CN107943517A - The hook method and device of terminal applies - Google Patents
The hook method and device of terminal applies Download PDFInfo
- Publication number
- CN107943517A CN107943517A CN201711015703.1A CN201711015703A CN107943517A CN 107943517 A CN107943517 A CN 107943517A CN 201711015703 A CN201711015703 A CN 201711015703A CN 107943517 A CN107943517 A CN 107943517A
- Authority
- CN
- China
- Prior art keywords
- instruction
- short jump
- function
- object function
- jump instruction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30003—Arrangements for executing specific machine instructions
- G06F9/3005—Arrangements for executing specific machine instructions to perform operations for flow control
- G06F9/30069—Instruction skipping instructions, e.g. SKIP
Abstract
The invention discloses a kind of hook method and device of terminal applies, it is related to technical field of information processing, main purpose is to propose a kind of new hooking function mode, it may be possible to realizes in machine code instruction lower draw-bar function, so as to the success rate of enhancing hook function.The described method includes:In the application call object function of mobile terminal, the short jump instruction that new function is jumped to from object function is identified, new function is the function of object function hook;If the memory range that short jump instruction is redirected meets default memory range, the machine code instruction of object function is replaced with into the short jump instruction, to jump to the memory address according to short jump instruction application, and performs new function;After new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform machine code instruction;After machine code instruction has been performed, short jump instruction is write, to realize rebound object function.The present invention is suitable for the hook of terminal applies.
Description
Technical field
The present invention relates to technical field of information processing, more particularly to a kind of hook method and device of terminal applies.
Background technology
Hook (hook) technology is that a kind of to replace under DOS the system mechanism of " interruption ", hook is provided in Windows
Function is a part for windows messaging treatment mechanism, and by setting " hooking function ", application program can be in system to all
Message, event are filtered, and access the message that can not be accessed under normal circumstances.The essence of hooking function is one section handling
The program of system message, is called by system, it is linked into system.
At present, it is typically only capable to realize 8 byte instruction hooking functions, such as based on realizing 8 bytes under Xposed frames
Instruct hooking function.However, hooking function through the above way, under many situation environment, hooking function can fail, and cause to hang
The success rate of hook function is relatively low.It is therefore proposed that a kind of new hooking function mode is a technical problem to be solved urgently.
The content of the invention
In view of this, the present invention provides a kind of hooking function method and device, and main purpose is to propose a kind of new extension
Hook function fashion, can ensure the success hooking function under machine code instruction, so as to the success rate of enhancing hook function.
According to one aspect of the present invention, there is provided a kind of hook method of terminal applies, including:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects
Instruction, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and performs
The new function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform described
Machine code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
According to another aspect of the present invention, there is provided a kind of hooking device of terminal applies, including:
Recognition unit, in the application call object function of mobile terminal, identifying and being jumped to from the object function
The short jump instruction of new function, the new function are the function for treating the object function hook;
Replacement unit, if meeting for the memory range that the short jump instruction that the recognition unit identifies is redirected pre-
If memory range, then the machine code instruction of the object function is replaced with into the short jump instruction, to jump to according to
The memory address of short jump instruction application, and perform the new function;
Translation unit, for after the new function has been performed, however, it is determined that needs continue to call the object function, then turn over
Translate and perform the machine code instruction;
Writing unit, for after the machine code instruction has been performed, the short jump instruction being write, to realize rebound institute
State object function.
According to another aspect of the invention, there is provided a kind of computer-readable recording medium, is stored thereon with computer program,
The program realizes following steps when being executed by processor:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects
Instruction, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and performs
The new function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform described
Machine code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
According to further aspect of the present invention, there is provided a kind of hooking device of terminal applies, including memory, processor and deposit
The computer program that can be run on a memory and on a processor is stored up, the processor realizes following step when performing described program
Suddenly:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects
Instruction, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and performs
The new function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform described
Machine code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
By above-mentioned technical proposal, the present invention provides a kind of hook method and device of terminal applies, and at present can only be real
Existing 8 byte instructions hook is compared, and the present invention provides a kind of new hook mode, in the application call object function of mobile terminal
When, it can identify the short jump instruction that new function is jumped to from the object function, the new function is to treat the object function
The function of hook;, can be by the target if the memory range that the short jump instruction is redirected meets default memory range
The machine code instruction of function replaces with the short jump instruction, with jumping to the memory according to the short jump instruction application
Location, and perform the new function;After the new function has been performed, however, it is determined that needs continue to call the object function, then turn over
Translate and perform the machine code instruction;After the machine code instruction has been performed, the short jump instruction can be write, to realize
Object function described in rebound, so as to realize in machine code instruction lower draw-bar function, and then be capable of enhancing hook function into
Power.
Described above is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention,
And can be practiced according to the content of specification, and in order to allow above and other objects of the present invention, feature and advantage can
Become apparent, below especially exemplified by the embodiment of the present invention.
Brief description of the drawings
By reading the detailed description of hereafter preferred embodiment, it is various other the advantages of and benefit it is common for this area
Technical staff will be clear understanding.Attached drawing is only used for showing the purpose of preferred embodiment, and is not considered as to the present invention
Limitation.And in whole attached drawing, identical component is denoted by the same reference numerals.In the accompanying drawings:
Fig. 1 shows a kind of hook method flow diagram of terminal applies provided in an embodiment of the present invention;
Fig. 2 shows the hook method flow diagram of another terminal applies provided in an embodiment of the present invention;
Fig. 3 shows the hook method flow diagram of another terminal applies provided in an embodiment of the present invention;
Fig. 4 shows a kind of structure diagram of the hooking device of terminal applies provided in an embodiment of the present invention;
Fig. 5 shows the structure diagram of the hooking device of another terminal applies provided in an embodiment of the present invention;
Fig. 6 shows a kind of entity structure schematic diagram of the hooking device of terminal applies provided in an embodiment of the present invention.
Embodiment
The exemplary embodiment of the disclosure is more fully described below with reference to accompanying drawings.Although the disclosure is shown in attached drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here
Limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure
Completely it is communicated to those skilled in the art.
As stated in the Background Art, it is typically only capable to realize 8 byte instruction hooking functions at present, such as based on Xposed frames
Under realize 8 byte instruction hooking functions.However, hooking function through the above way, under many situation environment, hooking function
It can fail, cause the success rate of hooking function relatively low.It is therefore proposed that a kind of new hooking function mode is urgently to be resolved hurrily at present
Technical problem.
To solve the above-mentioned problems, an embodiment of the present invention provides a kind of hook method of terminal applies, as shown in Figure 1,
The described method includes:
101st, in the application call object function of mobile terminal, identify from the object function and jump to the short of new function
Jump instruction.
Wherein, the new function can be the function for treating the object function hook, and the object function can be
The application programming interface function (Application Programming Interface, API) of windows, specifically can be with
In windows invocation target functions, the identification of the short jump instruction is carried out, the short jump instruction can be technical staff
Previously according to object function write-in, to realize the hooking function in the case of short redirect.For example, object function is A, hook
Function is B, and C is the short jump instruction that memory address jumps to the hooking function B from object function.Jumping to and performing extension
After hook function B, object function A is continued to execute if desired, can jump back to object function, to continue to call performance objective function
A。
It should be noted that technical staff can be previously written the short jump instructions of arm based on 32-bit operating system, be based on
The short jump instructions of thumb, the short jump instruction based on 64 bit manipulation systems of 32-bit operating system, the short jump instructions of arm
It can be the short jump instruction under arm instruction modes, can be instructed represent with b in memory, the short jump instructions of thumb can be
Short jump instruction under thumb instruction modes, can be instructed with b.w represent in memory, under 64 bit manipulation systems, in order to unite
Short jump instruction and the short jump instructions of thumb under one arm instruction modes, enhancing hook function effect, can use b in memory
Instruction represents short jump instruction.
If the 102, the memory range that the short jump instruction is redirected meets default memory range, by the object function
Machine code instruction replace with the short jump instruction, to jump to the memory address according to the short jump instruction application, and
Perform the new function.
Wherein, preset memory range to determine with specific reference to the type of the jump instruction, if for example, the short jump instruction
For the short jump instructions of arm based on 32-bit operating system, the default memory range can be that memory range is less than 32M, if base
Can be that memory range is less than 16M in the short jump instructions of the thumb of 32-bit operating system, the default memory range, if being based on
The short jump instruction of 64 bit manipulation systems, the default memory range can be that memory range is less than 128M.By described short
When the memory range that jump instruction is redirected meets default memory range, then the short jump instruction is replaced, can be to avoid short jump
Turn cross the border, i.e., it is short redirect cross the border when, do not perform hooking function.
It should be noted that the machine code instruction can be the object function preceding 4 byte instructions, application it is interior
It can be after the short jump instruction is recognized to deposit address, be application according to the short jump instruction.Jumping to application
Memory address when, the hooking function can be jumped to by Ldr/Ldr.w.Specifically, institute can be performed by processor
State new function.
103rd, after the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform
The machine code instruction.
In embodiments of the present invention, can continue to call the authority of the object function by detecting whether to exist, or
Detect whether to need the operation behavior for monitoring the object function, to determine the need for continuing calling the object function.If
Detection needs not continue to call the object function, can directly terminate the object function.Translate the machine code instruction
Process can be that the machine code instruction is translated into the binary code that processor can perform.
104th, after the machine code instruction has been performed, the short jump instruction is write, to realize target letter described in rebound
Number.
It should be noted that the short jump instruction can be write, for example, the machine behind machine code instruction address
Code instruction is preceding 4 byte instructions, and described short redirect can be write after the memory address of+4 bytes of object function first address
Instruction.
A kind of hook method of terminal applies of offer of the embodiment of the present invention, with that can only realize that 8 byte instructions are hung at present
Hook function is compared, and the embodiment of the present invention provides a kind of new hooking function mode, in the application call object function of mobile terminal
When, it can identify the short jump instruction that new function is jumped to from the object function, the new function is to treat the object function
The function of hook;, can be by the target if the memory range that the short jump instruction is redirected meets default memory range
The machine code instruction of function replaces with the short jump instruction, with jumping to the memory according to the short jump instruction application
Location, and perform the new function;After the new function has been performed, however, it is determined that needs continue to call the object function, then turn over
Translate and perform the machine code instruction;After the machine code instruction has been performed, the short jump instruction can be write, to realize
Object function described in rebound, so as to realize the success hooking function under machine code instruction, and then being capable of enhancing hook function
Success rate.Further, since adding new function in terminal applies, operating system can be in the case of without root, root
According to the needs of user oneself reality, using new function, some functions of terminal applies are modified, added or deleted, to carry
The function of high terminal applies, makes the functional diversities of terminal applies, can adapt to the different demands of different user.Meanwhile pass through
The mode of new function is added in terminal applies, Initiative Defense attack can be played the role of, lifts the security of terminal applies.
Further, in order to better illustrate the process of the hook method of above-mentioned terminal applies, as to above-described embodiment
Refinement and extension, an embodiment of the present invention provides the hook method of another terminal applies, as shown in Fig. 2, but not limited to this,
Shown in specific as follows:
201st, in the application call object function of mobile terminal, identify from the object function and jump to the short of new function
Jump instruction.
Wherein, the new function can be the function for treating the object function hook, and the short jump instruction can be base
In the short jump instructions of the arm of 32-bit operating system, the short jump instructions of the thumb based on 32-bit operating system, based on 64 bit manipulations
The short jump instruction of system.
For the embodiment of the present invention, it is described identification from the object function jump to the short jump instruction of new function the step of
It is specifically as follows:It is the jump instruction based on 32-bit operating system to identify the short jump instruction, or based on 64 bit manipulation systems
The jump instruction of system, if the identification short jump instruction is the jump instruction based on 32-bit operating system, identifies the short jump
It is b instructions or b.W instructions to turn instruction as the jump instruction based on 32-bit operating system, if described based on 32-bit operating system
Jump instruction instructs for b, it is determined that the short jump instruction, which can be that the arm based on 32-bit operating system is short, redirects finger
Order;If the identification short jump instruction is the b.W instructions based on 32-bit operating system, it is determined that the short jump instruction be based on
The short jump instructions of thumb of 32-bit operating system;If the identification short jump instruction is the b instructions based on 64 bit manipulation systems,
Then determine that the short jump instruction is the short jump instruction based on 64 bit manipulation systems.
Specifically, when short jump instruction jump instruction short for arm based on 32-bit operating system, the step of identification
It is specifically as follows:If the identification short jump instruction is the b instructions based on 32-bit operating system, it is determined that the short jump instruction
For the short jump instructions of arm based on 32-bit operating system.
When short jump instruction jump instruction short for thumb based on 32-bit operating system, the step of identification, is specific
Can be:If the identification short jump instruction is the b.W instructions based on 32-bit operating system, it is determined that the short jump instruction is
The short jump instructions of thumb based on 32-bit operating system.
When the short jump instruction is the short jump instruction based on 64 bit manipulation systems, the identification process is specifically wrapped
Include:If the identification short jump instruction is the b instructions based on 64 bit manipulation systems, it is determined that the short jump instruction is based on 64
The short jump instruction of bit manipulation system.
202nd, the target memory address size and the short jump instruction for obtaining the object function redirect memory address
Length.
203rd, by the difference for redirecting memory address length and the target memory address size, it is determined as described short redirect
The redirected memory range of instruction.
204th, protection mprotect functions are changed by calling, memory attribute is revised as to readable, writeable, executable category
Property.
It should be noted that by the way that memory attribute to be revised as to readable, writeable, executable attribute, it is ensured that holding
Go after preceding 4 byte instructions, be successfully written the short jump instruction for jumping back to the object function.
If the 205, the memory range that the short jump instruction is redirected meets default memory range, by the object function
Preceding 4 byte instructions replace with the short jump instruction, to jump to the memory address according to the short jump instruction application,
And perform the new function.
It is corresponding with the step 201, when the identification short jump instruction redirects for the arm based on 32-bit operating system is short
During instruction, the default memory range can be that memory range is less than 32M, and the step 205 can specifically include:It is if described
The memory range that the short jump instructions of arm are redirected is less than the memory range of 32M, then replaces the machine code instruction of the object function
It is changed to the short jump instructions of the arm.
When identifying short for thumb based on the 32-bit operating system jump instruction of the short jump instruction, it is described it is default in
Deposit and may range from memory range and be less than 16M, the step 205 can specifically include:If the short jump instructions of thumb are jumped
The memory range turned is less than the memory range of 16M, then the machine code instruction of the object function is replaced with the short jumps of the thumb
Turn instruction.
When it is the short jump instruction based on 64 bit manipulation systems to identify the short jump instruction, the default memory range
Can be that memory range is less than 128M, the step 205 can specifically include:If described redirected based on 64 the short of bit manipulation system
The redirected memory range of instruction is less than the memory range of 128M, then replaces with the machine code instruction of the object function described
The short jump instructions of arm.
206th, by calling cache flush cacheflush functions flush buffers.
It should be noted that by calling cache flush cacheflush functions flush buffers, can ensure successfully to jump
The object function is returned, performs the object function.
207th, after the machine code instruction has been performed, the short jump instruction is write, to realize target letter described in rebound
Number.
It should be noted that command code (opcode) default-length of the short jump instructions of thumb is equal to 2, as opcode high 5
Position, and high-value is in 0x1D~0x1F sections, then opcode is equal to 4, and after writing short jump instruction, byte may not be right
Together, in order to avoid not lining up the abnormal conditions such as the collapse of generation because of byte, before the short jump instruction is write, the method
It can also include:Judge whether the raw address corresponding to the object function aligns;If not lining up, pass through nop instructions of aliging
Described address is alignd.Then, after described address of aliging, the short jump instruction is write, to realize target letter described in rebound
Number.
Attending to anything else in addition, technical scheme can be applied using upper, such as by above-mentioned hooking function scheme, it is right
The some functions of application of attending to anything else are modified, add or delete, and to improve the function for application of attending to anything else, the function for the application that makes to attend to anything else is more
Sample, can adapt to the different demands of different user.It can be applied on javahook, the embodiment of the present invention does not limit.
Technical scheme can change the primary ART hook mechanism of service framework, in situation of the operating system without Root
Under, realize the enhancing to application function.Wherein, ART virtual machine libraries compare Dalvik virtual machine, use precompilation techniques
Just-In-Time technology in (Adead-of-Time compile) substitution Dalvik, is applied when installing first time, byte
Code will be compiled into machine code in advance, become really locally applied, such words, the startup (first) and execution of application
It will become quicker.ART hook associated documents can include Java functions and corresponding Java function codes data,
The Java functions can be realizing the enhancing to application function.Application in embodiments of the present invention can be system application,
Third-party application, application etc. of attending to anything else, are specifically as follows game application, shopping application, Video Applications, search application etc..
Executive agent for the embodiment of the present invention can be to be used for realization in the case where operating system is without Root more
The optimizing application device of new opplication function.Determine application where operating system use ART virtual machine library patterns after, can to
It is adapted on the primary ART hook associated documents of service framework, changes function therein so that service framework plug-in unit is needing
When being updated to the function of application, the code data of the new life ART hook associated documents can be relied on.
In embodiments of the present invention, in order to realize that service framework plug-in unit can be called in newborn ART hook associated documents
The code of service framework plug-in unit, it is necessary to be first adapted to, then by the code after adaptation and new life ART hook by code data
Associated documents are injected into application so that when service framework plug-in unit is realized and strengthens function to application using new ART hook machines
System, does not use primary ART hook mechanism, and then realizes and update application function in the case where operating system is without Root.Together
When, by way of adding new function in terminal applies, Initiative Defense attack can be played the role of, lift terminal applies
Security.
It should be noted that in order to realize the function of enhancing terminal applies in itself, operation system can be substituted for by Root
The application process processing file (app process) of system, this document is the startup file of all systems and third-party application;Compared with
The ART virtual machine libraries mechanism of generally use is when application needs to start in new operating system, it is also necessary to is answered using above-mentioned this
File is handled with process, loads new ART virtual machine library libart.so files, and then can be based on by Xposed plug-in units
Libart.so file datas are modified, add or delete to some functions of application, to strengthen the function of terminal applies.
In order to be better understood from the embodiment of the present invention, following application scenarios are additionally provided, but not limited to this, as shown in figure 3,
Step 1, in the application call object function of mobile terminal, identify from the object function and redirect the short of new function
Jump instruction, if recognizing the b instructions based on 32-bit operating system, determines that the b instructions are the arm based on 32-bit operating system
Short jump instruction, the memory range redirected are less than 32M, then jump to step 4.
Step 2, in the application call object function of mobile terminal, refer to if recognizing the b.w based on 32-bit operating system
Order, determines that the b.w instructions are the short jump instructions of thumb based on 32-bit operating system, the memory range redirected is less than
16M, then jump to step 4;
Step 3, in the application call object function of mobile terminal, if recognize based on 64 bit manipulation systems b instruction,
Determine that the b instructions are the short jump instruction based on 64 bit manipulation systems, the memory range redirected is less than 128M, then jumps to
Step 4;
Step 4, preceding 4 byte instructions of the object function are replaced with it is short described in step 1, step 2 or step 3
Jump instruction;
Step 5, jump to memory address according to the short jump instruction application, and performs the new function;
Step 6, judge whether to continue invocation target function;If continuing to call, step 7 is jumped to;If not continuing to call,
Then terminate the object function;
Step 7, preceding 4 byte instructions of the translation object function are simultaneously performed;
Step 8, after preceding 4 byte instructions have been performed, if the object function raw address instruction do not line up, pass through
The Nop instruction alignment raw address, and short jump instruction b/b.w instructions are write on the position of object function first address+4,
Object function described in step 9, rebound.
The hook method of another kind terminal applies provided in an embodiment of the present invention, with that can only realize 8 byte instructions at present
Hooking function is compared, and the embodiment of the present invention provides a kind of new hooking function mode, in the application call target letter of mobile terminal
During number, it can identify from the object function and jump to the short jump instruction based on 32-bit operating system of new function, based on 64
The short jump instruction of bit manipulation system, the short jump instruction based on 32-bit operating system can be the short jump instructions of arm,
The short jump instructions of thumb;If the memory range that above-mentioned short jump instruction is redirected meets corresponding default memory range,
Then preceding 4 byte instructions of the object function can be replaced with above-mentioned short jump instruction, above-mentioned short finger is redirected to jump to
The memory address of application is made, and performs the new function;After the new function has been performed, however, it is determined that need to continue described in calling
Object function, then translate and perform the machine code instruction;After the machine code instruction has been performed, target letter described in rebound
Number, so as to realize under 32-bit operating system, such as 32-bit operating system arm patterns, thumb patterns and 64 bit manipulation systems
Success hooking function when uniting that lower 4 bytes are short to be redirected, and then it is capable of the success rate of enhancing hook function.
Further, the specific implementation as Fig. 1, an embodiment of the present invention provides a kind of hooking device of terminal applies,
As shown in figure 4, described device includes:Recognition unit 31, replacement unit 32, translation unit 33 and writing unit 34.
The recognition unit 31, can be used for, in the application call object function of mobile terminal, identifying from the target
Function jumps to the short jump instruction of new function, and the new function is the function for treating the object function hook.The identification is single
Member 31 is the main functional modules of the short jump instruction that identification jumps to new function from the object function in the present apparatus, and this
The nucleus module of device, works for triggering the replacement unit 42.
The replacement unit 32, if can be used for the short jump instruction that the recognition unit 31 identifies redirected it is interior
Deposit scope and meet default memory range, then the machine code instruction of the object function is replaced with into the short jump instruction, to jump
The memory address according to the short jump instruction application is gone to, and performs the new function.The replacement unit 32 is the present apparatus
The middle machine code instruction by the object function replaces with the main functional modules of the short jump instruction, and the core of the present apparatus
Core module.
The translation unit 33, can be used for after the new function has been performed, however, it is determined that needs continue to call the mesh
Scalar functions, then translate and perform the machine code instruction.The translation unit 33 is to translate and perform the machine in the present apparatus
The main functional modules of code instruction.
Said write unit 34, can be used for after the machine code instruction has been performed, and write the short jump instruction, with
Realize object function described in rebound.Said write unit 34 is the rebound institute in the present apparatus after the machine code instruction has been performed
State the main functional modules of object function.
The recognition unit 31, if specifically can be used for the identification short jump instruction is the b based on 32-bit operating system
Instruction, it is determined that the short jump instruction is the short jump instructions of arm based on 32-bit operating system.
The replacement unit 32, if specifically can be used for the memory range that the short jump instructions of the arm are redirected is less than 32M
Memory range, then the machine code instruction of the object function is replaced with into the short jump instructions of the arm.
The recognition unit 31, if specifically can be used for the identification short jump instruction is based on 32-bit operating system
B.W is instructed, it is determined that the short jump instruction is the short jump instructions of thumb based on 32-bit operating system.
The replacement unit 32, is less than if specifically can be used for the memory range that the short jump instructions of the thumb are redirected
The memory range of 16M, then replace with the short jump instructions of the thumb by the machine code instruction of the object function.
The recognition unit 31, if specifically can be used for the identification short jump instruction is the b based on 64 bit manipulation systems
Instruction, it is determined that the short jump instruction is the short jump instruction based on 64 bit manipulation systems.
The replacement unit 32, if the memory redirected specifically for the short jump instruction based on 64 bit manipulation systems
Scope is less than the memory range of 128M, then replaces with the machine code instruction of the object function and described be based on 64 bit manipulation systems
Short jump instruction.
The replacement unit 32, if specifically can be used for preceding 4 bytes that the machine code instruction is the object function
Instruction, then replace with the short jump instruction by preceding 4 byte instructions of the object function.
As shown in figure 5, for the feelings such as the embodiment of the present invention, the collapse exception produced in order to avoid short jump instruction write-in
Condition, described device further include:Judging unit 35 and alignment unit 36.
The judging unit 35, if for can be to identify the short jump instruction as the thumb based on 32-bit operating system
Short jump instruction, then after the machine code instruction has been performed, judge whether the raw address corresponding to the object function aligns.
The judging unit 35 is that the main functional modules whether raw address corresponding to the object function aligns are judged in the present apparatus.
The alignment unit 36, if the machine code instruction institute for that can judge the object function with the judging unit 35
Corresponding address does not line up, then described address is alignd by nop instructions of aliging.The alignment unit 46 is passed through in the present apparatus
The nop that aligns instructs the main functional modules that described address is alignd.
The jump back instruction 34, specifically can be used for after described address of aliging, and write the short jump instruction, to realize
Object function described in rebound.
For the embodiment of the present invention, in order to determine memory range that the short jump instruction is redirected, described device is also wrapped
Include:Acquiring unit 37 and determination unit 38.
The acquiring unit 37, the target memory address size that can be used for obtaining the object function and described short redirects
Instruction redirects memory address length.The acquiring unit is that the target memory address length of the object function is obtained in the present apparatus
Degree and the main functional modules for redirecting memory address length of the short jump instruction.
The determination unit 38, can be used for by it is described redirect memory address length and the target memory address size it
Difference, is determined as the memory range that the short jump instruction is redirected.The determination unit 48 is by described redirect in the present apparatus
The difference of address size and the target memory address size is deposited, is determined as the master for the memory range that the short jump instruction is redirected
Want function module.
For the embodiment of the present invention, in order to be successfully written the short jump instruction for jumping back to the object function, institute
Device is stated to further include:Change unit 39.
The modification unit 39, can be used for changing protection mprotect functions by calling, memory attribute is revised as
Readable, writeable, executable attribute.The modification unit 39 is to change protection mprotect functions by calling in the present apparatus,
Memory attribute is revised as to the main functional modules of readable, writeable, executable attribute.
For the embodiment of the present invention, in order to ensure successfully object function described in rebound, the object function, the dress are performed
Put and further include:Refresh unit 30.
The refresh unit 30, can be used for by calling cache flush cacheflush functions flush buffers.It is described
Refresh unit 30 is the main functional modules by calling cache flush cacheflush functions flush buffers in the present apparatus.
It should be noted that each functional unit involved by a kind of hooking device of terminal applies provided in an embodiment of the present invention
Other it is corresponding describe, may be referred to the corresponding description in Fig. 1, details are not described herein.
Based on above-mentioned method as shown in Figure 1, correspondingly, the embodiment of the present invention additionally provides a kind of computer-readable storage medium
Matter, is stored thereon with computer program, which realizes following steps when being executed by processor:In the application call of mobile terminal
During object function, the short jump instruction that new function is jumped to from the object function is identified, the new function is to treat the target
The function of function hook;If the memory range that the short jump instruction is redirected meets default memory range, by the target
The machine code instruction of function replaces with the short jump instruction, with jumping to the memory according to the short jump instruction application
Location, and perform the new function;After the new function has been performed, however, it is determined that needs continue to call the object function, then turn over
Translate and perform the machine code instruction;After the machine code instruction has been performed, the short jump instruction is write, to realize rebound
The object function.
Based on the embodiment of the above-mentioned hooking device of method and terminal applies as shown in Figure 4 as shown in Figure 1, the present invention is implemented
Example additionally provides a kind of entity structure of the hooking device of terminal applies, as shown in fig. 6, the device includes:Processor 41, storage
Device 42 and it is stored in the computer program that can be run on memory 42 and on a processor, wherein memory 42 and processor 41
It is arranged at when the processor 41 performs described program in bus 43 and realizes following steps:In the application call mesh of mobile terminal
During scalar functions, the short jump instruction that new function is jumped to from the object function is identified, the new function is to treat the target letter
The function of number hook;If the memory range that the short jump instruction is redirected meets default memory range, by the target letter
Several machine code instructions replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application,
And perform the new function;After the new function has been performed, however, it is determined that needs continue to call the object function, then translate simultaneously
Perform the machine code instruction;After the machine code instruction has been performed, the short jump instruction is write, to realize described in rebound
Object function.
By the above-mentioned technical proposal of the present invention, 32-bit operating system can be solved, lower 4 bytes of 64 bit manipulation systems are short
The hooking function problem redirected, ensures 32-bit operating system, and lower 4 bytes of 64 bit manipulation systems are short successfully to link up with letter when redirecting
Number, so that the success rate of enhancing hook function.It is right before short jump instruction is write by the case of 4 byte-aligneds
The neat raw address, can avoid because byte does not line up the abnormal conditions such as the collapse of generation.By calling modification protection
Memory attribute, is revised as readable, writeable, executable attribute, can ensure to be successfully written or replace by mprotect functions
It is short to redirect function, in addition, by calling cache flush cacheflush functions flush buffers, can ensure successfully described in rebound
Object function.Further, since adding new function in terminal applies, operating system can be in the case of without root, root
According to the needs of user oneself reality, using new function, some functions of terminal applies are modified, added or deleted, to carry
The function of high terminal applies, makes the functional diversities of terminal applies, can adapt to the different demands of different user at the same time, by
The mode of new function is added in terminal applies, is capable of the effect of Initiative Defense attack, lifts the security of terminal applies.
The present invention also provides following technical solution:
The hook method of A1, a kind of terminal applies, including:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects
Instruction, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and performs
The new function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform described
Machine code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
A2, the method as described in A1, it is described to identify the short jump instruction that new function is jumped to from the object function, specifically
Including:
If the identification short jump instruction is the b instructions based on 32-bit operating system, it is determined that the short jump instruction is
The short jump instructions of arm based on 32-bit operating system;
If the memory range that the short jump instruction is redirected meets default memory range, by the object function
Machine code instruction replace with the short jump instruction, specifically include:
If the memory range that the short jump instructions of arm are redirected is less than the memory range of 32M, by the object function
Machine code instruction replace with the short jump instructions of the arm.
A3, the method as described in A1, it is described to identify the short jump instruction that new function is jumped to from the object function, specifically
Including:
If the identification short jump instruction is the b.W instructions based on 32-bit operating system, it is determined that the short jump instruction
For the short jump instructions of thumb based on 32-bit operating system;
If the memory range that the short jump instruction is redirected meets default memory range, by the object function
Machine code instruction replace with the short jump instruction, specifically include:
If the memory range that the short jump instructions of thumb are redirected is less than the memory range of 16M, by the target letter
Several machine code instructions replaces with the short jump instructions of the thumb.
A4, the method as described in A1, it is described to identify the short jump instruction that new function is jumped to from the object function, specifically
Including:
If the identification short jump instruction is the b instructions based on 64 bit manipulation systems, it is determined that the short jump instruction is
Short jump instruction based on 64 bit manipulation systems;
If the memory range that the short jump instruction is redirected meets default memory range, by the object function
Machine code instruction replace with the short jump instruction, specifically include:
If the memory range that the short jump instruction based on 64 bit manipulation systems is redirected is less than the memory range of 128M,
The machine code instruction of the object function is then replaced with into the short jump instruction based on 64 bit manipulation systems.
A5, such as A1-A4 any one of them methods, the machine code instruction refer to for preceding 4 bytes of the object function
Order, the machine code instruction by the object function replace with the short jump instruction, specifically include:
Preceding 4 byte instructions of the object function are replaced with into the short jump instruction.
A6, such as A1 or A3 any one of them methods, if the identification short jump instruction is based on 32-bit operating system
The short jump instructions of thumb, short jump instruction described in said write, with before realizing object function described in rebound, the method is also
Including:
Judge whether the raw address corresponding to the object function aligns;
If not lining up, by aliging, described address is alignd in nop instructions;
Short jump instruction described in said write, to realize object function described in rebound, specifically includes:
After described address of aliging, the short jump instruction is write, to realize object function described in rebound.
A7, such as A1-A4 any one of them methods, if the memory range that the short jump instruction is redirected meets in default
Scope is deposited, then before the machine code instruction of the object function being replaced with the short jump instruction, the method further includes:
The target memory address size and the short jump instruction for obtaining the object function redirect memory address length;
By the difference for redirecting memory address length and the target memory address size, it is determined as the short jump instruction
The memory range redirected.
A8, such as A1-A4 any one of them methods, the machine code instruction by the object function replace with described short
Before jump instruction, the method further includes:
Protection mprotect functions are changed by calling, memory attribute is revised as to readable, writeable, executable attribute.
A9, such as A1-A4 any one of them methods, the machine code instruction by the object function replace with described short
After jump instruction, the method further includes:
By calling cache flush cacheflush functions flush buffers.
B10, a kind of hooking device of terminal applies, including:
Recognition unit, in the application call object function of mobile terminal, identifying and being jumped to from the object function
The short jump instruction of new function, the new function are the function for treating the object function hook;
Replacement unit, if meeting for the memory range that the short jump instruction that the recognition unit identifies is redirected pre-
If memory range, then the machine code instruction of the object function is replaced with into the short jump instruction, to jump to according to
The memory address of short jump instruction application, and perform the new function;
Translation unit, for after the new function has been performed, however, it is determined that needs continue to call the object function, then turn over
Translate and perform the machine code instruction;
Writing unit, for after the machine code instruction has been performed, writing the jump instruction, to realize described in rebound
Object function.
B11, the device as described in B10,
The recognition unit, if specifically for identifying that the short jump instruction instructs for the b based on 32-bit operating system,
It is the short jump instructions of arm based on 32-bit operating system to determine the short jump instruction;
The replacement unit, if being less than the memory of 32M specifically for the memory range that the short jump instructions of the arm are redirected
Scope, then replace with the short jump instructions of the arm by the machine code instruction of the object function.
B12, the device as described in B10,
The recognition unit, if specifically for identifying that the short jump instruction instructs for the b.W based on 32-bit operating system,
Then determine that the short jump instruction is the short jump instructions of thumb based on 32-bit operating system;
The replacement unit, if being less than specifically for the memory range that the short jump instructions of the thumb are redirected in 16M
Scope is deposited, then the machine code instruction of the object function is replaced with into the short jump instructions of the thumb.
B13, the device as described in B10,
The recognition unit, if specifically for identifying that the short jump instruction instructs for the b based on 64 bit manipulation systems,
It is the short jump instruction based on 64 bit manipulation systems to determine the short jump instruction;
The replacement unit, if the memory model redirected specifically for the short jump instruction based on 64 bit manipulation systems
The memory range less than 128M is enclosed, then the machine code instruction of the object function is replaced with into the short jump instruction.
B14, such as B10-B13 any one of them devices,
The replacement unit, if being preceding 4 byte instructions of the object function specifically for the machine code instruction,
Preceding 4 byte instructions of the object function are replaced with into the short jump instruction.
B15, such as any one of B10 or B12, described device further include:Judging unit and alignment unit,
The judging unit, if for identifying that the short jump instruction redirects for the thumb based on 32-bit operating system is short
Instruction, then after the machine code instruction has been performed, judge whether the raw address corresponding to the object function aligns;
The alignment unit, if judging the ground corresponding to the machine code instruction of the object function for the judging unit
Location does not line up, then described address is alignd by nop instructions of aliging;
The jump back instruction, specifically for after described address of aliging, the short jump instruction being write, to realize rebound institute
State object function.
B16, such as B10-B13 any one of them devices, described device further include:
Acquiring unit, for obtaining the target memory address size of the object function and redirecting for the short jump instruction
Memory address length;
Determination unit, for by the difference for redirecting memory address length and the target memory address size, being determined as
The memory range that the short jump instruction is redirected.
B17, such as B10-B13 any one of them devices, described device further include:
Change unit, for by call change protection mprotect functions, by memory attribute be revised as it is readable, writeable,
Executable attribute.
B18, such as B10-B13 any one of them devices, described device further include:
Refresh unit, for by calling cache flush cacheflush functions flush buffers.
C19, a kind of computer-readable recording medium, are stored thereon with computer program, when which is executed by processor
Realize following steps:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects
Instruction, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and performs
The new function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform described
Machine code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
D20, a kind of hooking device of terminal applies, including memory, processor and storage on a memory and can located
The computer program run on reason device, the processor realize following steps when performing described program:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects
Instruction, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and performs
The new function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform described
Machine code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
In the above-described embodiments, the description to each embodiment all emphasizes particularly on different fields, and does not have the portion being described in detail in some embodiment
Point, it may refer to the associated description of other embodiment.
It is understood that the correlated characteristic in the above method and device can be referred to mutually.In addition, in above-described embodiment
" first ", " second " etc. be to be used to distinguish each embodiment, and do not represent the quality of each embodiment.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description,
The specific work process of device and unit, may be referred to the corresponding process in preceding method embodiment, details are not described herein.
Algorithm and display be not inherently related to any certain computer, virtual system or miscellaneous equipment provided herein.
Various general-purpose systems can also be used together with teaching based on this.As described above, required by constructing this kind of system
Structure be obvious.In addition, the present invention is not also directed to any certain programmed language.It should be understood that it can utilize various
Programming language realizes the content of invention described herein, and the description done above to language-specific is to disclose this hair
Bright preferred forms.
In the specification that this place provides, numerous specific details are set forth.It is to be appreciated, however, that the implementation of the present invention
Example can be put into practice in the case of these no details.In some instances, known method, structure is not been shown in detail
And technology, so as not to obscure the understanding of this description.
Similarly, it will be appreciated that in order to simplify the disclosure and help to understand one or more of each inventive aspect,
Above in the description to the exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes
In example, figure or descriptions thereof.However, the method for the disclosure should be construed to reflect following intention:I.e. required guarantor
The application claims of shield features more more than the feature being expressly recited in each claim.It is more precisely, such as following
Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore,
Thus the claims for following embodiment are expressly incorporated in the embodiment, wherein each claim is in itself
Separate embodiments all as the present invention.
Those skilled in the art, which are appreciated that, to carry out adaptively the module in the equipment in embodiment
Change and they are arranged in one or more equipment different from the embodiment.Can be the module or list in embodiment
Member or component be combined into a module or unit or component, and can be divided into addition multiple submodule or subelement or
Sub-component.In addition at least some in such feature and/or process or unit exclude each other, it can use any
Combination is disclosed to all features disclosed in this specification (including adjoint claim, summary and attached drawing) and so to appoint
Where all processes or unit of method or equipment are combined.Unless expressly stated otherwise, this specification (including adjoint power
Profit requires, summary and attached drawing) disclosed in each feature can be by providing the alternative features of identical, equivalent or similar purpose come generation
Replace.
In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments
In included some features rather than further feature, but the combination of the feature of different embodiments means in of the invention
Within the scope of and form different embodiments.For example, in the following claims, embodiment claimed is appointed
One of meaning mode can use in any combination.
The all parts embodiment of the present invention can be with hardware realization, or to be run on one or more processor
Software module realize, or realized with combinations thereof.It will be understood by those of skill in the art that it can use in practice
Microprocessor or digital signal processor (DSP) are realized in the hooking device of terminal applies according to embodiments of the present invention
The some or all functions of some or all components.The present invention is also implemented as being used to perform method as described herein
Some or all equipment or program of device (for example, computer program and computer program product).Such reality
The program of the existing present invention can store on a computer-readable medium, or can have the form of one or more signal.
Such signal can be downloaded from internet website and obtained, and either be provided or in the form of any other on carrier signal
There is provided.
It should be noted that the present invention will be described rather than limits the invention for above-described embodiment, and ability
Field technique personnel can design alternative embodiment without departing from the scope of the appended claims.In the claims,
Any reference symbol between bracket should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not
Element or step listed in the claims.Word "a" or "an" before element does not exclude the presence of multiple such
Element.The present invention can be by means of including the hardware of some different elements and being come by means of properly programmed computer real
It is existing.In if the unit claim of equipment for drying is listed, several in these devices can be by same hardware branch
To embody.The use of word first, second, and third does not indicate that any order.These words can be explained and run after fame
Claim.
Claims (10)
1. a kind of hook method of terminal applies, it is characterised in that including:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects finger
Order, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine code of the object function
Instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and described in execution
New function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform the machine
Code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
2. according to the method described in claim 1, it is characterized in that, the identification jumps to new function from the object function
Short jump instruction, specifically includes:
If the identification short jump instruction is the b instructions based on 32-bit operating system, it is determined that the short jump instruction be based on
The short jump instructions of arm of 32-bit operating system;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, specifically includes:
If the memory range that the short jump instructions of arm are redirected is less than the memory range of 32M, by the machine of the object function
Device code instruction replaces with the short jump instructions of the arm.
3. according to the method described in claim 1, it is characterized in that, the identification jumps to new function from the object function
Short jump instruction, specifically includes:
If the identification short jump instruction is the b.W instructions based on 32-bit operating system, it is determined that the short jump instruction is base
In the short jump instructions of the thumb of 32-bit operating system;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, specifically includes:
If the memory range that the short jump instructions of thumb are redirected is less than the memory range of 16M, by the object function
Machine code instruction replaces with the short jump instructions of the thumb.
4. according to the method described in claim 1, it is characterized in that, the identification jumps to new function from the object function
Short jump instruction, specifically includes:
If the identification short jump instruction is the b instructions based on 64 bit manipulation systems, it is determined that the short jump instruction be based on
The short jump instruction of 64 bit manipulation systems;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine of the object function
Device code instruction replaces with the short jump instruction, specifically includes:
, will if the memory range that the short jump instruction based on 64 bit manipulation systems is redirected is less than the memory range of 128M
The machine code instruction of the object function replaces with the short jump instruction based on 64 bit manipulation systems.
A kind of 5. hooking device of terminal applies, it is characterised in that including:
Recognition unit, in the application call object function of mobile terminal, identifying from the object function and jumping to new letter
Several short jump instructions, the new function are the function for treating the object function hook;
Replacement unit, if the memory range that the short jump instruction for recognition unit identification is redirected meets in default
Scope is deposited, then the machine code instruction of the object function is replaced with into the short jump instruction, to jump to according to the short jump
Turn the memory address of instruction application, and perform the new function;
Translation unit, for after the new function has been performed, however, it is determined that needs continue to call the object function, then translate simultaneously
Perform the machine code instruction;
Writing unit, for after the machine code instruction has been performed, writing the jump instruction, to realize target described in rebound
Function.
6. device according to claim 5, it is characterised in that
The recognition unit, if specifically for identifying that the short jump instruction instructs for the b based on 32-bit operating system, it is determined that
The short jump instruction is the short jump instructions of arm based on 32-bit operating system;
The replacement unit, if being less than the memory model of 32M specifically for the memory range that the short jump instructions of the arm are redirected
Enclose, then the machine code instruction of the object function is replaced with into the short jump instructions of the arm.
7. device according to claim 5, it is characterised in that
The recognition unit, if specifically for identifying that the short jump instruction instructs for the b.W based on 32-bit operating system, really
The fixed short jump instruction is the short jump instructions of thumb based on 32-bit operating system;
The replacement unit, if being less than the memory model of 16M specifically for the memory range that the short jump instructions of the thumb are redirected
Enclose, then the machine code instruction of the object function is replaced with into the short jump instructions of the thumb.
8. device according to claim 5, it is characterised in that
The recognition unit, if specifically for identifying that the short jump instruction instructs for the b based on 64 bit manipulation systems, it is determined that
The short jump instruction is the short jump instruction based on 64 bit manipulation systems;
The replacement unit, if the memory range redirected specifically for the short jump instruction based on 64 bit manipulation systems is small
In the memory range of 128M, then the machine code instruction of the object function is replaced with into the short jump instruction.
9. a kind of computer-readable recording medium, is stored thereon with computer program, it is characterised in that the program is held by processor
Following steps are realized during row:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects finger
Order, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine code of the object function
Instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and described in execution
New function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform the machine
Code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
10. a kind of hooking device of terminal applies, including memory, processor and storage are on a memory and can be on a processor
The computer program of operation, it is characterised in that the processor realizes following steps when performing described program:
In the application call object function of mobile terminal, identify that jumping to the short of new function from the object function redirects finger
Order, the new function are the function for treating the object function hook;
If the memory range that the short jump instruction is redirected meets default memory range, by the machine code of the object function
Instruction replaces with the short jump instruction, to jump to the memory address according to the short jump instruction application, and described in execution
New function;
After the new function has been performed, however, it is determined that needs continue to call the object function, then translate and perform the machine
Code instruction;
After the machine code instruction has been performed, the short jump instruction is write, to realize object function described in rebound.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711015703.1A CN107943517A (en) | 2017-10-26 | 2017-10-26 | The hook method and device of terminal applies |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711015703.1A CN107943517A (en) | 2017-10-26 | 2017-10-26 | The hook method and device of terminal applies |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN107943517A true CN107943517A (en) | 2018-04-20 |
Family
ID=61935663
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711015703.1A Pending CN107943517A (en) | 2017-10-26 | 2017-10-26 | The hook method and device of terminal applies |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107943517A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110597571A (en) * | 2018-06-12 | 2019-12-20 | 杨力祥 | Protection method for non-immediate data skip and corresponding computing device |
| CN111352629A (en) * | 2018-12-24 | 2020-06-30 | 北京奇虎科技有限公司 | Optimization method and device for program call |
| CN115952491A (en) * | 2022-12-30 | 2023-04-11 | 北京基调网络股份有限公司 | Method, device, electronic equipment and medium for hook target function |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1838074A (en) * | 2006-02-22 | 2006-09-27 | 北京金山软件有限公司 | Method and system for acquiring function parameter on 64-bit windows operating system |
| CN102156661A (en) * | 2010-02-11 | 2011-08-17 | 华为技术有限公司 | Method, device and system for online activating patches |
| CN103530184A (en) * | 2013-10-24 | 2014-01-22 | 华为技术有限公司 | Method and device for online patch activation |
| CN103885750A (en) * | 2014-04-04 | 2014-06-25 | 深圳市大成天下信息技术有限公司 | Device and method for hooking new function in objective function and electronic device |
| CN104598809A (en) * | 2015-02-13 | 2015-05-06 | 北京奇虎科技有限公司 | Program monitoring method and defending method thereof, as well as relevant device |
| CN107193538A (en) * | 2016-03-14 | 2017-09-22 | 无锡天脉聚源传媒科技有限公司 | A kind of improved method and device for hooking up technology |
-
2017
- 2017-10-26 CN CN201711015703.1A patent/CN107943517A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1838074A (en) * | 2006-02-22 | 2006-09-27 | 北京金山软件有限公司 | Method and system for acquiring function parameter on 64-bit windows operating system |
| CN102156661A (en) * | 2010-02-11 | 2011-08-17 | 华为技术有限公司 | Method, device and system for online activating patches |
| CN103530184A (en) * | 2013-10-24 | 2014-01-22 | 华为技术有限公司 | Method and device for online patch activation |
| CN103885750A (en) * | 2014-04-04 | 2014-06-25 | 深圳市大成天下信息技术有限公司 | Device and method for hooking new function in objective function and electronic device |
| CN104598809A (en) * | 2015-02-13 | 2015-05-06 | 北京奇虎科技有限公司 | Program monitoring method and defending method thereof, as well as relevant device |
| CN107193538A (en) * | 2016-03-14 | 2017-09-22 | 无锡天脉聚源传媒科技有限公司 | A kind of improved method and device for hooking up technology |
Non-Patent Citations (1)
| Title |
|---|
| HITS: "Android Arm Inline Hook", 《HTTP://ELE7ENXXH.COM/ANDROID-ARM-INLINE-HOOK.HTML》 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110597571A (en) * | 2018-06-12 | 2019-12-20 | 杨力祥 | Protection method for non-immediate data skip and corresponding computing device |
| CN111352629A (en) * | 2018-12-24 | 2020-06-30 | 北京奇虎科技有限公司 | Optimization method and device for program call |
| CN115952491A (en) * | 2022-12-30 | 2023-04-11 | 北京基调网络股份有限公司 | Method, device, electronic equipment and medium for hook target function |
| CN115952491B (en) * | 2022-12-30 | 2023-09-29 | 北京基调网络股份有限公司 | Method, device, electronic equipment and medium for hook objective function |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107908444A (en) | The hook method and device of terminal applies | |
| US9021584B2 (en) | System and method for assessing danger of software using prioritized rules | |
| JP5602597B2 (en) | Method, computer program, and system for memory optimization of virtual machine code by segmenting foreign information | |
| CN109753806A (en) | Server protection method and device | |
| US8850573B1 (en) | Computing device with untrusted user execution mode | |
| CN105574411A (en) | Dynamic unshelling method, device and equipment | |
| CN107943517A (en) | The hook method and device of terminal applies | |
| CN107480476B (en) | Android native layer instruction compiling virtualization shell adding method based on ELF infection | |
| CN102981874B (en) | Computer processing system and registration table reorientation method | |
| US11210196B1 (en) | Systems and methods for locally streaming applications in a computing system | |
| CN105426310A (en) | Method and apparatus for detecting performance of target process | |
| CN104036019A (en) | Method and device for opening webpage links | |
| CN104572197B (en) | A kind for the treatment of method and apparatus of startup item | |
| CN104699503A (en) | Method and device for replacing function execution logic in Android system | |
| CN105335197A (en) | Starting control method and device for application program in terminal | |
| CN111428241A (en) | Multi-security access policy control method and computing device | |
| CN103309666B (en) | A kind of software running control method and device | |
| US9262301B2 (en) | Observability control with observability information file | |
| US8769498B2 (en) | Warning of register and storage area assignment errors | |
| US8589899B2 (en) | Optimization system, optimization method, and compiler program | |
| CN109190367A (en) | Utilize the method and device of sandbox operation application program installation kit | |
| CN110717181B (en) | Non-control data attack detection method and device based on novel program dependency graph | |
| CN107885529A (en) | The hook method and device of terminal applies | |
| EP3692456B1 (en) | Binary image stack cookie protection | |
| CN107861807A (en) | The optimization method and device of routine call |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180420 |