CN109271414A - IPC-based database local communication auditing method - Google Patents


Info

Publication number: CN109271414A
Authority: CN (China)
Prior art keywords: function, dynamic library, address, oracle, sql
Legal status: Granted
Application number: CN201811477548.XA
Other languages: Chinese (zh)
Other versions: CN109271414B (en)
Inventors: 杨海峰, 廉小伟, 付蓉洁, 王皓
Current assignee: BEIJING ANHUA JINHE TECHNOLOGY CO LTD
Original assignee: BEIJING ANHUA JINHE TECHNOLOGY CO LTD
Priority date: 2018-12-05
Filing date: 2018-12-05
Publication date: 2019-01-25
Application filed by BEIJING ANHUA JINHE TECHNOLOGY CO LTD
Priority to CN201811477548.XA
Publication of CN109271414A
Application granted
Publication of CN109271414B (2021-08-13)
Legal status: Active


Abstract

The invention relates to an IPC-based auditing method for local database communication, comprising the following steps: obtain a dynamic library that hooks the Oracle dynamic library, the dynamic library implementing a custom hook function; when the SQL*Plus program starts, load the hooking dynamic library into the running memory of SQL*Plus, obtain the address of the function that actually performs the IPC communication, patch the original call sequence of that function in the Oracle dynamic library, and audit the communication intercepted from the SQL*Plus process by means of an audit server. The invention audits the Oracle database client tool SQL*Plus over its IPC channel: the function address in SQL*Plus memory is patched, the data exchanged in the communication is mirrored, and the mirrored data is forwarded over TCP to the audit server for auditing. This solves the problem that communication between a traditional database and its client that does not pass over the network cannot be captured; the method is fast and does not affect the execution efficiency or the results of the client.

Description

IPC-based database local communication auditing method
Technical field
The invention belongs to the technical field of database auditing, and in particular relates to an IPC-based auditing method for local database communication.
Background technique
Existing database audit technology can obtain database traffic only from the network or by capturing packets on the network interface card. Traditional database audit products therefore cannot obtain the content of IPC communication between a client and a server on the same host, nor can they audit what command-line client tools execute.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and propose an IPC-based auditing method for local database communication, which solves the problems that traditional database audit products cannot obtain the content of IPC communication between client and server and cannot audit the content of command-line client tools.
The invention achieves this with the following technical solution:
An IPC-based auditing method for local database communication comprises the following steps:
Step 1: obtain a dynamic library that hooks the Oracle dynamic library; this dynamic library implements a custom hook function.
Step 2: when the SQL*Plus program starts, load the hooking dynamic library into the running memory of SQL*Plus, obtain the address of the function that actually performs the IPC communication, patch the original call sequence of that function in the Oracle dynamic library, and audit the information intercepted from the communication between the SQL*Plus process and the server by means of an audit server.
Step 1 is implemented as follows: set the LD_PRELOAD environment variable on the Linux platform, so that the environment variable makes the process load the specified dynamic library.
Step 2 is implemented by the following steps:
Step 2.1: obtain the address of the function that actually performs the IPC communication in the process;
Step 2.2: patch the original call sequence of that function in the Oracle dynamic library;
Step 2.3: call a system function to map a block of memory in the process and write the hook function from the hooking dynamic library of step 1 into it, so that the hook function is present in the running memory of the SQL*Plus process;
Step 2.4: overwrite the address of the original function from step 2.2 with the address of the hook function placed in memory in step 2.3, so that when the Oracle dynamic library calls the function with an assembly instruction, control jumps to the hook function; the hook function intercepts the information communicated between the SQL*Plus process and the server and forwards it to the audit server;
Step 2.5: after the information is captured, execute the original function in the Oracle dynamic library; after the hook function has been called, patch the assembly instructions following the hook function's address again so that control jumps back to the processing flow of the Oracle dynamic library after the original function has executed.
Step 2.1 is implemented as follows:
Step 2.1.1: locate the Oracle dynamic library in the SQL*Plus process through the per-process memory files under /proc on Linux, disassemble the Oracle dynamic library with a command, and find in the assembly code the position of the function that actually performs the IPC communication and of a distinctive verification function;
Step 2.1.2: compute the offsets of the IPC function and of the verification function from the base address of the Oracle dynamic library, that is, the distance from the library's base address to the address of each function.
Step 2.2 is implemented as follows:
Step 2.2.1: first call a system function to open the Oracle dynamic library, then call a system function to obtain the address of the verification function in the running memory of the SQL*Plus process; this address is the offset of the verification function from the start address of the SQL*Plus process (its virtual address in the process);
Step 2.2.2: obtain the address of the function that actually performs the IPC communication as follows:
Subtract the offset obtained in step 2.1.2 from the offset obtained in step 2.2.1; the result is the offset of the base address of the Oracle dynamic library in the running memory of the SQL*Plus process from the start address of the process, which is the load address of the library.
Add to that base-address offset the offset, obtained in step 2.1.2, of the IPC function from the base address of the Oracle dynamic library; the result is the offset of the IPC function in the running memory of the SQL*Plus process from the start address of the process, which is the address of the IPC function. Through this address the call sequence of the function is patched.
The functions that perform the IPC communication include the read() function and the write() function.
The advantages and positive effects of the invention are:
1. The invention audits the Oracle database client tool SQL*Plus over its IPC channel: the function address in SQL*Plus memory is patched, the data exchanged in the communication is mirrored, and the mirrored data is forwarded over TCP to the audit server for auditing. This solves the problem that communication between a traditional database and its client that does not pass over the network cannot be captured.
2. The invention mirrors the data safely and efficiently without damaging it; it is fast and does not affect the execution efficiency or the results of the client. It can be widely applied in network security products such as database audit systems or database firewalls.
3. The invention only needs to be deployed on the client and causes no damage to the data on the server side; it is safe, efficient and practical, and has a certain generality that can serve as a reference for other forms of auditing.
Detailed description of the invention
Fig. 1 is a schematic diagram of how the invention obtains, step by step, the address of the function that actually performs the IPC communication in the Oracle dynamic library;
Fig. 2 is a schematic diagram of the hooking process of the invention.
Specific embodiment
Embodiments of the invention are further described below with reference to the drawings.
An IPC-based auditing method for local database communication, as shown in Figs. 1 and 2, comprises the following steps:
Step 1: obtain a dynamic library that hooks the Oracle dynamic library; this library implements a custom hook function. Only when the library has been loaded into the running memory of the SQL*Plus process can the call flow of the IPC communication be patched.
In this step the LD_PRELOAD environment variable is set on the Linux platform; this variable makes a process load the specified dynamic library. Once the path of the hooking dynamic library has been set in this variable, the SQL*Plus process loads the hooking dynamic library at startup.
Step 2: when the SQL*Plus program starts, the hooking dynamic library is loaded into the running memory of SQL*Plus and, following the Linux convention, SQL*Plus executes the init function of the dynamic library. That function performs the following: it obtains the address of the function that actually performs the IPC communication, patches the original call sequence of that function in the Oracle dynamic library, and has the communication intercepted from the SQL*Plus process audited by the audit server.
The specific process of this step is as follows:
Step 2.1: obtain the address of the function that actually performs the IPC communication in the process. The detailed process is as follows:
Step 2.1.1: locate the Oracle dynamic library in the SQL*Plus process through the per-process memory files under /proc on Linux, disassemble the Oracle dynamic library with a command, and find in the assembly code the positions of the read() function and the write() function that actually perform the IPC communication and of a distinctive verification function. The verification function is unique to this Oracle dynamic library; its purpose is to cancel out the displacement the system introduces when it aligns the dynamic library in memory, that is, the library's load address.
Step 2.1.2: as shown in Fig. 1, compute the offsets (offset 2) of the read() function, the write() function and the verification function from the base address of the Oracle dynamic library, that is, the distance from the library's base address to each of those functions.
Step 2.2: patch the original call sequence of the function in the Oracle dynamic library. The specific method is as follows:
Step 2.2.1: first call a system function to open the Oracle dynamic library, then call a system function to obtain the address of the verification function in the running memory of the SQL*Plus process. This is the address of the verification function after memory alignment, and it is also the offset of the verification function from the start address of the SQL*Plus process (offset 1).
Step 2.2.2: obtain the addresses of the read() function and the write() function that actually perform the IPC communication. The method is as follows:
Step 2.2.2.1: offset 1 is the offset of the verification function obtained in step 2.2.1 from the start address of the SQL*Plus process.
Step 2.2.2.2: offset 2 is the offset of the verification function from the base address of the Oracle dynamic library, obtained in step 2.1.2.
Step 2.2.2.3: subtracting offset 2 of step 2.2.2.2 from offset 1 of step 2.2.2.1 gives the offset of the base address of the Oracle dynamic library in the running memory of the SQL*Plus process from the start address of the process.
Step 2.2.2.4: adding to the result of step 2.2.2.3 the offsets, obtained in step 2.1.2, of the read() and write() functions from the base address of the Oracle dynamic library gives the offsets of the read() and write() functions in the running memory of the SQL*Plus process from the start address of the process (offset 3). These are the addresses of the read() and write() functions that actually perform the IPC communication; with these addresses the call sequence of the functions can be patched.
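The address resolution of steps 2.1 and 2.2, together with the consistency check a practitioner should run before patching anything, as an added example that is not code from the patent or from the assignee. The /proc maps excerpt, the library name liboraclient.so, the paths and every address and offset in it are constructed for the example (the patent does not name the Oracle library file). Offset 1 (what dlsym() returns for the verification function), offset 2 and the read()/write() offsets from the disassembly are the inputs; the function derives the library base and the runtime addresses exactly as step 2.2.2 does, then refuses to proceed unless that base coincides with the library's first mapping and both targets fall inside an executable mapping of the library, which is what fails when the offsets were taken from a different build than the one loaded.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed excerpt of /proc/<pid>/maps for a SQL*Plus process. Addresses,
   inode numbers, paths and the library name liboraclient.so are made up. */
static const char *const SAMPLE_MAPS =
    "5581f2a00000-5581f2a40000 r-xp 00000000 08:01 4001 /opt/oracle/bin/sqlplus\n"
    "7f1c40000000-7f1c40800000 r-xp 00000000 08:01 4002 /opt/oracle/lib/liboraclient.so\n"
    "7f1c40800000-7f1c40a00000 r--p 00800000 08:01 4002 /opt/oracle/lib/liboraclient.so\n"
    "7f1c40a00000-7f1c40a80000 rw-p 00a00000 08:01 4002 /opt/oracle/lib/liboraclient.so\n"
    "7f1c40c00000-7f1c40dc0000 r-xp 00000000 08:01 4003 /lib/x86_64-linux-gnu/libc.so.6\n";

/* Offsets from the library base, read out of the disassembly in step 2.1:
   offset 2 for the verification function, plus the offsets of read() and write(). */
struct static_offsets { uint64_t verify, read, write; };

/* Runtime addresses in the SQL*Plus process (offset 3 for read() and write()). */
struct resolved { uint64_t base, read, write; };

/* Step 2.2: verify_runtime is offset 1, the address dlsym() returns for the
   verification function. base = offset 1 - offset 2; targets = base + static
   offset. Before reporting success the result is checked against the maps:
   the computed base must be the start of the library's first (file offset 0)
   mapping, and both targets must lie inside an executable mapping of that
   library. Offsets from a different build fail here instead of sending the
   patch of step 2.4 into the wrong bytes. Returns 1 on success, 0 otherwise. */
int resolve_ipc_functions(const char *maps, const char *lib, uint64_t verify_runtime,
                          const struct static_offsets *so, struct resolved *out)
{
    uint64_t lib_base = 0;
    int have_base = 0, read_ok = 0, write_ok = 0;
    const char *line = maps;

    if (verify_runtime < so->verify)
        return 0;
    out->base = verify_runtime - so->verify;
    out->read = out->base + so->read;
    out->write = out->base + so->write;

    while (*line) {
        char buf[512], perms[5] = {0}, path[256] = {0};
        uint64_t lo, hi, off;
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* fields: start-end perms offset dev inode path (anonymous mappings have no path) */
        if (sscanf(buf, "%" SCNx64 "-%" SCNx64 " %4s %" SCNx64 " %*s %*s %255s",
                   &lo, &hi, perms, &off, path) == 5 && strstr(path, lib) != NULL) {
            if (off == 0 && !have_base) {
                lib_base = lo;
                have_base = 1;
            }
            if (perms[2] == 'x') {
                if (out->read >= lo && out->read < hi)   read_ok = 1;
                if (out->write >= lo && out->write < hi) write_ok = 1;
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return have_base && out->base == lib_base && read_ok && write_ok;
}

/* Wrapper over the constructed sample: returns the resolved write() address,
   or 0 when the consistency check rejects the inputs. */
uint64_t sample_resolve_write(uint64_t verify_runtime, uint64_t write_static)
{
    struct static_offsets so = { 0x1a2b40, 0x3f1c20, write_static };  /* constructed */
    struct resolved r;
    if (!resolve_ipc_functions(SAMPLE_MAPS, "liboraclient.so", verify_runtime, &so, &r))
        return 0;
    return r.write;
}

int main(void)
{
    /* in the sample process dlsym() would return base 0x7f1c40000000 + offset 2 */
    uint64_t w = sample_resolve_write(0x7f1c401a2b40ULL, 0x3f1d90);
    printf("write() in the loaded library: %#" PRIx64 "\n", w);
    return w ? 0 : 1;
}
```

In a real deployment the maps text comes from /proc/self/maps inside the preloaded library and the static offsets from the disassembly of the exact library build installed on that client; keeping a per-build offset table and running this check at init time is what keeps a library upgrade from turning the audit hook into a crash of every SQL*Plus session.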
Step 2.3: call a system function to map a block of memory in the process and set it writable. Specifically, the hook function from the hooking dynamic library of step 1 is written into this memory, so that the hook function is present in the running memory of the SQL*Plus process.
Step 2.4: overwrite the addresses of the read() and write() functions obtained in step 2.2.2.4 with the address of the hook function placed in memory in step 2.3. When the Oracle dynamic library then calls read() or write() with an assembly instruction, control jumps to the hook function in the hooking dynamic library, and the hook function intercepts the information communicated between the SQL*Plus process and the server and forwards it to the audit server.
Step 2.5: after the information is captured, execute the original read() and write() functions of the Oracle dynamic library so that the original communication flow is preserved. After the hook function has been called, the assembly instructions following the hook function's address are patched again so that control jumps back to the processing flow of the Oracle dynamic library after read() or write() has executed, which keeps the SQL*Plus process operating normally.
Through the above steps, the information communicated between the SQL*Plus process and the server is intercepted and audited, while the original communication flow of the SQL*Plus process is preserved and normal operation is not affected. Since what is intercepted is the data of the client in which the SQL*Plus process runs, the data stored on the server side is not affected in any way; the method is safe, stable and efficient.
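The hook-install, mirror, forward and call-original flow of steps 2.3 to 2.5 (and of the same steps in the summary above), as an added example that is not code from the patent or from the assignee. It models the Oracle client library with a single slot holding the address of its IPC write routine (an assumption: the real slot is located by the offset arithmetic of step 2.2, which this example does not repeat), uses a socketpair in place of the TCP connection to the audit server and a pipe in place of the IPC channel to the database server, and runs its init function as an ELF constructor, which is what the loader executes when the library arrives through LD_PRELOAD. The names oci_send, g_ipc_ops, hook_write, install_audit_hook and demo_run are invented for the example.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>

/* ---- stand-in for the Oracle client library (constructed, not Oracle code) ---- */
/* The library reaches the kernel through a slot holding the address of its IPC
   write routine. The slot plays the part of the call target that step 2.4
   overwrites; "volatile" keeps the compiler from folding the call into a direct one. */
struct ipc_ops { ssize_t (*volatile write)(int, const void *, size_t); };

static ssize_t lib_write(int fd, const void *buf, size_t n) { return write(fd, buf, n); }
struct ipc_ops g_ipc_ops = { lib_write };

/* What the client tool calls to send a request; it knows nothing about the hook. */
ssize_t oci_send(int fd, const void *buf, size_t n) { return g_ipc_ops.write(fd, buf, n); }

/* ---- the audit library (what LD_PRELOAD would inject) ---- */
static ssize_t (*orig_write)(int, const void *, size_t);   /* saved for step 2.5 */
static int audit_fd = -1;          /* the TCP connection to the audit server in the real design */
static char last_capture[256];     /* mirror of the most recent request */
static size_t total_captured;

/* Steps 2.4 and 2.5: mirror, forward to the audit server, then run the original path. */
static ssize_t hook_write(int fd, const void *buf, size_t n)
{
    size_t keep = n < sizeof last_capture - 1 ? n : sizeof last_capture - 1;
    memcpy(last_capture, buf, keep);
    last_capture[keep] = '\0';
    total_captured += n;
    if (audit_fd >= 0)
        (void)write(audit_fd, buf, n);   /* forward; a failure here must not break the client */
    return orig_write(fd, buf, n);       /* the original write() still executes */
}

/* Steps 2.3 and 2.4: make the page holding the slot writable and redirect the slot. */
int install_audit_hook(int forward_fd)
{
    static int installed;
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t slot = (uintptr_t)&g_ipc_ops.write;

    audit_fd = forward_fd;
    if (installed)
        return 0;                        /* never save the hook itself as "original" */
    if (mprotect((void *)(slot & ~(uintptr_t)(page - 1)), (size_t)page,
                 PROT_READ | PROT_WRITE) != 0)
        return -1;                       /* a read-only (RELRO) slot would otherwise fault */
    orig_write = g_ipc_ops.write;
    g_ipc_ops.write = hook_write;
    installed = 1;
    return 0;
}

/* Step 2: the loader runs this before main() when the library is preloaded. */
__attribute__((constructor)) static void audit_init(void)
{
    install_audit_hook(-1);            /* the real library would connect to the audit server here */
}

const char *audit_last_capture(void) { return last_capture; }
size_t audit_total_captured(void) { return total_captured; }

/* Runs the whole flow over local descriptors: a pipe stands in for the IPC channel
   to the database server, a socketpair for the link to the audit server.
   Returns the number of bytes audited, or -1 if either side missed the request. */
long demo_run(void)
{
    int server[2], audit[2];
    const char *sql = "select * from hr.employees";   /* constructed sample request */
    char got_server[64] = {0}, got_audit[64] = {0};
    size_t len = strlen(sql);

    if (pipe(server) != 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, audit) != 0)
        return -1;
    if (install_audit_hook(audit[0]) != 0)
        return -1;
    if (oci_send(server[1], sql, len) != (ssize_t)len)
        return -1;
    if (read(server[0], got_server, sizeof got_server - 1) != (ssize_t)len ||
        read(audit[1], got_audit, sizeof got_audit - 1) != (ssize_t)len)
        return -1;
    close(server[0]); close(server[1]); close(audit[0]); close(audit[1]);
    if (strcmp(got_server, sql) != 0 || strcmp(got_audit, sql) != 0)
        return -1;
    return (long)total_captured;
}

int main(void)
{
    long n = demo_run();
    printf("audited %ld byte(s); last request: %s\n", n, audit_last_capture());
    return n > 0 ? 0 : 1;
}
```

As written the file builds as a plain executable whose main() exercises the flow locally; built as a shared object and named in LD_PRELOAD before SQL*Plus starts, the constructor is the init function of step 2. Two caveats for a deployment: the dynamic loader ignores LD_PRELOAD for set-user-ID programs and the library must be readable from a trusted path, since the hook runs inside the client with the client's privileges; and because the forwarding call sits on the client's request path, the hook should never let a failure of the audit channel propagate into the return value the client sees.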
It should be emphasized that the embodiments of the invention are illustrative and not restrictive; the invention is therefore not limited to the embodiments described in the detailed description, and other embodiments obtained by those skilled in the art from the technical solution of the invention also fall within the scope of protection of the invention.

Claims (5)

1. An IPC-based auditing method for local database communication, characterized in that it comprises the following steps:
Step 1: obtain a dynamic library that hooks the Oracle dynamic library, the dynamic library implementing a custom hook function;
Step 2: when the SQL*Plus program starts, load the hooking dynamic library into the running memory of SQL*Plus, obtain the address of the function that actually performs the IPC communication, patch the original call sequence of that function in the Oracle dynamic library, and audit the communication intercepted from the SQL*Plus process by means of an audit server.
2. The IPC-based auditing method for local database communication according to claim 1, characterized in that step 1 is implemented as follows: set the LD_PRELOAD environment variable on the Linux platform, so that the environment variable makes the process load the specified dynamic library.
3. The IPC-based auditing method for local database communication according to claim 1, characterized in that step 2 is implemented by the following steps:
Step 2.1: obtain the address of the function that actually performs the IPC communication in the process;
Step 2.2: patch the original call sequence of that function in the Oracle dynamic library;
Step 2.3: call a system function to map a block of memory in the process and write the hook function from the hooking dynamic library of step 1 into it, so that the hook function is present in the running memory of the SQL*Plus process;
Step 2.4: overwrite the address of the original function from step 2.2 with the address of the hook function placed in memory in step 2.3, so that when the Oracle dynamic library calls the function with an assembly instruction, control jumps to the hook function; the hook function intercepts the information communicated between the SQL*Plus process and the server and forwards it to the audit server;
Step 2.5: after the information is captured, execute the original function in the Oracle dynamic library; after the hook function has been called, patch the assembly instructions following the hook function's address again so that control jumps back to the processing flow of the Oracle dynamic library after the original function has executed.
4. The IPC-based auditing method for local database communication according to claim 3, characterized in that step 2.1 is implemented as follows:
Step 2.1.1: locate the Oracle dynamic library in the SQL*Plus process through the per-process memory files under /proc on Linux, disassemble the Oracle dynamic library with a command, and find in the assembly code the position of the function that actually performs the IPC communication and of a distinctive verification function;
Step 2.1.2: compute the offsets of the IPC function and of the verification function from the base address of the Oracle dynamic library, that is, the distance from the library's base address to the address of each function;
and step 2.2 is implemented as follows:
Step 2.2.1: first call a system function to open the Oracle dynamic library, then call a system function to obtain the address of the verification function in the running memory of the SQL*Plus process; this address is the offset of the verification function from the start address of the SQL*Plus process;
Step 2.2.2: obtain the address of the function that actually performs the IPC communication as follows:
subtract the offset obtained in step 2.1.2 from the offset obtained in step 2.2.1, giving the offset of the base address of the Oracle dynamic library in the running memory of the SQL*Plus process from the start address of the process;
add to that base-address offset the offset, obtained in step 2.1.2, of the IPC function from the base address of the Oracle dynamic library, giving the offset of the IPC function in the running memory of the SQL*Plus process from the start address of the process, which is the address of the IPC function; through this address the call sequence of the function is patched.
5. The IPC-based auditing method for local database communication according to any one of claims 1 to 4, characterized in that the function performing the IPC communication includes the read() function and the write() function.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811477548.XA CN109271414B (en) 2018-12-05 2018-12-05 IPC-based database local communication auditing method


Publications (2)

Publication Number Publication Date
CN109271414A true CN109271414A (en) 2019-01-25
CN109271414B CN109271414B (en) 2021-08-13

Family

ID=65186340

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811477548.XA Active CN109271414B (en) 2018-12-05 2018-12-05 IPC-based database local communication auditing method



Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6502213B1 (en) * 1999-08-31 2002-12-31 Accenture Llp System, method, and article of manufacture for a polymorphic exception handler in environment services patterns
US6779187B1 (en) * 1999-04-08 2004-08-17 Novadigm, Inc. Method and system for dynamic interception of function calls to dynamic link libraries into a windowed operating system
CN101021804A (en) * 2007-03-13 2007-08-22 华为技术有限公司 Method and apparatus for calling dynamic library and dynamic library server
US20110010379A1 (en) * 2009-07-09 2011-01-13 Xeround Systems Ltd. Database system with query interception and redirection
CN104598823A (en) * 2015-01-21 2015-05-06 华东师范大学 Kernel level rootkit detection method and system in Andriod system
CN105512552A (en) * 2014-09-26 2016-04-20 腾讯科技(深圳)有限公司 Method and device for parameter detection


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
YONG YANG ET AL: "Virus Analysis on IDT Hooks of Rootkits Trojan", IEEE *
周梦婷: "Research on Security Audit Methods for the Android System" (Android系统安全审计方法研究), China Master's Theses Full-text Database (electronic journal), Information Science and Technology *
阙斌生: "Design and Implementation of a Security Monitoring System for Android Application Behavior" (面向Android应用程序行为的安全监控系统设计与实现), China Master's Theses Full-text Database (electronic journal), Information Science and Technology *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111026609A (en) * 2019-12-06 2020-04-17 深信服科技股份有限公司 Information auditing method, system, equipment and computer readable storage medium
CN111026609B (en) * 2019-12-06 2021-11-19 深信服科技股份有限公司 Information auditing method, system, equipment and computer readable storage medium
CN113660292A (en) * 2021-10-19 2021-11-16 北京安华金和科技有限公司 Method and device for acquiring information of calling client main body
CN114024865A (en) * 2021-10-29 2022-02-08 中国电信股份有限公司 Network auditing method, device and system based on Linux process function
CN114024865B (en) * 2021-10-29 2023-08-08 中国电信股份有限公司 Network auditing method, device and system based on Linux process function
CN114268496A (en) * 2021-12-22 2022-04-01 杭州安恒信息技术股份有限公司 Database local audit method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN109271414B (en) 2021-08-13


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant