CN105718374A - Method and system for hotspot module instruction tracking - Google Patents

Method and system for hotspot module instruction tracking Download PDF

Info

Publication number
CN105718374A
CN105718374A CN201610052808.3A CN201610052808A CN105718374A CN 105718374 A CN105718374 A CN 105718374A CN 201610052808 A CN201610052808 A CN 201610052808A CN 105718374 A CN105718374 A CN 105718374A
Authority
CN
China
Prior art keywords
page
thread
guard
module
debugged
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610052808.3A
Other languages
Chinese (zh)
Inventor
万仁忠
王东
王少杰
白金
李冰
宋珺
王宏
梁利
王派
李蒙
李霞
曹越
徐茜
陈琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Information Technology Security Research Center
Original Assignee
National Information Technology Security Research Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Information Technology Security Research Center filed Critical National Information Technology Security Research Center
Priority to CN201610052808.3A priority Critical patent/CN105718374A/en
Publication of CN105718374A publication Critical patent/CN105718374A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/362Software debugging
    • G06F11/3636Software debugging by tracing the execution of the program
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3604Software analysis for verifying properties of programs
    • G06F11/3612Software analysis for verifying properties of programs by runtime analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/362Software debugging
    • G06F11/3644Software debugging by instrumenting at runtime

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and system for hotspot module instruction tracking and belongs to the technical field of software analysis.The method includes the steps that firstly, a hotspot module, namely, a page in which a user is interested, is marked; when one thread has access to the page in which the user is interested, a PAGE_GUARD exception is triggered, and therefore a debugger is triggered for treatment; then all threads are set to be in single-step debugging through the debugger, the page number of the page is added to a recovery chain table, and due to the fact that the page in which the PAGE_GUARD exception is triggered will automatically lose PAGE_GUARD attributes, the completeness of instruction tracking in a multi-thread environment and a kernel call-back environment is guaranteed; finally, whether the address of an execution instruction is located in the page in which the user is interested or not is analyzed in the current execution thread, if yes, single-step debugging continues, if not, the thread is not operated, and the PAGE_GUARD attributes of the page in which the user is interested are set again according to the chain table used formerly.

Description

A kind of method and system of hot spot module instruction trace
Technical field
The present invention relates to the method and system of a kind of hot spot module instruction trace, belong to software analysis technology field.
Background technology
Debugger exists for when computer is born; initial debugger is all based on what hardware was directly realized by; the operation principle of debugger is based on the abnormal mechanism of central processing unit; and by the exception of operating system distribute after the subsystem (or module) of case distribution is responsible for being encapsulated process; real-time, interactive is carried out with debugger in the way of relatively more friendly; debugging is that software maintenance is most important, the most direct with one of error correction, is also requisite a kind of mechanism.
The most basic function of debugger includes control software design and runs, and checks information in running software, revises software execution flow journey.Control software design runs and refers to, and the program interrupt of an operation at full speed is got off, and makes it perform according to the wish of user, and debugger is by forcing target program to trigger the exception of a meticulous structure to complete these work;Checking information in running software, these information are including but not limited to the register information of current thread, stack information, memory information, (EIP register, is used for storing CPU and to read the address of instruction current EIP, and CPU reads the instruction that namely will perform by EIP register.After each CPU has performed corresponding assembly instruction, the value of EIP register will increase.) near dis-assembling information etc.;Amendment software execution flow journey includes amendment memory information, dis-assembling information, stack information, register information etc..
The page specified cannot be carried out full instruction tracing by common debugger, single step follow the tracks of can track thread instruction preferably, but still cannot process system readjustment trigger instruction perform, single step follow the tracks of performance cost while be also very big;Breakpoint is followed the tracks of can solve performance cost preferably, but breakpoint to arrange expense very big, and the instruction that system readjustment triggers cannot be processed equally perform, therefore breakpoint is followed the tracks of often only with the tracking of limited quantity instruction.
Summary of the invention
For above-mentioned prior art problem, it is an object of the invention to provide a kind of method carrying out instruction tracing for hot spot module, the method can analysis process accesses dynamically page, carry out debugged process effectively following the trail of checking, and the effectively detection malicious code access to page, having good performance, appointed hot spot module in the completeness and performance cost of instruction trace can be the page at the file place that user oneself specifies simultaneously.
In order to achieve the above object, the present invention adopts the following technical scheme that
A kind of method of hot spot module instruction trace, first indicates hot spot module, the page that namely user is interested;When the page that thread accesses to user is interested, (PAGE_GUARD mark specifies protection page (guardpage) so will to trigger PAGE_GUARD, namely can produce an one-shot because first time is accessed when a page is submitted abnormal, then obtain the access rights specified.) abnormal, process thus triggering debugger;Then passing through debugger, to arrange all threads be single-step debug, and the page number of this page is added recovery chained list, because having triggered page abnormal for PAGE_GUARD can automatically lose PAGE_GUARD attribute, the completeness followed the tracks of so that it is guaranteed that multi-thread environment and kernel readjustment environment give an order;It is last whether the current address performing to analyze in thread execution instruction is positioned at page interested, if it is, continuation single-step debug, otherwise, so this thread is not operated, and resets the PAGE_GUARD attribute of the page interested according to the chained list used before.
A kind of system of hot spot module instruction trace, including with lower module:
Debugging loop module: after a process becomes debugged process, when completing some operation or occurring abnormal, it can send notification to debugger, then self is hung up, and until debugger order, it continues executing with;
Abnormality processing module: by abnormal distribution, different anomalous events is processed, abnormality processing has separated reception and has processed error code, it is a kind of mechanism in programming language or computer hardware, for processing the unusual condition (namely beyond some specific condition of program normal execution flow) occurred in software or information system;
Read depositor and memory modules: thread has a context environmental, and it contains the most information about thread, for instance the address of thread stack, the instruction address etc. that thread is currently executing.Context environmental preserves in a register, context can be occurred to switch, be actually and be saved in internal memory by the context environmental of a thread, then by the context environmental load register of another thread time system carries out thread scheduling;
Breakpoint functional module: when debugging, when only debugged process suspension performs, it just can be performed operation by debugger, for instance observe memory content etc..If debugged process is not stopped, debugger can not do whatever.Making debugged process stop, except the debugging event that particular moment just occurs, unique approach is exactly exception throw except several, and breakpoint is exactly the exception reaching object above;
Single step performs module: it is one of modal debugging method that single step performs, and namely performs line code every time, and it also includes Step Into, Step Over, jumps out three kinds of orders;
By using CreateProcess, (WIN32API function CreateProcess is used for creating a new process and its main thread, and this new process runs the executable file specified.) this WindowsAPI function starts debugged program, by debugging loop module, the debugged program of debugging routine circular wait triggers anomalous event;Anomalous event is distributed processing by described abnormality processing module;By reading depositor and this module of internal memory, obtain debugged process and access the positional information of page, it may be judged whether have access to page interested, if what access is hot spot module, then trigger PAGE_GUARD abnormal;Abnormal by abnormality processing resume module PAGE_GUARD, all threads of debugged process are set to single-step debug, perform instruction one by one;And breakpoint functional module can be more flexible when mastery routine is debugged operation.
The invention reside in and employ PAGE_GUARD attribute to identify hot spot module and limited single-step debug carrys out tracking module instruction and performs, it is achieved thereby that the completeness of hot spot module instruction trace, avoid non-problem of completeness and complexity problem that simple breakpoint is followed the tracks of, it also avoid the inefficiency problem of simple instruction trace.
Compared with the existing technology, its beneficial effect shows the present invention:
One, PAGE_GUARD attribute monitor in real time page is used, with strong points, it is ensured that every thread instruction entering the page interested of knowing clearly can be detected;
Two, when triggering, PAGE_GUARD is abnormal later will carry out single-step debug to the thread of debugged process, and all threads will carry out interim single step run, it is ensured that multi-thread environment gives an order the completeness followed the tracks of;
Three, hot spot module absolutely being followed the tracks of, non-hot spot module is followed the tracks of hardly, performance cost is low, can be used for the analysis of large program.
Accompanying drawing explanation
When considered in conjunction with the accompanying drawings, by referring to detailed description below, can more completely be more fully understood that the present invention and easily learn the advantage that many of which is adjoint, but accompanying drawing described herein is used for providing a further understanding of the present invention, constitute the part of the present invention, the schematic description and description of the present invention is used for explaining the present invention, is not intended that inappropriate limitation of the present invention, such as figure wherein:
Fig. 1 is the general frame figure of the present invention;
Fig. 2 is the Use Case Map of the invention process single-step debug;
Fig. 3 is the program flow diagram of the present invention;
Fig. 4 is that module of the present invention connects block diagram.
Detailed description of the invention
Below in conjunction with the drawings and the specific embodiments, the invention will be further described.
Embodiment 1:
A kind of method of hot spot module instruction trace, comprises the following steps:
Debugging circulation step: after a process becomes debugged process, when completing some operation or occurring abnormal, it can send notification to debugger, then self is hung up, and until debugger order, it continues executing with;
Abnormality processing step: by abnormal distribution, different anomalous events is processed, abnormality processing has separated reception and has processed error code, it is a kind of mechanism in programming language or computer hardware, for processing the unusual condition (namely beyond some specific condition of program normal execution flow) occurred in software or information system;
Read depositor and internal memory step: thread has a context environmental, and it contains the most information about thread, for instance the address of thread stack, the instruction address etc. that thread is currently executing.Context environmental preserves in a register, context can be occurred to switch, be actually and be saved in internal memory by the context environmental of a thread, then by the context environmental load register of another thread time system carries out thread scheduling;
Breakpoint functional steps: when debugging, when only debugged process suspension performs, it just can be performed operation by debugger, for instance observe memory content etc..If debugged process is not stopped, debugger can not do whatever.Making debugged process stop, except the debugging event that particular moment just occurs, unique approach is exactly exception throw except several, and breakpoint is exactly the exception reaching object above;
Single step performs step: it is one of modal debugging method that single step performs, and namely performs line code every time, and it also includes Step Into, Step Over, jumps out three kinds of orders;
By using this WindowsAPI function of CreateProcess to start debugged program, by debugging loop module, the debugged program of debugging routine circular wait triggers anomalous event;Anomalous event is distributed processing by described abnormality processing module;By reading depositor and this module of internal memory, obtain debugged process and access the positional information of page, it may be judged whether have access to page interested, if what access is hot spot module, then trigger PAGE_GUARD abnormal;Abnormal by abnormality processing resume module PAGE_GUARD, all threads of debugged process are set to single-step debug, perform instruction one by one;And breakpoint functional module can be more flexible when mastery routine is debugged operation.
Embodiment 2:
One carries out instruction tracing method for hot spot module, after carrying out single-step debug, the PAGE_GUARD attribute of hot spot module will be lost, and the page number losing PAGE_GUARD attribute is added in a chained list, hot spot module is not accessed when the thread of single-step debug is determined, again the PAGE_GUARD attribute of hot spot module will be added according to this chained list, and directly perform this thread with non-single step mode;The method mainly comprises the steps that
S1: identify page interested: be set to PAGE_GUARD attribute for hot spot module place code page, identifies the PAGE_GUARD attribute of these pages;
S2: process accesses page: debugged process operationally accesses page, because page interested has been set PAGE_GUARD attribute, once thread accesses is to being designated page interested, extremely will be triggered, debugged process just will be carried out hang-up process by mastery routine, if the page accessed is not in the code page of hot spot module place, then will not thread be operated;
S3: process PAGE_GUARD abnormal: after triggering PAGE_GUARD and be abnormal, debugged process is suspended, aroused after processing etc. process to be debugged, it is single-step debug that debugging process arranges all threads of debugged process, and this page is write in a chained list, the PAGE_GUARD attribute of this page is lost;
S4: thread single-step debug: the flow process that tracing program performs step by step, again judge whether thread accesses hot spot module place code page, if not accessing page interested, then this thread not being operated, now reseting the PAGE_GUARD attribute of page according to the chained list created in S3;If accessing page interested, then all thread single-step debugs are set;
S5: reset PAGE_GUARD attribute: owing to PAGE_GUARD attribute just will be lost when carrying out single-step debug, in order to ensure that the page interested is monitored in real time, if the thread of single-step debug does not access page interested, the PAGE_GUARD attribute of page is just reset according to the S2 chained list arranged, if what certainly access is page interested, continue to thread single-step debug.
Embodiment 3:
Windows7 system for Microsoft
The debugger based on hot spot module tracking of exploitation is debugged under Windows7 system.Visualstdio2013 is used to be compiled project running.
Debugger project can specify an exe to perform file, and selected be likely to be designated PAGE_GUARD attribute by the page of malicious attack, debugger generates a process subsequently, it is appointed as debugged process, once hot spot module has been carried out read-write and will trigger PAGE_GUARD extremely by debugged process.And the exception that debugged process will trigger at its life cycle has a lot, the anomalous event receiving the transmission of debugged process according to debugger process processes abnormal, just completing a debugging flow process, table 1 lists the anomalous event that debugged device may trigger.
Table 1 present embodiment is likely to the exception triggered
One, debugging event and debugging circulation: want a program is debugged, first have to do that yes starts this program, this to use this WindowsAPI of CreateProcess to complete, debugging circulation ensure that debugger process can accurately receive the exception that debugged process is sent, and its step is as follows:
1. by one process of CreateProcess function creation;
2. the process being created is activated, and triggers abnormal;
3. the process notice debugger being created, it is desirable to abnormality processing;
4. debugger process hangs up the process that is created, and processes abnormal;
5. abnormality processing completes, and recovers the operation of the process that is created;
Two, PAGE_GUARD anomalous event flow process:
A, according to the information such as code area and data storage area, mark internal memory relevant range attribute is PAGE_GUARD, once the thread of the process being created reads or writes this region of memory, can result in PAGE_GUARD abnormal, by debugging circulation, abnormal information is passed to debugger;
B, debugger obtain PAGE_GUARD abnormal information, arrange all thread single-step debugs of debugged process, and are added to by page number in a chained list, and the PAGE_GUARD attribute of page is lost;
C, another thread run, it is judged that whether this thread accesses page interested, if it is, continue thread single-step debug, if it is not, then forward d to;
D, do not monitor the thread not accessing the page interested, owing to when b step, the PAGE_GUARD attribute of detected page is lost, and will again identify the PAGE_GUARD attribute of hot spot module according to b chained list.
The mode of the use PAGE_GUARD attribute-bit hot spot module that present embodiment proposes is effective and simple, it is possible to the access to sensitive core position of the prevention malicious program code.
Such as, when a program is analyzed by debugger, if this routine access hot spot region of our labellings, so can only carry out single-step debug, this will make malicious code be not carried out, and whether excessively conventional debugger analyzes, only by programmer oneself, the page sensitivity that debugged process accesses, if be hacked.By the PAGE_GUARD of sensitizing range is identified, decrease the part work of artificial judgment, add the debugger detection efficiency to malicious code.
Below it is only the representative embodiment in the numerous concrete range of application of the present invention, protection scope of the present invention is not constituted any limitation.Embodiments of the invention are explained, but as long as can have a lot of deformation essentially without the inventive point and effect that depart from the present invention, this will be readily apparent to persons skilled in the art.Therefore, all technical schemes adopting conversion or equivalence to replace and formed, all fall within rights protection scope of the present invention.

Claims (6)

1. the system of a hot spot module instruction trace, it is characterised in that include with lower module:
Debugging loop module: after a process becomes debugged process, when completing some operation or occurring abnormal, it can send notification to debugger, then self is hung up, and until debugger order, it continues executing with;
Abnormality processing module: by abnormal distribution, different anomalous events is processed, abnormality processing has separated reception and has processed error code, it is a kind of mechanism in programming language or computer hardware, for processing the unusual condition (namely beyond some specific condition of program normal execution flow) occurred in software or information system;
Read depositor and internal memory: thread has a context environmental, and it contains the most information about thread, for instance the address of thread stack, the instruction address etc. that thread is currently executing.Context environmental preserves in a register, context can be occurred to switch, be actually and be saved in internal memory by the context environmental of a thread, then by the context environmental load register of another thread time system carries out thread scheduling;
Breakpoint functional module: when debugging, when only debugged process suspension performs, it just can be performed operation by debugger, for instance observe memory content etc..If debugged process is not stopped, debugger can not do whatever;Making debugged process stop, except the debugging event that particular moment just occurs, unique approach is exactly exception throw except several, and breakpoint is exactly the exception reaching object above;
Single step performs module: it is one of modal debugging method that single step performs, and namely performs line code every time, and it also includes Step Into, Step Over, jumps out three kinds of orders;
By using this WindowsAPI function of CreateProcess to start debugged program, by debugging loop module, the debugged program of debugging routine circular wait triggers anomalous event;Anomalous event is distributed processing by described abnormality processing module;By reading depositor and this module of internal memory, obtain debugged process and access the positional information of page, it may be judged whether have access to page interested, if what access is hot spot module, then trigger PAGE_GUARD abnormal;Abnormal by abnormality processing resume module PAGE_GUARD, all threads of debugged process are set to single-step debug, perform instruction one by one;And breakpoint functional module can be more flexible when mastery routine is debugged operation.
2. the system of a kind of hot spot module instruction trace according to claim 1, it is characterised in that described hot spot module can be the file place region of memory that user oneself specifies.
3. the system of a kind of hot spot module instruction trace according to claim 1; it is characterized in that; described PAGE_GUARD is abnormal can be triggered when debugged process reads or writes hot spot module; and ensure after thread does not access hot spot module; reset PAGE_GUARD attribute by a chained list recording PAGE_GUARD attribute, can guarantee that and the page interested is carried out thread-level real-time tracking.
4. the method for a hot spot module instruction trace, it is characterised in that first indicate hot spot module, the page that namely user is interested;When the page that thread accesses to user is interested, then PAGE_GUARD being triggered abnormal, and processing thus triggering debugger;Then passing through debugger, to arrange all threads be single-step debug, and the page number of this page is added recovery chained list, because having triggered page abnormal for PAGE_GUARD can automatically lose PAGE_GUARD attribute, the completeness followed the tracks of so that it is guaranteed that multi-thread environment and kernel readjustment environment give an order;It is last whether the current address performing to analyze in thread execution instruction is positioned at page interested, if it is, continuation single-step debug, otherwise, so this thread is not operated, and resets the PAGE_GUARD attribute of the page interested according to the chained list used before.
5. the method for a kind of hot spot module instruction trace according to claim 4, it is characterised in that include below step;
Debugging circulation step: after a process becomes debugged process, when completing some operation or occurring abnormal, it can send notification to debugger, then self is hung up, and until debugger order, it continues executing with;
Abnormality processing step: by abnormal distribution, different anomalous events is processed, abnormality processing has separated reception and has processed error code, it is a kind of mechanism in programming language or computer hardware, for processing the unusual condition (namely beyond some specific condition of program normal execution flow) occurred in software or information system;
Read depositor and internal memory step: thread has a context environmental, and it contains the most information about thread, for instance the address of thread stack, the instruction address that thread is currently executing;Context environmental preserves in a register, context can be occurred to switch, be actually and be saved in internal memory by the context environmental of a thread, then by the context environmental load register of another thread time system carries out thread scheduling;
Breakpoint functional steps: when debugging, when only debugged process suspension performs, it just can be performed operation by debugger, for instance observe memory content;If debugged process is not stopped, debugger can not do whatever;Making debugged process stop, except the debugging event that particular moment just occurs, unique approach is exactly exception throw except several, and breakpoint is exactly the exception reaching object above;
Single step performs step: it is one of modal debugging method that single step performs, and namely performs line code every time, and it also includes Step Into, Step Over, jumps out three kinds of orders;
By using this WindowsAPI function of CreateProcess to start debugged program, by debugging loop module, the debugged program of debugging routine circular wait triggers anomalous event;Anomalous event is distributed processing by described abnormality processing module;By reading depositor and this module of internal memory, obtain debugged process and access the positional information of page, it may be judged whether have access to page interested, if what access is hot spot module, then trigger PAGE_GUARD abnormal;Abnormal by abnormality processing resume module PAGE_GUARD, all threads of debugged process are set to single-step debug, perform instruction one by one;And breakpoint functional module can be more flexible when mastery routine is debugged operation.
6. the method for a kind of hot spot module instruction trace according to claim 5, it is characterised in that include below step;
After carrying out single-step debug, the PAGE_GUARD attribute of hot spot module will be lost, and the page number losing PAGE_GUARD attribute is added in a chained list, hot spot module is not accessed when the thread of single-step debug is determined, again the PAGE_GUARD attribute of hot spot module will be added according to this chained list, and directly perform this thread with non-single step mode;The method mainly comprises the steps that
S1: identify page interested: be set to PAGE_GUARD attribute for hot spot module place code page, identifies the PAGE_GUARD attribute of these pages;
S2: process accesses page: debugged process operationally accesses page, because page interested has been set PAGE_GUARD attribute, once thread accesses is to being designated page interested, extremely will be triggered, debugged process just will be carried out hang-up process by mastery routine, if the page accessed is not in the code page of hot spot module place, then will not thread be operated;
S3: process PAGE_GUARD abnormal: after triggering PAGE_GUARD and be abnormal, debugged process is suspended, aroused after processing etc. process to be debugged, it is single-step debug that debugging process arranges all threads of debugged process, and this page is write in a chained list, the PAGE_GUARD attribute of this page is lost;
S4: thread single-step debug: the flow process that tracing program performs step by step, again judge whether thread accesses hot spot module place code page, if not accessing page interested, then this thread not being operated, now reseting the PAGE_GUARD attribute of page according to the chained list created in S3;If accessing page interested, then all thread single-step debugs are set;
S5: reset PAGE_GUARD attribute: owing to PAGE_GUARD attribute just will be lost when carrying out single-step debug, in order to ensure that the page interested is monitored in real time, if the thread of single-step debug does not access page interested, the PAGE_GUARD attribute of page is just reset according to the S2 chained list arranged, if what certainly access is page interested, continue to thread single-step debug.
CN201610052808.3A 2016-01-26 2016-01-26 Method and system for hotspot module instruction tracking Pending CN105718374A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610052808.3A CN105718374A (en) 2016-01-26 2016-01-26 Method and system for hotspot module instruction tracking

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610052808.3A CN105718374A (en) 2016-01-26 2016-01-26 Method and system for hotspot module instruction tracking

Publications (1)

Publication Number Publication Date
CN105718374A true CN105718374A (en) 2016-06-29

Family

ID=56155014

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610052808.3A Pending CN105718374A (en) 2016-01-26 2016-01-26 Method and system for hotspot module instruction tracking

Country Status (1)

Country Link
CN (1) CN105718374A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021791A (en) * 2016-10-31 2018-05-11 腾讯科技(深圳)有限公司 Data guard method and device
CN109643273A (en) * 2016-08-31 2019-04-16 微软技术许可有限责任公司 The program tracking debugged and analyzed for time travel
WO2021026938A1 (en) * 2019-08-15 2021-02-18 奇安信安全技术(珠海)有限公司 Shellcode detection method and apparatus
CN112395609A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for application layer shellcode
CN112395610A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for kernel layer shellcode
CN112860362A (en) * 2021-02-05 2021-05-28 达而观数据(成都)有限公司 Visual debugging method and system for robot automation process
US11126536B2 (en) 2016-10-20 2021-09-21 Microsoft Technology Licensing, Llc Facilitating recording a trace file of code execution using index bits in a processor cache
US11138092B2 (en) 2016-08-31 2021-10-05 Microsoft Technology Licensing, Llc Cache-based tracing for time travel debugging and analysis
US11194696B2 (en) 2016-10-20 2021-12-07 Microsoft Technology Licensing, Llc Recording a trace of code execution using reserved cache lines in a cache
US11915028B2 (en) 2017-04-01 2024-02-27 Microsoft Technology Licensing, Llc Virtual machine execution tracing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101504626A (en) * 2009-03-06 2009-08-12 中兴通讯股份有限公司 Debugging control implementing method and system
CN101599039A (en) * 2008-06-03 2009-12-09 华为技术有限公司 Abnormality eliminating method and device under the embedded type C language environment
CN101685420A (en) * 2008-09-24 2010-03-31 中兴通讯股份有限公司 Multithreading debugging method and device
CN105095079A (en) * 2015-07-27 2015-11-25 电子科技大学 Method and device for hot spot module instruction tracking

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599039A (en) * 2008-06-03 2009-12-09 华为技术有限公司 Abnormality eliminating method and device under the embedded type C language environment
CN101685420A (en) * 2008-09-24 2010-03-31 中兴通讯股份有限公司 Multithreading debugging method and device
CN101504626A (en) * 2009-03-06 2009-08-12 中兴通讯股份有限公司 Debugging control implementing method and system
CN105095079A (en) * 2015-07-27 2015-11-25 电子科技大学 Method and device for hot spot module instruction tracking

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11138092B2 (en) 2016-08-31 2021-10-05 Microsoft Technology Licensing, Llc Cache-based tracing for time travel debugging and analysis
CN109643273A (en) * 2016-08-31 2019-04-16 微软技术许可有限责任公司 The program tracking debugged and analyzed for time travel
CN109643273B (en) * 2016-08-31 2022-02-01 微软技术许可有限责任公司 Computer system, method, hardware storage device for recording playable traces
US11194696B2 (en) 2016-10-20 2021-12-07 Microsoft Technology Licensing, Llc Recording a trace of code execution using reserved cache lines in a cache
US11126536B2 (en) 2016-10-20 2021-09-21 Microsoft Technology Licensing, Llc Facilitating recording a trace file of code execution using index bits in a processor cache
CN108021791A (en) * 2016-10-31 2018-05-11 腾讯科技(深圳)有限公司 Data guard method and device
CN108021791B (en) * 2016-10-31 2021-08-10 腾讯科技(深圳)有限公司 Data protection method and device
US11915028B2 (en) 2017-04-01 2024-02-27 Microsoft Technology Licensing, Llc Virtual machine execution tracing
CN112395610A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for kernel layer shellcode
CN113646763A (en) * 2019-08-15 2021-11-12 奇安信安全技术(珠海)有限公司 Detection method and device of shellcode
CN112395609A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Detection method and device for application layer shellcode
CN113646763B (en) * 2019-08-15 2024-02-02 奇安信安全技术(珠海)有限公司 shellcode detection method and device
WO2021026938A1 (en) * 2019-08-15 2021-02-18 奇安信安全技术(珠海)有限公司 Shellcode detection method and apparatus
CN112395610B (en) * 2019-08-15 2024-04-16 奇安信安全技术(珠海)有限公司 Detection method and device for kernel layer shellcode
CN112860362A (en) * 2021-02-05 2021-05-28 达而观数据(成都)有限公司 Visual debugging method and system for robot automation process
CN112860362B (en) * 2021-02-05 2022-10-04 达而观数据(成都)有限公司 Visual debugging method and system for robot automation process

Similar Documents

Publication Publication Date Title
CN105718374A (en) Method and system for hotspot module instruction tracking
CN102346708B (en) Debugger and debugging method thereof
Zhou et al. AccMon: Automatically detecting memory-related bugs via program counter-based invariants
CN102214137B (en) Debugging method and debugging equipment
CN107357666B (en) Multi-core parallel system processing method based on hardware protection
JP4688862B2 (en) Providing support for single step functionality of virtual machines in virtual machine environments
KR102025078B1 (en) Diagnosing code using single step execution
JP4222370B2 (en) Program for causing a computer to execute a debugging support apparatus and a debugging processing method
WO2021057057A1 (en) Target-code coverage testing method, system, and medium of operating system-level program
US20080301417A1 (en) System and Method for Debugging of Computer
Greathouse et al. Demand-driven software race detection using hardware performance counters
US9575816B2 (en) Deadlock/livelock resolution using service processor
JP2007128132A (en) Thread debugging device, thread debugging method and program
US7793160B1 (en) Systems and methods for tracing errors
CN105095079B (en) A kind of method and apparatus of hot spot module instruction trace
Dovgalyuk Deterministic Replay of System's Execution with Multi-target QEMU Simulator for Dynamic Analysis and Reverse Debugging.
US9176821B2 (en) Watchpoint support system for functional simulator
CN107003897B (en) Monitoring utilization of transaction processing resources
US8612720B2 (en) System and method for implementing data breakpoints
CN102662845B (en) A kind of method, Apparatus and system realized through property data breakpoint
Zhou et al. iwatcher: Simple, general architectural support for software debugging
JPH02294739A (en) Fault detecting system
Qin System Support for Improving Software Dependability During Production Runs
EP2600252B1 (en) System and method for debugging of computer programs
US8352714B2 (en) Executing watchpoint instruction in pipeline stages with temporary registers for storing intermediate values and halting processing before updating permanent registers

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160629