CN104679561B - A kind of method and system of dynamic link library file loading - Google Patents
- Publication number
- CN104679561B
- Authority
- CN
- China
- Prior art keywords
- dynamic link
- link library
- library file
- file
- memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Stored Programmes (AREA)
Abstract
The present invention relates to the field of dynamic link libraries, and in particular to a method and system for loading a dynamic link library file. The method includes: S100, reading a dynamic link library file and loading the dynamic link library file into a preset first memory; S200, checking whether the dynamic link library file conforms to the PE format; if the dynamic link library file conforms to the PE format, performing step S300, otherwise ending the procedure and reporting that the dynamic link library file is erroneous; S300, extracting the PE header from the dynamic link library file according to the PE format and loading the PE header into a preset second memory. By loading a dynamic link library file that conforms to the PE format into the first memory and then loading the PE header of the dynamic link library into the second memory, PE loading is realized.
Description
Technical field
The present invention relates to the field of dynamic link libraries, and in particular to a method and system for loading a dynamic link library file.
Background technology
There are many methods for hiding a dynamic link library file. For example, the chain-erasing method makes the dynamic link library file disappear from the module linked list, but the trace of the dynamic link library file can still be found at the driver layer with tools such as XT, so the hiding effect is poor. XT is XueTr, a widely used operating system management tool with functions such as viewing process, thread, process module, process window and process memory information, viewing hotkey information, killing processes and threads, and unloading modules.
(1) There are mainly two kinds of remote thread injection method. The first directly copies pre-prepared code from the parent process into the address space of the target process and then starts the injected code. Once such a remote thread has been created successfully, the code exists only in the memory of the target process, with no corresponding disk file, so its concealment looks good; its disadvantage is that every direct-addressing instruction in the injected code has to be modified, and modifying them by hand in assembly is far too cumbersome.
(2) The other, more commonly used method is to inject a DLL file into the target process, which can be implemented with a message hook or still with injected code. The advantage of this method is that the DLL file carries a relocation table, so there is no need to worry about correcting direct-addressing instructions: the DLL relocates itself. Its disadvantage is that the file name of the DLL and the path of the loaded file can be seen with a process management tool, which is less than ideal: a user only has to look at the module list to find the suspicious module and obtain the full path of the DLL, and the DLL file is thereby exposed.
Invention content
The technical problem to be solved by the present invention is to provide a method and system for loading a dynamic link library file seamlessly.
In order to solve the above technical problem, the technical solution adopted by the present invention is:
A method for loading a dynamic link library file, including the following steps:
S100, reading a dynamic link library file and loading the dynamic link library file into a preset first memory;
S200, checking whether the dynamic link library file conforms to the PE format; if the dynamic link library file conforms to the PE format, performing step S300; otherwise ending the procedure and reporting that the dynamic link library file is erroneous;
S300, extracting the PE header from the dynamic link library file according to the PE format, and loading the PE header into a preset second memory.
The other technical solution adopted by the present invention is:
A system for loading a dynamic link library file, including a reading unit, a first loading unit, an inspection unit, an extraction unit and a second loading unit;
the reading unit is used for reading a dynamic link library file;
the first loading unit is used for loading the dynamic link library file into a preset first memory;
the inspection unit is used for checking whether the dynamic link library file conforms to the PE format;
the extraction unit is used for extracting the PE header from the dynamic link library file according to the PE format;
the second loading unit is used for loading the PE header into a preset second memory.
The beneficial effects of the present invention are:
1. With the loading method provided by the invention, loading a dynamic link library file is more covert. The method does not work by tampering with the LDR chain information in the PEB (the PEB is the process environment block, a structure that stores information related to a process), which requires cutting the module to be hidden out of the LDR linked list to achieve hiding; instead, the dynamic link library file is loaded directly into memory without leaving any trace, and no trace can be found with the OD or XT tools.
2. Loading a dynamic link library file with this loading method is more stable on both 32-bit and 64-bit systems.
3. In the R3 application layer (Intel CPUs divide privilege into four levels: RING0, RING1, RING2 and RING3; Windows uses only RING0 and RING3, where RING0 is used only by the operating system and RING3 is available to both the operating system and the application layer), a game sometimes needs to hide a dynamic link library file to prevent others from finding the handle of the dynamic link library file and performing illegal operations on it. This loading method makes it possible to keep a plug-in from dynamically obtaining the base address of the dynamic link library file when it is loaded.
Description of the drawings
Fig. 1 is a flow chart of the method for loading a dynamic link library file according to a specific embodiment of the present invention;
Fig. 2 is a structural diagram of dynamic link library file loading according to a specific embodiment of the present invention;
Fig. 3 is a diagram of the PE file structure according to a specific embodiment of the present invention;
Fig. 4 is a comparison diagram of the PE file structure on disk and in memory according to a specific embodiment of the present invention;
Reference numerals:
10, reading unit; 20, first loading unit; 30, inspection unit; 40, extraction unit; 50, second loading unit.
Specific embodiment
In order to explain in detail the technical content, objects and effects of the present invention, a description is given below in conjunction with embodiments and the accompanying drawings.
The most critical design of the present invention is: loading a dynamic link library file that conforms to the PE format into a first memory, and then loading the PE header of the dynamic link library into a second memory, thereby realizing PE loading.
Please refer to Fig. 1, which is a flow chart of the method for loading a dynamic link library file according to a specific embodiment of the present invention; specifically:
A method for loading a dynamic link library file, including the following steps:
S100, reading a dynamic link library file and loading the dynamic link library file into a preset first memory;
S200, checking whether the dynamic link library file conforms to the PE format; if the dynamic link library file conforms to the PE format, performing step S300; otherwise ending the procedure and reporting that the dynamic link library file is erroneous;
S300, extracting the PE header from the dynamic link library file according to the PE format, and loading the PE header into a preset second memory.
As can be seen from the above description, the beneficial effects of the present invention are:
1. With the loading method provided by the invention, loading a dynamic link library file is more covert. The method does not work by tampering with the LDR chain information in the PEB (the PEB is the process environment block, a structure that stores information related to a process), which requires cutting the module to be hidden out of the LDR linked list to achieve hiding; instead, the dynamic link library file is loaded directly into memory without leaving any trace, and no trace can be found with the OD or XT tools.
2. Loading a dynamic link library file with this loading method is more stable on both 32-bit and 64-bit systems.
3. In the R3 application layer (Intel CPUs divide privilege into four levels: RING0, RING1, RING2 and RING3; Windows uses only RING0 and RING3, where RING0 is used only by the operating system and RING3 is available to both the operating system and the application layer), a game sometimes needs to hide a dynamic link library file to prevent others from finding the handle of the dynamic link library file and performing illegal operations on it. This loading method makes it possible to keep a plug-in from dynamically obtaining the base address of the dynamic link library file when it is loaded.
Further, the method also includes step S400: updating the base address information according to the PE header, and loading the section information of the dynamic link library file into the preset second memory; adjusting the relocation table, loading the base address information of the required dynamic link library files and adjusting the import table; and marking pages according to the section headers, with sections marked as discardable.
Further, step S300 specifically is: loading the PE header into the preset second memory in the PE-aligned manner. (A PE loader loads a PE file into memory in the PE-aligned manner: each PE section is aligned to 1000 (hexadecimal), and the offset address of each section changes. In general, the image of a PE file on disk is not a complete copy of its image in memory, although the two are basically consistent. The Windows loader determines which parts need to be loaded and which do not, and because the disk alignment differs from the memory alignment, the distribution of the various parts of a PE file loaded into memory differs from that of the PE file on disk.) Loading in the PE-aligned manner is the normal processing flow; it is required so that the code is loaded correctly and can execute.
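The S200 format check and the disk-versus-memory alignment just described, as an added Python example that is not part of the patent: `parse_pe_headers` validates the MZ and PE signatures and pulls out the header fields a loader needs, while `memory_layout` and `rva_to_file_offset` show how the same section sits at different offsets on disk (FileAlignment) and in the mapped image (SectionAlignment). The function names and the hand-built sample image are assumptions of this example, not the patent's code.

```python
"""PE-format check (step S200) and PE-header extraction (step S300) in Python.
Added example, not the patent's code. It validates the MZ and PE signatures, reads the
loader-relevant header fields and section table, and shows how a section sits at different
offsets on disk (FileAlignment) and in memory (SectionAlignment). Sample image constructed."""
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550  # "MZ", "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

class NotPE(ValueError): pass   # the buffer does not meet the PE format (S200 fails)

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def parse_pe_headers(data):
    """S200/S300: validate the buffer and return the header fields a PE loader needs."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise NotPE("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):               # room for Signature + IMAGE_FILE_HEADER
        raise NotPE("e_lfanew points outside the buffer")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise NotPE("missing PE signature")
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                         # IMAGE_OPTIONAL_HEADER starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise NotPE("unknown optional-header magic 0x%x" % magic)
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40           # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise NotPE("section table truncated")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        if rawptr + rawsize > len(data):
            raise NotPE("raw data of %r lies outside the file" % name)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "section_align": section_align,
            "file_align": file_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}

def mapped_size(hdr, sec):   # bytes a section occupies once mapped (VirtualSize rounded up)
    return align_up(sec["vsize"] or sec["rawsize"], hdr["section_align"])

def memory_layout(hdr):
    """(name, disk range, memory range) per section: the Fig. 4 disk/memory comparison."""
    return [(s["name"], (s["rawptr"], s["rawptr"] + s["rawsize"]),
             (s["va"], s["va"] + mapped_size(hdr, s))) for s in hdr["sections"]]

def rva_to_file_offset(hdr, rva):
    """Map a memory RVA back to a disk offset; None if the byte exists only as zero-fill."""
    if rva < hdr["size_of_headers"]:            # headers are mapped 1:1
        return rva
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + mapped_size(hdr, s):
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None

def build_sample_dll():
    """Constructed PE32 image: .text and .data, FileAlignment 0x200, SectionAlignment 0x1000."""
    e_lfanew = 0x80
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", PE32_MAGIC).ljust(28, b"\0")
    opt += struct.pack("<III", 0x10000000, 0x1000, 0x200) + bytes(16)   # ImageBase, alignments
    opt = (opt + struct.pack("<II", 0x3000, 0x200)).ljust(0xE0, b"\0")  # SizeOfImage, SizeOfHeaders
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x2102)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x500, 0x1000, 0x600, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x10, 0x2000, 0x200, 0x800, 0, 0, 0, 0, 0xC0000040)
    headers = dos.ljust(e_lfanew, b"\0") + b"PE\0\0" + file_hdr + opt + secs
    return headers.ljust(0x200, b"\0") + bytes(0x800)   # raw section data, all zero
```

The `.data` section illustrates the point of Fig. 4: it occupies 0x200 bytes on disk but a full 0x1000-byte page in memory, so an RVA in its upper part has no disk counterpart at all.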
Further, the method specifically includes:
Step 1, reading a target DLL file into memory;
Step 2, loading the target DLL file from memory, which specifically includes:
Step 21, detecting whether the target DLL file is in normal PE format;
Step 22, when the target DLL file is a file in PE format, locating the PE header at the position given by the PE offset in the PE file, and allocating for the PE header of the DLL a memory block marked MEM_COMMIT;
Step 23, copying the PE header to the allocated memory block;
Step 24, updating the ImageBase information of the PE header;
Step 25, copying the section information from the target DLL file into the newly allocated memory;
Step 26, adjusting the relocation table;
Step 27, loading the required DLL base addresses and adjusting the import table;
Step 28, marking pages according to the section headers, with sections marked as discardable and released.
Please refer to Fig. 2, which is a structural diagram of dynamic link library file loading according to a specific embodiment of the present invention; specifically:
A system for loading a dynamic link library file, including a reading unit 10, a first loading unit 20, an inspection unit 30, an extraction unit 40 and a second loading unit 50;
the reading unit 10 is used for reading a dynamic link library file;
the first loading unit 20 is used for loading the dynamic link library file into a preset first memory;
the inspection unit 30 is used for checking whether the dynamic link library file conforms to the PE format;
the extraction unit 40 is used for extracting the PE header from the dynamic link library file according to the PE format;
the second loading unit 50 is used for loading the PE header into a preset second memory.
As can be seen from the above description, the beneficial effects of the present invention are:
1. With the loading method provided by the invention, loading a dynamic link library file is more covert. The method does not work by tampering with the LDR chain information in the PEB (the PEB is the process environment block, a structure that stores information related to a process), which requires cutting the module to be hidden out of the LDR linked list to achieve hiding; instead, the dynamic link library file is loaded directly into memory without leaving any trace, and no trace can be found with the OD or XT tools.
2. Loading a dynamic link library file with this loading method is more stable on both 32-bit and 64-bit systems.
3. In the R3 application layer (Intel CPUs divide privilege into four levels: RING0, RING1, RING2 and RING3; Windows uses only RING0 and RING3, where RING0 is used only by the operating system and RING3 is available to both the operating system and the application layer), a game sometimes needs to hide a dynamic link library file to prevent others from finding the handle of the dynamic link library file and performing illegal operations on it. This loading method makes it possible to keep a plug-in from dynamically obtaining the base address of the dynamic link library file when it is loaded.
As shown in Fig. 3 and Fig. 4, embodiment one of the present invention is:
1. Read a target DLL file into memory: LPVOID lpMem = ReadFileToMem(szDllFile);
2. Load the DLL directly from memory: MemoryLoadLibrary(lpMem);
(1) check whether the target DLL is in normal PE format;
(2) when the DLL is a file in PE format, locate the PE header at the position given by the PE offset in the PE file, and allocate for the PE header of the DLL a memory block marked MEM_COMMIT;
(3) copy the PE header to the allocated memory block;
specifically: read the PE header of the PE file, including the DOS header, the PE header and the section headers, into the newly allocated memory block;
(4) update the ImageBase information of the PE header;
specifically: the Windows loader first checks whether the load address defined by ImageBase in the PE can be used; if it is occupied by another module, another block of space is allocated; if the file is loaded at an address other than the one defined by ImageBase, ImageBase is corrected to the new address;
(5) copy the section information from the DLL file into the newly allocated memory;
specifically: according to the information in the section headers, map each section of the file into the allocated space, and change the attributes of the mapped pages according to the data defined by each section;
(6) adjust the relocation table;
specifically: for direct-addressing instructions the relocation table has to be fixed up, otherwise addressing fails. The relocation work done by the program loader is to add the program's load address to every location in the program that needs relocating;
(7) load the required DLL base addresses and adjust the import table;
specifically: load the required DLLs into the process space according to the import table of the PE file, then replace the entries in the IAT with the addresses of the functions actually called;
(8) mark pages according to the section headers, with sections marked as discardable and released.
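Seen from the defender's side, as an added Python example that is not the patent's code: the loader above never touches the PEB LDR lists, but steps (2) to (8) still leave a committed private region (memory obtained with MEM_COMMIT from VirtualAlloc is MEM_PRIVATE, never MEM_IMAGE) that starts with the copied PE header and has executable pages. A scanner that walks the address space in the shape of VirtualQueryEx output and compares it with the LDR module list can flag that region, and also flags image regions that were cut out of the list as in the chain-erasing method from the background section. The region snapshot, module list and function names are constructed assumptions of this example.

```python
"""Memory-scan heuristic for a DLL loaded by the method above (defender's side).
Added example, not the patent's code. VirtualAlloc memory is MEM_PRIVATE, so a PE
header copied into it (step 2/3) sits in a private region, not in a MEM_IMAGE mapping,
and the pages made executable in step 5 are private executable memory with no backing
file. Walking the address space and comparing with the PEB LDR module list surfaces
both this and modules unlinked from the list. The snapshot and module list below are
constructed in the shape of VirtualQueryEx results, not captured from a process."""
import struct

MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXECUTABLE_MASK = 0xF0   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

def has_pe_signature(head):
    """Cheap S200-style check on a region's first bytes: MZ, then e_lfanew -> PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return e_lfanew + 4 <= len(head) and head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_regions(regions, ldr_module_bases):
    """Return {base: [reason, ...]} for regions that look like a hidden image."""
    findings = {}
    for r in regions:
        reasons = []
        is_pe = has_pe_signature(r["head"])
        executable = bool(r["protect"] & EXECUTABLE_MASK)
        if r["type"] == MEM_PRIVATE and is_pe:
            reasons.append("pe-header-in-private-memory")   # manually mapped image
        if r["type"] == MEM_PRIVATE and executable:
            reasons.append("executable-private-memory")     # code with no backing file
        if r["type"] == MEM_IMAGE and r["base"] not in ldr_module_bases:
            reasons.append("image-missing-from-ldr-list")   # unlinked ("chain-erased") module
        if reasons:
            findings[r["base"]] = reasons
    return findings

# Constructed 0x44-byte PE header stub: "MZ", e_lfanew = 0x40, then the PE signature.
PE_HEAD = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"

# Constructed snapshot: base, size, type, protection and the first bytes of each region.
SAMPLE_REGIONS = [
    {"base": 0x00400000, "size": 0x3000, "type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ, "head": PE_HEAD},   # main exe
    {"base": 0x77000000, "size": 0x1A0000, "type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ, "head": PE_HEAD},  # system DLL
    {"base": 0x00600000, "size": 0x10000, "type": MEM_PRIVATE, "protect": PAGE_READWRITE, "head": bytes(0x40)},  # heap
    {"base": 0x02A00000, "size": 0x3000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE, "head": PE_HEAD},  # step (2) block
    {"base": 0x10000000, "size": 0x5000, "type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ, "head": PE_HEAD},   # unlinked module
]
SAMPLE_LDR_MODULES = {0x00400000, 0x77000000}   # bases the PEB LDR list reports

if __name__ == "__main__":
    for base, reasons in sorted(scan_regions(SAMPLE_REGIONS, SAMPLE_LDR_MODULES).items()):
        print("0x%08X: %s" % (base, ", ".join(reasons)))
```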
In summary, the present invention provides a method and system for loading a dynamic link library file. With the loading method provided by the invention, loading a dynamic link library file is more covert: the method does not work by tampering with the LDR chain information in the PEB (the PEB is the process environment block, a structure that stores information related to a process), which requires cutting the module to be hidden out of the LDR linked list to achieve hiding; instead, the dynamic link library file is loaded directly into memory without leaving any trace, and no trace can be found with the OD or XT tools. Loading a dynamic link library file with this loading method is more stable on both 32-bit and 64-bit systems. Sometimes, in the R3 application layer (Intel CPUs divide privilege into four levels: RING0, RING1, RING2 and RING3; Windows uses only RING0 and RING3, where RING0 is used only by the operating system and RING3 is available to both the operating system and the application layer), a game needs to hide a dynamic link library file to prevent others from finding the handle of the dynamic link library file and performing illegal operations on it; this loading method makes it possible to keep a plug-in from dynamically obtaining the base address of the dynamic link library file when it is loaded.
The above is merely an embodiment of the present invention and is not intended to limit the scope of the invention; every equivalent transformation made using the contents of the specification and the accompanying drawings of the present invention, whether used directly or indirectly in a related technical field, is likewise included within the scope of patent protection of the present invention.
Claims (2)
- 1. A method for loading a dynamic link library file, characterized in that it includes the following steps: S100, reading a dynamic link library file and loading the dynamic link library file into a preset first memory; S200, checking whether the dynamic link library file conforms to the PE format; if the dynamic link library file conforms to the PE format, performing step S300; otherwise ending the procedure and reporting that the dynamic link library file is erroneous; S300, extracting the PE header from the dynamic link library file according to the PE format, and loading the PE header into a preset second memory; and further including step S400: updating the base address information according to the PE header, and loading the section information of the dynamic link library file into the preset second memory; adjusting the relocation table, loading the base address information of the required dynamic link library files and adjusting the import table; and marking pages according to the section headers, with sections marked as discardable.
- 2. The method for loading a dynamic link library file according to claim 1, characterized in that the method specifically includes: Step 1, reading a target DLL file into memory; Step 2, loading the target DLL file from memory, which specifically includes: Step 21, detecting whether the target DLL file is in normal PE format; Step 22, when the target DLL file is a file in PE format, locating the PE header at the position given by the PE offset in the PE file, and allocating for the PE header of the DLL a memory block marked MEM_COMMIT; Step 23, copying the PE header to the allocated memory block; Step 24, updating the ImageBase information of the PE header; Step 25, copying the section information from the target DLL file into the newly allocated memory; Step 26, adjusting the relocation table; Step 27, loading the required DLL base addresses and adjusting the import table; Step 28, marking pages according to the section headers, with sections marked as discardable and released.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510081941.7A CN104679561B (en) | 2015-02-15 | 2015-02-15 | A kind of method and system of dynamic link library file loading |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510081941.7A CN104679561B (en) | 2015-02-15 | 2015-02-15 | A kind of method and system of dynamic link library file loading |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104679561A CN104679561A (en) | 2015-06-03 |
CN104679561B true CN104679561B (en) | 2018-07-06 |
Family
ID=53314658
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510081941.7A Active CN104679561B (en) | 2015-02-15 | 2015-02-15 | A kind of method and system of dynamic link library file loading |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104679561B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105843640B (en) * | 2016-03-21 | 2017-11-14 | 武汉斗鱼网络科技有限公司 | The method for implanting and device of a kind of dynamic link library |
CN105955762A (en) * | 2016-04-19 | 2016-09-21 | 北京金山安全软件有限公司 | Method and device for injecting dynamic link library file and electronic equipment |
CN106339247A (en) * | 2016-09-13 | 2017-01-18 | 武汉斗鱼网络科技有限公司 | Loading system and loading method for DLL (Dynamic Link Library) file |
CN106599730B (en) * | 2016-12-20 | 2019-08-02 | 武汉斗鱼网络科技有限公司 | File test method, device and system |
CN109656571A (en) * | 2018-09-27 | 2019-04-19 | 深圳壹账通智能科技有限公司 | Loading method, device, terminal and computer readable storage medium |
CN115543586B (en) * | 2022-11-28 | 2023-03-17 | 成都安易迅科技有限公司 | Method, device and equipment for starting application layer system process and readable storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1762957A1 (en) * | 2005-09-13 | 2007-03-14 | Cloudmark, Inc | Signature for executable code |
CN1945589A (en) * | 2006-10-16 | 2007-04-11 | 珠海金山软件股份有限公司 | Method for protecting dynamic chanining bank interface under windows platform |
US7210141B1 (en) * | 1998-07-21 | 2007-04-24 | Touchtunes Music Corporation | System for remote loading of objects or files in order to update software |
CN101309149A (en) * | 2008-06-30 | 2008-11-19 | 华为技术有限公司 | Address processing method and apparatus |
CN101470619A (en) * | 2007-12-29 | 2009-07-01 | 安凯(广州)软件技术有限公司 | Application program dynamic loading method based on microkernel operating system |
CN101908119A (en) * | 2010-08-12 | 2010-12-08 | 浙江中控软件技术有限公司 | Method and device for processing dynamic link library (DLL) file |
CN102999354A (en) * | 2012-11-15 | 2013-03-27 | 北京奇虎科技有限公司 | File loading method and file loading device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100938672B1 (en) * | 2007-11-20 | 2010-01-25 | 한국전자통신연구원 | The method and apparatus for detecting dll inserted by malicious code |
- 2015-02-15 CN CN201510081941.7A patent/CN104679561B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7210141B1 (en) * | 1998-07-21 | 2007-04-24 | Touchtunes Music Corporation | System for remote loading of objects or files in order to update software |
EP1762957A1 (en) * | 2005-09-13 | 2007-03-14 | Cloudmark, Inc | Signature for executable code |
CN1945589A (en) * | 2006-10-16 | 2007-04-11 | 珠海金山软件股份有限公司 | Method for protecting dynamic chanining bank interface under windows platform |
CN101470619A (en) * | 2007-12-29 | 2009-07-01 | 安凯(广州)软件技术有限公司 | Application program dynamic loading method based on microkernel operating system |
CN101309149A (en) * | 2008-06-30 | 2008-11-19 | 华为技术有限公司 | Address processing method and apparatus |
CN101908119A (en) * | 2010-08-12 | 2010-12-08 | 浙江中控软件技术有限公司 | Method and device for processing dynamic link library (DLL) file |
CN102999354A (en) * | 2012-11-15 | 2013-03-27 | 北京奇虎科技有限公司 | File loading method and file loading device |
Also Published As
Publication number | Publication date |
---|---|
CN104679561A (en) | 2015-06-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |