution unit 6031 will be negative
Duty obtains the I/O instruction in machine instruction fragment to be scheduled, and described instruction modification unit 6032 is by institute
The input instruction stated in I/O instruction all stops.Its effect and effect are implemented with above-mentioned corresponding method
Example S500 is identical, repeats no more here.
The most such as, if described target instruction target word is network transmission instruction, described instruction resolution unit 6031
Will be responsible for the network transmission instruction obtaining in machine instruction fragment to be scheduled, described instruction modification unit
Whether 6032 remote computing devices checking the destination address in the transmission instruction of described network corresponding are peace
Full address;If it is not, described instruction modification unit is suitable to stop the transmission instruction of described network.It is made
With identical with above-mentioned corresponding embodiment of the method S600 with effect, repeat no more here.
According to a further embodiment of the invention, above-mentioned instruction recombination unit can also include dis-assembling unit
And assembly unit.As shown in figure 12, instruction recombination unit 703 includes: the dis-assembling coupled successively
Unit 7031, instructs resolution unit 7032, instruction modification unit 7033 and assembly unit 7034.
Wherein, dis-assembling unit 7031 is suitable to resolving, revising described machine instruction sheet to be scheduled
Before Duan, machine instruction fragment to be scheduled described in dis-assembling, generate assembly instruction fragment to be scheduled;
It is sent to instruct resolution unit 7032.
Assembly unit 7034 is suitable to after resolving, revising described machine instruction fragment to be scheduled,
Assembly instruction fragment after compilation restructuring, obtains the restructuring instruction fragment that machine code represents;It is sent to refer to
Make replacement unit.
In this embodiment, described instruction resolution unit 7032 and instruction modification unit 7033 will operations
Assembly instruction fragment to be scheduled.
Corresponding with instruction recombination method S110 during above-mentioned operation, according to a further embodiment of the invention,
Instruction recombination device when providing one to run.As shown in figure 13, instruction recombination device 800 includes:
Instruction operation environment caching and recovery unit 801, be suitable to cache instruction running environment;
Instruction acquiring unit 802 and the first storage position 803, wherein, instruction acquiring unit 802 is fitted
In reading destination address from the first storage position 803, and obtain according to destination address and treat scheduling/perform
Machine instruction fragment;Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction;
And
Instruction recombination unit 804, is suitable to preserve the target of the first jump instruction in the first storage position 803
Address, replaces with the second jump instruction by the first jump instruction, generates and has two address restructuring instruction
Fragment;The entry address of described second jump instruction indicator device 800.
Wherein, instruction operation environment caching and recovery unit 801 are further adapted at instruction recombination unit 804
After replacement instruction, recover described instruction operation environment, and jump to the second address and continue executing with.
The execution process of device 800 is as follows:
First, instruction operation environment caching and recovery unit 801 cache instruction running environment;
Then, instruction acquiring unit 802 reads destination address (wait to dispatch from the first storage position 803
Instruction address), obtain machine instruction fragment to be dispatched according to destination address;Wherein, machine to be dispatched refers to
The last item instruction making fragment is the first jump instruction;
Then, instruction recombination unit 804 preserves the mesh of the first jump instruction in the first storage position 803
Mark address;Its value is preserved for immediate, its address/quote is preserved for variable parameter;
Then, the first jump instruction is replaced with the second jump instruction by instruction recombination unit 804, generates
There is two address restructuring instruction fragment;
Finally, instruction operation environment caching and recovery unit 801 recover described instruction operation environment, and
Jump to the second address continue executing with.
According to a further embodiment of the invention, it is provided that instruction recombination device during a kind of operation, with above-mentioned side
Method S130 is corresponding, and comprises the feature of the device provided in some embodiment above-mentioned.Such as Figure 14
Shown in, this device 900 includes:
Instruction operation environment caching and recovery unit 901, be suitable to caching and recover instruction operation environment;
Instruction acquiring unit 902, being suitable to obtain next by the way of input parameter calculating will run
Instruction address, this address is the first address;It is further adapted for treating the machine of scheduling/execution according to the first address acquisition
Device instruction fragment;Wherein, the last item instruction of machine instruction fragment to be dispatched is the first jump instruction;
Instruction recombination unit 903, being suitable to replace the first jump instruction is pop down instruction, in pop down instructs
Record address and the operand of the first jump instruction;It is further adapted for after pop down instructs adding second and redirects finger
Order, generates and has two address restructuring instruction fragment;Described second jump instruction indicator device 900
Entry address;It is further adapted in the corresponding table in address, build the second address of restructuring instruction fragment with the first address
A vertical record;
Instruction retrieval unit 904, is suitable to utilize described first address search address correspondence table;Describedly
For what expression the first address was pointed to, location correspondence table treats whether dispatch command fragment has the weight preserved
Group instruction fragment, the data of address correspondence table are address pair;
If finding corresponding record, instruction retrieval unit 904 is suitable to call instruction running environment caching
The instruction operation environment cached with recovery unit 901 recovery, and jump to the corresponding address continuation found
Perform (reorganization operation completes);
Without finding corresponding record, call instruction recomposition unit 903 carries out reorganization operation.
Wherein, instruction recombination unit 903 can also include dis-assembling unit 9031, instructs resolution unit 9
032, instruction modification unit 9033, and assembly unit 9034.
Wherein, when instruction recombination unit 902 complete restructuring after, be suitable to call instruction running environment caching and
Recovery unit 901 recovers the instruction operation environment cached, and continues in the address jumping to restructuring instruction fragment
Continuous execution (this reorganization operation completes).
According to a further embodiment of the invention, above-mentioned dis-assembling unit 9031 may be located at instruction and obtains list
Among unit 902, carried out dis-assembling when obtaining instruction fragment to be scheduled by it and operate.
It will be understood by those skilled in the art that the arrow of data stream in the accompanying drawing of said apparatus embodiment
Only to facilitate the concrete operations flow process in explanation above-described embodiment, do not limit unit in figure
Between data flow or closure, for coupling relation between unit in device.
Above with instruction recombination method and apparatus when describing operation that some embodiments are detailed, its with
Prior art is compared, and has the advantage that
By instruction recombination method, the instruction of calculating equipment can be monitored under instruction operation state;
Utilize address correspondence table, improve instruction recombination efficiency, save calculating resource;
Operate for storage and reading instruction, revise target therein and source address, to realize depositing
Storage reorientation/redirection, it is ensured that data safety;
Operating for I/O instruction, the input instruction in being instructed by described I/O all stops, with
Realize thoroughly blocking the write operation to local hardware device;Can also realize in addition to storage instruction
The prevention of input instruction, can improve the Information Security in calculating equipment;
Operate for network transmission instruction, check the destination address pair in the transmission instruction of described network
Whether the remote computing devices answered is secure address;If it is not, stop the transmission instruction of described network,
To realize Security Data Transmission.
It should be noted that and understand, in the spirit without departing from the present invention required by appended claims
In the case of scope, it is possible to the present invention of foregoing detailed description is made various modifications and improvements.Cause
This, it is desirable to the scope of the technical scheme of protection is not limited by given any specific exemplary teachings.
Claims (16)
1. instruction recombination method when running, including:
Step 1, cache instruction running environment;
Step 2, the address obtaining the jump instruction preserved in stack and parameter, calculating next will transport
The instruction address of row, this address is the first address;
Step 3, according to the first address acquisition machine instruction to be dispatched fragment;Wherein, machine to be dispatched refers to
The last item instruction making fragment is the first jump instruction;
Step 4, to replace the first jump instruction be pop down instruction, records and first redirect finger in pop down instructs
The address of order and operand;
Step 5, after pop down instructs, add the second jump instruction, generate and there is two address restructuring
Instruction fragment;The entry address of described second jump instruction directional order restructuring platform;With
Step 6, recover described instruction operation environment, and jump to the second address and continue executing with.
2. instruction recombination method during operation as claimed in claim 1, in step 3, according to the first ground
Location obtains machine instruction fragment to be dispatched and includes:
From the beginning of the first address, obtain one section of machine instruction to be scheduled, this section of machine instruction is carried out instead
Compilation;
Checking in dis-assembling result and whether comprise jump instruction, if do not comprised, continuing to obtain one section below
Machine instruction to be scheduled, until matching jump instruction, this jump instruction is the first jump instruction;
Wherein, the first jump instruction and all instructions before form machine instruction fragment to be dispatched.
3. instruction recombination method when running as claimed in claim 2, step 5 and step 6 it
Between, also include:
Assembly code after the restructuring that will generate generates corresponding machine code by assembler.
4. instruction recombination method when running as claimed in claim 1, step 2 and step 3 it
Between, also include:
Utilize described first address search address correspondence table;Described address correspondence table is used for representing to be waited to dispatch
Machine instruction fragment whether have preserved restructuring instruction fragment;
If finding corresponding record, recovering described instruction operation environment, and jumping to the guarantor in record
Deposit address to continue executing with.
5. instruction recombination method during operation as claimed in claim 4, if in the correspondence table of address
Do not find corresponding record, after step 5, also include:
The address utilizing restructuring instruction fragment sets up one with described first address in the corresponding table in address
Record.
6. instruction recombination method when running as claimed in claim 1, after step 3, step 5
Before, also include:
Machine instruction fragment to be dispatched described in parsing, utilizes instruction set to mate described machine instruction fragment,
Obtain pending target machine instructions;
In a predetermined manner, described target machine instructions is revised.
7. instruction recombination method during operation as claimed in claim 6, wherein, described target machine
Instruction is storage/reading instruction;
In a predetermined manner, revise described target machine instructions to include: revise storage therein and reading
Taking address is the address on safety storage apparatus.
8. instruction recombination method during operation as claimed in claim 6, wherein, described target machine
Instruct and instruct for I/O;
In a predetermined manner, revise described target machine instructions to include: in being instructed by described I/O
Input instruction all stops.
9. instruction recombination method during operation as claimed in claim 6, wherein, described target machine
Instruct as network transmission instruction;
In a predetermined manner, revise described target machine instructions to include: check the transmission of described network to refer to
Whether remote computing devices corresponding to destination address in order is secure address;If it is not, stop institute
State network transmission instruction.
10. instruction recombination device when running, including:
Instruction operation environment caching and recovery unit, be suitable to caching and recover instruction operation environment;
Instruction acquiring unit, couples with instruction operation environment caching and recovery unit, is suitable to obtain in stack
The address of the jump instruction preserved and parameter, calculate next instruction address that will run, and this address is
First address;It is further adapted for according to the first address acquisition machine instruction to be scheduled fragment;Wherein, wait to dispatch
The last item instruction of machine instruction fragment is the first jump instruction;With
Instruction recombination unit, couples with instruction operation environment caching and recovery unit, is suitable to replace first
Jump instruction is pop down instruction, records address and the operand of the first jump instruction in pop down instructs;Also
Be suitable to add the second jump instruction after pop down instructs, generate and there is two address restructuring instruction sheet
Section;The entry address of instruction recombination device when running is pointed in described second jump instruction.
Instruction recombination device during 11. operation as claimed in claim 10, also includes:
Instruction retrieval unit, is suitable to utilize described first address search address correspondence table;Described address pair
Answer the restructuring instruction fragment that table has preserved for representing machine instruction fragment to be dispatched whether to have;
If finding corresponding record, instruction retrieval unit be further adapted for call instruction running environment caching and
Recovery unit, recovers described instruction operation environment, and the preservation address jumped in record continues executing with;
Without finding corresponding record, instruction retrieval unit is further adapted for utilizing restructuring instruction fragment
A record is set up with described first address in the corresponding table in address in address.
Instruction recombination device during 12. operation as claimed in claim 10, described instruction recombination unit
Also include:
Instruction resolution unit, is suitable to utilize instruction set to mate described machine instruction fragment to be scheduled,
To pending target machine instructions;
Instruction modification unit, is suitable in a predetermined manner, revises described target machine instructions.
Instruction recombination device during 13. operation as claimed in claim 12, wherein, described target machine
Device instruction is storage/reading instruction;
Described instruction modification unit is suitably modified to storage therein and reading address is safety storage apparatus
On address.
Instruction recombination device during 14. operation as claimed in claim 12, wherein, described target machine
Device instruction instructs for I/O;
The input instruction that described instruction modification unit is suitable in being instructed by described I/O all stops.
Instruction recombination device during 15. operation as claimed in claim 12, wherein, described target machine
Device instruction is network transmission instruction;
Described instruction modification unit is suitable to check the destination address in the transmission instruction of described network corresponding
Whether remote computing devices is secure address;If it is not, described instruction modification unit is suitable to stop institute
State network transmission instruction.
