CN109522712B - Method, storage medium, device and system for detecting system acceleration - Google Patents
Method, storage medium, device and system for detecting system acceleration Download PDFInfo
- Publication number
- CN109522712B CN109522712B CN201811287857.0A CN201811287857A CN109522712B CN 109522712 B CN109522712 B CN 109522712B CN 201811287857 A CN201811287857 A CN 201811287857A CN 109522712 B CN109522712 B CN 109522712B
- Authority
- CN
- China
- Prior art keywords
- system time
- function
- self
- time
- realization
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a method, a storage medium, equipment and a system for detecting the acceleration of a system, which relate to the field of network security, wherein the method comprises the steps of calling a system time function of a Windows operating system to obtain system time, wherein the system time function comprises timeGetTime and GetTickCount; creating a first self-realization function of a system time function timeGetTime, and acquiring system time; establishing a second self-realization function of a system time function GetTickCount to acquire system time; and comparing the system time obtained by the system time function with the system time obtained by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time obtained by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated. The invention can realize the effective judgment of whether the operating system is accelerated.
Description
Technical Field
The present invention relates to the field of network security, and in particular, to a method, a storage medium, a device, and a system for detecting system acceleration.
Background
For the Windows operating system, some illegal persons can accelerate the program of the client by illegal means, so that the program is unbalanced and even the server is damaged, and the acceleration principle is to hook the system time function by inline hook, so that an accelerated time is returned for all the time-obtaining functions in the program. For example, for a lottery drawing program, the client program is accelerated, and it is likely that the client program will issue a lottery drawing command first, and violate the randomness of the lottery drawing to be fair away, whereas for the game program, if the client program is accelerated, the movement of the character in the game will be faster than that of other characters, and the game experience of others will be affected.
In the existing detection of whether the operating system is accelerated, whether a time function is hook is detected generally, and whether the operating system is subjected to illegal acceleration processing is further judged, but some illegal persons modify specific time after hook, and when the time function is checked whether the hook is present, the modified code is restored, so that the check is bypassed, and the check of whether the operating system is accelerated is not accurate enough.
Disclosure of Invention
In view of the defects in the prior art, an object of the present invention is to provide a method for detecting whether an operating system is accelerated, which can achieve effective determination of whether the operating system is accelerated. The invention also correspondingly provides a storage medium, equipment and a system for detecting the acceleration of the operating system.
In order to achieve the above purposes, the technical scheme adopted by the invention is as follows:
the first aspect of the present invention provides a method for detecting whether an operating system is accelerated, which is used to detect whether Windows operation is accelerated, and includes the following steps:
calling a system time function of the Windows operating system to acquire system time, wherein the system time function comprises timeGetTime and GetTickCount;
creating a first self-realization function of a system time function timeGetTime, and acquiring system time;
establishing a second self-realization function of a system time function GetTickCount to acquire system time;
and comparing the system time obtained by the system time function with the system time obtained by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time obtained by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
With reference to the first aspect, in a first possible implementation manner, the system time function, the system time obtained by the first self-implementation function, and the system time obtained by the second self-implementation function are all the time elapsed from the start of the operating system to the present.
With reference to the first aspect, in a second possible implementation manner, the creating a first self-implementation function of the system time function timeGetTime to obtain the system time includes the specific steps of:
s21: acquiring a handle of a system module winmm.dll where a system time function timeGetTime is located;
s22: acquiring the address of a memory where a system time function timeGetTime is located;
s23: based on the obtained address, reading the code offset of 0x12 bytes of the system time function timeGetTime, and then obtaining the system time.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner, the specific step of step S23 is:
s231: based on the obtained address, reading a memory code with a code offset of 0x12 bytes of a system time function timeGetTime, and judging whether the memory code with the offset of 0x12 bytes is 0x52B, if so, going to S232, and if not, going to S233;
s232: acquiring system time;
s233: acquiring a handle of a system module kernel32.dll, and acquiring a function address of a system time function timeGetTime in the system module kernel 32.dll;
s234: based on the obtained function address, a system time function timeGetTime is obtained, and then the system time stored at the 0x2b 0x6a 0x 000 x1b 0x680x2710 feature in the system time function timeGetTime code is obtained.
With reference to the first aspect, in a fourth possible implementation manner, the creating a second self-implementation function of the system time function gettimeckcount to obtain the system time includes:
s31: reading time data shared by an operating system;
s32: calling a system function GetVersionEx to obtain the version number of the current operating system;
s33: and acquiring the corresponding system time in the time data based on the acquired version number of the operating system.
With reference to the first aspect, in a fifth possible implementation manner, before the invoking a system time function of the Windows operating system and obtaining the system time, the method further includes: calling API functions timeBeginPeriod and timeEndPeriod of the operating system to set time acquisition precision, and then calling a system time function of the Windows operating system to acquire system time.
A second aspect of the invention provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
calling a system time function of the Windows operating system to acquire system time, wherein the system time function comprises timeGetTime and GetTickCount;
creating a first self-realization function of a system time function timeGetTime, and acquiring system time;
establishing a second self-realization function of a system time function GetTickCount to acquire system time;
and comparing the system time obtained by the system time function with the system time obtained by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time obtained by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
A third aspect of the present invention provides an electronic apparatus, comprising:
the system comprises a calling unit, a processing unit and a processing unit, wherein the calling unit is used for calling a system time function of the Windows operating system to acquire system time, and the system time function comprises timeGetTime and GetTickCount;
the first creating unit is used for creating a first self-realization function of a system time function timeGetTime and acquiring the system time;
the second creating unit is used for creating a second self-realization function of the system time function GetTickCount and acquiring the system time;
and the comparison unit is used for comparing the system time acquired by the system time function with the system time acquired by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time acquired by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
A fourth aspect of the present invention provides a system for detecting that an operating system is accelerated, comprising:
the system comprises a calling module, a judging module and a processing module, wherein the calling module is used for calling a system time function of the Windows operating system to acquire system time, and the system time function comprises timeGetTime and GetTickCount;
the system comprises a first establishing module, a second establishing module and a third establishing module, wherein the first establishing module is used for establishing a first self-realization function of a system time function timeGetTime and acquiring system time;
the second creating module is used for creating a second self-realization function of the system time function GetTickCount and acquiring the system time;
and the comparison module is used for comparing the system time acquired by the system time function with the system time acquired by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time acquired by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
With reference to the fourth aspect, in a first possible implementation manner, the system time function, the system time obtained by the first self-implementation function, and the system time obtained by the second self-implementation function are all the time elapsed from the start of the operating system to the present.
Compared with the prior art, the invention has the advantages that: the method comprises the steps of obtaining system time by calling a system time function of a Windows operating system, then creating a first self-realization function of a system time function timeGetTime and a second self-realization function of the system time function GetTickCount, and obtaining the system time.
Drawings
FIG. 1 is a flow chart of a method for detecting an operating system being accelerated in an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method for detecting whether an operating system is accelerated, which is characterized in that system time obtained by a time function of the operating system is compared with system time obtained by a self-realization function with the same function of the system time function, so that whether the time is accelerated or not is judged, and whether the operating system is accelerated illegally or not is further judged. The embodiment of the invention also correspondingly provides a storage medium, electronic equipment and a system for detecting the acceleration of the operating system.
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. It should be noted that the operating system in the embodiment of the present invention refers to a Windows operating system.
Referring to fig. 1, an embodiment of a method for detecting that an operating system is accelerated according to an embodiment of the present invention includes:
s1: and calling a system time function of the Windows operating system to acquire system time, wherein the system time function comprises timeGetTime and GetTickCount.
In the embodiment of the invention, the time functions of the Windows operating system mainly comprise timeGetTime, GetTickCount, QueryPerformanceCount and GetSystemTime, and most programs only use timeGetTime and GetTickCount, so that in the embodiment of the invention, verification is carried out only on the time functions TimeGetTime and GetTickCount, and whether the system time obtained through the system time functions TimeGetTime and GetTickCount is the same as the system time obtained from the realization function with the same function of the system time function is judged.
Certainly, in some rare cases, if the system time function called by the program is a query performance counter or a GetSystemTime, the determination of whether the system is accelerated at this time is similar to the technical solution disclosed in the embodiment of the present invention, and specifically:
calling a system time function QueryPerformancecounter or GetSystemTime to acquire system time, if the system time function used by a program is the QueryPerformancecounter, creating a self-realization function of the system time function QueryPerformancecounter to acquire the system time, and then comparing and judging the system time acquired by the system time function with the time acquired by the self-realization function; if the system time function used by the program is GetSystemTime, a self-realization function of the GetSystemTime is established, the system time is acquired, and then the system time acquired by the system time function is respectively compared with the time acquired by the self-realization function and judged.
Creating a self-realization function of a system time function QueryPerformancecounter, and acquiring system time, wherein the self-realization function comprises the following specific steps: firstly, calling a function QueryPerformancefrequency to acquire the clock frequency of an internal timer of an operating system, wherein the function QueryPerformancefrequency is used for returning the frequency of a high-precision counter supported by hardware, then calling the function QueryPerformancecounter respectively before and after a defined event occurs, the system can be defined as being started before the event occurs, the current time can be defined as being current after the event occurs, and the accurate time of the event is calculated by using the difference between the two counts and the clock frequency, namely the current system time.
And establishing a self-realization function of a system time function GetSystemTime, acquiring the system time, specifically, directly calling the function GetSystemTime when in use, returning the standard time of the Green West, and converting to obtain the current system time.
In the embodiment of the invention, the system time function timeGetTime is a function provided by a Windows operating system and used for acquiring time, the function prototype is DWORDtimeGetTime (), the function has no parameters, the return value is a DWORD type numerical value, the function counts the system time in milliseconds, and the counted time is the time from the system starting to the current time.
In the embodiment of the invention, a system time function GetTickCount is a function provided by a Windows operating system and used for acquiring time, the same function is used for timing the time from the start of the operating system to the current time, the unit is millisecond, the prototype of the function is DWORDGetTickCount (), the function has no parameter, and the return value is a DWORD type numerical value.
S2: and creating a first self-realization function of a system time function timeGetTime, and acquiring the system time.
The first self-realization function and the second self-realization function in the embodiment of the invention need to realize the logic at the application layer as much as possible, and do not need to realize the function of the drive layer, because usually, an illegal person realizes the acceleration function through hook, and only carries out hook on the logic at the application layer, and does not modify the function of the drive layer.
In the embodiment of the invention, the first self-realization function is used for simulating the system time function timeGetTime to acquire the system time, and the system time is not acquired directly through the system time function timeGetTime.
S3: establishing a second self-realization function of a system time function GetTickCount to acquire system time;
in the embodiment of the invention, the second self-realization function is used for simulating the system time function GetTickCount to acquire the system time, and the system time is not acquired directly through the system time function GetTickCount.
S4: and comparing the system time obtained by the system time function with the system time obtained by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time obtained by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated. The system time function, the first self-realization function and the second self-realization function are all the time from the start of the operating system to the current time. The system time function can acquire the system time, and the first self-realization function and the second self-realization function can acquire the system time, when the operating system is subjected to illegal acceleration processing, the system time acquired by the system time function is not correct system time and is advanced compared with the correct system time, and the system time acquired by the first self-realization function and the second self-realization function is correct system time from beginning to end, so that whether the operating system is accelerated can be judged.
In the embodiment of the present invention, there are two called system time functions of the Windows operating system, which are respectively a system time function timeGetTime and a system time function gettimeckcount, so that 2 system times are obtained in step S1, then a first self-implementation function obtains a system time, a second self-implementation function obtains a system time, and 4 system times are obtained in total, and if and only if the 4 system times are the same, it indicates that an illegal person does not modify the system time, and implements the acceleration function.
Optionally, on the basis of the embodiment corresponding to fig. 1, in a first optional embodiment of the method for detecting that the operating system is accelerated according to the embodiment of the present invention, a first self-implementation function of a system time function timeGetTime is created, and the obtaining of the system time is performed, where the specific steps are as follows:
s21: and acquiring a handle of a system module winmm. Dll, Windows Multimedia API describes Windows Multimedia-related application program interface.
In the embodiment of the present invention, the first self-implementation function is used to implement the function of the system time function timeGetTime by relying on the system time function. Acquiring a handle of a system module winmm.dll where a system time function timeGetTime is located, wherein the specific execution code is as follows:
DWORD MytimeGetTime()
HMODULE hModule=GetModuleHandle(“winmm.dll”);
s22: the method comprises the steps of obtaining the address of a memory where a system time function timeGetTime is located, wherein specific execution codes of the process are as follows: DWORD address ═ GetRecaddres (hModule, "timeGetTime"). Wherein, hModule represents the handle of the system module winmm. dll where the time function timeGetTime is located.
S23: based on the obtained address, reading the code offset of 0x12 bytes of the system time function timeGetTime, and then obtaining the system time. Reading a memory code with a code offset of 0x12 bytes of a system time function timeGetTime, wherein the specific execution code is as follows: DWORD dwCode ═ address +0x 12.
Optionally, on the basis of the first optional embodiment corresponding to fig. 1, in a second optional embodiment of the method for detecting that the operating system is accelerated according to the embodiment of the present invention, the specific step of step S23 is:
s231: based on the obtained address, reading a memory code with a code offset of 0x12 bytes of a system time function timeGetTime, and judging whether the memory code with the offset of 0x12 bytes is 0x52B, if so, going to S232, and if not, going to S233;
s232: and acquiring the system time.
In the embodiment of the present invention, when the memory code at the offset of 0x12 bytes is 0x52B, the system time is directly obtained, and the execution code for obtaining the system time is:
DWORD dwPtr=*(DWORD*)(dwFunc+sizeof(WORD));
firstly, defining a pointer dwPtr, and then reading time in shared data of a system, wherein DWORD represents a 32-bit unsigned integer in C + + language usage and is used for the condition that a return value does not have a negative number, dwFunc represents the beginning, sizeof () is an operator for judging the data type or the expression length, and WORD in a code represents the system time;
int64n64_time=*(int64*)(0x7FFE0000+0x8);
thus, n64_ time is a time base, and then:
dwTime=(DWORD)((n64_time-*(int64*)(dwPtr))/10000)+*(DWORD*)(dwPtr+sizeof(int64));
the specific time is dwTime, and the time elapsed from the system being started to the present time is obtained by subtracting the difference from the read value of n64_ time. int64 represents a 64-bit integer data type; 0x7FFE0000 is a user data page shared in the Windows operating system; 0x8 represents 8 in hexadecimal.
S233: acquiring a handle of a system module kernel32.dll, and acquiring a function address of a system time function timeGetTime in the system module kernel 32.dll; the code for obtaining the handle of the system module kernel32.dll is as follows:
HMODULE hMod=GetModuleHandle(“kernel32.dll”);
the kernel32.dll is a system module, the system module kernel32.dll and the system module winmm.dll both contain a system time function timeGetTime, and the system time function timeGetTime in the system module kernel32.dll is obtained in the step.
The code for acquiring the function address of the system time function timeGetTime in the system module kernel32.dll is as follows:
DWORD address=GetProcAddress(hModule,“timeGetTime”)。
here hModule stands for the handle of the system module kernel32. dll.
S234: based on the obtained function address, a system time function timeGetTime is obtained, and then the system time stored at the 0x2b 0x6a 0x 000 x1b 0x680x2710 feature in the system time function timeGetTime code is obtained.
In the embodiment of the present invention, the stored feature of 0x2b 0x6a 0x 000 x1b 0x680x2710 in the system time function timeGetTime code is the system time, if the feature is not found in the previous code of the system time function timeGetTime, the subsequent code can be continuously searched, the total search logic does not exceed 0x60 bytes, and the search execution code is:
writing a for loop to traverse matching codes, matching the codes within 0x60 bytes, and then judging whether the code characteristics of the acquired system function are the following characteristics: 0x2b 0x6a 0x 000 x1b 0x680x2710, and if so, system time acquisition is performed in a manner similar to that described above.
Optionally, on the basis of the embodiment corresponding to fig. 1, in a third optional embodiment of the method for detecting that the operating system is accelerated according to the embodiment of the present invention, a second self-implementation function of the system time function gettimekcount is created, and the obtaining of the system time is performed, where the specific steps are as follows:
s31: reading time data shared by an operating system, wherein the execution code of the process is as follows:
DWORD dwTickCountM=*(DWORD*)(0x7FFE0000+0x4);
the DWORD represents a 32-bit unsigned integer in the C + + language usage and is used for the condition that a return value does not have a negative number; dwticncountm represents the time accuracy of the return, typically 1 ms; 0x7FFE0000 is a user data page shared in the Windows operating system; 0x4 represents 4 in hexadecimal.
S32: calling a system function GetVersionEx to acquire the version number of the current operating system, specifically, firstly defining an OSVERSIONINFOOSvi, executing DWORDMYGetTickCount (), and then calling the system function GetVersionEx to acquire the version number of the current operating system: GetVersionEx (& osvi).
S33: and acquiring the corresponding system time in the time data based on the acquired version number of the operating system.
In the embodiment of the invention, if the version of the operating system is Windows 2003, Vista, 7 or 8, the data with the offset of 0x320 is directly read, and the system time is obtained; if the operating system version is other, executing the following codes:
DWORD dwTickCountLow=*(DWORD*)(0x7FFE0000+0);
int64n64_time=(int64)dwTickCountLow*dwTickCountMulti;
DWORD dwTickCount=(DWORD)(n64_time>>24);
Return dwTickCount;
firstly, reading the time count of the status, finally obtaining the acquired dwTickCount, and finishing the acquisition of the system time.
Optionally, on the basis of the embodiment corresponding to fig. 1, in a fourth optional embodiment of the method for detecting that the operating system is accelerated according to the embodiment of the present invention, before the system time function of the Windows operating system is called and the system time is obtained, the method further includes: calling API (Application programming interface) functions timeBeginPeriod and timeEndPeriod of an operating system to set time acquisition precision, and calling a system time function of the Windows operating system to acquire system time. The functions timeBeginPeriod and timeEndPeriod are both functions used for setting time precision in the Windows operating system, and when in specific use, a number is added behind the function to represent the precision, for example, timeBeginPeriod (1) represents that the set time precision is 1 millisecond.
Because the Windows operating system is not a real-time system, any time obtained may be inaccurate due to multithread interruption, so that the functions of obtaining time are all packaged in API functions timebeginnperiod and timeEndPeriod, which means that time is read with the precision of 1 millisecond, and the specific execution code is as follows:
timeBeginPeriod(1);
DWORD dwSystemTime1=timeGetTime();
timeEndPeriod(1);
timeBeginPeriod(1);
DWORD dwMyTime1=MytimeGetTime();
timeEndPeriod(1);
timeBeginPeriod(1);
DWORD dwSystemTime2=GetTickCount();
timeEndPeriod(1);
timeBeginPeriod(1);
DWORD dwMyTime2=MyGetTickCount();
timeEndPeriod(1);
if dwSystemTime1 and dwMyTime1 are the same, and dwSystemTime2 and dwMyTime2 are the same, then the operating system is not accelerated. Of course, there may be an error in the comparison determination of the system time, so the error may be taken into account in the determination.
The method for detecting the acceleration of the operating system comprises the steps of calling a system time function of a Windows operating system to obtain system time, then creating a first self-realization function of the system time function timeGetTime and a second self-realization function of the system time function GetTickCount to obtain the system time, and comparing the system time obtained by the time function of the operating system with the system time obtained by the self-realization function with the same function of the system time function to judge whether the time is accelerated or not and further judge whether the operating system is accelerated illegally or not and ensure the accuracy of judgment because the time obtained by the system time function is still correct even if the operating system is accelerated.
An embodiment of a storage medium provided in an embodiment of the present invention includes: the storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
calling a system time function of the Windows operating system to acquire system time, wherein the system time function comprises timeGetTime and GetTickCount;
creating a first self-realization function of a system time function timeGetTime, and acquiring system time;
establishing a second self-realization function of a system time function GetTickCount to acquire system time;
and comparing the system time obtained by the system time function with the system time obtained by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time obtained by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
Optionally, on the basis of the above storage medium embodiment, in a first optional embodiment of the storage medium provided by the embodiment of the present invention, the storage medium may adopt any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer-readable storage medium may be, for example but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Alternatively, on the basis of the above embodiment of the storage medium and the first alternative embodiment, in a second alternative embodiment of the storage medium provided by the embodiment of the present invention, the computer-readable signal medium may include a data signal propagating in a baseband or as a part of a carrier wave, in which a computer-readable program code is carried. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Optionally, on the basis of the above embodiment of the storage medium and the first and second alternative embodiments, in a third alternative embodiment of the storage medium provided by the embodiment of the present invention, the computer program code for performing the operations of the present invention may be written in one or more programming languages, or a combination thereof, the programming languages including an object oriented programming language, such as Java, Smalltalk, C + +, and further including a conventional procedural programming language, such as "C" programming language or a similar programming language. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Referring to fig. 2, an embodiment of an electronic device provided in an embodiment of the present invention includes:
the system comprises a calling unit, a processing unit and a processing unit, wherein the calling unit is used for calling a system time function of the Windows operating system to acquire system time, and the system time function comprises timeGetTime and GetTickCount;
the first creating unit is used for creating a first self-realization function of a system time function timeGetTime and acquiring the system time;
the second creating unit is used for creating a second self-realization function of the system time function GetTickCount and acquiring the system time;
and the comparison unit is used for comparing the system time acquired by the system time function with the system time acquired by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time acquired by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
An embodiment of a system for detecting that an operating system is accelerated according to an embodiment of the present invention includes:
the system comprises a calling module, a judging module and a processing module, wherein the calling module is used for calling a system time function of the Windows operating system to acquire system time, and the system time function comprises timeGetTime and GetTickCount;
the system comprises a first establishing module, a second establishing module and a third establishing module, wherein the first establishing module is used for establishing a first self-realization function of a system time function timeGetTime and acquiring system time;
the second creating module is used for creating a second self-realization function of the system time function GetTickCount and acquiring the system time;
and the comparison module is used for comparing the system time acquired by the system time function with the system time acquired by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time acquired by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
The system time function, the first self-realization function and the second self-realization function are all the time from the start of the operating system to the current time.
The system for detecting the acceleration of the operating system in the embodiment of the invention acquires the system time by calling the system time function of the Windows operating system, then creates the first self-realization function of the system time function timeGetTime and the second self-realization function of the system time function GetTickCount, and acquires the system time, so that even if the operating system is accelerated, the time acquired by the first self-realization function and the second self-realization function is still the correct system time, and on the basis, the system time acquired by the time function of the operating system is compared with the system time acquired by the self-realization function with the same function as the system time function, thereby judging whether the time is accelerated, further judging whether the operating system is accelerated illegally, and ensuring the accuracy of the judgment.
The present invention is not limited to the above-described embodiments, and it will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and such modifications and improvements are also considered to be within the scope of the present invention. Those not described in detail in this specification are within the skill of the art.
Claims (10)
1. A method for detecting whether an operating system is accelerated, the method for detecting whether Windows operations are accelerated, the method comprising the steps of:
calling a system time function of the Windows operating system to acquire system time, wherein the system time function comprises timeGetTime and GetTickCount;
creating a first self-realization function of a system time function timeGetTime, and acquiring system time;
creating a second self-realization function of the system time function GetTickCount for obtaining the system time, wherein the first self-realization function is used for simulating the system time function TimeGetTime to obtain the system time, and the second self-realization function is used for simulating the system time function GetTickCount to obtain the system time;
and comparing the system time obtained by the system time function with the system time obtained by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time obtained by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
2. A method for detecting that an operating system is accelerated, as recited in claim 1, wherein: the system time function, the first self-realization function and the second self-realization function are all the time from the start of the operating system to the current time.
3. A method for detecting that an operating system is accelerated, as recited in claim 1, wherein: the method comprises the following specific steps of establishing a first self-realization function of a system time function timeGetTime, and acquiring system time:
s21: acquiring a handle of a system module winmm.dll where a system time function timeGetTime is located;
s22: acquiring the address of a memory where a system time function timeGetTime is located;
s23: based on the obtained address, reading the code offset of 0x12 bytes of the system time function timeGetTime, and then obtaining the system time.
4. A method for detecting that an operating system is accelerated, as claimed in claim 3, characterized in that: the specific steps of step S23 are:
s231: based on the obtained address, reading a memory code with a code offset of 0x12 bytes of a system time function timeGetTime, and judging whether the memory code with the offset of 0x12 bytes is 0x52B, if so, going to S232, and if not, going to S233;
s232: acquiring system time;
s233: acquiring a handle of a system module kernel32.dll, and acquiring a function address of a system time function timeGetTime in the system module kernel 32.dll;
s234: based on the obtained function address, a system time function timeGetTime is obtained, and then the system time stored at the 0x2b 0x6a 0x 000 x1b 0x680x2710 feature in the system time function timeGetTime code is obtained.
5. A method for detecting that an operating system is accelerated, as recited in claim 1, wherein: the second self-realization function of creating the system time function GetTickCount is used for acquiring the system time, and the specific steps are as follows:
s31: reading time data shared by an operating system;
s32: calling a system function GetVersionEx to obtain the version number of the current operating system;
s33: and acquiring the corresponding system time in the time data based on the acquired version number of the operating system.
6. A method for detecting that an operating system is accelerated, as recited in claim 1, wherein: when the system time function of the Windows operating system is called and before the system time is acquired, the method further comprises the following steps: calling API functions timeBeginPeriod and timeEndPeriod of the operating system to set time acquisition precision, and then calling a system time function of the Windows operating system to acquire system time.
7. A storage medium having a computer program stored thereon, characterized in that: the computer program when executed by a processor implementing the steps of:
calling a system time function of the Windows operating system to acquire system time, wherein the system time function comprises timeGetTime and GetTickCount;
creating a first self-realization function of a system time function timeGetTime, and acquiring system time;
creating a second self-realization function of the system time function GetTickCount for obtaining the system time, wherein the first self-realization function is used for simulating the system time function TimeGetTime to obtain the system time, and the second self-realization function is used for simulating the system time function GetTickCount to obtain the system time;
and comparing the system time obtained by the system time function with the system time obtained by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time obtained by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
8. An electronic device, characterized in that the electronic device comprises:
the system comprises a calling unit, a processing unit and a processing unit, wherein the calling unit is used for calling a system time function of the Windows operating system to acquire system time, and the system time function comprises timeGetTime and GetTickCount;
the first creating unit is used for creating a first self-realization function of a system time function timeGetTime and acquiring the system time;
the second creating unit is used for creating a second self-realization function of the system time function GetTickCount for obtaining the system time, the first self-realization function is used for simulating the system time function timeGetTime for obtaining the system time, and the second self-realization function is used for simulating the system time function GetTickCount for obtaining the system time;
and the comparison unit is used for comparing the system time acquired by the system time function with the system time acquired by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time acquired by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
9. A system for detecting that an operating system is accelerated, comprising:
the system comprises a calling module, a judging module and a processing module, wherein the calling module is used for calling a system time function of the Windows operating system to acquire system time, and the system time function comprises timeGetTime and GetTickCount;
the system comprises a first establishing module, a second establishing module and a third establishing module, wherein the first establishing module is used for establishing a first self-realization function of a system time function timeGetTime and acquiring system time;
the second creation module is used for creating a second self-realization function of the system time function GetTickCount to acquire the system time, the first self-realization function is used for simulating the system time function timeGetTime to acquire the system time, and the second self-realization function is used for simulating the system time function GetTickCount to acquire the system time;
and the comparison module is used for comparing the system time acquired by the system time function with the system time acquired by the first self-realization function and the second self-realization function respectively, if the system time is the same as the system time acquired by the first self-realization function, the operating system is not accelerated, otherwise, the operating system is accelerated.
10. A system for detecting that an operating system is accelerated, as recited in claim 9, wherein: the system time function, the first self-realization function and the second self-realization function are all the time from the start of the operating system to the current time.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811287857.0A CN109522712B (en) | 2018-10-31 | 2018-10-31 | Method, storage medium, device and system for detecting system acceleration |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811287857.0A CN109522712B (en) | 2018-10-31 | 2018-10-31 | Method, storage medium, device and system for detecting system acceleration |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109522712A CN109522712A (en) | 2019-03-26 |
| CN109522712B true CN109522712B (en) | 2020-10-16 |
Family
ID=65773587
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811287857.0A Active CN109522712B (en) | 2018-10-31 | 2018-10-31 | Method, storage medium, device and system for detecting system acceleration |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109522712B (en) |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040088690A1 (en) * | 2002-08-27 | 2004-05-06 | Hayim Shaul | Method for accelerating a computer application by recompilation and hardware customization |
| KR101421633B1 (en) * | 2013-04-02 | 2014-07-23 | 주식회사 잉카인터넷 | Speed Hack Detection System and Method |
| CN105224294A (en) * | 2014-06-06 | 2016-01-06 | 深圳市天趣网络科技有限公司 | A kind of game accelerated method and device |
| CN106230644B (en) * | 2016-08-31 | 2020-01-21 | 北京像素软件科技股份有限公司 | Client acceleration detection method |
| CN107203721A (en) * | 2017-03-01 | 2017-09-26 | 广西发发科技有限公司 | A kind of anti-cheating system of current game |
| CN107247611A (en) * | 2017-07-06 | 2017-10-13 | 广州威道网络科技有限公司 | A kind of acceleration method and system of web game |
-
2018
- 2018-10-31 CN CN201811287857.0A patent/CN109522712B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN109522712A (en) | 2019-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2017032265A1 (en) | Application push method and apparatus, and a serving device | |
| US20150067884A1 (en) | Method and system for protecting software | |
| US10395033B2 (en) | System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks | |
| JP6448795B2 (en) | Method, apparatus, and terminal device for setting fingerprint sensor interrupt threshold | |
| CN105357204B (en) | Method and device for generating terminal identification information | |
| WO2017080289A1 (en) | Method and device for fingerprint registration and mobile terminal | |
| US10691390B2 (en) | Method and device for video rendering | |
| CN112749028B (en) | Network traffic processing method, related equipment and readable storage medium | |
| US11210127B2 (en) | Method and apparatus for processing request | |
| US20210042150A1 (en) | Method-call-chain tracking method, electronic device, and computer readable storage medium | |
| CN106155806A (en) | A kind of multi-task scheduling method and server | |
| CN109246234B (en) | Image file downloading method and device, electronic equipment and storage medium | |
| US20090089555A1 (en) | Methods and apparatus for executing or converting real-time instructions | |
| CN106789973B (en) | Page security detection method and terminal equipment | |
| TWI656453B (en) | Detection system and detection method | |
| CN113641544B (en) | Method, apparatus, device, medium and product for detecting application state | |
| CN109522712B (en) | Method, storage medium, device and system for detecting system acceleration | |
| US9842018B2 (en) | Method of verifying integrity of program using hash | |
| US20150154103A1 (en) | Method and apparatus for measuring software performance | |
| WO2017054731A1 (en) | Method and device for processing hijacked browser | |
| US9350723B2 (en) | Determination and classification of defense measures in web applications | |
| CN111382017A (en) | Fault query method, device, server and storage medium | |
| CN111061621B (en) | Method, device and equipment for verifying program performance and storage medium | |
| CN114610577A (en) | Target resource locking method, device, equipment and medium | |
| CN112487414B (en) | Method, device, equipment and storage medium for acquiring process command line |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |