CN109271414B - IPC-based database local communication auditing method - Google Patents

Info

Publication number
CN109271414B
Authority
CN
China
Prior art keywords
function
dynamic library
address
oracle
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811477548.XA
Other languages
Chinese (zh)
Other versions
CN109271414A (en)
Inventor
杨海峰
廉小伟
付蓉洁
王皓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dbsec Technology Co ltd
Original Assignee
Beijing Dbsec Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Dbsec Technology Co ltd
Priority to CN201811477548.XA
Publication of CN109271414A
Application granted
Publication of CN109271414B
Active legal-status
Anticipated expiration legal-status

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to an IPC-based database local communication auditing method comprising the following steps: obtaining a dynamic library that hooks the Oracle dynamic library, the dynamic library implementing a custom hook function; when the SQL*Plus program starts, loading the hooking dynamic library into the running memory of the SQL*Plus program, obtaining the address of the IPC communication function, tampering with the original execution-function calling sequence in the Oracle dynamic library, and forwarding the hijacked communication between the SQL*Plus program and the server to the auditing server for auditing. The invention audits the IPC-based communication between the SQL*Plus client tool and an Oracle database: function addresses in the memory of SQL*Plus are tampered with, the data in the communication is mirrored, and the data is transmitted over TCP to the audit server for auditing. This solves the problem that the content of communication between the database and a local client cannot be obtained when no network is involved; it is fast and does not affect the execution efficiency or the execution results of the client.

Description

IPC-based database local communication auditing method
Technical Field
The invention belongs to the technical field of database auditing, and in particular relates to an IPC-based database local communication auditing method.
Background
Existing database auditing technology can only obtain database traffic through the network or by capturing packets at the network card. Traditional database auditing products therefore cannot obtain the content of IPC communication between a client and a server, and cannot audit commands executed through a command-line client tool.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing an IPC-based database local communication auditing method, which solves the problem that traditional database auditing products cannot obtain the content of IPC communication between a client and a server and cannot audit commands executed through a command-line client tool.
The technical problem to be solved by the invention is realized by adopting the following technical scheme:
an IPC-based database local communication auditing method comprises the following steps:
step 1, obtaining a dynamic library that hooks the Oracle dynamic library, the dynamic library implementing a custom hook function;
step 2, when the SQL*Plus program starts, loading the hooking dynamic library into the running memory of the SQL*Plus program, obtaining the address of the IPC communication function, tampering with the original execution-function calling sequence in the Oracle dynamic library, and forwarding the hijacked communication between the SQL*Plus process and the server to the auditing server for auditing.
Step 1 is implemented as follows: the LD_PRELOAD environment variable is set on the Linux platform, and the process loads the dynamic library designated by that variable.
Step 2 is implemented as follows:
step 2.1, obtaining the address of the function that actually performs the IPC communication;
step 2.2, tampering with the original execution-function calling sequence in the Oracle dynamic library;
step 2.3, calling a system function to map a region of memory in the process and writing the hook function from the hooking dynamic library of step 1 into that memory, so that the hook function exists in the running memory of the SQL*Plus process;
step 2.4, changing the function address of the original execution function of step 2.2 to the function address of the hook function written in step 2.3, so that when the Oracle dynamic library calls the execution function through its assembly instructions it jumps to the hook function; the hook function hijacks the communication between the SQL*Plus process and the server and forwards it to the audit server;
step 2.5, after the information has been hijacked, executing the original execution function in the Oracle dynamic library; after the hook function has been called, the assembly instructions following the hook function's address are tampered with again so that control jumps back to the processing flow of the Oracle dynamic library after the execution function.
Step 2.1 is implemented as follows:
step 2.1.1, finding the location of the Oracle dynamic library in the SQL*Plus process through the per-process proc memory map file on Linux, disassembling the Oracle dynamic library with a command, and locating from the assembly code the execution function that actually performs the IPC communication and a special check function;
step 2.1.2, calculating the offsets of the function addresses of the execution function and the check function from the start address of the Oracle dynamic library, each offset being the distance between the start address of the Oracle dynamic library and the function's address;
Step 2.2 is implemented as follows:
step 2.2.1, calling a system function to open the Oracle dynamic library, then calling a system function to obtain the address of the check function in the running memory of the SQL*Plus process, this address being an offset from the start address of the SQL*Plus process;
step 2.2.2, obtaining the address of the execution function that actually performs the IPC communication as follows:
subtracting the offset obtained in step 2.1.2 from the offset obtained in step 2.2.1 gives the offset of the start address of the Oracle dynamic library, in the running memory of the SQL*Plus process, from the start address of the process;
adding that offset to the offset of the execution function obtained in step 2.1.2 gives the offset of the execution function from the start address of the SQL*Plus process in running memory, that is, the runtime address of the execution function that performs the IPC communication, through which the calling sequence of the function is tampered with.
The execution functions are a read() function and a write() function.
The invention has the following advantages and positive effects:
1. The method audits the IPC-based communication of the SQL*Plus client tool with an Oracle database: by tampering with function addresses in the memory of SQL*Plus, the data in the communication is mirrored and then forwarded over TCP to the audit server for auditing, which solves the problem that the content of communication between the database and the client could previously not be obtained when no network was involved.
2. The invention mirrors the data safely and efficiently without damaging it, is fast, and does not affect the execution efficiency or the execution results of the client; it can be widely applied in network security products such as database auditing or database firewalls.
3. The invention only needs to be deployed at the client and causes no damage to the data on the server; it is safe, efficient and practical, has a degree of generality, and can serve as a reference for other auditing approaches.
Drawings
FIG. 1 is a schematic diagram of how the invention progressively obtains the address of the function that actually performs the IPC communication in the Oracle dynamic library;
FIG. 2 is a schematic diagram of the hooking process performed by the invention.
Detailed Description
The embodiments of the present invention will be described in detail with reference to the accompanying drawings.
An IPC-based database local communication auditing method, as shown in FIG. 1 and FIG. 2, comprises the following steps:
Step 1, obtaining a dynamic library that hooks the Oracle dynamic library, the dynamic library implementing a custom hook function. The calling process of the IPC communication can only be tampered with once this dynamic library has been loaded into the running memory of the SQL*Plus process.
In this step, the LD_PRELOAD environment variable is set on the Linux platform; this variable causes a process to load a specified dynamic library. Once the path of the hooking dynamic library has been set in this variable, the SQL*Plus process loads it at startup.
Step 2, when the SQL*Plus program starts, the hooking dynamic library is loaded into its running memory and, following the Linux convention, the SQL*Plus program executes the init function of the dynamic library. The init function performs the following: obtaining the address of the function that actually performs the IPC communication, tampering with the original execution-function calling sequence in the Oracle dynamic library, and forwarding the hijacked communication between the SQL*Plus process and the server to the audit server for auditing.
The specific processing of this step is as follows:
Step 2.1, the address of the function that actually performs the IPC communication is obtained as follows:
Step 2.1.1, the location of the Oracle dynamic library in the SQL*Plus process is found through the per-process proc memory map file on Linux, the Oracle dynamic library is disassembled with a command, and the read() function and write() function that actually perform the IPC communication, together with a special check function, are located from the assembly code. The check function is unique to the Oracle dynamic library; its purpose is to eliminate the offset error introduced when the system aligns the dynamic library in memory.
Step 2.1.2, the offset (offset 2) of the function addresses of the read() function, the write() function and the check function from the first address of the Oracle dynamic library is calculated as shown in FIG. 1; the offset is the distance from the first address of the Oracle dynamic library to the address of each of these functions.
Step 2.2, the original execution-function calling sequence in the Oracle dynamic library is tampered with as follows:
Step 2.2.1, a system function is called to open the Oracle dynamic library, and a system function is then called to obtain the address of the check function in the running memory of the SQL*Plus process. This is the address of the check function after memory alignment has been applied, expressed as the offset (offset 1) of the check function's address from the start address of the SQL*Plus process.
Step 2.2.2, the addresses of the read() function and the write() function that actually perform the IPC communication are obtained as follows:
Step 2.2.2.1, offset 1 is the offset of the check function's address, obtained in step 2.2.1, from the start address of the SQL*Plus process.
Step 2.2.2.2, offset 2 is the offset of the check function's address, obtained in step 2.1.2, from the first address of the Oracle dynamic library.
Step 2.2.2.3, subtracting offset 2 of step 2.2.2.2 from offset 1 of step 2.2.2.1 gives the offset of the first address of the Oracle dynamic library, in the running memory of the SQL*Plus process, from the start address of the process.
Step 2.2.2.4, adding the offset obtained in step 2.2.2.3 to the offsets of the read() function and the write() function from the first address of the Oracle dynamic library, obtained in step 2.1.2, gives the offset (offset 3) from the start address of the SQL*Plus process to the read() function and the write() function that actually perform the IPC communication. These are the runtime addresses of the read() and write() functions, and with them the calling sequence of the functions can be tampered with.
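As an added example (not code from the patent or from its assignee), the address arithmetic of steps 2.1.2 and 2.2.2 in C, together with a /proc/<pid>/maps parser standing in for the "proc memory file" lookup of step 2.1.1 as an independent cross-check of the computed library base. The library path, mapping addresses and static offsets are constructed sample values.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t vaddr;   /* 64-bit so the sample addresses fit on any host */

struct target_addrs {
    vaddr lib_base;   /* first address of the Oracle library in the process */
    vaddr read_fn;    /* runtime address of the library's internal read()  */
    vaddr write_fn;   /* runtime address of the library's internal write() */
};

/* Step 2.2.2: lib_base = offset1 - offset2, i.e. the runtime address of the
 * check function minus its static offset; each target is lib_base plus its
 * own static offset (offset3). All static offsets come from disassembly. */
struct target_addrs resolve_targets(vaddr check_runtime, vaddr check_off,
                                    vaddr read_off, vaddr write_off)
{
    struct target_addrs t;
    t.lib_base = check_runtime - check_off;
    t.read_fn  = t.lib_base + read_off;
    t.write_fn = t.lib_base + write_off;
    return t;
}

/* Step 2.1.1: scan /proc/<pid>/maps text for the mapping of `libname` whose
 * file offset is 0 (the library's first address) and return its start, or 0
 * if absent. If this disagrees with resolve_targets().lib_base, the static
 * offsets belong to a different library build and nothing should be patched. */
vaddr maps_library_base(const char *maps_text, const char *libname)
{
    char line[512];
    const char *p = maps_text;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned long long start = 0, end = 0, off = 0;
        char perms[8] = {0};
        if (sscanf(line, "%llx-%llx %7s %llx", &start, &end, perms, &off) == 4
            && off == 0 && strstr(line, libname) != NULL)
            return (vaddr)start;
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Constructed sample of a SQL*Plus process map; path, inode numbers and
 * addresses are made up for this example. */
const char SAMPLE_MAPS[] =
    "55d0c1a00000-55d0c1a30000 r-xp 00000000 08:01 131 /usr/bin/sqlplus\n"
    "7f3a1c000000-7f3a1c200000 r--p 00000000 08:01 777 /opt/oracle/lib/libclntsh.so.19.1\n"
    "7f3a1c200000-7f3a1d000000 r-xp 00200000 08:01 777 /opt/oracle/lib/libclntsh.so.19.1\n"
    "7f3a1d500000-7f3a1d520000 rw-p 00000000 00:00 0\n";

int main(void)
{
    /* Sample values: check function observed at 0x7f3a1c3a1b40 at runtime;
     * static offsets 0x3a1b40 (check), 0x4f0a20 (read), 0x4f0b80 (write). */
    struct target_addrs t = resolve_targets(0x7f3a1c3a1b40ULL, 0x3a1b40ULL,
                                            0x4f0a20ULL, 0x4f0b80ULL);
    vaddr from_maps = maps_library_base(SAMPLE_MAPS, "libclntsh.so");
    printf("lib_base %" PRIx64 " (maps: %" PRIx64 ") read %" PRIx64
           " write %" PRIx64 " -> %s\n", t.lib_base, from_maps, t.read_fn,
           t.write_fn, t.lib_base == from_maps ? "consistent" : "MISMATCH, do not patch");
    /* On a live Linux host the same parser works on /proc/self/maps. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char buf[1 << 16];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("this process: libc base %" PRIx64 "\n", maps_library_base(buf, "libc"));
    }
    return 0;
}
```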
Step 2.3, a system function is called to map a region of memory in the process and set it writable. The hook function from the hooking dynamic library of step 1 is written into this memory, so that the hook function exists in the running memory of the SQL*Plus process.
Step 2.4, the addresses of the read() function and the write() function from step 2.2.2.4 are tampered with so that they point to the hook function written in step 2.3. When the assembly instructions call the read() or write() function, the Oracle dynamic library therefore jumps to the hook function, which hijacks the communication between the SQL*Plus process and the server and forwards it to the audit server.
Step 2.5, after the information has been hijacked, the original read() function and write() function in the Oracle dynamic library are executed, preserving the original communication. After the hook function has been called, the assembly instructions following the hook function's address are tampered with again so that control jumps back to the Oracle dynamic library and continues the processing that follows the read() and write() functions, ensuring that the SQL*Plus process runs normally.
Through these steps, the communication between the SQL*Plus process and the server is hijacked for auditing while the original communication flow of the SQL*Plus process is preserved, so normal business is not affected. Moreover, only data on the client where the SQL*Plus process runs is hijacked; the data stored on the server is not affected, so the method is safe, stable and efficient.
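As an added example (not the patent's code), a function-pointer model of steps 2.4 and 2.5: an init constructor swaps the IPC read()/write() entries for hooks that mirror each buffer into an audit record and then call the original, so the client's return values are unchanged. The dispatch table, the record format and the in-memory log standing in for the TCP forward to the audit server are constructed for this example; the patented method patches instructions at the addresses of step 2.2.2.4 instead of a table.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef ssize_t (*io_fn)(int fd, void *buf, size_t n);

/* Stand-ins for the library's real IPC functions (constructed): read() returns
 * a fixed reply, write() reports the full length as written. */
static const char FAKE_REPLY[] = "ORA-OK\n";
static ssize_t orig_read(int fd, void *buf, size_t n)
{
    (void)fd;
    size_t m = sizeof FAKE_REPLY - 1;
    if (m > n) m = n;
    memcpy(buf, FAKE_REPLY, m);
    return (ssize_t)m;
}
static ssize_t orig_write(int fd, void *buf, size_t n)
{
    (void)fd; (void)buf;
    return (ssize_t)n;
}

/* The "calling sequence": the library reaches read()/write() through this
 * table, which is what the init function rewrites (step 2.4). */
struct ipc_ops { io_fn read; io_fn write; };
static struct ipc_ops ipc = { orig_read, orig_write };
static struct ipc_ops saved;   /* originals, kept so the hooks can call them */

/* In-memory audit log standing in for the TCP channel to the audit server. */
#define AUDIT_CAP 4096
static char audit_log[AUDIT_CAP];
static size_t audit_len;
const char *audit_records(void) { return audit_log; }
void audit_reset(void) { audit_len = 0; audit_log[0] = '\0'; }

/* One record per call: direction, fd, length, payload with non-printable
 * bytes escaped so binary protocol data cannot break the line format. */
static void audit_emit(char dir, int fd, const unsigned char *p, size_t n)
{
    int k = snprintf(audit_log + audit_len, AUDIT_CAP - audit_len,
                     "%c fd=%d len=%zu ", dir, fd, n);
    if (k < 0 || (size_t)k >= AUDIT_CAP - audit_len) return;
    audit_len += (size_t)k;
    for (size_t i = 0; i < n && audit_len + 5 < AUDIT_CAP; i++) {
        if (p[i] >= 0x20 && p[i] < 0x7f && p[i] != '\\')
            audit_log[audit_len++] = (char)p[i];
        else
            audit_len += (size_t)snprintf(audit_log + audit_len, 5, "\\x%02x", p[i]);
    }
    if (audit_len + 1 < AUDIT_CAP) audit_log[audit_len++] = '\n';
    audit_log[audit_len] = '\0';
}

/* Steps 2.4/2.5 for write(): mirror the outbound buffer (the SQL text), then
 * run the original so the server sees exactly what the client sent. */
static ssize_t hook_write(int fd, void *buf, size_t n)
{
    audit_emit('W', fd, buf, n);
    return saved.write(fd, buf, n);
}
/* For read() the payload only exists after the original returns, so the
 * mirror step runs afterwards; the return value passes through unchanged. */
static ssize_t hook_read(int fd, void *buf, size_t n)
{
    ssize_t got = saved.read(fd, buf, n);
    if (got > 0) audit_emit('R', fd, buf, (size_t)got);
    return got;
}

/* Runs when the preloaded library is mapped: the init function of step 2. */
__attribute__((constructor)) static void init_hooks(void)
{
    saved = ipc;
    ipc.read = hook_read;
    ipc.write = hook_write;
}

/* Entry points the client code uses; results must equal the originals'. */
ssize_t ipc_write(int fd, const void *buf, size_t n) { return ipc.write(fd, (void *)buf, n); }
ssize_t ipc_read(int fd, void *buf, size_t n) { return ipc.read(fd, buf, n); }
int hooks_installed(void) { return ipc.read == hook_read && ipc.write == hook_write; }

int main(void)
{
    char reply[32];
    ipc_write(3, "select 1 from dual\n", 19);
    ssize_t got = ipc_read(3, reply, sizeof reply);
    printf("client read %zd bytes; audit records:\n%s", got, audit_records());
    return 0;
}
```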
It should be emphasized that the embodiments described herein are illustrative rather than restrictive, and thus the present invention is not limited to the embodiments described in the detailed description, but also includes other embodiments that can be derived from the technical solutions of the present invention by those skilled in the art.

Claims (4)

1. An IPC-based database local communication auditing method, characterized by comprising the following steps:
step 1, obtaining a dynamic library that hooks the Oracle dynamic library, the dynamic library implementing a custom hook function;
step 2, when the SQL*Plus program starts, loading the hooking dynamic library into the running memory of the SQL*Plus program, obtaining the address of the function that actually performs the IPC communication, tampering with the original execution-function calling sequence in the Oracle dynamic library, and forwarding the hijacked communication between the SQL*Plus process and the server to the auditing server for auditing;
step 2 being implemented as follows:
step 2.1, obtaining the address of the function that actually performs the IPC communication;
step 2.2, tampering with the original execution-function calling sequence in the Oracle dynamic library;
step 2.3, calling a system function to map a region of memory in the process and writing the hook function from the hooking dynamic library of step 1 into that memory, so that the hook function exists in the running memory of the SQL*Plus process;
step 2.4, changing the function address of the original execution function of step 2.2 to the function address of the hook function written in step 2.3, so that when the Oracle dynamic library calls the execution function through its assembly instructions it jumps to the hook function; the hook function hijacks the communication between the SQL*Plus process and the server and forwards it to the audit server;
step 2.5, after the information has been hijacked, executing the original execution function in the Oracle dynamic library; after the hook function has been called, the assembly instructions following the hook function's address are tampered with again so that control jumps back to the processing flow of the Oracle dynamic library after the execution function.
2. The IPC-based database local communication auditing method according to claim 1, characterized in that step 1 is implemented as follows: the LD_PRELOAD environment variable is set on the Linux platform, and the process loads the dynamic library designated by that variable.
3. The IPC-based database local communication auditing method according to claim 1, characterized in that step 2.1 is implemented as follows:
step 2.1.1, finding the location of the Oracle dynamic library in the SQL*Plus process through the per-process proc memory map file on Linux, disassembling the Oracle dynamic library with a command, and locating from the assembly code the execution function that actually performs the IPC communication and a special check function;
step 2.1.2, calculating the offsets of the function addresses of the execution function and the check function from the start address of the Oracle dynamic library, each offset being the distance between the start address of the Oracle dynamic library and the function's address;
and step 2.2 is implemented as follows:
step 2.2.1, calling a system function to open the Oracle dynamic library, then calling a system function to obtain the address of the check function in the running memory of the SQL*Plus process, this address being an offset from the start address of the SQL*Plus process;
step 2.2.2, obtaining the address of the execution function that actually performs the IPC communication as follows:
subtracting the offset obtained in step 2.1.2 from the offset obtained in step 2.2.1 gives the offset of the start address of the Oracle dynamic library, in the running memory of the SQL*Plus process, from the start address of the process;
adding that offset to the offset of the execution function obtained in step 2.1.2 gives the offset of the execution function from the start address of the SQL*Plus process in running memory, that is, the runtime address of the execution function that performs the IPC communication, through which the calling sequence of the function is tampered with.
4. The IPC-based database local communication auditing method according to any one of claims 1 to 3, characterized in that the execution functions are a read() function and a write() function.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811477548.XA CN109271414B (en) 2018-12-05 2018-12-05 IPC-based database local communication auditing method

Publications (2)

Publication Number Publication Date
CN109271414A (en) 2019-01-25
CN109271414B (en) 2021-08-13

Family

ID=65186340

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811477548.XA Active CN109271414B (en) 2018-12-05 2018-12-05 IPC-based database local communication auditing method

Country Status (1)

Country Link
CN (1) CN109271414B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111026609B (en) * 2019-12-06 2021-11-19 深信服科技股份有限公司 Information auditing method, system, equipment and computer readable storage medium
CN113660292B (en) * 2021-10-19 2022-01-11 北京安华金和科技有限公司 Method and device for acquiring information of calling client main body
CN114024865B (en) * 2021-10-29 2023-08-08 中国电信股份有限公司 Network auditing method, device and system based on Linux process function
CN114268496A (en) * 2021-12-22 2022-04-01 杭州安恒信息技术股份有限公司 Database local audit method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6502213B1 (en) * 1999-08-31 2002-12-31 Accenture Llp System, method, and article of manufacture for a polymorphic exception handler in environment services patterns
US6779187B1 (en) * 1999-04-08 2004-08-17 Novadigm, Inc. Method and system for dynamic interception of function calls to dynamic link libraries into a windowed operating system
CN101021804A (en) * 2007-03-13 2007-08-22 华为技术有限公司 Method and apparatus for calling dynamic library and dynamic library server
CN104598823A (en) * 2015-01-21 2015-05-06 华东师范大学 Kernel level rootkit detection method and system in Andriod system
CN105512552A (en) * 2014-09-26 2016-04-20 腾讯科技(深圳)有限公司 Method and device for parameter detection

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110010379A1 (en) * 2009-07-09 2011-01-13 Xeround Systems Ltd. Database system with query interception and redirection

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Research on security auditing methods for the Android system; 周梦婷; 《中国优秀硕士学位论文全文数据库(电子期刊)信息科技辑》; 2016-08-31 (No. 8); I138-92 *
Virus Analysis on IDT Hooks of Rootkits Trojan; Yong Yang et al; 《IEEE》; 2009-07-28; pp. 224-228 *
Design and implementation of a security monitoring system for Android application behaviour; 阙斌生; 《中国优秀硕士学位论文全文数据库(电子期刊)信息科技辑》; 2015-04-30 (No. 4); I138-565 *

Also Published As

Publication number Publication date
CN109271414A (en) 2019-01-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant