CN109766145A - A kind of method that function hot patch is realized by HOOK technology under Windows - Google Patents
- Publication number: CN109766145A (application CN201910059783.3A)
- Authority: CN (China)
- Prior art keywords: function, dll, patch, hook
- Legal status: Pending (the listed status is an assumption, not a legal conclusion)
- Classification: Stored Programmes; Debugging And Monitoring
Abstract
The invention discloses a method for implementing a function hot patch by HOOK technology under Windows, relating to the field of communication technology, and comprising the following steps: preparing two patch DLLs, one being the true patch DLL that contains the replacement function and the other the false patch DLL that contains the jump function; injecting the two patch DLLs into the target process; modifying the system function so that it jumps to the replacement function; and executing the jump function, which jumps back to the system function and continues the execution of the system function API. The invention improves the accuracy of the HOOK while reducing unnecessary performance loss.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method for implementing a function hot patch by HOOK technology under Windows.
Background technique
The HOOK mechanism, also called the hook mechanism, is a part of the Windows message-processing mechanism. An application can install a subroutine (callback function) on it to monitor certain messages of a specified window, and the monitored window may have been created by another process. When a message arrives, the hook handles it before the target window's processing function does. The hook mechanism therefore allows an application to intercept and process window messages or particular events.
In the prior art, when a Windows API call is hooked, the system API function is taken over, and after the corresponding processing has been done the original API call must be invoked again; at that moment an anti-HOOK (restore) step must be performed to restore the original system API function. Every call of the system function therefore requires one function replacement / function restoration. When the system function API is executed many times, function replacement and restoration are executed repeatedly and degrade the performance of the whole target process. In addition, when the system function API is called from multiple threads, there can be an instant at which the system function API has been restored, so the target process's call goes directly to the original system function, the HOOK misses it, and the accuracy of the HOOK drops.
Summary of the invention
The purpose of the present invention is to provide a method for implementing a function hot patch by HOOK technology under Windows that improves the accuracy of the HOOK while reducing unnecessary performance loss.
To achieve the above object, the invention provides the following technical scheme:
A method for implementing a function hot patch by HOOK technology under Windows, characterized in that it comprises the following steps:
S1, prepare two patch DLLs, one being the true patch DLL containing the replacement function and the other the false patch DLL containing the jump function;
S2, inject the two patch DLLs into the target process;
S3, modify the system function so that it jumps to the replacement function;
S4, execute the jump function, which jumps back to the system function and continues the execution of the system function API.
Further, the specific content of S3 is as follows: the first five bytes of the system function sendto are modified into a first jmp instruction that jumps to the replacement function MySendTo.
Further, the first 5 bytes of the jump function are the first 5 bytes of the system function sendto before modification, and the 6th to 10th bytes of the jump function are a second jmp instruction that jumps to the 6th byte of the system function sendto.
Further, after S4 there is also S5: when the HOOK function is no longer needed, DLL un-injection is performed and the two patch DLLs are removed from the target process.
Further, the DLL un-injection is performed by calling the UnhookWindowsHookEx function.
Further, in S2 the patch DLL injection is performed by calling the SetWindowsHookEx function.
Compared with the prior art, the beneficial effects of the present invention are: the present invention solves the problem of repeatedly replacing and restoring the original function during the function replacement process. After the DLL is loaded, only a single function replacement is performed, so the original function can be hooked while unnecessary performance loss is reduced; in addition, the application can still call the original system function, and in a multithreaded environment the HOOK accuracy is 100%, because no function restoration ever takes place.
Description of the drawings
Fig. 1 is the HOOK flow chart of the prior art;
Fig. 2 is the HOOK flow chart of the invention;
Fig. 3 is the memory map of the sendto function of ws2_32.dll as loaded by the target process before the prior-art HOOK;
Fig. 4 is the function jump diagram of ws2_32.dll and the patch DLL as loaded by the target process after the prior-art HOOK;
Fig. 5 is the function jump diagram of ws2_32.dll and the two patch DLLs as loaded by the target process after the HOOK of the present invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments, without creative work, fall within the scope of protection of the invention.
Referring to Fig. 1, the existing HOOK process comprises the following steps:
S1, prepare a patch DLL (for example MyHook.dll) that contains the replacement function (for example a MySendto function);
S2, DLL injection: by calling the SetWindowsHookEx function, the patch DLL is injected into the target process (for example a.exe) on the Windows system. Fig. 3 shows the memory map of the sendto function of ws2_32.dll as loaded by the target process before the HOOK (ws2_32.dll is a network DLL; any Windows application that performs network operations loads it by default);
S4, function replacement: after the patch DLL has been injected, the first 5 bytes at the address of the target function (for example sendto) are modified into a JMP (jump) instruction that jumps to the modified function. As shown in Fig. 4, the first five bytes of the system function sendto are modified into a jmp to the replacement function MySendTo, so that when the target process a.exe calls the system API sendto, execution jumps to the replacement function MySendTo;
S5, function restoration: after the replacement function (MySendTo) has done its processing, it needs to call the system API sendto again to send the message. Since sendto has been replaced by MySendTo at this point, the 5 bytes at the function address of the system function API sendto must be restored to their content before the step 3 modification, otherwise the call falls into an endless loop calling MySendTo. After the system function API sendto has been called, the function replacement of S3 must be executed again, otherwise the HOOK function ends. The existing HOOK therefore has to execute function replacement / function restoration without pause; when the system function API is executed many times, replacement and restoration are executed repeatedly and degrade the performance of the target process. Under multithreaded calls it is also possible that the system function API has been restored at some instant, so the target process's function call goes directly to the original system function and the HOOK misses it, i.e. the accuracy of the HOOK drops;
S6, DLL un-injection: when the HOOK function is no longer needed, DLL un-injection can be performed by executing UnhookWindowsHookEx, which removes the patch DLL from the target process a.exe.
Referring to Fig. 2, the present embodiment provides a method for implementing a function hot patch by HOOK technology under Windows, comprising the following steps:
S1, prepare two patch DLLs (MyHook.dll and MyHook2.dll), where MyHook.dll is the true patch DLL containing the replacement function (the MySendto function) and MyHook2.dll is the false patch DLL containing the jump function (the MySendTo2 function);
S2, DLL injection: by calling the SetWindowsHookEx function, the two patch DLLs are injected into the target process (a.exe). Fig. 3 shows the memory map of the sendto function of ws2_32.dll as loaded by the target process before the HOOK;
S3, function replacement: modify the system function so that it jumps to the replacement function. Specifically, referring to Fig. 5, the first five bytes of the system function sendto are modified into the first jmp instruction, which jumps to the replacement function MySendTo. In this way, when the target process a.exe calls the system API sendto, execution jumps to the replacement function MySendTo.
S4, execute the jump function, which jumps back to the system function and continues the execution of the system function API. After the replacement function (MySendTo) has done its processing, it needs to call the system API sendto again to send the message. Since sendto has been replaced by MySendTo at this point, the effect of executing the system function sendto is obtained by executing the function (MySendTo2) in the false patch DLL instead. Continuing with Fig. 5, the first 10 bytes of the MySendTo2 function of the false patch DLL are modified: the first 5 bytes are set to the first 5 bytes of the system function sendto before modification, and the 6th to 10th bytes are the second jmp instruction, which jumps to the 6th byte of the system function sendto. After this modification, calling the HOOK function of the false patch DLL (MySendTo2) is equivalent to calling the original system function API (sendto). The function restoration operation of the existing approach is eliminated, which improves the performance of the target process and at the same time prevents the HOOK misses caused by restoration.
S5, when the HOOK function is no longer needed, DLL un-injection is performed by calling the UnhookWindowsHookEx function, which removes the two patch DLLs from the target process.
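As an added example (not the patent's code), the following C checks the byte layout that S3 and S4 describe in a 32-bit process: it resolves the target of the 5-byte jmp placed at the start of sendto, flags an export whose first instruction leaves its own module (the signature an inline-hook scanner looks for), and validates that a MySendTo2-style jump function carries the saved prologue followed by a jmp to sendto's 6th byte. All addresses and bytes are constructed sample values; the hot-patch prologue 8B FF 55 8B EC and the module range are assumptions.

```c
/* Added example, not from the patent: decode and validate the 5-byte jmp
 * layout it describes (32-bit x86).  Every address and byte below is a
 * constructed sample, not real ws2_32.dll content. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define JMP_REL32 0xE9   /* opcode of the 5-byte relative jmp */
#define JMP_LEN   5
/* Assumed (hypothetical) load addresses. */
#define SENDTO_ADDR   0x71AB2000u   /* ws2_32!sendto */
#define WS2_LO        0x71AB0000u   /* ws2_32.dll image range */
#define WS2_HI        0x71AC0000u
#define MYSENDTO_ADDR 0x10001000u   /* replacement function in MyHook.dll */
#define TRAMP_ADDR    0x10002000u   /* MySendTo2 in MyHook2.dll */

/* Constructed: sendto's first 5 bytes before modification, the hot-patch
 * prologue "mov edi,edi; push ebp; mov ebp,esp". */
static const uint8_t SAMPLE_ORIG[JMP_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
/* Constructed: sendto's first 5 bytes after S3, "jmp MySendTo"
 * (rel32 = MYSENDTO_ADDR - (SENDTO_ADDR + 5), little-endian). */
static const uint8_t SAMPLE_HOOKED[JMP_LEN] = {0xE9, 0xFB, 0xEF, 0x54, 0x9E};
/* Constructed: MySendTo2 after S4, saved prologue then "jmp sendto+5". */
static const uint8_t SAMPLE_TRAMP[2 * JMP_LEN] =
    {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0xE9, 0xFB, 0xFF, 0xAA, 0x61};

/* Target of an E9 rel32 jmp whose first byte is at address `at`; 0 if the
 * bytes are not such a jmp (0 is never a valid user-mode code address). */
uint32_t jmp_target(const uint8_t *code, uint32_t at) {
    if (code[0] != JMP_REL32) return 0;
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return at + JMP_LEN + rel;   /* relative to the next instruction, wraps mod 2^32 */
}

/* Detection: an export whose first instruction jumps out of its own module
 * has been inline-hooked the way S3 does it. */
int looks_hooked(const uint8_t *prologue, uint32_t func_addr,
                 uint32_t mod_lo, uint32_t mod_hi) {
    uint32_t t = jmp_target(prologue, func_addr);
    return t != 0 && (t < mod_lo || t >= mod_hi);
}

/* Validate the 10-byte "false patch" function: bytes 0..4 must equal the
 * saved original prologue and bytes 5..9 must jump to sendto's 6th byte. */
int trampoline_ok(const uint8_t *tramp, uint32_t tramp_addr,
                  const uint8_t *saved, uint32_t sendto_addr) {
    if (memcmp(tramp, saved, JMP_LEN) != 0) return 0;
    return jmp_target(tramp + JMP_LEN, tramp_addr + JMP_LEN) == sendto_addr + JMP_LEN;
}

int main(void) {
    printf("sendto hooked: %d (jmp -> 0x%08X)\n",
           looks_hooked(SAMPLE_HOOKED, SENDTO_ADDR, WS2_LO, WS2_HI),
           (unsigned)jmp_target(SAMPLE_HOOKED, SENDTO_ADDR));
    printf("MySendTo2 layout valid: %d\n",
           trampoline_ok(SAMPLE_TRAMP, TRAMP_ADDR, SAMPLE_ORIG, SENDTO_ADDR));
    return 0;
}
```

The byte copy in S4 is only correct when sendto's first 5 bytes are whole, position-independent instructions, as the hot-patch prologue is; a function that opens with a relative call or jump would need those bytes relocated, which copying them verbatim does not do.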
It is obvious to a person skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the invention can be realized in other specific forms without departing from its spirit or essential attributes. Therefore, from whatever point of view, the embodiments are to be regarded as illustrative and not restrictive, and the scope of the invention is defined by the appended claims rather than by the above description; all changes that fall within the meaning and scope of equivalents of the claims are therefore intended to be included in the invention.
Claims (6)
1. A method for implementing a function hot patch by HOOK technology under Windows, characterized in that it comprises the following steps:
S1, prepare two patch DLLs, one being the true patch DLL containing the replacement function and the other the false patch DLL containing the jump function;
S2, inject the two patch DLLs into the target process;
S3, modify the system function so that it jumps to the replacement function;
S4, execute the jump function, which jumps back to the system function and continues the execution of the system function API.
2. The method for implementing a function hot patch by HOOK technology under Windows according to claim 1, characterized in that the specific content of S3 is as follows: the first five bytes of the system function sendto are modified into a first jmp instruction that jumps to the replacement function MySendTo.
3. The method for implementing a function hot patch by HOOK technology under Windows according to claim 1, characterized in that the first 5 bytes of the jump function are the first 5 bytes of the system function sendto before modification, and the 6th to 10th bytes of the jump function are a second jmp instruction that jumps to the 6th byte of the system function sendto.
4. The method for implementing a function hot patch by HOOK technology under Windows according to claim 1, characterized in that after S4 there is also S5: when the HOOK function is no longer needed, DLL un-injection is performed and the two patch DLLs are removed from the target process.
5. The method for implementing a function hot patch by HOOK technology under Windows according to claim 4, characterized in that the DLL un-injection is performed by calling the UnhookWindowsHookEx function.
6. The method for implementing a function hot patch by HOOK technology under Windows according to claim 1, characterized in that in S2 the patch DLL injection is performed by calling the SetWindowsHookEx function.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910059783.3A CN109766145A (en) | 2019-01-22 | 2019-01-22 | A kind of method that function hot patch is realized by HOOK technology under Windows |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109766145A (en) | 2019-05-17 |
Family ID: 66454943
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113328995A (en) * | 2021-05-06 | 2021-08-31 | 深圳市联软科技股份有限公司 | Flow proxy method and system for android |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101587455A (en) * | 2008-12-11 | 2009-11-25 | 南京南瑞继保电气有限公司 | Method for checking memory leak for vxWorks operating system |
CN101799763A (en) * | 2009-02-10 | 2010-08-11 | 华为技术有限公司 | Method, device and system for patching kernel on line |
CN102156661A (en) * | 2010-02-11 | 2011-08-17 | 华为技术有限公司 | Method, device and system for online activating patches |
CN104809018A (en) * | 2015-05-18 | 2015-07-29 | 烽火通信科技股份有限公司 | Method and system for injecting hotfix into software of embedded system |
CN105573788A (en) * | 2015-12-15 | 2016-05-11 | 华为技术有限公司 | Patch processing method and device as well as patch generation method and device |
CN107193538A (en) * | 2016-03-14 | 2017-09-22 | 无锡天脉聚源传媒科技有限公司 | A kind of improved method and device for hooking up technology |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190517 |