CN103677770B - Instruction recombination method and device - Google Patents

Publication number
CN103677770B
Authority
CN
China
Prior art keywords
instruction
address
fragment
jump
machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201210327202.8A
Other languages
Chinese (zh)
Other versions
CN103677770A (en
Inventor
汪家祥
杨潇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
The safe and sound Information Technology Co., Ltd in sky in Beijing
Original Assignee
Zhongtian Aetna (beijing) Information Technology Co Ltd
Application filed by Zhongtian Aetna (beijing) Information Technology Co Ltd filed Critical Zhongtian Aetna (beijing) Information Technology Co Ltd
Priority to CN201210327202.8A priority Critical patent/CN103677770B/en
Publication of CN103677770A publication Critical patent/CN103677770A/en
Publication of CN103677770B publication Critical patent/CN103677770B/en

Abstract

The present invention provides a runtime instruction recombination method, comprising: step 1, caching the instruction execution environment; step 2, reading a destination address from a first storage location and obtaining the machine instruction fragment to be scheduled according to the destination address, the last instruction of the machine instruction fragment to be scheduled being a first jump instruction; step 3, saving the destination address of the first jump instruction in the first storage location; step 4, replacing the first jump instruction with a second jump instruction to generate a recombined instruction fragment having a second address, the second jump instruction pointing to the entry address of the instruction recombination platform; and step 5, restoring the instruction execution environment and jumping to the second address to continue execution.

Description

Instruction recombination method and device
Technical field
The present invention relates to the field of computer security, and in particular to an instruction recombination method and device.
Background
The existing field of electronic information security comprises three subfields: system security, data security and device security.
In the data security field, the following three technologies are generally used to ensure data security: (1) data content security technology, including data encryption/decryption and end-to-end data encryption, which ensures that data content is not read illegally during storage and transmission; (2) secure data transfer technology, including preventing illegal copying, printing or other output, which ensures the security of data during use and transfer; (3) network blocking technology, including physical network isolation and setting up network barriers.
According to related analyses, the effective detection capability against all current threats to computers is at most about 50%. Because the above technologies are insufficient when dealing with kernel-level viruses, Trojans, operating system vulnerabilities, system backdoors and human-caused leaks, malicious code may in fact exist on any computing device (such as a computer or handheld communication device). Once malicious code enters the terminal system, the encryption, anti-copy and network blocking technologies above lose their effect. Existing hacking techniques can use system vulnerabilities or system backdoors to penetrate these security technologies, implant malicious code, and use the malicious code to obtain user data. The above technologies are even less able to guard against active or passive leaks by personnel who handle classified information. For example, an insider can carry a storage device, download the required data from the internal network or a terminal and take the storage device away, causing an internal leak; or an insider can simply take the computing device away.
In summary, anti-copy technology cannot guarantee that classified information is not illegally stored on a terminal, and network filtering cannot ensure that classified information is not lost. Personnel handling classified information can cause leaks through malicious code or malicious tools, and leaks can also result from loss of control over classified devices or storage media.
Summary of the invention
The present invention provides an instruction recombination method and device that capture and recombine instructions at runtime.
According to one aspect of the invention, a runtime instruction recombination method is provided, comprising:
Step 1, caching the instruction execution environment;
Step 2, reading a destination address from a first storage location and obtaining the machine instruction fragment to be scheduled according to the destination address; the last instruction of the machine instruction fragment to be scheduled is a first jump instruction;
Step 3, saving the destination address of the first jump instruction in the first storage location;
Step 4, replacing the first jump instruction with a second jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform; and
Step 5, restoring the instruction execution environment and jumping to the second address to continue execution.
Optionally, in step 2, obtaining the instruction fragment to be scheduled according to the destination address comprises:
starting from the destination address, obtaining a section of machine instructions to be scheduled and disassembling it;
checking whether the disassembly result contains a jump instruction and, if not, continuing to obtain the next section of machine instructions to be scheduled until a jump instruction is matched, this jump instruction being the first jump instruction; the first jump instruction and all instructions before it form the instruction fragment to be scheduled.
Optionally, between step 4 and step 5, the method further comprises:
generating the corresponding machine code from the generated recombined assembly code by means of an assembler.
Optionally, between step 1 and step 2, the method further comprises:
reading the destination address from the first storage location and using it to look up an address correspondence table; the address correspondence table indicates whether the machine instruction fragment to be scheduled already has a saved recombined instruction fragment;
if a corresponding record is found, restoring the instruction execution environment and jumping to the saved address in the record to continue execution.
Optionally, if no corresponding record is found in the address correspondence table, the method further comprises, after step 4:
creating a record in the address correspondence table from the address of the recombined instruction fragment and the destination address.
Optionally, before step 4, the method further comprises:
parsing the machine instruction fragment to be scheduled and matching it against an instruction set to obtain the target machine instruction to be processed;
modifying the target machine instruction in a predetermined manner.
Optionally, the target instruction is a store/read instruction;
modifying the target machine instruction in a predetermined manner comprises: changing the store and read addresses therein to addresses on a safe storage device.
Optionally, the target instruction is an I/O instruction;
modifying the target machine instruction in a predetermined manner comprises: blocking all input instructions among the I/O instructions.
Optionally, the target instruction is a network transmission instruction;
modifying the target machine instruction in a predetermined manner comprises: checking whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address (i.e. an address to which access is allowed); if not, blocking the network transmission instruction.
According to a further aspect of the present invention, a computer-readable medium is provided which stores computer-executable program code for performing the steps of the above method.
According to another aspect of the present invention, a runtime instruction recombination device is provided, comprising:
an instruction execution environment caching and restoring unit, adapted to cache and restore the instruction execution environment;
a first storage location, adapted to hold a destination address;
an instruction acquisition unit, coupled to the instruction execution environment caching and restoring unit, adapted to read the destination address from the first storage location and to obtain the machine instruction fragment to be scheduled according to the destination address; the last instruction of the machine instruction fragment to be scheduled is a first jump instruction; and
an instruction recombination unit, coupled to the instruction execution environment caching and restoring unit, adapted to save the destination address of the first jump instruction in the first storage location, and further adapted to replace the first jump instruction with a second jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the device.
Optionally, the runtime instruction recombination device further comprises:
an instruction retrieval unit, adapted to use the destination address to look up an address correspondence table; the address correspondence table indicates whether the machine instruction fragment to be scheduled already has a saved recombined instruction fragment;
if a corresponding record is found, the instruction retrieval unit is further adapted to call the instruction execution environment caching and restoring unit to restore the instruction execution environment, and to jump to the saved address in the record to continue execution;
if no corresponding record is found, the instruction retrieval unit is further adapted to create a record in the address correspondence table from the address of the recombined instruction fragment and the destination address.
Optionally, the instruction recombination unit further comprises:
an instruction parsing unit, adapted to match the machine instruction fragment to be scheduled against an instruction set to obtain the target machine instruction to be processed;
an instruction modification unit, adapted to modify the target machine instruction in a predetermined manner.
Optionally, the target instruction is a store/read instruction;
the instruction modification unit is adapted to change the store and read addresses therein to addresses on a safe storage device.
Optionally, the target instruction is an I/O instruction;
the instruction modification unit is adapted to block all input instructions among the I/O instructions.
Optionally, the target instruction is a network transmission instruction;
the instruction modification unit is adapted to check whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if not, the instruction modification unit is adapted to block the network transmission instruction.
Optionally, the instruction recombination unit further comprises:
a disassembly unit, adapted to disassemble the machine instruction fragment to be scheduled before the instruction parsing unit parses it, generating an assembly instruction fragment to be scheduled;
an assembly unit, adapted to assemble the recombined assembly instruction fragment to obtain the recombined instruction fragment in machine code.
The method and device provided by the present invention can capture and recombine instructions at runtime. In addition, after the instruction fragment to be scheduled has been obtained, the machine instructions in it can be analyzed and processed, so that the invention not only captures and recombines instructions at runtime but also manages predetermined target instructions.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system layers of a computing device in the prior art;
Fig. 2 is a flow chart of the runtime instruction recombination method provided in one embodiment of the invention;
Fig. 3 is a schematic diagram of the generation of the recombined instruction fragment provided in one embodiment of the invention;
Fig. 4 is a flow chart of step S102 of Fig. 2 as provided in another embodiment of the invention;
Fig. 5 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which uses an address correspondence table to save instruction fragments that have already been recombined;
Fig. 6 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which sets aside a separate storage location to hold the destination address of the first jump instruction;
Fig. 7 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which performs disassembly and assembly for variable-length instruction sets;
Fig. 8 is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which replaces or records the first jump instruction with a push instruction;
Fig. 9a is a flow chart of the runtime instruction recombination method provided in another embodiment of the invention, which combines features of several of the preceding embodiments;
Figs. 9b-9d are schematic diagrams of the operation of the runtime instruction recombination method of Fig. 9a when run on an X86 processor;
Fig. 10 is a structural diagram of the runtime instruction recombination device provided in one embodiment of the invention;
Fig. 11 is a structural diagram of the runtime instruction recombination device provided in another embodiment of the invention;
Fig. 12 is a structural diagram of the instruction recombination unit provided in another embodiment of the invention;
Fig. 13 is a structural diagram of the runtime instruction recombination device provided in another embodiment of the invention;
Fig. 14 is a structural diagram of the runtime instruction recombination device provided in another embodiment of the invention.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here only explain the invention and do not limit it.
Analysis
Fig. 1 is a schematic diagram of the system layers of a computing device in the prior art. From top to bottom, the computing device comprises: user interface layer 101, application layer 102, operating system kernel layer 103, hardware mapping layer 104 and hardware layer 105.
The user interface layer 101 is the interface between the user and the device; through this layer the user interacts with the device (i.e. with the other layers of the device, such as the application layer 102). The application layer 102 is the application software layer.
The operating system kernel layer 103 is a software-based logical layer, generally made up of software data and software code. Compared with the interface layer 101 and the application layer 102, the code of the operating system kernel layer 103 has higher privileges and can perform any operation on the software and hardware resources of the computer system.
The hardware mapping layer 104 is a software-based logical layer that generally works within the operating system kernel layer and has the same privileges as the kernel layer. Its main purpose is to map the operating modes of different types of hardware onto one unified upper-level interface, hiding the particularities of the hardware from the layers above. In general, the hardware mapping layer is mainly used by the operating system kernel layer 103 to carry out operations on the various hardware.
The hardware layer 105 comprises all the hardware components that make up the computer system.
The user operates the computing device through the user interface layer 101 (i.e. the user interface in the user interface layer 101) and obtains graphical or non-graphical feedback. Taking the operation of saving data as an example, the process is:
(1) the user selects the "Save" function through the user interface 101 provided by an application;
(2) the application layer 102 calls the corresponding code and converts the user operation into one or more interface functions provided by the operating system; that is, the "Save" operation becomes a series of calls to interface functions provided by the operating system kernel layer 103;
(3) the operating system kernel layer 103 converts each operating system interface function into one or more interface functions provided by the hardware mapping layer 104; that is, the "Save" operation becomes a series of calls to interface functions provided by the hardware mapping layer 104;
(4) the hardware mapping layer 104 converts each interface function it provides into one or more hardware instruction calls; finally,
(5) the hardware layer 105 (such as the CPU) receives the hardware instruction calls and executes the hardware instructions.
Once such a computing device has been compromised by malicious code, the malicious code can obtain the data it wants from the device. After stealing the data, its behavior patterns include:
(1) storage behavior: saving the target data content to some storage location;
(2) transmission behavior: sending the stolen data directly over the network to a specified destination address.
In addition, the behavior patterns of insider leaks by personnel who use the computing device or information equipment include:
(1) active leaks: personnel handling classified information obtain confidential data directly by actively copying it, penetrating the security system with malicious tools, planting Trojans and similar means, and leak it;
(2) passive leaks: leaks caused when a computer or storage medium used by personnel handling classified information is lost through poor safekeeping or is used improperly (for example, connecting a classified device directly to the Internet).
These leak paths mean that the security of the data on the computing device cannot be guaranteed.
The inventors have found through research that, while a computer is running, the CPU address register holds the address of the next machine instruction to be run, for example the address pointed to by the pc (program counter). By obtaining the data in this register and reading the next one or more machine instructions to be run from the address it points to, machine instructions can be captured at runtime.
Further, the to-be-scheduled instruction fragment formed by the one or more machine instructions can be modified (for example, by inserting an additional jump instruction into it, referred to herein as instruction recombination) so that CPU execution control is regained before the fragment finishes running and the next to-be-scheduled instruction fragment is then captured. In this way machine instructions can be captured continuously at runtime.
Further, after the instruction fragment to be scheduled has been obtained, the machine instructions in it can also be analyzed and processed, so that instructions are not only captured and recombined at runtime but predetermined target instructions can also be managed.
Instruction recombination or instruction tracing
Based on the above analysis and findings, one embodiment of the present invention provides a runtime instruction recombination method, referred to as the runtime instruction recombination platform. As shown in Fig. 2, the method S100 comprises:
S101, caching the instruction execution environment; the instruction execution environment includes an address register, which holds the address of the next machine instruction to be run; this address is the first address;
S102, obtaining the machine instruction fragment to be scheduled; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
S103, inserting a second jump instruction before the first jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform, i.e. step S101 is performed after the second jump instruction is executed;
S104, changing the first address in the address register to the second address; and
S105, restoring the instruction execution environment.
In this embodiment, the runtime instruction recombination method is executed on a CPU of the X86 architecture; in other embodiments of the invention, it can also be executed on a MIPS processor or a processor based on the ARM architecture. Those of ordinary skill in the art will understand that the method can be executed on any other type of instruction processing unit in a computing device.
In step S101, caching the instruction execution environment may comprise:
pushing the register data related to the CPU's machine instruction execution onto a cache stack.
In other embodiments of the invention, the instruction execution environment can also be cached or saved in other specified or default cache data structures and addresses.
In step S101, the address register may be the CPU address register.
In step S102, the last instruction in the machine instruction fragment to be scheduled is the first jump instruction, and the fragment contains only one jump instruction; the fragment comprises the first jump instruction and all to-be-scheduled machine instructions before it.
In step S103, a second jump instruction JP2 is inserted before the last instruction of the machine instruction fragment to be scheduled (i.e. the first jump instruction JP1); JP2 points to the entry address of the instruction recombination platform, and a recombined instruction fragment having the second address A" is generated.
The second jump instruction is inserted so that, when the CPU runs the machine instruction fragment to be scheduled, the instruction recombination platform starts running again before JP1 runs. The platform can then go on to analyze the next machine instruction fragment to be scheduled, and by repeating this method the recombination of all runtime instructions is completed.
In step S105, restoring the instruction execution environment may comprise:
popping the register data related to instruction execution from the cache stack; the jump destination address held in the address register has by then been changed to point to the new machine instruction fragment whose entry address is the second address A".
After step S105 has been performed, the instruction execution environment has been restored and the instruction recombination platform has completed one run; the CPU executes the recombined instruction fragment, i.e. the machine instruction fragment whose entry address is the second address A". When the recombined instruction fragment reaches the second jump instruction JP2, the instruction recombination platform regains control of the CPU (i.e. step S101 is performed). At this point the destination address of the first jump instruction has been obtained; this destination address is the new first address, and steps S101 to S105 are then executed again.
The instruction recombination process and the generation of the recombined instruction fragment are further explained below with reference to Fig. 3.
Fig. 3 includes a set 401 of machine instructions to be scheduled (for example, the machine instructions of a program already loaded into memory), in which instruction 4012 is the first jump instruction. If the destination address of instruction 4012 is a variable, it is assumed for now that instruction 4012 points to machine instruction 4013. All the to-be-scheduled machine instructions before the first jump instruction 4012, together with the first jump instruction 4012 itself, make up machine instruction fragment 4011.
After the instruction recombination method starts running (instruction recombination platform 411), it first caches the instruction execution environment and then obtains (for example, copies) machine instruction fragment 4011. The platform inserts a second jump instruction 4113 before the first jump instruction 4012; the second jump instruction 4113 points to the instruction recombination platform 411 itself. This generates the recombined instruction fragment 4111, whose address is A". The value A of the address register in the cached instruction execution environment is changed to address A", and finally the instruction execution environment is restored.
After the instruction recombination platform 411 finishes running, the CPU executes the recombined instruction fragment at address A". When execution reaches the second jump instruction 4113, the instruction recombination platform 411 regains control of the CPU. At this point the destination address 4013 of the first jump instruction 4012 has been generated; this destination address is the new first address, and the platform starts executing steps S101 to S105 again according to it, continuing to analyze the subsequent machine instructions to be scheduled and thereby completing the runtime instruction recombination method.
According to a further embodiment of the invention, as shown in Fig. 4, obtaining the machine instruction fragment to be scheduled in step S102 may comprise:
S1021, reading the address of the machine instruction to be scheduled from the address register (such as the CPU address register);
S1022, with jump instructions as the search target, searching the machine instruction pointed to by that address and the instructions following it until the first jump instruction is found (referred to as the first jump instruction); a jump instruction is a machine instruction that can change the sequential execution flow of machine instructions, including Jump instructions, Call instructions, Return instructions and so on;
S1023, taking the first jump instruction and all to-be-scheduled machine instructions before it as one machine instruction fragment to be scheduled; this fragment is saved in the instruction recombination platform or in another storage location that the instruction recombination platform can read.
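The loop S101-S105 with fragment acquisition S1021-S1023, as an added example that is not code from the patent: a toy simulation in C that goes slightly beyond this passage by also including the address correspondence table and the store-address redirection described in the Summary. The instruction set, the use of `TRAP` as the second jump instruction, `SAFE_BASE`, the sample program and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy instruction set, constructed for this example (not from the patent). */
enum op { ADD, STORE, JMP, JNZ, HALT, TRAP };
struct insn { enum op op; int arg; };
struct cpu  { int acc, pc; int mem[32]; };

#define SAFE_BASE 16            /* assumed "safe storage" region: mem[16..31] */
#define PROG_MAX  64

static struct insn cache[256];  /* recombined instruction fragments */
static int cache_len;
static int table[PROG_MAX];     /* address correspondence table: A -> A"+1, 0 = no record */
static int fragments_built, table_hits;

/* Constructed sample program: one store, a countdown loop, a final store. */
static const struct insn demo_prog[] = {
    {ADD, 3},  {STORE, 2}, {JMP, 3},    /* 0..2 */
    {ADD, -1}, {STORE, 5}, {JNZ, 3},    /* 3..5: loop while acc != 0 */
    {ADD, 7},  {STORE, 7}, {HALT, 0},   /* 6..8 */
};

static int is_jump(enum op op) { return op == JMP || op == JNZ || op == HALT; }

/* S102/S103: copy instructions from first address a up to the first jump (JP1),
 * rewrite target instructions, and insert TRAP (JP2) before JP1.
 * Returns the second address A" of the recombined fragment. */
static int recombine(const struct insn *prog, int a)
{
    int second = cache_len;
    for (;; a++) {
        struct insn i = prog[a];
        if (i.op == STORE && i.arg < SAFE_BASE)
            i.arg += SAFE_BASE;              /* redirect store into safe storage */
        if (is_jump(i.op))                   /* TRAP arg = fall-through address of JP1 */
            cache[cache_len++] = (struct insn){TRAP, a + 1};
        cache[cache_len++] = i;
        if (is_jump(i.op))
            return second;
    }
}

/* The platform. The toy keeps platform state outside struct cpu, so caching
 * and restoring the execution environment (S101/S105) is implicit. */
static void run_platform(const struct insn *prog, struct cpu *c)
{
    int first = 0;                           /* first address A */
    for (;;) {
        int second;
        if (table[first]) {                  /* record found: reuse saved fragment */
            second = table[first] - 1;
            table_hits++;
        } else {                             /* no record: recombine and add one */
            second = recombine(prog, first);
            table[first] = second + 1;
            fragments_built++;
        }
        c->pc = second;                      /* S104: address register := A" */
        while (cache[c->pc].op != TRAP) {    /* "CPU" runs the recombined fragment */
            struct insn i = cache[c->pc++];
            if (i.op == ADD) c->acc += i.arg;
            else             c->mem[i.arg] = c->acc;   /* STORE */
        }
        /* JP2 reached: the platform has control again and resolves JP1's target. */
        struct insn jp1 = cache[c->pc + 1];
        if (jp1.op == HALT)
            return;
        first = (jp1.op == JMP || c->acc != 0) ? jp1.arg : cache[c->pc].arg;
    }
}

int main(void)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    run_platform(demo_prog, &c);
    printf("built=%d hits=%d mem[18]=%d mem[23]=%d mem[2]=%d\n",
           fragments_built, table_hits, c.mem[18], c.mem[23], c.mem[2]);
    return 0;
}
```

The loop body at address 3 is recombined once and then served from the table on each later iteration, and no store ever reaches the original addresses below `SAFE_BASE`.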
In other embodiments of the invention, the machine instruction fragment to be scheduled can also be obtained with non-jump instructions (such as write instructions, read instructions and so on) as the search target, cutting the machine instruction fragment further. In such embodiments it must still be ensured that the instruction recombination platform can obtain CPU control or execution rights after the to-be-scheduled jump instruction is executed, so jump instructions are needed as a second search target; this yields machine instruction fragments of smaller granularity.
According to a further embodiment of the invention, between steps S102 and S103, the runtime instruction recombination method may further comprise:
matching the machine instruction fragment to be scheduled against an instruction set to obtain the target machine instruction; the instruction set includes the X86, MIPS and ARM instruction sets; and
modifying the target machine instruction in a predetermined manner.
In this way, not only can instructions be monitored at runtime, but other processing can also be carried out; the related embodiments are described in detail later.
Further, to improve the efficiency of the instruction recombination method, the to-be-scheduled instructions pointed to by fixed-address jump instructions can be obtained together at the same time.
According to a further embodiment of the invention, a runtime instruction recombination method is provided. The method S300 comprises:
S301, caching the instruction execution environment; the instruction execution environment includes an address register, which holds the address of the next machine instruction to be run; this address is the first address;
S302, obtaining the machine instruction fragment to be scheduled; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
S303, inserting a second jump instruction before the first jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform, i.e. step S301 is performed after the second jump instruction is executed;
S304, changing the first address in the address register to the second address;
S305, restoring the instruction execution environment.
Compared with the method provided in the previous embodiment, the difference is that in step S302 the machine instruction fragment to be scheduled can include multiple jump instructions, of which only one is a parameter-address jump instruction, referred to as the first jump instruction.
It should be noted that jump instructions fall into two classes: parameter-address jump instructions and constant-address jump instructions. The jump address of a constant-address jump instruction is a constant (i.e. an immediate value), whereas the parameter address in a parameter-address jump instruction is generally computed by a machine instruction preceding the jump instruction.
Similarly, the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; the fragment comprises the first jump instruction and all to-be-scheduled machine instructions before it.
Further, owing to the machine instruction generated in program operation process has the highest repeatability, in order to improve The efficiency of instruction recombination method, saves the calculating resource (cpu resource) of calculating equipment, it is possible to use a small amount of memory space is protected Deposit restructuring instruction fragment.
According to a further embodiment of the invention, a runtime instruction recombination method is provided. As shown in Figure 5, the method S200 includes:
S201, cache the instruction running environment; the instruction running environment includes an address register (for example, the CPU address register) (in general, the instruction running environment means all the registers of the CPU, including general-purpose registers, status registers, address registers and so on); the address register holds the address of the next machine instruction to be run, and this address is the first address;
S202, look up the address correspondence table using the first address; the address correspondence table indicates whether the instruction fragment to be scheduled that the first address A points to already has a saved recombined instruction fragment, and its entries are address pairs;
S203, if a corresponding record is found, change the first address A (i.e., the value A of the address register) to the address A′ of the saved recombined instruction fragment;
S204, if no corresponding record is found, obtain the machine instruction fragment to be scheduled, wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
S205, insert a second jump instruction before the first jump instruction, generating a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform, that is, after the second jump instruction is executed, step S201 is performed;
S206, change the first address in the address register to the second address;
S207, restore the instruction running environment.
Further, step S206 also includes: using the second address A″ and the first address A, create an address pair (or a record) in the address correspondence table. The recombined instruction fragment with address A″ is stored in the instruction recombination platform for reuse.
By using the address correspondence table, this method saves computing resources and improves the efficiency of runtime instruction recombination.
The above recombination methods generally work by inserting the required jump instruction into the instruction fragment to be scheduled; in other embodiments of the invention, the recombined instruction fragment can also be generated in other ways, as described in detail below with reference to embodiments.
According to a further embodiment of the invention, an instruction recombination method is provided in which a separate storage location is set aside to save the destination address of the first jump instruction. As shown in Figure 6, the method S110 includes:
S111, cache the instruction running environment;
S112, read the destination address from the first storage location, and obtain the machine instruction fragment to be scheduled (i.e., to be executed) according to the destination address, wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
S113, save the destination address of the first jump instruction in the first storage location;
S114, replace the first jump instruction with a second jump instruction, generating a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform, that is, after the second jump instruction is executed, step S111 is performed;
S115, restore the instruction running environment and jump to the second address to continue execution.
In step S112, obtaining the machine instruction fragment to be scheduled may include:
S1121, with jump instructions as the search target, search the machine instruction that the machine instruction address points to and the instructions that follow it, until the first jump instruction is found (referred to as the first jump instruction);
A jump instruction is a machine instruction that can change the sequential execution flow of machine instructions, including Jump instructions, Call instructions, Return instructions and so on;
S1122, take the first jump instruction and all the machine instructions to be scheduled before it as one machine instruction fragment to be scheduled; this fragment is saved in the instruction recombination platform, or in another storage location that the instruction recombination platform can read.
In step S113, the destination address is the destination-address parameter of the jump instruction. It can be an immediate or a variable parameter: for an immediate, its value is saved; for a variable parameter, its address/reference is saved. By the time the processor is about to execute a jump instruction, its jump target address has already been computed.
According to a further embodiment of the invention, an instruction recombination method is provided that performs disassembly and assembly for a non-fixed-length instruction set. As shown in Figure 7, the method includes:
S121, cache the instruction running environment;
S122, read the destination address from the first storage location, and obtain the instruction fragment to be scheduled according to the destination address:
Starting from the destination address, obtain a segment of machine instructions to be scheduled, disassemble it, and pass the disassembly result through a lexical analyzer to match whether it contains a jump instruction. If it does not, obtain the next segment of machine instructions to be scheduled and repeat the above operations until a jump instruction is matched. This jump instruction is the first jump instruction; the first jump instruction and all the instructions before it form the instruction fragment to be scheduled;
S123, save the destination address of the first jump instruction in the first storage location;
S124, replace the first jump instruction with a second jump instruction, generating a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform; in this embodiment, the first jump instruction and the second jump instruction are both assembly instructions;
S125, convert the generated recombined assembly code into the corresponding machine code with an assembler; and
S126, restore the instruction running environment and jump to the second address to continue execution.
According to a further embodiment of the invention, an instruction recombination method is provided in which a push instruction is used to replace or record the first jump instruction. As shown in Figure 8, the method S130 includes:
S131, cache the instruction running environment;
S132, obtain the address and parameters of the jump instruction saved on the stack, and compute the address of the next instruction to be run; this address is the first address;
S133, obtain the machine instruction fragment to be scheduled/executed according to the first address, wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
S134, replace the first jump instruction with a push instruction; the push instruction records the address and operand of the first jump instruction;
S135, add a second jump instruction after the push instruction, generating a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform; and
S136, restore the instruction running environment and jump to the second address to continue execution.
Those skilled in the art will understand that the functions or features provided in the above embodiments can be combined in a single embodiment as actually needed. The combinations are not given one by one here; only one example is given below for illustration.
According to a further embodiment of the invention, an instruction recombination method is provided. As shown in Figure 9, it includes:
(1) cache the instruction running environment, which includes the entire CPU environment and memory environment; obtain the address and parameters of the jump instruction saved on the stack, compute the address of the next instruction to be run (the zeroth address), and set the first address to the zeroth address;
(2) look up the address correspondence table (also called the address lookup table) using the first address; if a record is found, restore the cached instruction running environment and jump to the corresponding address found (the address held in the address correspondence table) to continue execution;
(3) if no record is found, obtain the machine instruction fragment to be executed starting from the first address; the fragment ends with a jump instruction (the address of this jump instruction is the third address);
(4) starting from the first address, disassemble the machine code and process the disassembly result with a lexical analyzer to generate the recombined assembly code, up to the third address;
(5) determine whether the code at the third address can be processed further, that is, whether the destination address of the jump instruction at the third address is a known quantity (for example, an immediate); if it can, set the first address to the third address (or to the destination address of the third address) and restart from (3);
(6) if it cannot, append to the end of the generated recombined assembly code a push instruction that records the original address (i.e., the value of the third address) and the operand of the current third address, and after the push instruction add an instruction that jumps to the start of the recombination platform, so that step (1) starts executing again;
(7) convert the generated recombined assembly code into the corresponding machine code with an assembler, store it at the address allocated in the recombination address space (the second address), and store the second address and the zeroth address in the address correspondence table as a corresponding address pair;
(8) restore the environment and jump to the second address to continue execution.
For ease of understanding, the method of this embodiment is illustrated running on an X86-family processor. With reference to Figures 9b-9d, an example instruction recombination process is as follows:
(1) After the recombination platform starts working, it first caches the current instruction running environment; it obtains the address and parameters of the jump instruction saved on the stack and computes the address of the next instruction to be run; this address is the first address.
(2) Look up the address correspondence table using the first address; if a record is found, restore the cached instruction running environment and jump to the corresponding address found to continue execution (Fig. 9b); if no record is found, proceed as follows (Fig. 9c).
(3)-(6) Starting from the first address, disassemble the machine code and process the disassembly result with a lexical analyzer to generate the recombined code;
Search this segment of assembly code to check whether it contains a jump instruction;
Analyze the first jump instruction found to determine whether its jump target address is a known quantity; if it is, keep searching until the first parameter-address jump instruction is found, referred to as the first jump instruction; the address of this instruction is the third address;
At the end of the generated assembly code (the machine instructions from the first address to the third address, not including the first jump instruction), add a push instruction that records the original address and operand of the first jump at the current third address;
After the push instruction, add an instruction that jumps to the start of the recombination platform (the second jump instruction).
(7) Convert the generated assembly code into the corresponding machine code with an assembler, and store it at the address allocated in the recombination address space (the second address);
Store the second address and the zeroth address in the address correspondence table as a corresponding address pair.
(8) Restore the environment and jump to the second address to continue execution.
(Fig. 9d) The processor starts executing the instructions at the second address. The jump instruction in the earlier instruction fragment to be recombined has been replaced with a push instruction and an instruction that jumps back to the recombination platform; the main purpose of the push instruction is to supply input parameters to the recombination platform. (Fig. 9d) When the second jump instruction is executed, the recombination platform regains execution and performs step (1) above: by examining the address and parameters of the jump instruction saved by the push instruction, it computes the address of the next instruction to be run; this address is the first address.
The subsequent processing is a repetition of the above process.
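The loop of steps (1)-(8) can be traced on a toy machine. The following is an added example, not code from the patent: the tuple-based instruction set, the register names, the sample program and the slot addresses (0x1000, 0x1100, ...) are all constructed assumptions, and fragments are kept as lists instead of being assembled to machine code.

```python
# Toy model of the Fig. 9 loop. Instruction set, program and slot addresses
# are constructed for illustration; they do not come from the patent.
PROGRAM = {                         # original address -> instruction
    0: ("MOV", "r0", 3),            # loop counter
    1: ("MOV", "r2", 0),            # accumulator
    2: ("JMP", 4),                  # constant-address jump (target is an immediate)
    4: ("ADD", "r2", 5),
    5: ("ADD", "r0", -1),
    6: ("SEL", "r1", "r0", 4, 8),   # r1 = 4 if r0 != 0 else 8 (computes the target)
    7: ("JMPR", "r1"),              # parameter-address jump
    8: ("HALT",),
}


class Platform:
    def __init__(self, program):
        self.program = program
        self.table = {}         # address correspondence table: first -> second address
        self.fragments = {}     # recombination address space: second address -> fragment
        self.next_slot = 0x1000
        self.hits = 0
        self.dispatched = []    # every first address the platform saw (the monitoring hook)

    def build_fragment(self, first):
        """Steps (3)-(7): copy instructions up to the first parameter-address jump."""
        out, addr, seen = [], first, set()
        while True:
            seen.add(addr)
            ins = self.program[addr]
            op = ins[0]
            if op == "JMP":                 # step (5): known target, keep going
                if ins[1] in seen:          # constant-only loop: end the fragment here
                    out += [("PUSHI", ins[1]), ("JMP_PLATFORM",)]
                    break
                addr = ins[1]
            elif op == "JMPR":              # step (6): push the target, return to platform
                out += [("PUSH", ins[1]), ("JMP_PLATFORM",)]
                break
            elif op == "HALT":
                out.append(ins)
                break
            else:
                out.append(ins)
                addr += 1
        second = self.next_slot             # step (7): allocate and record the address pair
        self.next_slot += 0x100
        self.fragments[second] = out
        self.table[first] = second
        return second

    def run(self, entry):
        regs, stack = {}, [entry]
        while True:
            first = stack.pop()             # step (1): next address comes from the stack
            self.dispatched.append(first)
            second = self.table.get(first)  # step (2): table lookup
            if second is None:
                second = self.build_fragment(first)
            else:
                self.hits += 1
            for ins in self.fragments[second]:   # step (8): execute the recombined fragment
                op = ins[0]
                if op == "MOV":
                    regs[ins[1]] = ins[2]
                elif op == "ADD":
                    regs[ins[1]] += ins[2]
                elif op == "SEL":
                    regs[ins[1]] = ins[3] if regs[ins[2]] != 0 else ins[4]
                elif op == "PUSH":
                    stack.append(regs[ins[1]])
                elif op == "PUSHI":
                    stack.append(ins[1])
                elif op == "HALT":
                    return regs
                # JMP_PLATFORM needs no action: the fragment ends and step (1) runs again
```

Running `Platform(PROGRAM).run(0)` builds three fragments, and the second pass through the loop body at address 4 is served from the address correspondence table without rebuilding it.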
Further, so that runtime instruction monitoring is performed as soon as the system starts, achieving full monitoring of runtime instructions throughout the operation of the computing device, in another embodiment of the invention the load instruction executed at computer startup is modified: before the load instruction executes, the instruction recombination platform provided by the invention is called and performs the above runtime instruction recombination method. Because the jump address of the load instruction is a known fixed address, the instruction recombination platform can create the address correspondence table and its first record in advance, and create the first recombined instruction fragment.
Further, according to a further embodiment of the invention, a computer-readable medium is provided, wherein the readable medium stores computer-executable program code, and the program code is used to perform the steps of the runtime instruction recombination method provided in the above embodiments.
Further, according to a further embodiment of the invention, a computer program is provided, wherein the computer program comprises the steps of the runtime instruction recombination method provided in the above embodiments.
Instruction recombination for data safety
The above runtime instruction recombination method provides the basis for further applications. The following embodiments provide runtime instruction recombination methods that process different kinds of machine instructions, including storage/read instructions, I/O instructions and network transmission instructions:
(1) A storage/read instruction is any instruction or combination of instructions in a computer system that stores to or reads from an external storage device (including but not limited to disk, removable storage and optical storage).
(2) An I/O instruction is any instruction in a computer system that operates on the address space of a peripheral; such instructions ultimately affect the peripheral's input/output state, data, signals and so on. The I/O address space here includes but is not limited to the I/O address space and the memory-mapped I/O device address space.
(3) A network transmission instruction is any instruction in a computer system that affects a network device; such instructions ultimately affect all related properties of the computer system's network devices, such as transmission, state, data and signals.
Storage/read instructions and I/O instructions may overlap.
According to one embodiment of the invention, a runtime instruction recombination method S400 for storage/read instructions is provided, including:
S401, cache the instruction running environment; the instruction running environment includes an address register, the address register holds the address of the next machine instruction to be run, and this address is the first address;
S402, look up the address correspondence table using the first address;
S403, if a corresponding record is found, change the first address A to the address A′ of the saved recombined instruction fragment;
S404, if no corresponding record is found, generate the recombined instruction fragment as follows:
S4041, obtain the machine instruction fragment to be scheduled, wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; this is the same as step S102;
S4042, disassemble the machine instruction fragment to be scheduled to obtain an assembly instruction fragment;
S4043, search for the target assembly instruction, the target assembly instruction being a storage/read instruction;
S4044, if a storage/read instruction is found in the assembly instruction fragment, change its storage and read address to an address on the secure storage device; the change can be made by a direct mapping between the local address space and the address space of the secure storage device;
S4045, insert a second jump instruction JP2 before the first jump instruction JP1; JP2 points to the entry address of the instruction recombination platform;
S4046, assemble the modified assembly instruction fragment, generating a recombined machine instruction fragment with address A″;
S4047, using the address A″ of the recombined machine instruction fragment and the first address A, create a record (or address pair) in the address correspondence table; the recombined instruction fragment with address A″ is stored in the instruction recombination platform;
S4048, change the first address A to the second address A″;
S405, restore the instruction running environment.
In this embodiment, instruction processing is performed after the disassembly step; in other embodiments, the disassembly and the corresponding assembly steps can be omitted and the machine instructions processed directly.
In step S4044, storage and read instructions are processed by modifying their destination and source addresses, which achieves storage relocation/redirection and ensures data safety. More specific secure storage/read methods are described in later embodiments of the invention.
According to one embodiment of the invention, a runtime instruction recombination method S500 for I/O instructions is provided, including:
S501, cache the instruction running environment; the instruction running environment includes an address register, the address register holds the address of the next machine instruction to be run, and this address is the first address;
S502, look up the address correspondence table using the first address;
S503, if a corresponding record is found, change the first address A to the address A′ of the saved recombined instruction fragment;
S504, if no corresponding record is found, generate the recombined instruction fragment as follows:
S5041, obtain the machine instruction fragment to be scheduled, wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; this is the same as step S102;
S5042, disassemble the machine instruction fragment to obtain an assembly instruction fragment;
S5043, search for the target assembly instruction, the target assembly instruction being an I/O instruction;
S5044, if an I/O instruction is found in the assembly instruction fragment, block all the input instructions among the I/O instructions;
S5045, insert a second jump instruction JP2 before the first jump instruction JP1; JP2 points to the entry address of the instruction recombination platform;
S5046, assemble the modified assembly instruction fragment, generating a recombined machine instruction fragment with address A″;
S5047, using the address A″ of the recombined machine instruction fragment and the first address A, create a record (or address pair) in the address correspondence table; the recombined instruction fragment with address A″ is stored in the instruction recombination platform;
S5048, change the first address A to the second address A″;
S505, restore the instruction running environment.
In this embodiment, instruction processing is performed after the disassembly step; in other embodiments, the disassembly and the corresponding assembly steps can be omitted and the machine instructions processed directly.
In step S5044, I/O instructions are processed by blocking all the input instructions among them, so that write operations to local hardware devices are completely blocked; combined with the storage instruction processing of the previous embodiment, input instructions other than storage instructions can also be blocked, which improves the security of the data on the computing device.
According to one embodiment of the invention, a runtime instruction recombination method S600 for network transmission instructions is provided, including:
S601, cache the instruction running environment; the instruction running environment includes an address register, the address register holds the address of the next machine instruction to be run, and this address is the first address;
S602, look up the address correspondence table using the first address;
S603, if a corresponding record is found, change the first address A to the address A′ of the saved recombined instruction fragment;
S604, if no corresponding record is found, generate the recombined instruction fragment as follows:
S6041, obtain the machine instruction fragment to be scheduled, wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; this is the same as step S102;
S6042, disassemble the machine instruction fragment to be scheduled to obtain an assembly instruction fragment;
S6043, search for the target assembly instruction, the target assembly instruction being a network transmission instruction;
S6044, if a network transmission instruction is found in the assembly instruction fragment, check whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, block the network transmission instruction;
S6045, insert a second jump instruction JP2 before the first jump instruction JP1; JP2 points to the entry address of the instruction recombination platform;
S6046, assemble the modified assembly instruction fragment, generating a recombined machine instruction fragment with address A″;
S6047, using the address A″ of the recombined machine instruction fragment and the first address A, create a record (or address pair) in the address correspondence table; the recombined instruction fragment with address A″ is stored in the instruction recombination platform;
S6048, change the first address A to the second address A″;
S605, restore the instruction running environment.
In step S6044, a network transmission instruction can be blocked/refused by inserting one or more instructions into the recombined code so that the transmission instruction itself is replaced with an "instruction that cancels the current operation", or by directly replacing it with an illegal instruction, depending on the hardware.
In this embodiment, instruction processing is performed after the disassembly step; in other embodiments, the disassembly and the corresponding assembly steps can be omitted and the machine instructions processed directly.
In step S6044, network transmission instructions are processed by checking whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, the network transmission instruction is blocked, which achieves secure data transmission.
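The three rewriting rules of steps S4044, S5044 and S6044 can be combined into one pass over a disassembled fragment. The following is an added example, not code from the patent: the mnemonics (STORE, LOAD, IO_IN, SEND, CANCEL, JMP_PLATFORM), the base addresses of the direct mapping, the allowlist of secure peers and the sample fragment are all constructed assumptions, and replacing a blocked I/O instruction with CANCEL is an assumption carried over from the network case.

```python
# Constructed mnemonics, addresses and policy values for illustration only.
LOCAL_BASE = 0x0000_0000        # assumed start of the local storage address space
SECURE_BASE = 0x8000_0000       # assumed start of the secure storage device's space
SECURE_PEERS = {"10.0.0.5"}     # assumed list of secure remote addresses
JUMPS = {"JMP", "CALL", "RET"}  # instructions that end a fragment

SAMPLE = [                      # constructed fragment; the last instruction is JP1
    ("LOAD", 0x100, "r1"),
    ("ADD", "r1", 1),
    ("STORE", 0x200, "r1"),
    ("IO_IN", 0x3F8, "r1"),          # stands for the class the text calls input instructions
    ("SEND", "10.0.0.5", "r1"),      # destination on the secure list
    ("SEND", "203.0.113.9", "r1"),   # destination not on the secure list
    ("JMP", "r2"),
]


def to_secure(addr):
    """Direct mapping between the local and the secure storage address space."""
    return SECURE_BASE + (addr - LOCAL_BASE)


def recombine(fragment):
    """Return (recombined fragment, audit log) for one fragment to be scheduled."""
    if not fragment or fragment[-1][0] not in JUMPS:
        raise ValueError("fragment must end with the first jump instruction (JP1)")
    if any(ins[0] in JUMPS for ins in fragment[:-1]):
        raise ValueError("only the last instruction of a fragment may be a jump")

    out, audit = [], []
    for ins in fragment[:-1]:
        op = ins[0]
        if op in ("STORE", "LOAD"):                 # S4044: redirect storage/read
            new = (op, to_secure(ins[1]), ins[2])
            audit.append(("redirect", ins, new))
        elif op == "IO_IN":                         # S5044: block the I/O instruction
            new = ("CANCEL",)
            audit.append(("block_io", ins, new))
        elif op == "SEND" and ins[1] not in SECURE_PEERS:   # S6044: block insecure peer
            new = ("CANCEL",)
            audit.append(("block_net", ins, new))
        else:
            new = ins                               # everything else is copied unchanged
        out.append(new)

    out.append(("JMP_PLATFORM",))                   # JP2, inserted before JP1
    out.append(fragment[-1])                        # JP1 stays as the last instruction
    return out, audit
```

The audit log records each original instruction next to its replacement, which is what a reviewer needs in order to confirm that only the intended instruction classes were changed.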
The address correspondence table in the above embodiments is created and maintained by the instruction recombination platform. It can be a fixed-length array, a variable-length linked list, or any other data structure suitable for storing binary data. Preferably, its length is adjustable and the space it occupies can be released. The operation of releasing the address correspondence table can be performed at random or periodically. In some embodiments, the address correspondence table can also include a record creation time field, used when records are deleted to free space, so that records are deleted according to the length of time since they were created. In some embodiments, the address correspondence table can also include a record access count field; in the step of looking up the address correspondence table, if a record is found, the value of this field is changed; the record access count field is likewise used when records are deleted to free space, so that records are deleted according to how many times they have been accessed.
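A table with both optional fields might look as follows. This is an added example, not code from the patent: the class and method names are hypothetical, a logical clock stands in for the creation time, and the choice to delete the oldest record (policy "age") or the least-accessed record (policy "uses") is an assumption, since the text only says that deletion is based on these fields.

```python
class AddressTable:
    """Address correspondence table with creation-time and access-count fields."""

    def __init__(self, capacity, policy="age"):
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        if policy not in ("age", "uses"):
            raise ValueError("policy must be 'age' or 'uses'")
        self.capacity = capacity
        self.policy = policy
        self.records = {}   # first address -> [second address, created, uses]
        self.clock = 0      # logical clock used as the creation time

    def lookup(self, first):
        """Return the second address, or None; a hit updates the access count."""
        rec = self.records.get(first)
        if rec is None:
            return None
        rec[2] += 1
        return rec[0]

    def release_one(self):
        """Delete one record according to the policy; return the deleted pair."""
        field = 1 if self.policy == "age" else 2
        # Ties on the access count are broken by creation time (oldest first).
        victim = min(self.records,
                     key=lambda a: (self.records[a][field], self.records[a][1]))
        second = self.records.pop(victim)[0]
        return victim, second

    def insert(self, first, second):
        """Add an address pair; return the pairs deleted to make room for it."""
        released = []
        if first not in self.records:
            while len(self.records) >= self.capacity:
                released.append(self.release_one())
        self.clock += 1
        self.records[first] = [second, self.clock, 0]
        return released
```

`insert` returns the deleted address pairs so that the caller can also free the recombined fragments stored at those second addresses.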
In addition, those skilled in the art will understand that the above instruction recombination method (i.e., the runtime instruction recombination method) can be implemented in software or in hardware:
(1) if it is implemented in software, the steps of the method are stored on a computer-readable medium in the form of software code, forming a software product;
(2) if it is implemented in hardware, the steps of the method are described in hardware code (for example, Verilog) and solidified (through processes such as physical design, placement and routing, and fab tape-out) into a chip product (for example, a processor product). This is described in detail below.
Instruction recombination device
Corresponding to the above runtime instruction recombination method S100, according to one embodiment of the invention a runtime instruction recombination device is provided. As shown in Figure 10, the instruction recombination device 500 includes:
An instruction running environment caching and restoring unit 501, adapted to cache and restore the instruction running environment; the instruction running environment includes an address register, the address register holds the address of the next machine instruction to be run, and this address is the first address;
An instruction acquisition unit 502, adapted to obtain the machine instruction fragment to be scheduled after unit 501 has cached the instruction running environment, wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
An instruction recombination unit 503, adapted to parse and modify the machine instruction fragment to be scheduled, including: inserting a second jump instruction before the first jump instruction, generating a recombined instruction fragment having the second address A″; the second jump instruction points to device 500, that is, after the second jump instruction is executed, the instruction running environment caching and restoring unit 501 of device 500 performs the next round of processing; and
An address replacement unit 504, adapted to change the value of the address register in the cached instruction running environment to the address of the recombined instruction fragment.
The instruction running environment caching and restoring unit 501 is coupled to the instruction acquisition unit 502 and to the address replacement unit 504; the instruction acquisition unit 502, the instruction recombination unit 503 and the address replacement unit 504 are coupled in sequence.
Device 500 operates as follows:
First, the instruction running environment caching and restoring unit 501 caches the instruction running environment, for example by pushing the register data related to instruction execution onto a cache stack;
Then, the instruction acquisition unit 502 reads the address of the machine instruction to be scheduled from the CPU address register 511, and reads a machine instruction fragment starting from that address; the last instruction of the machine instruction fragment is a jump instruction;
For example, the instruction acquisition unit 502 reads the address of the machine instruction to be scheduled from the CPU address register 511; with jump instructions as the search target, it searches the machine instructions at that address until the first jump instruction is found; jump instructions include, for example, Jump instructions and Call instructions; the first jump instruction and all the machine instructions before it are taken as one machine instruction fragment to be scheduled; this fragment is saved in device 500, or in another storage location that device 500 can read;
Then, the instruction recombination unit 503 inserts a second jump instruction before the last instruction of the obtained machine instruction fragment; the second jump instruction points to the entry address of device 500; this generates a recombined instruction fragment with address A″;
Then, the address replacement unit 504 changes the value A of the address register in the cached instruction running environment to the address A″;
Finally, the instruction running environment caching and restoring unit 501 restores the instruction running environment, for example by popping the register data related to instruction execution from the cache stack.
Corresponding to the above runtime instruction recombination method S300, the instruction acquisition unit 502 can take the first non-constant-address jump instruction as the first jump instruction, to improve the execution efficiency of the recombination device.
Corresponding to the above runtime instruction recombination method S200, according to a further embodiment of the invention a runtime instruction recombination device is provided that can make full use of the repetitiveness of runtime instructions, improving efficiency and saving computing resources.
As shown in Figure 11, the instruction recombination device 600 includes:
an instruction running environment caching and recovery unit 601, adapted to cache and restore the instruction running environment; the instruction running environment includes an address register, which holds the address of the next machine instruction to be run, and this address is the first address;
an instruction acquiring unit 602, adapted to obtain the machine instruction fragment to be scheduled, the last instruction of which is the first jump instruction;
an instruction recombination unit 603, adapted to parse and modify the machine instruction fragment to be scheduled, including inserting a second jump instruction before the first jump instruction to generate a recombined instruction fragment having a second address; the second jump instruction points to device 600, that is, after the second jump instruction is executed, the instruction running environment caching and recovery unit 601 of device 600 performs the next round of processing;
an address replacement unit 604, adapted to change the value of the address register in the cached instruction running environment to the address of the recombined instruction fragment; and
an instruction retrieval unit 605, adapted to look up the address correspondence table using the first address; the address correspondence table indicates whether the instruction fragment to be scheduled that the first address A points to has a saved recombined instruction fragment, and the entries of the table are address pairs;
if a matching record is found, the instruction retrieval unit 605 is adapted to call the address replacement unit 604 to change the first address A (i.e. the value A of the address register) to the address A' of the saved recombined instruction fragment; if no matching record is found, the instruction retrieval unit is adapted to create a record in the address correspondence table from the second address A" and address A.
The instruction running environment caching and recovery unit 601 is coupled to the instruction retrieval unit 605 and to the address replacement unit 604; the instruction retrieval unit 605 is coupled to the instruction acquiring unit 602, the instruction recombination unit 603 and the address replacement unit 604; and the instruction acquiring unit 602, the instruction recombination unit 603 and the address replacement unit 604 are coupled in sequence.
The execution process of device 600 is as follows:
First, the instruction running environment caching and recovery unit 601 caches the instruction running environment, for example by pushing the instruction-related register data onto the cache stack;
Then the instruction retrieval unit 605 looks up the address correspondence table using the value A of the address register in the cached instruction running environment;
If a matching record is found, the instruction retrieval unit 605 calls the address replacement unit 604, which changes the value A of the address register to the value A' in the record; the address replacement unit 604 then calls the instruction running environment caching and recovery unit 602 to restore the instruction running environment, i.e. to pop the instruction-related register data from the cache stack, and this recombination operation ends;
If no matching record is found, the instruction acquiring unit 602 reads the address of the machine instruction to be scheduled from the CPU address register and reads a machine instruction fragment starting at that address; the last instruction of the fragment is a jump instruction. Specifically, the instruction acquiring unit 602 reads the address of the machine instruction to be scheduled from the CPU address register; taking jump instructions as the search target, it scans the machine instructions at that address until it finds the first jump instruction (jump instructions include Jump and Call instructions, among others); it takes that first jump instruction and all machine instructions before it as one machine instruction fragment to be scheduled; and it saves this fragment in device 600 or in another storage location that device 600 can read;
Then the instruction recombination unit 603 inserts a second jump instruction before the last instruction of the acquired machine instruction fragment; the second jump instruction points to the entry address of device 600. This generates a recombined instruction fragment having address A";
Then the instruction recombination unit 603 sends address A" to the instruction retrieval unit 605, which uses address A" and address A to create a record in its address correspondence table so that later instructions can reuse it;
Then the address replacement unit 604 changes the value A of the address register in the cached instruction running environment to address A";
Finally, the instruction running environment caching and recovery unit 601 restores the instruction running environment, i.e. pops the instruction-related register data from the cache stack.
With continued reference to Figure 11, the instruction recombination unit 603 may also include:
an instruction parsing unit 6031, adapted to match the machine instruction fragment against an instruction set to obtain the target machine instructions to be processed (i.e. to search the machine instruction fragment to be scheduled for the target instructions); the instruction set includes the X86, MIPS and ARM instruction sets;
an instruction modification unit 6032, adapted to modify the target machine instructions in a predetermined manner.
For example, if the target instruction is a store/read instruction, the instruction parsing unit 6031 obtains the store/read instructions in the machine instruction fragment to be scheduled, and the instruction modification unit 6032 changes their store and read addresses to addresses on a secure storage device. The function and effect are the same as in the corresponding method embodiment S400 above and are not repeated here.
As another example, if the target instruction is an I/O instruction, the instruction parsing unit 6031 obtains the I/O instructions in the machine instruction fragment to be scheduled, and the instruction modification unit 6032 blocks all input instructions among those I/O instructions. The function and effect are the same as in the corresponding method embodiment S500 above and are not repeated here.
As another example, if the target instruction is a network transmission instruction, the instruction parsing unit 6031 obtains the network transmission instructions in the machine instruction fragment to be scheduled, and the instruction modification unit 6032 checks whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, the instruction modification unit is adapted to block the network transmission instruction. The function and effect are the same as in the corresponding method embodiment S600 above and are not repeated here.
According to another embodiment of the invention, the instruction recombination unit may also include a disassembly unit and an assembly unit. As shown in Figure 12, the instruction recombination unit 703 includes, coupled in sequence: a disassembly unit 7031, an instruction parsing unit 7032, an instruction modification unit 7033 and an assembly unit 7034.
The disassembly unit 7031 is adapted to disassemble the machine instruction fragment to be scheduled before it is parsed and modified, generating an assembly instruction fragment to be scheduled, which it sends to the instruction parsing unit 7032.
The assembly unit 7034 is adapted to assemble the recombined assembly instruction fragment after the machine instruction fragment to be scheduled has been parsed and modified, obtaining a recombined instruction fragment in machine code, which it sends to the instruction replacement unit.
In this embodiment, the instruction parsing unit 7032 and the instruction modification unit 7033 operate on the assembly instruction fragment to be scheduled.
Corresponding to the runtime instruction recombination method S110 described above, another embodiment of the invention provides a runtime instruction recombination device. As shown in Figure 13, the instruction recombination device 800 includes:
an instruction running environment caching and recovery unit 801, adapted to cache the instruction running environment;
an instruction acquiring unit 802 and a first storage location 803, wherein the instruction acquiring unit 802 is adapted to read a target address from the first storage location 803 and to obtain, according to the target address, the machine instruction fragment to be scheduled/executed, the last instruction of which is the first jump instruction; and
an instruction recombination unit 804, adapted to save the target address of the first jump instruction in the first storage location 803 and to replace the first jump instruction with a second jump instruction, generating a recombined instruction fragment having a second address; the second jump instruction points to the entry address of device 800.
The instruction running environment caching and recovery unit 801 is further adapted, after the instruction recombination unit 804 has replaced the instruction, to restore the instruction running environment and jump to the second address to continue execution.
The execution process of device 800 is as follows:
First, the instruction running environment caching and recovery unit 801 caches the instruction running environment;
Then the instruction acquiring unit 802 reads the target address (the address of the instruction to be scheduled) from the first storage location 803 and obtains the machine instruction fragment to be scheduled according to the target address; the last instruction of this fragment is the first jump instruction;
Then the instruction recombination unit 804 saves the target address of the first jump instruction in the first storage location 803: for an immediate it saves the value, and for a variable parameter it saves its address/reference;
Then the instruction recombination unit 804 replaces the first jump instruction with a second jump instruction, generating a recombined instruction fragment having a second address;
Finally, the instruction running environment caching and recovery unit 801 restores the instruction running environment and jumps to the second address to continue execution.
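The dispatch cycle described above (look up the address correspondence table, fetch a fragment up to its first jump, modify the target instructions, replace the jump so that control returns to the platform), as an added example that is not code from the patent: it simulates the flow on a constructed toy instruction set rather than on real machine code. The instruction names, `SAFE_BASE`, `SECURE_HOSTS` and the `to_platform` pseudo-instruction are assumptions, and caching and restoring the running environment is implicit because the platform keeps its own state outside the toy registers.

```python
"""Toy model of a runtime instruction recombination platform (constructed example)."""

SAFE_BASE = 0x9000              # assumed base address of the secure storage device
SECURE_HOSTS = {"10.0.0.5"}     # assumed allow-list of secure remote addresses
JUMPS = {"jmp", "jnz", "halt"}  # toy instructions that end a fragment


class Platform:
    def __init__(self, program, entry):
        self.program = program        # address -> instruction tuple; never modified
        self.first_storage = entry    # "first storage location": next target address
        self.table = {}               # address correspondence table: target -> fragment
        self.regs = {"r0": 0, "r1": 0}
        self.memory, self.sent, self.blocked = {}, [], []
        self.recombined = 0           # number of fragments actually rebuilt

    def fetch_fragment(self, addr):
        """Read instructions from addr up to and including the first jump."""
        frag = []
        while True:
            ins = self.program[addr]
            frag.append(ins)
            addr += 1
            if ins[0] in JUMPS:
                return frag, addr     # addr is now the fall-through address

    def recombine(self, target):
        """Apply the modification policy, then swap the first jump for a
        pseudo-instruction that hands control back to the platform."""
        frag, fallthrough = self.fetch_fragment(target)
        out = []
        for ins in frag[:-1]:
            if ins[0] == "store":                       # redirect to secure storage
                out.append(("store", SAFE_BASE + ins[1], ins[2]))
            elif ins[0] == "send" and ins[1] not in SECURE_HOSTS:
                out.append(("blocked", ins))            # drop the transmission
            else:
                out.append(ins)
        out.append(("to_platform", frag[-1], fallthrough))
        self.recombined += 1
        return out

    def run_fragment(self, frag):
        """Execute a recombined fragment on the toy machine."""
        for ins in frag:
            op = ins[0]
            if op == "mov":
                self.regs[ins[1]] = ins[2]
            elif op == "add":
                self.regs[ins[1]] += ins[2]
            elif op == "store":
                self.memory[ins[1]] = self.regs[ins[2]]
            elif op == "send":
                self.sent.append((ins[1], self.regs[ins[2]]))
            elif op == "blocked":
                self.blocked.append(ins[1])
            elif op == "to_platform":
                jump, fallthrough = ins[1], ins[2]
                # Resolve the original jump's target with the live register
                # values and save it in the first storage location.
                if jump[0] == "halt":
                    self.first_storage = None
                elif jump[0] == "jmp":
                    self.first_storage = jump[1]
                else:  # ("jnz", reg, target)
                    taken = self.regs[jump[1]] != 0
                    self.first_storage = jump[2] if taken else fallthrough

    def run(self, limit=1000):
        """Dispatch loop; returns how many times the platform was entered."""
        entries = 0
        while self.first_storage is not None and entries < limit:
            entries += 1
            target = self.first_storage
            frag = self.table.get(target)       # reuse a saved fragment if any
            if frag is None:
                frag = self.table[target] = self.recombine(target)
            self.run_fragment(frag)
        return entries


# Constructed sample program: a three-iteration loop that stores and sends r1.
PROGRAM = {
    0: ("mov", "r0", 3), 1: ("mov", "r1", 0), 2: ("jmp", 10),
    10: ("add", "r1", 7), 11: ("store", 0x40, "r1"),
    12: ("send", "10.0.0.5", "r1"), 13: ("send", "203.0.113.9", "r1"),
    14: ("add", "r0", -1), 15: ("jnz", "r0", 10), 16: ("halt",),
}


def demo():
    platform = Platform(PROGRAM, entry=0)
    entries = platform.run()
    return platform, entries


if __name__ == "__main__":
    p, n = demo()
    print(n, p.recombined, p.memory, p.sent, len(p.blocked))
```

The loop body at address 10 is entered three times but recombined only once, which is the saving the address correspondence table provides.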
According to another embodiment of the invention, a runtime instruction recombination device is provided that corresponds to method S130 above and incorporates features of the devices provided in some of the above embodiments. As shown in Figure 14, the device 900 includes:
an instruction running environment caching and recovery unit 901, adapted to cache and restore the instruction running environment;
an instruction acquiring unit 902, adapted to obtain the address of the next instruction to be run by calculating it from input parameters, this address being the first address; and further adapted to obtain, according to the first address, the machine instruction fragment to be scheduled/executed, the last instruction of which is the first jump instruction;
an instruction recombination unit 903, adapted to replace the first jump instruction with a push instruction that records the address and operand of the first jump instruction; further adapted to add a second jump instruction after the push instruction, generating a recombined instruction fragment having a second address, the second jump instruction pointing to the entry address of device 900; and further adapted to create a record in the address correspondence table from the second address of the recombined instruction fragment and the first address;
an instruction retrieval unit 904, adapted to look up the address correspondence table using the first address; the address correspondence table indicates whether the instruction fragment to be scheduled that the first address points to has a saved recombined instruction fragment, and the entries of the table are address pairs;
if a matching record is found, the instruction retrieval unit 904 is adapted to call the instruction running environment caching and recovery unit 901 to restore the cached instruction running environment and jump to the corresponding address found to continue execution (this recombination operation is complete);
if no matching record is found, it calls the instruction recombination unit 903 to perform the recombination operation.
The instruction recombination unit 903 may also include a disassembly unit 9031, an instruction parsing unit 9032, an instruction modification unit 9033 and an assembly unit 9034.
After the instruction recombination unit 902 completes the recombination, it is adapted to call the instruction running environment caching and recovery unit 901 to restore the cached instruction running environment and jump to the address of the recombined instruction fragment to continue execution (this recombination operation is complete).
According to another embodiment of the invention, the disassembly unit 9031 may be located in the instruction acquiring unit 902, which then performs the disassembly when it obtains the instruction fragment to be scheduled.
Those skilled in the art will understand that the data-flow arrows in the drawings of the above device embodiments are only meant to help explain the specific operation flow in those embodiments; they do not restrict the direction of data flow or connection between the units in the figures, and the units in the device are coupled to one another.
The runtime instruction recombination method and device have been described in detail above through several embodiments. Compared with the prior art, they have the following advantages:
With the instruction recombination method, the instructions of a computing device can be monitored while they are running;
Using the address correspondence table improves the efficiency of instruction recombination and saves computing resources;
For store and read instructions, the destination and source addresses in them are modified to relocate/redirect storage, ensuring data security;
For I/O instructions, all input instructions among the I/O instructions are blocked, which completely blocks write operations to local hardware devices; input instructions other than store instructions can also be blocked, which improves the security of the data in the computing device;
For network transmission instructions, it is checked whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, the network transmission instruction is blocked, achieving secure data transmission.
It should be noted and understood that various modifications and improvements can be made to the invention described in detail above without departing from the spirit and scope of the invention as claimed in the appended claims. The scope of the claimed technical solution is therefore not limited by any specific exemplary teaching given.

Claims (16)

1. A runtime instruction recombination method, including:
Step 1: caching the instruction running environment;
Step 2: reading a target address from a first storage location, and obtaining the machine instruction fragment to be scheduled according to the target address; the last instruction of the machine instruction fragment to be scheduled is the first jump instruction;
Step 3: saving the target address of the first jump instruction in the first storage location;
Step 4: replacing the first jump instruction with a second jump instruction, generating a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the instruction recombination platform; and
Step 5: restoring the instruction running environment, and jumping to the second address to continue execution.
2. The runtime instruction recombination method of claim 1, wherein in step 2, obtaining the machine instruction fragment to be scheduled according to the target address includes:
starting from the target address, obtaining a section of machine instructions to be scheduled and disassembling that section;
checking whether the disassembly result contains a jump instruction and, if it does not, continuing to obtain the following section of machine instructions to be scheduled until a jump instruction is matched, this jump instruction being the first jump instruction; wherein the first jump instruction and all instructions before it form the machine instruction fragment to be scheduled.
3. The runtime instruction recombination method of claim 2, further including, between step 4 and step 5:
generating the corresponding machine code from the generated recombined assembly code by means of an assembler.
4. The runtime instruction recombination method of claim 1, further including, between step 1 and step 2:
reading the target address from the first storage location and looking up an address correspondence table using the target address; the address correspondence table indicates whether the machine instruction fragment to be scheduled has a saved recombined instruction fragment;
if a matching record is found, restoring the instruction running environment and jumping to the address of the recombined instruction fragment that the record associates with the target address, to continue execution.
5. The runtime instruction recombination method of claim 4, further including, after step 4, if no matching record is found in the address correspondence table:
creating a record in the address correspondence table from the address of the recombined instruction fragment and the target address.
6. The runtime instruction recombination method of claim 1, further including, before step 4:
parsing the machine instruction fragment to be scheduled and matching it against an instruction set to obtain the target machine instructions to be processed;
modifying the target machine instructions in a predetermined manner.
7. The runtime instruction recombination method of claim 6, wherein the target machine instruction is a store/read instruction;
modifying the target machine instruction in a predetermined manner includes: changing its store and read addresses to addresses on a secure storage device.
8. The runtime instruction recombination method of claim 6, wherein the target machine instruction is an I/O instruction;
modifying the target machine instruction in a predetermined manner includes: blocking all input instructions among the I/O instructions.
9. The runtime instruction recombination method of claim 6, wherein the target machine instruction is a network transmission instruction;
modifying the target machine instruction in a predetermined manner includes: checking whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; and, if it is not, blocking the network transmission instruction.
10. A runtime instruction recombination device, including:
an instruction running environment caching and recovery unit, adapted to cache and restore the instruction running environment;
a first storage location, adapted to hold a target address;
an instruction acquiring unit, coupled to the instruction running environment caching and recovery unit, adapted to read the target address from the first storage location and to obtain the machine instruction fragment to be scheduled according to the target address; wherein the last instruction of the machine instruction fragment to be scheduled is the first jump instruction; and
an instruction recombination unit, coupled to the instruction running environment caching and recovery unit, adapted to save the target address of the first jump instruction in the first storage location; and further adapted to replace the first jump instruction with a second jump instruction, generating a recombined instruction fragment having a second address; the second jump instruction points to the entry address of the runtime instruction recombination device.
11. The runtime instruction recombination device of claim 10, further including:
an instruction retrieval unit, adapted to look up an address correspondence table using the target address; the address correspondence table indicates whether the machine instruction fragment to be scheduled has a saved recombined instruction fragment;
if a matching record is found, the instruction retrieval unit is further adapted to call the instruction running environment caching and recovery unit to restore the instruction running environment and jump to the address of the recombined instruction fragment that the record associates with the target address, to continue execution;
if no matching record is found, the instruction retrieval unit is further adapted to create a record in the address correspondence table from the address of the recombined instruction fragment and the target address.
12. The runtime instruction recombination device of claim 10, wherein the instruction recombination unit further includes:
an instruction parsing unit, adapted to match the machine instruction fragment to be scheduled against an instruction set to obtain the target machine instructions to be processed;
an instruction modification unit, adapted to modify the target machine instructions in a predetermined manner.
13. The runtime instruction recombination device of claim 12, wherein the target machine instruction is a store/read instruction;
the instruction modification unit is adapted to change its store and read addresses to addresses on a secure storage device.
14. The runtime instruction recombination device of claim 12, wherein the target machine instruction is an I/O instruction;
the instruction modification unit is adapted to block all input instructions among the I/O instructions.
15. The runtime instruction recombination device of claim 12, wherein the target machine instruction is a network transmission instruction;
the instruction modification unit is adapted to check whether the remote computing device corresponding to the destination address in the network transmission instruction is a secure address; if it is not, the instruction modification unit is adapted to block the network transmission instruction.
16. The runtime instruction recombination device of claim 12, wherein the instruction recombination unit further includes:
a disassembly unit, adapted to disassemble the machine instruction fragment to be scheduled before the instruction parsing unit parses it, generating an assembly instruction fragment to be scheduled;
an assembly unit, adapted to assemble the recombined assembly instruction fragment, obtaining a recombined instruction fragment in machine code.
CN201210327202.8A 2012-09-06 2012-09-06 Instruction recombination method and device Expired - Fee Related CN103677770B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210327202.8A CN103677770B (en) 2012-09-06 2012-09-06 Instruction recombination method and device


Publications (2)

Publication Number Publication Date
CN103677770A CN103677770A (en) 2014-03-26
CN103677770B true CN103677770B (en) 2016-12-21

Family

ID=50315448

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210327202.8A Expired - Fee Related CN103677770B (en) 2012-09-06 2012-09-06 Instruction recombination method and device

Country Status (1)

Country Link
CN (1) CN103677770B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103942499B (en) * 2014-03-04 2017-01-11 中天安泰(北京)信息技术有限公司 Data black hole processing method based on mobile storer and mobile storer
CN110554998B (en) * 2018-03-30 2024-02-13 腾讯科技(深圳)有限公司 Hook method, device, terminal and storage medium for replacing function internal instruction

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1607503A (en) * 2003-10-14 2005-04-20 微软公司 Systems and methods for using synthetic instruction in a virtual machine
CN101604370A (en) * 2009-07-06 2009-12-16 中国人民解放军信息技术安全研究中心 A kind of method of monitoring Windows kernel function call of highly compatible
US7886287B1 (en) * 2003-08-27 2011-02-08 Avaya Inc. Method and apparatus for hot updating of running processes
CN103299270A (en) * 2011-04-29 2013-09-11 北京中天安泰信息科技有限公司 Method and device for recombining runtime instruction


Also Published As

Publication number Publication date
CN103677770A (en) 2014-03-26

Roemer Finding the bad in good code: Automated return-oriented programming exploit discovery

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100097 HAIDIAN, BEIJING TO: 100071 FENGTAI, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20150122

Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Applicant after: The safe and sound Information Technology Co., Ltd in sky in Beijing

Address before: 100097 Beijing city Haidian District landianchang road Jin Yuan era business center B block 2-6B1

Applicant before: Beijing Zhongtian Antai Technology Co., Ltd.

CB02 Change of applicant information

Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Applicant after: Zhongtian Aetna (Beijing) Information Technology Co. Ltd.

Address before: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Applicant before: The safe and sound Information Technology Co., Ltd in sky in Beijing

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20161221

Termination date: 20180906