Instruction recombination device during 16. operation as claimed in claim 12, described instruction recombination unit
Also include:
Dis-assembling unit, be suitable to instruction resolution unit resolve described machine instruction fragment to be scheduled it
Before, machine instruction fragment to be scheduled described in dis-assembling, generate assembly instruction fragment to be scheduled;
Assembly unit, is suitable to the assembly instruction fragment after compilation restructuring, obtains the restructuring that machine code represents
Instruction fragment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210325951.7A CN103677769B (en) | 2012-09-06 | 2012-09-06 | Instruction recombination method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210325951.7A CN103677769B (en) | 2012-09-06 | 2012-09-06 | Instruction recombination method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103677769A CN103677769A (en) | 2014-03-26 |
| CN103677769B true CN103677769B (en) | 2016-09-14 |
Family
ID=50315447
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210325951.7A Expired - Fee Related CN103677769B (en) | 2012-09-06 | 2012-09-06 | Instruction recombination method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103677769B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103942499B (en) * | 2014-03-04 | 2017-01-11 | 中天安泰(北京)信息技术有限公司 | Data black hole processing method based on mobile storer and mobile storer |
| CN112395594B (en) * | 2019-08-15 | 2023-12-12 | 奇安信安全技术(珠海)有限公司 | Method, device and equipment for processing instruction execution sequence |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1607503A (en) * | 2003-10-14 | 2005-04-20 | 微软公司 | Systems and methods for using synthetic instruction in a virtual machine |
| US7886287B1 (en) * | 2003-08-27 | 2011-02-08 | Avaya Inc. | Method and apparatus for hot updating of running processes |
| CN102508637A (en) * | 2011-11-22 | 2012-06-20 | 中国科学院软件研究所 | Method for generating energy consumption information of instruction level password equipment |
-
2012
- 2012-09-06 CN CN201210325951.7A patent/CN103677769B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7886287B1 (en) * | 2003-08-27 | 2011-02-08 | Avaya Inc. | Method and apparatus for hot updating of running processes |
| CN1607503A (en) * | 2003-10-14 | 2005-04-20 | 微软公司 | Systems and methods for using synthetic instruction in a virtual machine |
| CN102508637A (en) * | 2011-11-22 | 2012-06-20 | 中国科学院软件研究所 | Method for generating energy consumption information of instruction level password equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103677769A (en) | 2014-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103679039B (en) | Secure storage method of data and device | |
| CN103942499B (en) | Data black hole processing method based on mobile storer and mobile storer | |
| CN102012987B (en) | Automatic behavior analysis system for binary malicious codes | |
| CN103559446B (en) | Dynamic virus detection method and device for equipment based on Android system | |
| US11151252B2 (en) | Just in time memory analysis for malware detection | |
| CN103473501B (en) | A kind of Malware method for tracing based on cloud security | |
| CN103299270B (en) | Instruction recombination method and device during operation | |
| CN103299284A (en) | Method and apparatus for data security reading | |
| CN104461912B (en) | RDMA resource leakages are detected and reported | |
| CN103679040B (en) | Data safe reading method and device | |
| CN103329141B (en) | Safe data storage method and device | |
| CN103677746B (en) | Instruction recombination method and device | |
| CN103927493B (en) | Data black hole processing method | |
| CN103729598B (en) | The safe interacted system of data and method for building up thereof | |
| Javaheri et al. | A framework for recognition and confronting of obfuscated malwares based on memory dumping and filter drivers | |
| CN103677769B (en) | Instruction recombination method and device | |
| CN103677770B (en) | Instruction recombination method and device | |
| CN103942492B (en) | Uniprocessor version data black hole processing method and the equipment of calculating | |
| CN100478974C (en) | Method and device for preventing from computer virus | |
| CN109472135A (en) | A kind of method, apparatus and storage medium of detection procedure injection | |
| CN103679041B (en) | Data safe reading method and device | |
| CN103729600B (en) | Data security interacted system method for building up and data security interacted system | |
| Botacin et al. | Near-memory & in-memory detection of fileless malware | |
| CN103679042B (en) | Secure storage method of data and device | |
| CN109040136A (en) | A kind of detection method and electronic equipment of network attack |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100097 HAIDIAN, BEIJING TO: 100071 FENGTAI, BEIJING |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20150122 Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Applicant after: The safe and sound Information Technology Co., Ltd in sky in Beijing Address before: 100097 Beijing city Haidian District landianchang road Jin Yuan era business center B block 2-6B1 Applicant before: Beijing Zhongtian Antai Technology Co., Ltd. |
|
| CB02 | Change of applicant information |
Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Applicant after: Zhongtian Aetna (Beijing) Information Technology Co. Ltd. Address before: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Applicant before: The safe and sound Information Technology Co., Ltd in sky in Beijing |
|
| COR | Change of bibliographic data | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160914 Termination date: 20180906 |