CN109766145A - Method for implementing function hot patching through HOOK technology under Windows - Google Patents

Info

Publication number
CN109766145A
Authority
CN
China
Prior art keywords
function
dll
patch
hook
technology under
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910059783.3A
Other languages
Chinese (zh)
Inventor
李宗宇
赵飞
郑晓峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Yun Meng Meng Technology Co Ltd
Original Assignee
Hangzhou Yun Meng Meng Technology Co Ltd
Application filed by Hangzhou Yun Meng Meng Technology Co Ltd
Priority to CN201910059783.3A
Publication of CN109766145A

Landscapes

  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for implementing function hot patching through HOOK technology under Windows, relating to the field of communication technology, and comprising the following steps: preparing two patch DLLs, one of which is a true patch DLL containing a replacement function and the other a false patch DLL containing a jump function; injecting the two patch DLLs into a target process; modifying a system function so that it jumps to the replacement function; and executing the jump function, which jumps back to the system function so that execution of the system function API continues. The invention reduces unnecessary performance loss while also improving the accuracy of the HOOK.

Description

Method for implementing function hot patching through HOOK technology under Windows
Technical field
The present invention relates to the field of communication technology, and in particular to a method for implementing function hot patching through HOOK technology under Windows.
Background
The HOOK mechanism, also known as the hook mechanism, is a platform of the Windows message-handling mechanism on which an application can install a subroutine (callback function) to monitor certain messages of a specified window; the monitored window may have been created by another process. When a message arrives, the hook handles it before the target window's handler function does. The hook mechanism allows an application to intercept and process window messages or specific events.
In the prior art, when a Windows API function is hooked, the hook takes over the system API function and, after completing its own processing, needs to call the original API function again. At that point an unhook step must be executed to restore the original system API function. Every call to the system function therefore requires one function replacement and one function restoration; when the system function API is executed many times, the replacement/restoration is executed repeatedly, which affects the performance of the whole target process. In addition, when the system function API is called from multiple threads, there is a moment in which the system function API has been restored, and a function call in the target process goes directly to the original system function, so the HOOK is missed and the accuracy of the HOOK is reduced.
Summary of the invention
The purpose of the present invention is to provide a method for implementing function hot patching through HOOK technology under Windows that reduces unnecessary performance loss while also improving the accuracy of the HOOK.
To achieve the above purpose, the invention provides the following technical solution:
A method for implementing function hot patching through HOOK technology under Windows, characterized by comprising the following steps:
S1, prepare two patch DLLs, one of which is a true patch DLL containing a replacement function and the other a false patch DLL containing a jump function;
S2, inject the two patch DLLs into the target process;
S3, modify the system function so that it jumps to the replacement function;
S4, execute the jump function, which jumps back to the system function, and continue the execution of the system function API.
Further, the specific content of S3 is: the first five bytes of the system function sendto are modified into a first jmp instruction that jumps to the replacement function MySendTo.
Further, the first 5 bytes of the jump function are the first 5 bytes of the system function sendto before its modification, and bytes 6 to 10 of the jump function are a second jmp instruction that jumps to the 6th byte of the system function sendto.
Further, S4 is followed by S5: when the HOOK function is no longer needed, DLL un-injection is executed and the two patch DLLs are removed from the target process.
Further, the DLL un-injection is performed by calling the UnhookWindowsHookEx function.
Further, the patch DLL injection in S2 is performed by calling the SetWindowsHookEx function.
Compared with the prior art, the beneficial effects of the present invention are as follows: the invention solves the problem of repeatedly replacing and restoring the original function during function replacement. After the DLLs are loaded, only one function replacement is needed to HOOK the original function, which reduces unnecessary performance loss. In addition, the application can still call the original system function, and in a multi-threaded environment the HOOK accuracy is 100%, because no function restoration takes place.
Brief description of the drawings
Fig. 1 is the HOOK flow chart of the prior art;
Fig. 2 is the HOOK flow chart of the present invention;
Fig. 3 is the memory map of the sendto function of ws2_32.dll as loaded by the target process before the prior-art HOOK;
Fig. 4 is the function jump diagram of ws2_32.dll and the patch DLL as loaded by the target process after the prior-art HOOK;
Fig. 5 is the function jump diagram of ws2_32.dll and the two patch DLLs as loaded by the target process after the HOOK of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, the existing HOOK process comprises the following steps:
S1, prepare a patch DLL (such as MyHook.dll) that contains a replacement function (for example, the MySendTo function);
S2, DLL injection: by calling the SetWindowsHookEx function, the patch DLL is injected into the target process (such as a.exe) in the Windows system. Fig. 3 shows the memory map of the sendto function of ws2_32.dll as loaded by the target process before the HOOK (ws2_32.dll is a network DLL; any Windows application that performs network operations loads this DLL by default);
S4, function replacement: after the patch DLL is injected, the first 5 bytes at the address of the target function (such as sendto) are modified, using a JMP (jump) instruction to jump to the modified function. As shown in Fig. 4, the first five bytes of the system function sendto are modified into a jmp to the replacement function MySendTo. In this way, when the target process a.exe calls the system API sendto, execution jumps to the replacement function MySendTo;
S5, function restoration: after the replacement function (MySendTo) has done its processing, the system API sendto has to be executed to send the message. Since sendto has by then been replaced by MySendTo, the 5 bytes at the function address of the system function API sendto must be restored to their content before the modification in step 3; otherwise execution falls into an endless loop of calls to MySendTo. After the system function API sendto has been called, the function replacement of S3 has to be executed again; otherwise the HOOK function ends. The existing HOOK therefore has to perform function replacement/function restoration continuously. When the system function API is executed many times, the replacement/restoration is executed repeatedly and affects the performance of the target process. With multi-threaded calls, there may also be a moment in which the system function API has been restored and a function call in the target process goes directly to the original system function, so the HOOK is missed, that is, the accuracy of the HOOK is reduced;
S6, DLL un-injection: when the HOOK function is no longer needed, DLL un-injection can be performed by executing UnhookWindowsHookEx, which removes the patch DLL from the target process a.exe.
Referring to Fig. 2, this embodiment provides a method for implementing function hot patching through HOOK technology under Windows, comprising the following steps:
S1, prepare two patch DLLs (MyHook.dll and MyHook2.dll), where MyHook.dll is the true patch DLL containing the replacement function (the MySendTo function) and MyHook2.dll is the false patch DLL containing the jump function (the MySendTo2 function);
S2, DLL injection: by calling the SetWindowsHookEx function, the two patch DLLs are injected into the target process (a.exe). Fig. 3 shows the memory map of the sendto function of ws2_32.dll as loaded by the target process before the HOOK;
S3, function replacement: modify the system function so that it jumps to the replacement function. Specifically, referring to Fig. 5, the first five bytes of the system function sendto are modified into a first jmp instruction that jumps to the replacement function MySendTo. In this way, when the target process a.exe calls the system API sendto, execution jumps to the replacement function MySendTo.
S4, execute the jump function, which jumps back to the system function, and continue the execution of the system function API. After the replacement function (MySendTo) has done its processing, the system API sendto has to be executed to send the message. Since sendto has by then been replaced by MySendTo, the effect of executing the system function sendto is achieved by executing the function (MySendTo2) in the false patch DLL. Still referring to Fig. 5, the first 10 bytes of the MySendTo2 function of the false patch DLL are modified: the first 5 bytes are set to the first 5 bytes of the system function sendto before its modification, and bytes 6 to 10 are a second jmp instruction that jumps to the 6th byte of the system function sendto. After this modification, calling the HOOK function of the false patch DLL (MySendTo2) is equivalent to calling the original system function API (sendto). This eliminates the existing function-restoration operation, improves the performance of the target process, and prevents the HOOK from being missed because of restoration.
S5, when the HOOK function is no longer needed, DLL un-injection is performed by calling the UnhookWindowsHookEx function, and the two patch DLLs are removed from the target process.
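The byte layout described in S3 and S4, together with an entry-point integrity check that flags the resulting redirection, as an added example that is not code from the patent. It works on plain byte arrays rather than a live process; all addresses, the module bounds and the five-byte prologue are constructed, and it assumes those five bytes are whole, position-independent instructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5u                 /* opcode E9 + 32-bit displacement */
/* Constructed 32-bit addresses, not taken from the patent's figures. */
#define WS2_BASE   0x71AB0000u     /* start of the ws2_32.dll image */
#define WS2_END    0x71AC0000u     /* end of the ws2_32.dll image */
#define SENDTO     0x71AB2F51u     /* entry of sendto */
#define MYSENDTO   0x10001000u     /* replacement function in MyHook.dll */
#define MYSENDTO2  0x20001000u     /* jump function in MyHook2.dll */

/* Encode "jmp rel32" placed at `at`; rel32 counts from the next instruction. */
static void encode_jmp(uint8_t out[5], uint32_t at, uint32_t dest) {
    uint32_t rel = dest - (at + JMP_LEN);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Return 1 and the absolute destination if `code` begins with jmp rel32. */
static int decode_jmp(const uint8_t *code, uint32_t at, uint32_t *dest) {
    uint32_t rel = 0;
    if (code[0] != 0xE9) return 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)code[1 + i] << (8 * i);
    *dest = at + JMP_LEN + rel;
    return 1;
}

/* S4: jump function = saved 5 bytes, then jmp to the 6th byte of sendto. */
static void build_jump_function(uint8_t out[10], const uint8_t saved[5]) {
    memcpy(out, saved, JMP_LEN);
    encode_jmp(out + JMP_LEN, MYSENDTO2 + JMP_LEN, SENDTO + JMP_LEN);
}

/* Integrity check: does the entry of sendto jump outside its own module? */
static int entry_redirected(const uint8_t *entry, uint32_t *dest) {
    return decode_jmp(entry, SENDTO, dest) &&
           (*dest < WS2_BASE || *dest >= WS2_END);
}

int main(void) {
    /* Constructed prologue: mov edi,edi; push ebp; mov ebp,esp (5 bytes). */
    uint8_t sendto_mem[8] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
    uint8_t jump_fn[10];
    uint32_t d = 0;

    int hit = entry_redirected(sendto_mem, &d);
    printf("before: redirected=%d\n", hit);
    build_jump_function(jump_fn, sendto_mem);   /* save bytes before S3 */
    encode_jmp(sendto_mem, SENDTO, MYSENDTO);   /* S3: patch the entry */
    hit = entry_redirected(sendto_mem, &d);
    printf("after:  redirected=%d -> %08X\n", hit, (unsigned)d);
    decode_jmp(jump_fn + JMP_LEN, MYSENDTO2 + JMP_LEN, &d);
    printf("jump function resumes at %08X\n", (unsigned)d);
    return 0;
}
```

Because the scheme never restores the original bytes, the redirected entry stays in place for as long as the patch DLLs are loaded, so a check of this kind sees it on every scan instead of only between calls.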
It is obvious to a person skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the present invention can be realized in other specific forms without departing from its spirit or essential attributes. Therefore, from whichever point of view, the embodiments are to be considered illustrative and not restrictive. The scope of the present invention is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and scope of equivalents of the claims are intended to be included in the present invention.

Claims (6)

1. A method for implementing function hot patching through HOOK technology under Windows, characterized by comprising the following steps:
S1, prepare two patch DLLs, one of which is a true patch DLL containing a replacement function and the other a false patch DLL containing a jump function;
S2, inject the two patch DLLs into the target process;
S3, modify the system function so that it jumps to the replacement function;
S4, execute the jump function, which jumps back to the system function, and continue the execution of the system function API.
2. The method for implementing function hot patching through HOOK technology under Windows according to claim 1, characterized in that the specific content of S3 is: the first five bytes of the system function sendto are modified into a first jmp instruction that jumps to the replacement function MySendTo.
3. The method for implementing function hot patching through HOOK technology under Windows according to claim 1, characterized in that the first 5 bytes of the jump function are the first 5 bytes of the system function sendto before its modification, and bytes 6 to 10 of the jump function are a second jmp instruction that jumps to the 6th byte of the system function sendto.
4. The method for implementing function hot patching through HOOK technology under Windows according to claim 1, characterized in that S4 is followed by S5: when the HOOK function is no longer needed, DLL un-injection is executed and the two patch DLLs are removed from the target process.
5. The method for implementing function hot patching through HOOK technology under Windows according to claim 4, characterized in that the DLL un-injection is performed by calling the UnhookWindowsHookEx function.
6. The method for implementing function hot patching through HOOK technology under Windows according to claim 1, characterized in that the patch DLL injection in S2 is performed by calling the SetWindowsHookEx function.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910059783.3A 2019-01-22 2019-01-22 Method for implementing function hot patching through HOOK technology under Windows

Publications (1)

Publication Number Publication Date
CN109766145A 2019-05-17

Family

ID=66454943

Country Status (1)

Country Link
CN (1) CN109766145A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190517