CN105808251A - Virtual function table based method and system for bypassing security detection by hijack - Google Patents
- Publication number: CN105808251A (application CN201610121933.5A)
- Authority: CN (China)
- Prior art keywords: function, virtual table, present, present function, address
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/20—Software design
- G06F8/22—Procedural
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a virtual function table based method and system for bypassing security detection by hijack. The method comprises the steps of (1) obtaining an address of a virtual function table of an IDirect3DDevice9 object in a process; (2) finding a serial number of a Present function in the virtual function table of the IDirect3DDevice9 object from a d3d9.h header file; (3) constructing a stub function used for replacing the Present function of a system, wherein the stub function is used for realizing the calling of a function designed by a developer and the calling of the Present function of the system; and (4) according to the address of the virtual function table of the IDirect3DDevice9 object and the serial number of the Present function in the virtual function table, replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function. According to the method and system, a realization principle of the C++ virtual function table is skillfully utilized and the Present function in the virtual function table of the IDirect3DDevice9 object is replaced with the stub function by replacing the address of the Present function in the virtual function table of the IDirect3DDevice9 object, so that the Present function in d3d9.dll is hijacked and the code integrity detection of the system is bypassed finally.
Description
Technical field
The invention belongs to the technical field of computer development, and more particularly relates to a method and system for bypassing security detection by hijacking a virtual function table.
Background technology
At present, live-streaming software obtains the display content of the video card by hooking the Present function of d3d9.dll in the process, and then sends that display content to the server over the network to realize the live stream. Current hooking technology is all "pile insertion" (inline patching) before the function to be hooked: the assembly code at the head of the hooked function is modified into a jmp instruction that jumps to the hooker's own function; after the hooker's own function has completed, the modified code at the patch site is restored and execution jumps back to the original hooked function. Realizing this method requires modifying the code of d3d9.dll. However, many games at present, especially first-person shooting (FPS) games, are targeted by cheats ("plug-ins"), and realizing a cheat's functions also modifies the code of d3d9.dll. As a result, game developers, especially of FPS-type games, detect the code integrity of d3d9.dll; if code is detected as modified, it is deemed a cheat and the player is taken offline. A cheat not only hooks the Present function but also modifies game data, which is an illegal call, whereas live-streaming software only hooks the Present function to obtain the live display content and makes no modification to game data, which is a legal call that should not be treated as illegal. Therefore, a method is needed by which live-streaming software can hook the Present function to obtain display content without being misjudged as an illegal call.
Summary of the invention
In view of the above defects or improvement needs of the prior art, the invention provides a new hooking method that realizes the function of a hook without modifying any code, thereby bypassing the system's detection. The method relies on the fact that the hooked function Present of d3d9.dll is a virtual function of the IDirect3DDevice9 interface pointer; C++ virtual functions are realized through a virtual function table, which records the actual memory address of every virtual function, and the IDirect3DDevice9 object is created on the heap. Modifying an entry of this object's virtual function table is therefore only comparable to modifying data on the heap; no code is modified, so the modification is not detected by code integrity checking.
To achieve the above object, a method for bypassing security detection by virtual function table hijacking according to the invention comprises the following steps:
(1) obtaining the address of the virtual function table of the IDirect3DDevice9 object in the process;
(2) finding, from the d3d9.h header file, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object;
(3) constructing a stub function to replace the system Present function, the stub function being used to call the function designed by the developer and to call the system Present function;
(4) according to the address of the virtual function table of the IDirect3DDevice9 object and the ordinal of the Present function in that table, replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function.
According to another aspect of the invention, a system for bypassing security detection by virtual function table hijacking is also provided, comprising a virtual table address acquisition module, a Present function ordinal lookup module, a stub function construction module and a Present function replacement module, wherein:
the virtual table address acquisition module is used to obtain the address of the virtual function table of the IDirect3DDevice9 object in the process;
the Present function ordinal lookup module is used to find, from the d3d9.h header file, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object;
the stub function construction module is used to construct a stub function to replace the system Present function, the stub function being used to call the function designed by the developer and to call the system Present function;
the Present function replacement module is used to replace the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function, according to the address of that virtual function table and the ordinal of the Present function in it.
The invention makes skillful use of the realization principle of the C++ virtual function table: by replacing the address of the Present function in the virtual function table of the IDirect3DDevice9 object, the Present function in that table is replaced with the stub function, thereby hijacking the Present function in d3d9.dll and finally bypassing the system's code integrity detection.
Brief description of the drawings
Fig. 1 is a flow chart of the method for bypassing security detection by virtual function table hijacking according to the invention;
Fig. 2 is a structure diagram of the system for bypassing security detection by virtual function table hijacking according to the invention.
Detailed description of the invention
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is further elaborated below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it. In addition, the technical features involved in the embodiments of the invention described below may be combined with each other as long as they do not conflict.
As shown in Fig. 1, the invention provides a method for bypassing security detection by virtual function table hijacking, comprising the following steps:
(1) obtaining the address of the virtual function table of the IDirect3DDevice9 object in the process;
Specifically, the address obtained above may be the pointer to the virtual function table of the IDirect3DDevice9 object in the process.
(2) finding, from the d3d9.h header file, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object;
In an embodiment of the invention, according to the d3d9.h header file, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object is 17.
(3) constructing a stub function to replace the system Present function, the stub function being used to call the function designed by the developer and to call the system Present function;
Specifically, the stub function may be a constructed section of assembly code (named, for example, nakedPresentTrans) that replaces the original Present function; one purpose of this section of code is to call the function designed by the developer, and the other is to call the system Present function.
For example, the stub function may be implemented as follows:
Specifically, when programming the above stub function, a language such as assembly or C may be used.
(4) according to the address of the virtual function table of the IDirect3DDevice9 object and the ordinal of the Present function in that table, replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function.
For example, a specific implementation may be:
pDeviceVt[17] = (DWORD)&nakedPresentTrans;
where pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, 17 is the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object, and DWORD is a 4-byte data type.
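As an added example (not from the patent and not the applicant's code), the following C program shows the defender-side counterpart of step (4): overwriting a vtable slot leaves the code bytes of d3d9.dll untouched, so a check that only hashes code misses it, whereas validating every slot against the owning module's address range, or against a snapshot taken when the device was created, flags slot 17 at once. The module image, the vtable and all names (simulated_d3d9, vtable_find_foreign_slot, foreign_stub) are constructed and hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRESENT_SLOT 17   /* ordinal of Present in IDirect3DDevice9's vtable (d3d9.h, as the page states) */
#define VT_SLOTS     32   /* constructed: enough slots for the simulation; the real interface has more */
#define IMAGE_SIZE   4096 /* constructed size of the simulated d3d9.dll image */

/* Address range of a mapped module: [base, base + size). */
typedef struct {
    uintptr_t base;
    size_t    size;
} module_range_t;

/* Stands in for the mapped d3d9.dll image (constructed, hypothetical). */
static unsigned char g_d3d9_image[IMAGE_SIZE];

/* Stands in for a hooking stub such as nakedPresentTrans: it lives in this
 * program's own code, i.e. outside the simulated module image. */
static void foreign_stub(void) {}

module_range_t simulated_d3d9(void) {
    module_range_t m = { (uintptr_t)g_d3d9_image, IMAGE_SIZE };
    return m;
}

static int in_module(uintptr_t addr, const module_range_t *m) {
    return addr >= m->base && addr < m->base + m->size;
}

/* Check 1: every slot of an interface's vtable must point into the module that
 * implements the interface. Returns the first offending slot index, or -1. */
int vtable_find_foreign_slot(const uintptr_t *vt, size_t nslots, const module_range_t *owner) {
    for (size_t i = 0; i < nslots; i++)
        if (!in_module(vt[i], owner)) return (int)i;
    return -1;
}

/* Check 2: compare the live vtable with a snapshot taken when the device was
 * created. Returns the first slot that changed, or -1. */
int vtable_find_changed_slot(const uintptr_t *baseline, const uintptr_t *live, size_t nslots) {
    for (size_t i = 0; i < nslots; i++)
        if (baseline[i] != live[i]) return (int)i;
    return -1;
}

/* Builds a constructed vtable whose entries all point into the simulated image. */
void build_legit_vtable(uintptr_t *vt, size_t nslots, const module_range_t *owner) {
    for (size_t i = 0; i < nslots; i++)
        vt[i] = owner->base + 16 * (i + 1);  /* constructed: 16-byte stride inside the image */
}

/* Applies the page's replacement, pDeviceVt[17] = (DWORD)&nakedPresentTrans,
 * to the simulated vtable so that the checks have something to find. */
void simulate_present_replacement(uintptr_t *vt) {
    vt[PRESENT_SLOT] = (uintptr_t)foreign_stub;
}

int main(void) {
    uintptr_t baseline[VT_SLOTS], live[VT_SLOTS];
    module_range_t d3d9 = simulated_d3d9();

    build_legit_vtable(live, VT_SLOTS, &d3d9);
    memcpy(baseline, live, sizeof live);
    printf("clean:   foreign=%d changed=%d\n",
           vtable_find_foreign_slot(live, VT_SLOTS, &d3d9),
           vtable_find_changed_slot(baseline, live, VT_SLOTS));

    simulate_present_replacement(live);
    printf("patched: foreign=%d changed=%d\n",
           vtable_find_foreign_slot(live, VT_SLOTS, &d3d9),
           vtable_find_changed_slot(baseline, live, VT_SLOTS));
    return 0;
}
```

In a real process the module range comes from the loaded-module list and the snapshot from the device's vtable pointer at creation time; both checks report -1 for the clean table and 17 after the replacement.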
Further, as shown in Fig. 2, the invention also provides a system for bypassing security detection by virtual function table hijacking, comprising a virtual table address acquisition module, a Present function ordinal lookup module, a stub function construction module and a Present function replacement module, wherein:
the virtual table address acquisition module is used to obtain the address of the virtual function table of the IDirect3DDevice9 object in the process;
In an embodiment of the invention, the address obtained by the virtual table address acquisition module may be the pointer to the virtual function table of the IDirect3DDevice9 object in the process.
the Present function ordinal lookup module is used to find, from the d3d9.h header file, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object;
In an embodiment of the invention, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object is 17.
the stub function construction module is used to construct a stub function to replace the system Present function, the stub function being used to call the function designed by the developer and to call the system Present function;
the Present function replacement module is used to replace the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function, according to the address of that virtual function table and the ordinal of the Present function in it.
In an embodiment of the invention, the specific implementation by which the Present function replacement module replaces the Present function is:
pDeviceVt[Present_ID] = (DWORD)&nakedPresentTrans; where pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, Present_ID is the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object, nakedPresentTrans is the stub function, and DWORD is a 4-byte data type.
Those skilled in the art will readily understand that the foregoing is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (8)
1. A method for bypassing security detection by virtual function table hijacking, characterized in that the method comprises the following steps:
(1) obtaining the address of the virtual function table of the IDirect3DDevice9 object in the process;
(2) finding, from the d3d9.h header file, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object;
(3) constructing a stub function to replace the system Present function, the stub function being used to call the function designed by the developer and to call the system Present function;
(4) according to the address of the virtual function table of the IDirect3DDevice9 object and the ordinal of the Present function in that table, replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function.
2. The method for bypassing security detection by virtual function table hijacking according to claim 1, characterized in that the address obtained in step (1) is the pointer to the virtual function table of the IDirect3DDevice9 object in the process.
3. The method for bypassing security detection by virtual function table hijacking according to claim 1 or 2, characterized in that in step (2) the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object is 17.
4. The method for bypassing security detection by virtual function table hijacking according to claim 1 or 2, characterized in that the specific implementation of step (4) is:
pDeviceVt[Present_ID] = (DWORD)&nakedPresentTrans; where pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, Present_ID is the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object, nakedPresentTrans is the stub function, and DWORD is a 4-byte data type.
5. A system for bypassing security detection by virtual function table hijacking, characterized in that it comprises a virtual table address acquisition module, a Present function ordinal lookup module, a stub function construction module and a Present function replacement module, wherein:
the virtual table address acquisition module is used to obtain the address of the virtual function table of the IDirect3DDevice9 object in the process;
the Present function ordinal lookup module is used to find, from the d3d9.h header file, the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object;
the stub function construction module is used to construct a stub function to replace the system Present function, the stub function being used to call the function designed by the developer and to call the system Present function;
the Present function replacement module is used to replace the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function, according to the address of that virtual function table and the ordinal of the Present function in it.
6. The system for bypassing security detection by virtual function table hijacking according to claim 5, characterized in that the address obtained by the virtual table address acquisition module is the pointer to the virtual function table of the IDirect3DDevice9 object in the process.
7. The system for bypassing security detection by virtual function table hijacking according to claim 5 or 6, characterized in that the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object is 17.
8. The system for bypassing security detection by virtual function table hijacking according to claim 5 or 6, characterized in that the specific implementation by which the Present function replacement module replaces the Present function is:
pDeviceVt[Present_ID] = (DWORD)&nakedPresentTrans; where pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, Present_ID is the ordinal of the Present function in the virtual function table of the IDirect3DDevice9 object, nakedPresentTrans is the stub function, and DWORD is a 4-byte data type.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610121933.5A CN105808251B (en) | 2016-03-03 | 2016-03-03 | Virtual function table hijacking bypass security detection method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105808251A true CN105808251A (en) | 2016-07-27 |
CN105808251B CN105808251B (en) | 2021-02-02 |
Family
ID=56466638
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610121933.5A Active CN105808251B (en) | 2016-03-03 | 2016-03-03 | Virtual function table hijacking bypass security detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105808251B (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102163143A (en) * | 2011-04-28 | 2011-08-24 | 北京北大众志微系统科技有限责任公司 | Method for realizing value-associated indirect jump prediction |
WO2012145992A1 (en) * | 2011-04-28 | 2012-11-01 | 北京北大众志微系统科技有限责任公司 | Method for implementing value-associated indirect jump prediction |
CN103823683A (en) * | 2014-02-27 | 2014-05-28 | 北京六间房科技有限公司 | Video recording device and method |
CN104881610A (en) * | 2015-06-16 | 2015-09-02 | 北京理工大学 | Method for defending hijacking attacks of virtual function tables |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106295326A (en) * | 2016-08-12 | 2017-01-04 | 武汉斗鱼网络科技有限公司 | Inline hook method and system for obtaining video card content |
CN106339300A (en) * | 2016-08-12 | 2017-01-18 | 武汉斗鱼网络科技有限公司 | Method and system for acquiring the FPS of a third-party game |
CN106295325A (en) * | 2016-08-12 | 2017-01-04 | 武汉斗鱼网络科技有限公司 | Hook method and system for obtaining video card content |
CN106295325B (en) * | 2016-08-12 | 2020-02-07 | 武汉斗鱼网络科技有限公司 | Hook method and system for acquiring content of display card |
CN106295326B (en) * | 2016-08-12 | 2020-02-07 | 武汉斗鱼网络科技有限公司 | Inline hook method and system for acquiring content of display card |
CN107194250A (en) * | 2017-03-31 | 2017-09-22 | 武汉斗鱼网络科技有限公司 | Integrity checking method and device for in-memory code |
WO2019047442A1 (en) * | 2017-09-06 | 2019-03-14 | 武汉斗鱼网络科技有限公司 | Method and system for bypassing function call chain detection in iOS application |
CN108446149A (en) * | 2018-02-28 | 2018-08-24 | 北京凌宇智控科技有限公司 | Third-party dynamic library interface interception method and system |
CN108446149B (en) * | 2018-02-28 | 2021-07-20 | 北京凌宇智控科技有限公司 | Third-party dynamic library interface interception method and system |
CN108880785A (en) * | 2018-05-25 | 2018-11-23 | 武汉斗鱼网络科技有限公司 | Method, apparatus, terminal and readable medium for detecting that a C++ virtual table has been hooked |
CN108880785B (en) * | 2018-05-25 | 2021-07-23 | 武汉斗鱼网络科技有限公司 | Method, device, terminal and readable medium for detecting a hooked C++ virtual table |
CN108762934A (en) * | 2018-06-02 | 2018-11-06 | 北京泽塔云科技股份有限公司 | Remote graphics transmission system, method and cloud server |
CN109086183A (en) * | 2018-07-12 | 2018-12-25 | 武汉斗鱼网络科技有限公司 | Application program monitoring method, device, electronic equipment and storage medium |
CN109857650A (en) * | 2019-01-14 | 2019-06-07 | 珠海金山网络游戏科技有限公司 | Game performance monitoring method and system |
CN109857650B (en) * | 2019-01-14 | 2022-07-01 | 珠海金山网络游戏科技有限公司 | Game performance monitoring method and system |
CN115952017A (en) * | 2023-03-09 | 2023-04-11 | 腾讯科技(深圳)有限公司 | Memory processing method, device, equipment and medium |
CN115952017B (en) * | 2023-03-09 | 2023-05-23 | 腾讯科技(深圳)有限公司 | Memory processing method, device, equipment and medium |
Also Published As
Publication number | Publication date |
---|---|
CN105808251B (en) | 2021-02-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |