CN112306683A - Function hijacking method, device, medium and electronic equipment - Google Patents


Info

Publication number
CN112306683A
Authority
CN
China
Prior art keywords
function
address
hijacked
absolute
data structure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011185857.7A
Other languages
Chinese (zh)
Inventor
朴英敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing ByteDance Network Technology Co Ltd
Original Assignee
Beijing ByteDance Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing ByteDance Network Technology Co Ltd filed Critical Beijing ByteDance Network Technology Co Ltd
Priority to CN202011185857.7A priority Critical patent/CN112306683A/en
Publication of CN112306683A publication Critical patent/CN112306683A/en
Pending legal-status Critical Current


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/366 Software debugging using diagnostics

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The disclosure provides a function hijacking method, device, medium and electronic equipment. The function hijacking method comprises the following steps: acquiring an absolute starting address of a first jump table in a first memory; acquiring an absolute address of a pointer variable of the hijacked system function based on the absolute starting address of the first jump table and the data structure of the first jump table; and writing the entry address of a preset hijack function into the absolute address of the pointer variable of the hijacked system function. The absolute address of the pointer variable of the hijacked system function is acquired through the absolute starting address of the jump table and the data structure of the jump table, and the value stored at that absolute address in the jump table is changed from the entry address of the hijacked system function to the entry address of the preset hijack function. Modifying an entry address in the jump table achieves the aim of acquiring the hidden debugging information of the hijacked system function. The original high-concurrency operation environment of the system is preserved while the original functions are kept, and the operation stability, safety and reliability of the system are guaranteed. While the running condition of the hijacked system function is monitored, the debugging requirement of the hijacked system function under a high-concurrency environment is met.

Description

Function hijacking method, device, medium and electronic equipment
Technical Field
The disclosure relates to the technical field of computers, in particular to a function hijacking method, a function hijacking device, a function hijacking medium and electronic equipment.
Background
A memory leak occurs when space dynamically created by a dynamic memory allocation function is not released after use, so that the memory unit stays occupied until the end of the program. Memory leaks are errors that are difficult to locate and track. Code that leaks memory only runs under certain circumstances or operating procedures.
Memory out-of-range means that after a block of memory has been requested from the system, it is used beyond the requested range.
A memory wild pointer means that the position pointed to by the pointer is unknown (random, incorrect, without explicit restriction). If a pointer variable is not initialized when it is defined, its value is random; since the value of a pointer variable is the address of another variable, the pointer then points to an undetermined variable.
In software development, memory problems such as memory leaks, memory out-of-range accesses and memory wild pointers are the most troublesome development problems. Such problems are very difficult to analyze and typically occur when memory is requested frequently in the system.
The memory application interface is a closed interface provided by an operating system or a development system for developers to request memory. The memory application interface is usually hijacked by hook technology, for example inline hook technology and hit table hook technology, and debugging information is recorded. When a problem occurs, it is analyzed according to the debugging information. However, both methods use complex system hooks, which reduce the running speed of the program and damage its original high-concurrency running environment, so the debugging requirement in a high-concurrency environment cannot be met.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
An object of the present disclosure is to provide a function hijacking method, apparatus, medium, and electronic device, which can solve at least one of the above-mentioned technical problems. The specific scheme is as follows:
according to a specific implementation manner of the present disclosure, in a first aspect, the present disclosure provides a function hijacking method, including:
acquiring an absolute starting address of a first jump table in a first memory; the first memory comprises a memory occupied by a first function library symbol table after a function library symbol table file is loaded, the function library symbol table at least comprises a jump table, the jump table is a predefined data structure, the data structure of the jump table at least comprises a predefined hijacked system function pointer variable, and the value of the absolute address of the hijacked system function pointer variable is the entry address of the hijacked system function;
acquiring an absolute address of a pointer variable of the hijacked system function based on an absolute starting address of the first jump table and a data structure of the first jump table;
and writing the entry address of a preset hijack function into the absolute address of the pointer variable of the hijacked system function.
According to a second aspect of the present disclosure, there is provided a function hijacking apparatus including:
the first obtaining unit is used for obtaining an absolute starting address of a first jump table in a first memory; the first memory comprises a memory occupied by a first function library symbol table after a function library symbol table file is loaded, the function library symbol table at least comprises a jump table, the jump table is a predefined data structure, the data structure of the jump table at least comprises a predefined hijacked system function pointer variable, and the value of the absolute address of the hijacked system function pointer variable is the entry address of the hijacked system function;
a second obtaining unit, configured to obtain an absolute address of the hijacked system function pointer variable based on an absolute start address of the first jump table and a data structure of the first jump table;
and the hijacking unit is used for writing the entry address of a preset hijacking function into the absolute address of the pointer variable of the hijacked system function.
According to a third aspect, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a function hijacking method as defined in any one of the first aspects.
According to a fourth aspect thereof, the present disclosure provides an electronic device, comprising: one or more processors; storage means for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the function hijacking method as claimed in any one of the first aspects.
Compared with the prior art, the scheme of the embodiment of the disclosure at least has the following beneficial effects:
The disclosure provides a function hijacking method, device, medium and electronic equipment. The absolute address of the pointer variable of the hijacked system function is acquired through the absolute starting address of the jump table and the data structure of the jump table, and the value stored at that absolute address in the jump table is changed from the entry address of the hijacked system function to the entry address of the preset hijack function. Modifying an entry address in the jump table achieves the aim of acquiring the hidden debugging information of the hijacked system function. The original high-concurrency operation environment of the system is preserved while the original functions are kept, and the operation stability, safety and reliability of the system are guaranteed. While the running condition of the hijacked system function is monitored, the debugging requirement of the hijacked system function under a high-concurrency environment is met.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale. In the drawings:
FIG. 1 shows a flow diagram of a function hijacking method according to an embodiment of the present disclosure;
FIG. 2 illustrates an exemplary diagram of a predefined function library global data structure of a function hijacking method according to an embodiment of the present disclosure;
FIG. 3 illustrates an exemplary diagram of the jump table of a function hijacking method according to an embodiment of the present disclosure;
FIG. 4 illustrates a code example diagram of writing the entry address of a preset hijack function, of a function hijacking method according to an embodiment of the present disclosure;
FIG. 5 illustrates a code example diagram of recording oDispath->malloc() of the function hijacking method according to an embodiment of the present disclosure;
FIG. 6 shows a block diagram of elements of a function hijacking device, according to an embodiment of the present disclosure;
FIG. 7 shows a schematic diagram of an electronic device connection structure according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
Alternative embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
The first embodiment provided by the present disclosure is an embodiment of the function hijacking method.
The embodiments of the present disclosure will be described in detail with reference to fig. 1 to 5.
As shown in FIG. 1, in step S101, an absolute start address of a first jump table in a first memory is obtained.
The first memory comprises a memory occupied by the symbol table of the first function library after the symbol table file of the function library is loaded.
The function library symbol table file is a library file that provides information about the hijacked system function, so that developers can perform system-related operations through the hijacked system function. Before a program calls a hijacked system function, the function library symbol table file defining the hijacked system function needs to be loaded into memory. For example, in the Android system, the function library symbol table file is the .so symbol table file; commonly used hijacked system functions in the .so symbol table file include the malloc function for dynamically allocating memory space; before a program calls the malloc function, the .so symbol table file containing the malloc function needs to be loaded into memory.
The hijacked system function is an interface function for an external developer to access an operating system, and specific code of the hijacked system function is not disclosed to the outside. Therefore, the developer can not track the memory problem inside the hijacked system function. The embodiment of the present disclosure is to provide a method for tracking the memory problem of the hijacked system function simply and quickly.
The symbol table of the function library at least comprises a jump table, the jump table is a predefined data structure, the data structure of the jump table at least comprises a predefined pointer variable of the hijacked system function, and the value of the absolute address of the pointer variable of the hijacked system function is the entry address of the hijacked system function.
The first jump table is a data structure stored in the first memory. Variables associated with the system functions are defined in the first jump table. The entry address of the system function is also the start address of the system function. For example, as shown in FIG. 2, a predefined function library global data structure libc_globals is defined, in which the variable malloc_dispatch is defined with the jump table MallocDispatch; as shown in FIG. 3, MallocDispatch is a data structure defining system functions, and it includes a definition of the hijacked system function malloc; in memory, defining the hijacked system function malloc means that the entry address of the hijacked system function malloc is stored at the absolute address of the malloc pointer variable under the variable malloc_dispatch.
The method for acquiring the absolute start address of the first jump table in the first memory comprises the following steps:
and step S101-1, obtaining the symbol base address of the symbol table of the first function library.
The symbol base address is an absolute address. An absolute address is the address of a memory unit, calculated from the memory starting address.
Usually, the symbol base address of the first function library symbol table is the start address of the first memory after the function library symbol table file is loaded into memory. However, in some cases, the symbol base address of the first function library symbol table is not the start address of the first memory. For example, in the Android system, the symbol base address of the .so symbol table file after loading is not equal to the start address of the first memory.
In the Android system, obtaining the symbol base address of the first function library symbol table comprises the following steps:
and step S101-1-1, acquiring the absolute initial address of the first memory and the program header information of the symbol table of the first function library.
The first memory occupies a series of absolute addresses, and the absolute start address of the first memory is the address of the first memory unit occupied by the first function library symbol table, calculated from the initial address of memory.
The first function library symbol table comprises program header information. The program header information includes an offset of a symbol base address of the symbol table of the first function library relative to an absolute start address of the first memory. The offset is the distance between the absolute start address of the first memory and the symbol base address.
For example, in the android system, the loading address (i.e., the absolute start address of the first memory) of the libc.
And step S101-1-2, acquiring the symbol base address based on the program header information and the absolute start address of the first memory.
Namely, calculating the sum of the offset of the program header information relative to the absolute start address of the first memory and the absolute start address of the first memory, and obtaining the symbol base address of the symbol table file of the function library.
And step S101-2, mapping the function library symbol table file into a second memory to obtain a second function library symbol table.
Since the absolute start address of the first jump table cannot be directly obtained from the first memory, the embodiment of the disclosure obtains it by an indirect method. That is, the function library symbol table file is actively mapped into the second memory, and the second memory comprises the memory occupied by the second function library symbol table after the function library symbol table file is loaded. Because the first function library symbol table and the second function library symbol table are derived from the same function library symbol table file, information that is identical in the first memory can be acquired indirectly from the second memory.
The function library symbol table file is mapped into the second memory; for example, in the Android system, the function library symbol table file can be mapped into the second memory through the system function mmap.
And S101-3, acquiring a relative initial address of the second jump table based on the second function library symbol table and a predefined function library global data structure.
Wherein the function library global data structure comprises at least a predefined second jump table variable.
The relative starting address of the second jump table is the address of the first unit in the memory units occupied by the second jump table, and the unit address is obtained by calculation from the symbol base address.
For example, as shown in FIG. 2, a predefined function library global data structure, the name of which is libc_globals.
The obtaining a relative start address of the second jump table based on the second function library symbol table and a predefined function library global data structure comprises the following steps:
and S101-3-1, acquiring a relative initial address of the global data structure of the function library based on the second function library symbol table and the name of the global data structure of the function library.
The relative initial address of the global data structure of the function library is the address of the first unit in the memory units occupied by the global data structure of the function library, and the unit address is obtained by calculation from the symbol base address.
Since the file format and content of the function library symbol table file and the function library global data structure are known, the purpose of this step is to obtain the relative start address of the second jump table by analyzing the second function library symbol table, and thereby the relative start address of the first jump table.
Specifically, the obtaining of the relative start address of the function library global data structure based on the second function library symbol table and the name of the function library global data structure includes the following steps:
and S101-3-1-1, acquiring partition header information based on the format header information of the second function library symbol table.
The function library symbol table file contains multiple pieces of partition information; each partition has its own header information, and the partition header information includes at least the function symbol partition characteristic.
For example, in the Android system, the .so symbol table file is an ELF format file, and all partition information and program header information of the .so symbol table file can be obtained through the ELF format header information.
And S101-3-1-2, retrieving the partition header information according to the preset function symbol partition characteristics, and acquiring function symbol partition information.
The preset function symbol partition characteristic refers to a function symbol partition characteristic associated with function hijacking in the embodiment of the disclosure. For example, the partition header information includes the function symbol partition characteristics associated with the jump table: "SHT_SYMTAB" and/or "SHT_STRTAB", corresponding to the function symbol partition information under each function symbol partition characteristic.
And S101-3-1-3, retrieving the function symbol partition information based on the name of the global data structure of the function library, and acquiring a relative initial address of the global data structure of the function library.
For example, the name of the function library global data structure is libc_globals, and the relative starting address of the function library global data structure libc_globals is obtained by traversing the function symbol partition information under each function symbol partition characteristic.
And S101-3-2, acquiring the relative start address of the second jump table based on the relative start address of the global data structure of the function library and the global data structure of the function library.
Because the function library global data structure comprises the second jump table, the start address of the second jump table relative to the start address of the function library global data structure can be obtained from the function library global data structure. Therefore, the relative start address of the second jump table can be obtained once the relative start address of the function library global data structure and the start address of the second jump table relative to the start address of the function library global data structure are known.
And step S101-4, calculating the sum of the symbol base address and the relative starting address of the second jump table, and acquiring the absolute starting address of the first jump table.
The relative start address of the first jump table can be obtained indirectly from the relative start address of the second jump table; the absolute start address of the first jump table is therefore the sum of the symbol base address and the relative start address of the second jump table.
And step S102, acquiring the absolute address of the hijacked system function pointer variable based on the absolute starting address of the first jump table and the data structure of the first jump table.
The value of the hijacked system function pointer variable represents the entry address of the hijacked system function. For example, the hijacked system function is malloc, and the value of the hijacked system function pointer variable is the entry address of the hijacked system function malloc.
Optionally, the obtaining an absolute address of the hijacked system function pointer variable based on the absolute start address of the first jump table and the data structure of the first jump table includes the following steps:
and step S102-1, acquiring a first offset of the hijacked system function pointer variable based on the data structure of the first jump table.
The first offset is the offset of the hijacked system function pointer variable relative to the absolute start address of the data structure of the first jump table.
And step S102-2, calculating the sum of the absolute starting address of the first jump table and the first offset, and acquiring the absolute address of the hijacked system function pointer variable.
The predefined function library global data structure comprises variable definitions related to a system function structure, wherein the system function structure comprises definitions of system functions (including definitions of hijacked system functions). For example, as shown in FIG. 2, the system function structure (i.e., the data structure of the jump table) is MallocDispatch, and the variable associated with the system function structure is malloc_dispatch; the offset of malloc_dispatch relative to the function library global data structure libc_globals is: (sizeof (char) + sizeof (void)) × 4 + sizeof (long) × 4 + 4 = 36; assuming that the absolute starting address of the function library global data structure libc_globals is A, the absolute starting address of the jump table data structure variable malloc_dispatch is A + 36; the jump table includes the hijacked system function malloc, and the offset of the hijacked system function malloc relative to the starting address of the jump table is as follows: the offset of the hijacked system function malloc from the function library global data structure libc_globals is: 36 + 12 = 48; the absolute address of the malloc pointer variable of the hijacked system function is: A + 36 + 12 = A + 48.
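The address arithmetic of steps S101-3-1 to S102-2, as an added example that is not code from the patent: it finds the relative address of libc_globals through the SHT_SYMTAB and SHT_STRTAB partitions (ELF sections) of a constructed 32-bit ELF image, then adds the symbol base address and the 36- and 12-byte offsets from the worked example above. The image contents, SYMBOL_BASE, SYM_REL_ADDR and all function names are assumptions constructed for illustration; nothing is written to memory.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values, not taken from the patent or from a real libc. */
#define SYMBOL_BASE  0xb6d00000u /* symbol base address of the loaded copy */
#define SYM_REL_ADDR 0x0009d000u /* st_value of libc_globals in the file */
/* Offsets from the patent's worked example (A + 36 + 12 = A + 48). */
#define OFF_DISPATCH 36u /* malloc_dispatch inside libc_globals */
#define OFF_MALLOC   12u /* malloc pointer inside the jump table */
static const char STRTAB[] = "\0libc_globals\0other_symbol";

/* Build a minimal ELF32 image (header, symbols, strings, 3 partition headers). */
static size_t build_image(uint8_t *buf, size_t cap)
{
    size_t sym_off = sizeof(Elf32_Ehdr), str_off = sym_off + 3 * sizeof(Elf32_Sym);
    size_t sh_off = str_off + sizeof STRTAB, total = sh_off + 3 * sizeof(Elf32_Shdr);
    Elf32_Ehdr eh = { .e_shoff = (Elf32_Off)sh_off, .e_shentsize = sizeof(Elf32_Shdr), .e_shnum = 3 };
    Elf32_Sym sym[3] = { [1] = { .st_name = 14, .st_value = 0x1234 },        /* other_symbol */
                         [2] = { .st_name = 1, .st_value = SYM_REL_ADDR } }; /* libc_globals */
    Elf32_Shdr sh[3] = {
        [1] = { .sh_type = SHT_SYMTAB, .sh_offset = (Elf32_Off)sym_off, .sh_size = sizeof sym, .sh_link = 2 },
        [2] = { .sh_type = SHT_STRTAB, .sh_offset = (Elf32_Off)str_off, .sh_size = sizeof STRTAB } };

    if (cap < total)
        return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sym_off, sym, sizeof sym);
    memcpy(buf + str_off, STRTAB, sizeof STRTAB);
    memcpy(buf + sh_off, sh, sizeof sh);
    return total;
}

static int in_bounds(size_t len, size_t off, size_t size)
{
    return off <= len && size <= len - off;
}

/* Steps S101-3-1-1..3: walk the partition headers, pick SHT_SYMTAB and its
 * SHT_STRTAB, store the relative address of `name` in *rel. 0 = found, -1 = not. */
static int find_symbol(const uint8_t *img, size_t len, const char *name, uint32_t *rel)
{
    Elf32_Ehdr eh;
    Elf32_Shdr st, ss;
    Elf32_Sym sym;

    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS32 ||
        eh.e_shentsize != sizeof st || !in_bounds(len, eh.e_shoff, eh.e_shnum * sizeof st))
        return -1;
    for (size_t i = 0; i < eh.e_shnum; i++) {
        memcpy(&st, img + eh.e_shoff + i * sizeof st, sizeof st);
        if (st.sh_type != SHT_SYMTAB || st.sh_link >= eh.e_shnum)
            continue;
        memcpy(&ss, img + eh.e_shoff + st.sh_link * sizeof ss, sizeof ss);
        if (ss.sh_type != SHT_STRTAB || ss.sh_size == 0 ||
            !in_bounds(len, st.sh_offset, st.sh_size) ||
            !in_bounds(len, ss.sh_offset, ss.sh_size) ||
            img[ss.sh_offset + ss.sh_size - 1] != '\0')
            return -1; /* malformed or truncated tables: refuse to guess */
        for (size_t k = 0; k + sizeof sym <= st.sh_size; k += sizeof sym) {
            memcpy(&sym, img + st.sh_offset + k, sizeof sym);
            if (sym.st_name < ss.sh_size &&
                strcmp((const char *)img + ss.sh_offset + sym.st_name, name) == 0) {
                *rel = sym.st_value;
                return 0;
            }
        }
    }
    return -1;
}

/* Steps S101-4 and S102-2: symbol base + relative address + offsets. */
static uint32_t malloc_slot(uint32_t symbol_base, uint32_t globals_rel)
{
    return symbol_base + globals_rel + OFF_DISPATCH + OFF_MALLOC;
}

/* Look `name` up in the constructed image cut to `len` bytes (0 = whole
 * image); returns the computed slot address, or 0 when the lookup fails. */
static uint32_t sample_slot(const char *name, size_t len)
{
    uint8_t img[512];
    uint32_t rel = 0;
    size_t total = build_image(img, sizeof img);
    if (len == 0 || len > total)
        len = total;
    return find_symbol(img, len, name, &rel) == 0 ? malloc_slot(SYMBOL_BASE, rel) : 0;
}

int main(void)
{
    printf("malloc slot: 0x%08x\n", (unsigned)sample_slot("libc_globals", 0));
    return 0;
}
```

The parser rejects a truncated image or an unterminated string table instead of reading past the buffer, which matters because the relative address it returns is later used as a write target.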
And step S103, writing the entry address of a preset hijack function into the absolute address of the pointer variable of the hijacked system function.
That is, the value at the absolute address of the pointer variable of the hijacked system function is set to the entry address of the preset hijack function. The entry address of the preset hijack function is also the starting address of the preset hijack function. For example, the preset hijack function is hook_malloc(), and as shown in FIG. 4, the entry address of hook_malloc(), that is, the start address of hook_malloc() (i.e., &hook_malloc()), is set as the value at the absolute address of the pointer variable of the hijacked system function (i.e., ((void) (A + 48))). So that the preset hijack function performs the function of the original hijacked system function in addition to recording debugging information, the preset hijack function includes both recording information on the running condition of the debugging object and calling the hijacked system function. The hijacked system function (such as the malloc function) is also hidden, and the developer cannot call it directly; therefore the function hijacking method is repeated to obtain the absolute address of the pointer variable of the hijacked system function, the absolute address is recorded under the pointer variable used for calling the hijacked system function, and it is called in the self-defined function. For example, as shown in FIG. 5, the absolute address of the malloc pointer variable of the hijacked system function is obtained and recorded under odipath->malloc() and then called in the customized malloc function.
The absolute address of the pointer variable of the hijacked system function is acquired through the absolute starting address of the jump table and the data structure of the jump table, and the value stored at that absolute address in the jump table is changed from the entry address of the hijacked system function to the entry address of the preset hijack function. Modifying an entry address in the jump table achieves the aim of acquiring the hidden debugging information of the hijacked system function. The original high-concurrency operation environment of the system is preserved while the original functions are kept, and the operation stability, safety and reliability of the system are guaranteed. While the running condition of the hijacked system function is monitored, the debugging requirement of the hijacked system function under a high-concurrency environment is met.
Corresponding to the first embodiment provided by the disclosure, the disclosure also provides a second embodiment, namely a function hijacking device. Since the second embodiment is basically similar to the first embodiment, the description is simple, and the relevant portions should be referred to the corresponding description of the first embodiment. The device embodiments described below are merely illustrative.
Fig. 6 shows an embodiment of a function hijacking device provided by the present disclosure.
Referring to fig. 6, the present disclosure provides a function hijacking device, including:
a first obtaining unit 601, configured to obtain an absolute start address of a first jump table in a first memory; the first memory comprises a memory occupied by a first function library symbol table after a function library symbol table file is loaded, the function library symbol table at least comprises a jump table, the jump table is a predefined data structure, the data structure of the jump table at least comprises a predefined hijacked system function pointer variable, and the value of the absolute address of the hijacked system function pointer variable is the entry address of the hijacked system function;
a second obtaining unit 602, configured to obtain an absolute address of the hijacked system function pointer variable based on the absolute start address of the first jump table and the data structure of the first jump table;
a hijacking unit 603, configured to write an entry address of a preset hijacking function into the absolute address of the hijacked system function pointer variable.
Optionally, the first obtaining unit 601 includes:
a first symbol base address obtaining subunit, configured to obtain a symbol base address of the first function library symbol table; the symbol base address is an absolute address;
a second function library symbol table obtaining subunit, configured to map the function library symbol table file into a second memory and obtain a second function library symbol table;
a first second-jump-table relative start address obtaining subunit, configured to obtain a relative start address of the second jump table based on the second function library symbol table and a predefined function library global data structure; wherein the function library global data structure comprises at least a predefined second jump table variable;
and an absolute start address obtaining subunit, configured to calculate the sum of the symbol base address and the relative start address of the second jump table, and obtain the absolute start address of the first jump table.
Optionally, the first second-jump-table relative start address obtaining subunit includes:
a first function library global data structure relative start address obtaining subunit, configured to obtain a relative start address of the function library global data structure based on the second function library symbol table and the name of the function library global data structure;
and a second relative start address obtaining subunit, configured to obtain the relative start address of the second jump table based on the relative start address of the function library global data structure and the function library global data structure.
Optionally, the first function library global data structure relative start address obtaining subunit includes:
a partition header information obtaining subunit, configured to obtain partition header information based on format header information of the second function library symbol table;
a function symbol partition information obtaining subunit, configured to retrieve the partition header information according to preset function symbol partition characteristics and obtain function symbol partition information;
and a second function library global data structure relative start address obtaining subunit, configured to retrieve the function symbol partition information based on the name of the function library global data structure and obtain the relative start address of the function library global data structure.
Optionally, the first symbol base address obtaining subunit includes:
an address information obtaining subunit, configured to obtain an absolute start address of the first memory and program header information of the first function library symbol table;
and a second symbol base address obtaining subunit, configured to obtain the symbol base address based on the program header information and the absolute start address of the first memory.
Optionally, the second obtaining unit 602 includes:
a first offset obtaining subunit, configured to obtain a first offset of the hijacked system function pointer variable based on the data structure of the first jump table;
and an absolute address obtaining subunit, configured to calculate the sum of the absolute start address of the first jump table and the first offset, and obtain the absolute address of the hijacked system function pointer variable.
Optionally, the preset hijack function includes information for recording an operation status of the debug object and information for calling the hijacked system function.
The present disclosure obtains the absolute address of the hijacked system function pointer variable through the absolute starting address of the jump table and the data structure of the jump table, and changes the value at that absolute address in the jump table from the entry address of the hijacked system function to the entry address of a preset hijacking function. Modifying an entry address in the jump table achieves the aim of acquiring the hidden debugging information of the hijacked system function. The original high-concurrency operating environment of the system is preserved while the original functions are kept, and the operating stability, safety and reliability of the system are guaranteed. The debugging requirement for the hijacked system function in a high-concurrency environment is met while the running condition of the hijacked system function is monitored.
The present disclosure provides a third embodiment, namely an electronic device for the function hijacking method, the electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the function hijacking method as described in the first embodiment.
The present disclosure provides a fourth embodiment, namely a computer storage medium storing computer-executable instructions that can execute the function hijacking method as described in the first embodiment.
Referring now to FIG. 7, shown is a schematic diagram of an electronic device suitable for use in implementing embodiments of the present disclosure. The terminal device in the embodiments of the present disclosure may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle terminal (e.g., a car navigation terminal), and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, the electronic device may include a processing device (e.g., central processing unit, graphics processor, etc.) 701, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage device 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the electronic apparatus are also stored. The processing device 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
Generally, the following devices may be connected to the I/O interface 705: input devices 706 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 707 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 708 including, for example, magnetic tape, hard disk, etc.; and a communication device 709. The communication device 709 may allow the electronic device to communicate wirelessly or by wire with other devices to exchange data. While fig. 7 illustrates an electronic device having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via the communication means 709, or may be installed from the storage means 708, or may be installed from the ROM 702. The computer program, when executed by the processing device 701, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The name of a unit does not, in some cases, constitute a limitation on the unit itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments in which any combination of the features described above or their equivalents does not depart from the spirit of the disclosure. For example, a technical solution may be formed by replacing the above features with (but not limited to) features having similar functions disclosed in this disclosure.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (10)

1. A method for function hijacking, comprising:
acquiring an absolute starting address of a first jump table in a first memory; the first memory comprises a memory occupied by a first function library symbol table after a function library symbol table file is loaded, the function library symbol table at least comprises a jump table, the jump table is a predefined data structure, the data structure of the jump table at least comprises a predefined hijacked system function pointer variable, and the value of the absolute address of the hijacked system function pointer variable is the entry address of the hijacked system function;
acquiring an absolute address of a pointer variable of the hijacked system function based on an absolute starting address of the first jump table and a data structure of the first jump table;
and writing the entry address of a preset hijack function into the absolute address of the pointer variable of the hijacked system function.
2. The method according to claim 1, wherein said obtaining an absolute start address of a first jump table in the first memory comprises:
acquiring a symbol base address of the symbol table of the first function library; the symbol base address is an absolute address;
mapping the function library symbol table file to a second memory to obtain a second function library symbol table;
acquiring a relative starting address of the second jump table based on the second function library symbol table and a predefined function library global data structure; wherein the function library global data structure comprises at least a predefined second jump table variable;
and calculating the sum of the symbol base address and the relative starting address of the second jump table to obtain the absolute starting address of the first jump table.
3. The function hijacking method according to claim 2, wherein said obtaining a relative starting address of the second jump table based on the second function library symbol table and a predefined function library global data structure comprises:
acquiring a relative initial address of the function library global data structure based on the second function library symbol table and the name of the function library global data structure;
and acquiring the relative starting address of the second jump table based on the relative starting address of the function library global data structure and the function library global data structure.
4. The function hijacking method according to claim 3, wherein said obtaining the relative starting address of the function library global data structure based on the second function library symbol table and the name of the function library global data structure comprises:
acquiring partition header information based on format header information of the second function library symbol table;
retrieving the partition header information according to the partition characteristics of the preset function symbols to obtain the partition information of the function symbols;
and retrieving the function symbol partition information based on the name of the global data structure of the function library to obtain a relative initial address of the global data structure of the function library.
5. The function hijacking method according to claim 2, wherein said obtaining the symbol base address of the first function library symbol table comprises:
acquiring an absolute initial address of the first memory and program header information of the symbol table of the first function library;
and acquiring the symbol base address based on the program header information and the absolute starting address of the first memory.
6. The function hijacking method according to claim 1, wherein said obtaining the absolute address of the hijacked system function pointer variable based on the absolute start address of the first jump table and the data structure of the first jump table comprises:
acquiring a first offset of a pointer variable of the hijacked system function based on a data structure of the first jump table;
and calculating the sum of the absolute starting address of the first jump table and the first offset to obtain the absolute address of the hijacked system function pointer variable.
7. The method according to claim 1, wherein the predetermined hijacking function includes information for recording the running status of the debugging object and information for calling the hijacked system function.
8. A function hijacking device, comprising:
the first obtaining unit is used for obtaining an absolute starting address of a first jump table in a first memory; the first memory comprises a memory occupied by a first function library symbol table after a function library symbol table file is loaded, the function library symbol table at least comprises a jump table, the jump table is a predefined data structure, the data structure of the jump table at least comprises a predefined hijacked system function pointer variable, and the value of the absolute address of the hijacked system function pointer variable is the entry address of the hijacked system function;
a second obtaining unit, configured to obtain an absolute address of the hijacked system function pointer variable based on an absolute start address of the first jump table and a data structure of the first jump table;
and the hijacking unit is used for writing the entry address of a preset hijacking function into the absolute address of the pointer variable of the hijacked system function.
9. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements a function hijacking method as claimed in any one of claims 1 to 7.
10. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a function hijacking method as claimed in any one of claims 1 to 7.
CN202011185857.7A 2020-10-29 2020-10-29 Function hijacking method, device, medium and electronic equipment Pending CN112306683A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011185857.7A CN112306683A (en) 2020-10-29 2020-10-29 Function hijacking method, device, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011185857.7A CN112306683A (en) 2020-10-29 2020-10-29 Function hijacking method, device, medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN112306683A true CN112306683A (en) 2021-02-02

Family

ID=74332287

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011185857.7A Pending CN112306683A (en) 2020-10-29 2020-10-29 Function hijacking method, device, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112306683A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114416219A (en) * 2021-12-31 2022-04-29 北京五八信息技术有限公司 System function calling method and device, electronic equipment and readable medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100287536A1 (en) * 2009-05-07 2010-11-11 International Business Machiness Corporation Profiling application performance according to data structure
CN104699503A (en) * 2015-02-28 2015-06-10 深圳市同洲电子股份有限公司 Method and device for replacing function execution logic in Android system
CN106326745A (en) * 2016-08-22 2017-01-11 浪潮电子信息产业股份有限公司 Method for preventing system calling hijacking in Linux system
CN108415739A (en) * 2018-02-28 2018-08-17 腾讯科技(深圳)有限公司 A kind of the hook method, apparatus and storage medium of Dynamic Link Library Function
CN110059477A (en) * 2019-03-14 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination