CN105808251B - Virtual function table hijacking bypass security detection method and system - Google Patents


Info

Publication number: CN105808251B
Authority: CN (China)
Prior art keywords: function, present, virtual, virtual function, function table
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201610121933.5A
Other languages: Chinese (zh)
Other versions: CN105808251A (en)
Inventor: 周志刚
Current assignee: Wuhan Douyu Network Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Wuhan Douyu Network Technology Co Ltd
Application filed by Wuhan Douyu Network Technology Co Ltd
Priority to CN201610121933.5A
Publication of CN105808251A
Application granted
Publication of CN105808251B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/20 Software design
    • G06F 8/22 Procedural

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for bypassing security detection based on virtual function table hijacking, comprising the following steps: (1) acquiring the address of the virtual function table of the IDirect3DDevice9 object in the process; (2) finding the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object from the d3d9.h header file; (3) constructing a stub function to replace the system's Present function, the stub function first calling a function designed by the developer and then calling the system Present function; (4) replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function, using the address of the virtual function table and the sequence number of the Present function within it. The method makes use of how C++ virtual function tables are implemented: it overwrites the address of the Present function in the virtual function table of the IDirect3DDevice9 object so that the table's Present entry refers to the stub function, thereby hijacking the Present function of d3d9.dll and bypassing the system's code integrity detection.

Description

Virtual function table hijacking bypass security detection method and system
Technical Field
The invention belongs to the technical field of computer development, and particularly relates to a method and a system for bypassing security detection based on virtual function table hijack.
Background
Currently, live broadcast software acquires the display content of the graphics card by hooking the Present function of d3d9.dll in the target process, and then sends that content to a server over the network to realize the live broadcast. Current hook technology is based on inline patching of the function to be hooked: the first bytes of the function's prologue are overwritten with a jmp instruction that transfers control to the hook function; after the hook function has run, the overwritten bytes are restored and execution jumps back to the original function. Implementing this method requires modifying the code of d3d9.dll. However, many current games, especially first-person shooter (FPS) games, are targeted by "plug-in" (cheat) software, and implementing such a plug-in also modifies the code of d3d9.dll. Game developers, especially of FPS games, therefore check the code integrity of d3d9.dll, and if the code has been modified the game treats the player as cheating and kicks them out. A plug-in modifies game data and does not merely hook the Present function, so it is an illegitimate call; live broadcast software only hooks the Present function to obtain the display content, does not modify any game data, and is a legitimate call that should not be treated as illegitimate. A method is therefore needed that avoids the live broadcast software's hook of the Present function being misjudged as an illegitimate call when it obtains the display content.
Disclosure of Invention
In view of the above deficiencies and needs in the art, the present invention provides a new hook method that implements hook functionality without modifying code, thereby bypassing the system's detection. The method relies on the following observations: the hooked function, Present of d3d9.dll, is a virtual function of IDirect3DDevice9; C++ implements virtual functions through a virtual function table, which is an array in memory whose entries are the addresses of the virtual functions; the IDirect3DDevice9 object is created on the heap; so modifying one entry of the object's virtual function table is only a modification of heap data and does not involve modifying code, and therefore cannot be detected by a code integrity check.
In order to achieve the above object, a method for bypassing security detection based on virtual function table hijacking according to the present invention comprises the following steps:
(1) acquiring the address of the virtual function table of an IDirect3DDevice9 object in the process;
(2) finding the sequence number of the Present function in the virtual function table where the IDirect3DDevice9 object is located from the d3d9.h header file;
(3) constructing a stub function for replacing the Present function of the system, the stub function being used to implement: calling a function designed by a developer, and calling a system Present function;
(4) replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function according to the address of the virtual function table of the IDirect3DDevice9 object and the sequence number of the Present function in the virtual function table.
According to another aspect of the Present invention, there is also provided a system for bypassing security detection based on virtual function table hijacking, comprising a virtual function table address acquisition module, a Present function sequence number lookup module, a stub function construction module, and a Present function replacement module, wherein:
the virtual function table address acquisition module is used for acquiring the address of the virtual function table of the IDirect3DDevice9 object in the process;
the Present function sequence number lookup module is configured to find the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object from the d3d9.h header file;
the stub function construction module is used for constructing a stub function to replace the system's Present function, the stub function being used to implement: calling a function designed by the developer, and calling the system Present function;
the Present function replacement module is configured to replace the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function according to the address of the virtual function table of the IDirect3DDevice9 object and the sequence number of the Present function in the virtual function table.
The method makes use of how C++ virtual function tables are implemented: it overwrites the address of the Present function in the virtual function table of the IDirect3DDevice9 object so that the table's Present entry refers to the stub function, thereby hijacking the Present function of d3d9.dll and finally bypassing the system's code integrity detection.
Drawings
FIG. 1 is a flow chart of a method of bypassing security detection based on virtual function table hijacking of the present invention;
FIG. 2 is a block diagram of a system for bypassing security detection based on virtual function table hijacking according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in fig. 1, the present invention provides a method for bypassing security detection based on virtual function table hijacking, which comprises the following steps:
(1) acquiring the address of the virtual function table of an IDirect3DDevice9 object in the process;
Specifically, the obtained address may be the virtual function table pointer of the IDirect3DDevice9 object in the process.
(2) Finding the sequence number of the Present function in the virtual function table where the IDirect3DDevice9 object is located from the d3d9.h header file;
In the embodiment of the present invention, the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object, as given in the d3d9.h header file, is 17.
(3) Constructing a stub function for replacing the Present function of the system, the stub function being used to implement: calling a function designed by a developer, and calling a system Present function;
Specifically, the stub function may be a constructed function written in assembly code (for example, named nakedPresentTrans) that replaces the original Present function; one task of this code is to call the function designed by the developer, and the other is to call the system Present function.
For example, the implementation of the stub function may be:
[Image: listing of the stub function implementation, not reproduced in the text]
Specifically, when the stub function is implemented, languages such as assembly or C may be used.
(4) Replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function according to the address of the virtual function table of the IDirect3DDevice9 object and the sequence number of the Present function in the virtual function table.
For example, the specific implementation may be:
pDeviceVt[17] = (DWORD)&nakedPresentTrans;
Here pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, 17 is the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object, and DWORD is a 4-byte data type.
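The following C program is an added illustration written for this page, not the patent's own code, showing why the one-line vtable write above is invisible to a code-integrity hash of d3d9.dll and how a complementary check, scanning the IDirect3DDevice9 vtable for entries that point outside the d3d9 image, catches it. The module images, vtable layout (18 slots), and function names are constructed stand-ins; only slot 17 for Present comes from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Slot of Present in the IDirect3DDevice9 vtable, as given on the page (from d3d9.h). */
#define PRESENT_ID 17
#define VTABLE_SLOTS 18  /* constructed: just enough slots to cover Present */

/* Constructed stand-ins for mapped images: d3d9.dll's code and a separately
   loaded hook DLL. Real detection code would take these ranges from the
   process's loaded-module list instead. */
unsigned char fake_d3d9_image[4096];
unsigned char fake_hook_module[256];

typedef struct { uintptr_t base; size_t size; } module_range_t;

/* A vtable is an array of code addresses living in data memory (here a local
   variable, never inside the image), which is why editing it leaves code bytes untouched. */
typedef struct { uintptr_t slot[VTABLE_SLOTS]; } vtable_t;
/* The first word of a C++ object with virtual functions is its vtable pointer. */
typedef struct { vtable_t *vt; } device_t;

static int in_range(const module_range_t *m, uintptr_t a) {
    return a >= m->base && a < m->base + m->size;
}

module_range_t d3d9_range(void) {
    module_range_t r = { (uintptr_t)fake_d3d9_image, sizeof fake_d3d9_image };
    return r;
}

/* Populate a device whose vtable entries all point into the d3d9 image. */
void build_device(device_t *dev, vtable_t *vt) {
    for (size_t i = 0; i < VTABLE_SLOTS; i++)
        vt->slot[i] = (uintptr_t)&fake_d3d9_image[i * 64];
    dev->vt = vt;
}

/* The page's one-line replacement, pDeviceVt[17] = (DWORD)&nakedPresentTrans;,
   reproduced only to exercise the detector. uintptr_t replaces the page's DWORD
   cast, which is only wide enough for a 32-bit process. */
void simulate_vtable_replacement(device_t *dev, uintptr_t stub) {
    dev->vt->slot[PRESENT_ID] = stub;
}

/* FNV-1a over the image bytes: the kind of code-integrity check the page says
   the technique evades, because the image is never written. */
uint32_t checksum_image(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Complementary vtable check: returns the first slot whose target lies outside
   the owning module, or -1 when every slot still points into d3d9. */
int find_hijacked_slot(const device_t *dev, const module_range_t *owner) {
    for (size_t i = 0; i < VTABLE_SLOTS; i++)
        if (!in_range(owner, dev->vt->slot[i])) return (int)i;
    return -1;
}

/* Runs the full scenario; returns 1 when the image checksum is unchanged by the
   replacement while the vtable scan flags slot 17, and 0 otherwise. */
int demo_vtable_hijack_detection(void) {
    vtable_t vt; device_t dev;
    module_range_t d3d9 = d3d9_range();
    build_device(&dev, &vt);
    if (find_hijacked_slot(&dev, &d3d9) != -1) return 0;   /* clean before the write */
    uint32_t before = checksum_image(fake_d3d9_image, sizeof fake_d3d9_image);
    simulate_vtable_replacement(&dev, (uintptr_t)fake_hook_module);
    int hit = find_hijacked_slot(&dev, &d3d9);
    uint32_t after = checksum_image(fake_d3d9_image, sizeof fake_d3d9_image);
    return hit == PRESENT_ID && before == after;
}

int main(void) {
    printf("vtable scan flags slot 17 while code checksum is unchanged: %s\n",
           demo_vtable_hijack_detection() ? "yes" : "no");
    return 0;
}
```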
Further, as shown in fig. 2, the present invention also provides a system for bypassing security detection based on virtual function table hijacking, which includes a virtual function table address acquisition module, a Present function sequence number lookup module, a stub function construction module, and a Present function replacement module, wherein:
the virtual function table address acquisition module is used for acquiring the address of the virtual function table of the IDirect3DDevice9 object in the process;
In this embodiment of the present invention, the address obtained by the virtual function table address acquisition module may be the virtual function table pointer of the IDirect3DDevice9 object in the process.
The Present function sequence number lookup module is configured to find the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object from the d3d9.h header file;
in the embodiment of the present invention, the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object is 17.
The stub function construction module is used for constructing a stub function to replace the system's Present function, the stub function being used to implement: calling a function designed by the developer, and calling the system Present function;
the Present function replacement module is configured to replace the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function according to the address of the virtual function table of the IDirect3DDevice9 object and the sequence number of the Present function in the virtual function table.
In the embodiment of the present invention, a specific implementation of the replacement performed by the Present function replacement module is as follows:
pDeviceVt[Present_ID] = (DWORD)&nakedPresentTrans;
where pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, Present_ID is the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object, nakedPresentTrans is the stub function, and DWORD is a 4-byte data type.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A method for bypassing security detection based on virtual function table hijack is characterized by comprising the following steps:
(1) acquiring the address of the virtual function table of an IDirect3DDevice9 object in the process;
(2) finding the sequence number of the Present function in the virtual function table where the IDirect3DDevice9 object is located from the d3d9.h header file;
(3) constructing a stub function for replacing the Present function of the system, the stub function being used to implement: saving the values of all registers in a stack, calling a function designed by a developer to pop all registers from the stack, and calling a system Present function;
(4) replacing the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function according to the address of the virtual function table of the IDirect3DDevice9 object and the sequence number of the Present function in the virtual function table;
(5) the live broadcast software acquiring the display content of the graphics card through the hook function and sending the display content to the server over the network.
2. The method of claim 1, wherein the address obtained in step (1) is a pointer to a virtual function table of an IDirect3DDevice9 object in the process.
3. The method for bypassing security detection based on virtual function table hijacking as claimed in claim 1 or 2, wherein in said step (2) the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object is 17.
4. The method for bypassing security detection based on virtual function table hijacking according to claim 1 or 2, wherein the specific implementation manner of the step (4) is as follows:
pDeviceVt[Present_ID] = (DWORD)&nakedPresentTrans;
where pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, Present_ID is the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object, nakedPresentTrans is the stub function, and DWORD is a 4-byte data type.
5. A system for bypassing security detection based on virtual function table hijacking, characterized in that it comprises a virtual function table address acquisition module, a Present function sequence number lookup module, a stub function construction module and a Present function replacement module, wherein:
the virtual function table address acquisition module is used for acquiring the address of the virtual function table of the IDirect3DDevice9 object in the process;
the Present function sequence number lookup module is configured to find the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object from the d3d9.h header file;
the stub function construction module is used for constructing a stub function to replace the system's Present function, the stub function being used to implement: saving the values of all registers on the stack, calling a function designed by the developer, popping all registers from the stack, and calling the system Present function;
the Present function replacement module is configured to replace the Present function in the virtual function table of the IDirect3DDevice9 object with the stub function according to the address of the virtual function table of the IDirect3DDevice9 object and the sequence number of the Present function in the virtual function table;
and the live broadcast software acquires the display content of the graphics card through the hook function and sends the display content to the server over the network.
6. The system for bypassing security detection based on virtual function table hijacking of claim 5, wherein the address obtained by the virtual function table address acquisition module is the virtual function table pointer of the IDirect3DDevice9 object in the process.
7. The system for bypassing security detection based on virtual function table hijacking as claimed in claim 5 or 6, wherein the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object is 17.
8. The system for bypassing security detection based on virtual function table hijacking as claimed in claim 5 or 6, wherein the specific implementation of the replacement performed by the Present function replacement module is as follows:
pDeviceVt[Present_ID] = (DWORD)&nakedPresentTrans;
where pDeviceVt is the virtual function table pointer of the IDirect3DDevice9 object, Present_ID is the sequence number of the Present function in the virtual function table of the IDirect3DDevice9 object, nakedPresentTrans is the stub function, and DWORD is a 4-byte data type.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610121933.5A CN105808251B (en) 2016-03-03 2016-03-03 Virtual function table hijacking bypass security detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610121933.5A CN105808251B (en) 2016-03-03 2016-03-03 Virtual function table hijacking bypass security detection method and system

Publications (2)

Publication Number Publication Date
CN105808251A CN105808251A (en) 2016-07-27
CN105808251B true CN105808251B (en) 2021-02-02

Family

ID=56466638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610121933.5A Active CN105808251B (en) 2016-03-03 2016-03-03 Virtual function table hijacking bypass security detection method and system

Country Status (1)

Country Link
CN (1) CN105808251B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106295325B (en) * 2016-08-12 2020-02-07 武汉斗鱼网络科技有限公司 Hook method and system for acquiring content of display card
CN106339300A (en) * 2016-08-12 2017-01-18 武汉斗鱼网络科技有限公司 Method and system for acquiring FPS of third-party game
CN106295326B (en) * 2016-08-12 2020-02-07 武汉斗鱼网络科技有限公司 Inline hook method and system for acquiring content of display card
CN107194250A (en) * 2017-03-31 2017-09-22 武汉斗鱼网络科技有限公司 The integrity checking method and device of internal storage code
CN107545182B (en) * 2017-09-06 2019-11-15 武汉斗鱼网络科技有限公司 Around the method and system of function call chain detection in a kind of IOS application
CN108446149B (en) * 2018-02-28 2021-07-20 北京凌宇智控科技有限公司 Third-party dynamic library interface interception method and system
CN108880785B (en) * 2018-05-25 2021-07-23 武汉斗鱼网络科技有限公司 Method, device, terminal and readable medium for detecting that a C++ virtual table has been hooked
CN108762934B (en) * 2018-06-02 2021-09-07 武汉泽塔云科技股份有限公司 Remote graphic transmission system and method and cloud server
CN109086183B (en) * 2018-07-12 2022-08-16 武汉斗鱼网络科技有限公司 Application program monitoring method and device, electronic equipment and storage medium
CN109857650B (en) * 2019-01-14 2022-07-01 珠海金山网络游戏科技有限公司 Game performance monitoring method and system
CN115952017B (en) * 2023-03-09 2023-05-23 腾讯科技(深圳)有限公司 Memory processing method, device, equipment and medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102163143A (en) * 2011-04-28 2011-08-24 北京北大众志微系统科技有限责任公司 A method realizing prediction of value association indirect jump
WO2012145992A1 (en) * 2011-04-28 2012-11-01 北京北大众志微系统科技有限责任公司 Method for implementing value-associated indirect jump prediction
CN103823683A (en) * 2014-02-27 2014-05-28 北京六间房科技有限公司 Video recording device and method
CN104881610A (en) * 2015-06-16 2015-09-02 北京理工大学 Method for defending hijacking attacks of virtual function tables

Also Published As

Publication number Publication date
CN105808251A (en) 2016-07-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant