CN112416366A - Method, device and equipment for dynamically hooking Java language hooks - Google Patents

Method, device and equipment for dynamically hooking Java language hooks Download PDF

Info

Publication number
CN112416366A
CN112416366A CN201910786023.2A CN201910786023A CN112416366A CN 112416366 A CN112416366 A CN 112416366A CN 201910786023 A CN201910786023 A CN 201910786023A CN 112416366 A CN112416366 A CN 112416366A
Authority
CN
China
Prior art keywords
function
address
target
target mapping
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910786023.2A
Other languages
Chinese (zh)
Inventor
孙渊磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201910786023.2A priority Critical patent/CN112416366A/en
Publication of CN112416366A publication Critical patent/CN112416366A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/40Transformation of program code
    • G06F8/52Binary to binary
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/30Creation or generation of source code
    • G06F8/31Programming languages or programming paradigms
    • G06F8/315Object-oriented languages

Abstract

The application discloses a method, a device and equipment for dynamically hooking Java language hooks, wherein the method comprises the following steps: firstly, determining a first function identifier of a first function, and searching a corresponding relation record corresponding to the first function identifier from a target mapping relation, wherein the target mapping relation is stored in a memory in advance and comprises a corresponding relation between the function identifier and a function address; then, the first function address in the correspondence record is modified to a second function address, so that the second function is called based on the second function address when the first instruction set is executed. Therefore, the compiler obtains the target mapping relationship through the compiling technology instruction set provided by the embodiment of the application, and when the instruction set is operated in the same process, the simple and flexible hook hanging can be realized on the basis of not changing the target application program through the target mapping relationship generated in the compiling process.

Description

Method, device and equipment for dynamically hooking Java language hooks
Technical Field
The present application relates to the field of computer processing technologies, and in particular, to a method, an apparatus, and a device for dynamically hooking a Java language.
Background
Java, as an object-oriented programming language, has the characteristics of powerful functions, simplicity and easiness in use, and can write desktop applications, Web applications, distributed system applications, embedded system applications and the like. Generally, a developer may write a Java program as required, and compile the Java program into a bytecode file, where the bytecode file is interpreted and executed in a Java virtual machine, and translate a middle code of the bytecode into a machine code that can be executed by a Central Processing Unit (CPU). Therefore, the process of processing and executing the Java language is complex, the execution efficiency is low, and at present, in order to improve the efficiency, some compilers adopt static compilation for the Java language, that is, directly compile the Java program into machine codes which can be executed by a CPU, and can run independently without depending on a virtual machine, and the process of executing the Java program without generating bytecode or requiring an interpreter to interpret is not needed.
Hooking means intercepting an original function to be called originally in a target application program through a hook program, and modifying an entry address of the original function into an entry address of a calling hook function so as to call a function of the hook function before executing and calling the original function, thereby modifying or expanding a corresponding function of the target application program. In order to flexibly insert a hook program, remove the hook program and change the hook program in the process of program running, a dynamic hook mechanism is generally adopted.
After static compiling of the Java language, dynamic hooking is usually realized by a patching mode, and the mode needs to rewrite a program, so that not only is the technical requirement on a developer high, but also a target file corresponding to a main program needs to be modified, and the stability of the program is deteriorated.
Disclosure of Invention
Based on this, the embodiment of the application provides a method, a device and equipment for dynamically hooking a hook in a Java language, and for the static compiling condition of the Java language, the simple and convenient dynamic hook hooking can be realized.
In a first aspect, in an embodiment of the present application, a method for implementing dynamic hooking in a Java language is provided, where the method is provided for a user in a class or library form, and a simple and convenient dynamic hooking in a static compiling scene of the Java language can be implemented by compiling and running the newly provided class or library. In specific implementation, first, a first function identifier of a first function may be determined, and a corresponding relationship record corresponding to the first function identifier is searched from a target mapping relationship, where the target mapping relationship is stored in a memory in advance, and the target mapping relationship includes a corresponding relationship between the function identifier and a function address; then, the first function address in the corresponding relation record is modified into a second function address, so that the second function is called based on the second function address when the first instruction set is executed. Therefore, the function address corresponding to the original function can be replaced by the address of the hook function at the position where the hook needs to be hung through the target mapping relation of each function identifier and the function address stored in the compiling process, so that the hook function can be called before the original function is executed based on the instruction set corresponding to the target application program, the hook function can be simply and flexibly hooked in the running process on the basis of not changing the target application program, and the stability and the expandability of the program are improved.
In some possible implementation manners of the first aspect, the first function identifier may be a first function ID uniquely identifying the first function, and the finding of the corresponding relationship record corresponding to the first function identifier from the target mapping relationship specifically includes: and searching the corresponding relation record corresponding to the first function ID from the target mapping relation by a table look-up method.
As an example, a first function identifier of the first function is determined, specifically: obtaining a class element of the first function according to the class literal quantity of the first function; a first function ID is determined based on the class element of the first function. The determining the first function ID based on the class element of the first function specifically includes: the method comprises the following steps that firstly, the name of a program package and the name of a class of a first function are obtained according to class elements of the first function; secondly, obtaining description information of the first function based on the class element, the name of the first function, the name of the program package, the name of the class and the parameter type list; and thirdly, calculating a first function ID of the first function according to the description information of the first function. Therefore, the first function ID is determined based on the literal quantity of the first function provided by the user, and a data basis is provided for modifying the first function address corresponding to the first function ID and realizing hook hanging at the position of the first function.
In a second aspect, in this embodiment of the application, when the target application includes a function for calling the first function and currently needs to call the hook function before calling the first function, the compiling process of the dynamic hook in the Java language may specifically include: the compiler may compile a Java language target application program file to obtain a target mapping relationship including a correspondence between a function identifier and a function address, a first instruction set for calling a first function in the target mapping relationship, and a second instruction set for instructing a second function to be executed at a location of the first function. Therefore, the compiler obtains the target mapping relation through compiling the target application program and the hook program file, and obtains the target mapping relation before obtaining the first instruction set and the second instruction set, so that when the first instruction set and the second instruction set are operated in the same process subsequently, the function address corresponding to the original function can be replaced by the address of the hook function through the target mapping relation of the function identifiers and the function addresses stored in the compiling process, and therefore based on the instruction set corresponding to the target application program, the hook function can be called before the original function is executed, on the basis of not changing the target application program, the hook function is simply and flexibly hooked in the operating process, and the stability and the expandability of the program are improved.
In a possible implementation manner of the second aspect, the compiling a target application file of a Java language by the compiler to obtain a target mapping relationship may specifically include: the compiler calculates function identifiers corresponding to the functions according to the description information of the functions, wherein the description information comprises: a full name and parameter type list of functions; the compiler searches function addresses corresponding to the functions based on the shared library; and then, correspondingly storing the function identification and the function address of each function by the compiler to obtain a target mapping relation, wherein the target mapping relation comprises the corresponding relation between the first function identification and the first function address. It is understood that the target mapping relationship may be generated by the class loader through a parent proxy mechanism; the target mapping relationship may include a first target mapping relationship and a second target mapping relationship, where the first target mapping relationship is a correspondence relationship between a function identifier and a function address corresponding to a defined function, and the second target mapping relationship is a correspondence relationship between a function identifier and a function address corresponding to an undefined function. Therefore, by the method for obtaining the target mapping relationship in the embodiment, the target mapping relationship is established, so that subsequent function calling becomes convenient and quick, convenience is provided for modifying the function address, and a simple and convenient implementation mode is provided for subsequently executing the dynamic hook of the embodiment of the application.
In other possible implementation manners of the second aspect, the first instruction set obtained by the compiler may include a first instruction, a second instruction, and a third instruction, where the first instruction is used to obtain a first address of the target mapping relationship; a second instruction, configured to obtain a destination address of a table entry corresponding to the first function in the target mapping relationship according to the first address and an offset address of the known first function in the target mapping relationship; and the third instruction is used for reading the table entry corresponding to the first function according to the destination address and calling the corresponding function based on the function address in the table entry. Therefore, the first instruction set is generated by compiling according to the embodiment of the application, so that the function can be accurately called based on the target mapping relation when the first instruction set is operated, and convenience is provided for effectively realizing corresponding functions in the target application program.
In yet other possible implementation manners of the second aspect, the compiler obtains a second instruction set, where the second instruction set is used to instruct to obtain a first function identifier of the first function, and modify a first function address corresponding to the first function identifier in the target mapping relationship into a second function address. Therefore, the second instruction set generated by the embodiment of the application can ensure that the function address corresponding to the function of the position of the hook to be hung in the target mapping relation is effectively modified when the second instruction set is operated, and a data base is provided for simply and conveniently realizing dynamic hook hanging.
In a third aspect, in this embodiment of the present application, an operation process of a dynamic hook in Java language may specifically include: firstly, target equipment receives a target mapping relation, a first instruction set and a second instruction set which are compiled by a compiler, wherein the target mapping relation comprises a corresponding relation between function identifications and function addresses, the first instruction set is used for indicating that the corresponding functions are called based on the function addresses corresponding to the first function identifications, and the second instruction set is used for indicating that second functions are executed at the positions of the first functions; then, the target device runs a second instruction set to obtain a first function identifier of the first function, and modifies a first function address corresponding to the first function identifier in the target mapping relationship into a second function address; then, the target device runs the first instruction set, obtains a second function address corresponding to the first function identifier, and calls a second function based on the second function address. Therefore, based on the first instruction set, the second instruction set and the target mapping relationship obtained by the compiler through the static compilation in the first aspect, when the first instruction set and the second instruction set are run in the same process, the function address corresponding to the original function can be replaced by the address of the hook function at the position where the hook needs to be hung through the target mapping relationship of each function identifier and function address stored in the compilation process, and based on the instruction set corresponding to the target application program, the hook function can be called before the original function is executed, so that on the basis of not changing the target application program, the hook function is simply and flexibly hooked in the running process, and the stability and the expandability of the program are improved.
In some possible implementations of the third aspect, the first instruction set may be further executed by adopting different measures according to whether the first function is a dummy function. Specifically, in one case, if the first function is a non-virtual function, the target device runs the first instruction set to obtain a second function address corresponding to the first function identifier, which specifically includes: and the target equipment searches for a target mapping relation and obtains a second function address which is stored corresponding to the first function identifier. In another case, if the first function is an imaginary function, the method further includes: the target equipment modifies a first function entry address corresponding to the first function identifier in the virtual function table into a second function address; then, in this embodiment of the present application, the target device runs the first instruction set to obtain a second function address corresponding to the first function, specifically: and the target equipment searches a function entry address corresponding to the first function in the virtual function table to obtain a second function address. Therefore, whether the virtual function or the non-virtual function is adopted, simple and convenient dynamic hooking can be completed by running the instruction set compiled by the compiling technology provided by the embodiment of the application, so that the expandability of the target application program is improved.
In other possible implementation manners of the third aspect, the running, by the target device, the second instruction set to obtain a first function identifier of the first function, and modifying a first function address corresponding to the first function identifier in the target mapping relationship into a second function address may include: the target equipment calculates a first function identifier of the first function according to the description information of the first function; the target equipment searches a table item corresponding to the first function identifier in the target mapping relation; and the target equipment modifies the first function address in the table entry into a second function address. The calculation method for calculating the first function identifier of the first function according to the description information of the first function needs to be consistent with the calculation method for calculating the function identifier when the target mapping relationship is compiled and generated in the first aspect, that is, the developer writing the hook program file knows the calculation method in step 3011, and writes the program code for performing the function identifier based on the known calculation method in the hook program file, so that when the target device runs the second instruction set in the target file, the first function identifier corresponding to the description information of the first function can be calculated based on the calculation method.
In yet other possible implementations of the third aspect, the target device executing the first instruction set, obtaining a second function address corresponding to the first function identifier, and calling the second function based on the second function address includes: the target equipment acquires a first address of a target mapping relation; the target equipment adds the offset address of the first function in the target mapping relation on the initial address to obtain a target address; the target equipment obtains a table entry corresponding to a first function in the target mapping relation according to the destination address; and the target equipment calls a second function based on a second function address corresponding to the first function identifier in the current table entry.
In other possible implementations of the third aspect, the target mapping relationship is generated by the class loader through a parent proxy mechanism; the target mapping relation comprises a first target mapping relation and a second target mapping relation, wherein the first target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the defined function, and the second target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the undefined function.
In yet other possible implementations of the third aspect, the method further includes: the target device stores description information of the first function and a first function address. Then, in one case, the method further comprises: in response to the hook removal request, the target device calculates a first function identifier of the first function based on the stored description information of the first function; and the target equipment modifies the second function address corresponding to the first function identifier in the target mapping relation into the first function address. In another case, the method further comprises: and when the process is terminated or the first instruction set is operated completely, the target equipment modifies the second function address in the target mapping relation into the first function address. Therefore, flexible hook hanging and hook unloading on the target application program are realized, and the expandability of the target application program is improved.
In a fourth aspect, an embodiment of the present application further provides a compiler, including: the Java language target application program file compiling device comprises a first compiling unit, a second compiling unit and a third compiling unit, wherein the first compiling unit is used for compiling a target application program file of a Java language to obtain a target mapping relation and a first instruction set, the target mapping relation comprises a corresponding relation between function identifications and function addresses, and the first instruction set is used for indicating that corresponding functions are called based on the function addresses corresponding to the first function identifications; and the second compiling unit is used for compiling the hook program file to obtain a second instruction set, wherein the second instruction set is used for indicating that the second function is executed at the position of the first function.
In a possible implementation manner of the fourth aspect, the first compiling unit includes: the calculation subunit is used for calculating the function identifier corresponding to each function according to the description information of each function; wherein the description information includes: a full name and parameter type list of functions; the searching subunit is used for searching function addresses corresponding to the functions based on the shared library; and the storage subunit is used for correspondingly storing the function identifier and the function address of each function to obtain a target mapping relationship, wherein the target mapping relationship comprises a corresponding relationship between the first function identifier and the first function address.
It is to be understood that the first instruction set includes a first instruction, a second instruction, and a third instruction, where the first instruction is used to obtain a first address of a target mapping relationship; a second instruction, configured to obtain a destination address of a table entry corresponding to the first function in the target mapping relationship according to the first address and an offset address of the known first function in the target mapping relationship; and the third instruction is used for reading the table entry corresponding to the first function according to the destination address and calling the corresponding function based on the function address in the table entry. And the second instruction set is used for indicating to obtain the first function identifier of the first function and modifying the first function address corresponding to the first function identifier in the target mapping relation into a second function address.
The target mapping relation is generated by the class loader through a parent agent mechanism; the target mapping relation comprises a first target mapping relation and a second target mapping relation, wherein the first target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the defined function, and the second target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the undefined function.
It should be noted that the compiler provided by the fourth aspect corresponds to the method provided by the second aspect, so that reference may be made to the description of the method provided by the second aspect for various possible implementations and technical effects achieved by the compiler provided by the fourth aspect.
In a fifth aspect, there is also provided a target device, including: the system comprises an acquisition unit, a compiler and a control unit, wherein the acquisition unit is used for receiving a target mapping relation, a first instruction set and a second instruction set which are compiled by the compiler, the target mapping relation comprises a corresponding relation between function identifiers and function addresses, the first instruction set is used for indicating that the corresponding functions are called based on the function addresses corresponding to the first function identifiers, and the second instruction set is used for indicating that a second function is executed at the position of the first function; the first operation unit is used for operating the second instruction set, obtaining a first function identifier of the first function, and modifying a first function address corresponding to the first function identifier in the target mapping relation into a second function address; and the second operation unit is used for operating the first instruction set, obtaining a second function address corresponding to the first function identifier, and calling a second function based on the second function address.
In a possible implementation manner of the fifth aspect, in one case, if the first function is a non-virtual function, the second operation unit is specifically configured to: and searching a target mapping relation to obtain a second function address which is stored corresponding to the first function identifier. In another case, if the first function is an imaginary function, the target device further includes: a first modifying unit, configured to modify a first function entry address corresponding to the first function identifier in the virtual function table into a second function address; the second operation unit is specifically configured to: and searching a function entry address corresponding to the first function in the virtual function table to obtain a second function address.
In another possible implementation manner of the fifth aspect, the first operation unit includes: the calculating subunit is used for calculating a first function identifier of the first function according to the description information of the first function; the searching subunit is configured to search, in the target mapping relationship, a table entry corresponding to the first function identifier; and the modifying subunit is used for modifying the first function address in the table entry into a second function address.
In another possible implementation manner of the fifth aspect, the second operation unit includes: the first acquisition subunit is used for acquiring the first address of the target mapping relation; the increasing subunit is used for increasing the offset address of the first function in the target mapping relation on the initial address to obtain a destination address; the second obtaining subunit is configured to obtain, according to the destination address, a table entry corresponding to the first function in the target mapping relationship; and the calling subunit is used for calling the second function based on the second function address corresponding to the first function identifier in the current table entry.
It is understood that the target mapping relationship is generated by the class loader through the parent proxy mechanism; the target mapping relation comprises a first target mapping relation and a second target mapping relation, wherein the first target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the defined function, and the second target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the undefined function.
In yet another possible implementation manner of the fifth aspect, the target device further includes: and the storage unit is used for storing the description information and the first function address of the first function. In one case, the target device further includes: the calculation unit is used for responding to the hook unloading request and calculating a first function identifier of the first function based on the stored description information of the first function; and the second modification unit is used for modifying a second function address corresponding to the first function identifier in the target mapping relation into the first function address. In another case, the second modifying unit is further configured to: and when the process is terminated or the first instruction set is completely operated, modifying the second function address in the target mapping relation into the first function address.
It should be noted that the target device provided by the fifth aspect corresponds to the method provided by the third aspect, so that reference may be made to the description of the method provided by the third aspect for various possible implementations and achieved technical effects of the target device provided by the fifth aspect.
In a sixth aspect, an embodiment of the present application further provides an apparatus, including: the searching unit is used for determining a first function identifier of a first function and searching a corresponding relation record corresponding to the first function identifier from a target mapping relation, wherein the target mapping relation is stored in a memory in advance and comprises a corresponding relation between the function identifier and a function address; and the modifying unit is used for modifying the first function address in the corresponding relation record into a second function address so as to call the second function based on the second function address when the first instruction set is operated.
In some possible implementation manners of the sixth aspect, the first function identifier is a first function ID uniquely identifying the first function, and the search unit is specifically configured to: and searching the corresponding relation record corresponding to the first function ID from the target mapping relation by a table look-up method.
As an example, the modifying unit includes: a first obtaining subunit, configured to obtain a class element of the first function according to a class literal quantity of the first function; a determining subunit that determines the first function ID based on the class element of the first function. Wherein, the determining the sub-unit specifically comprises: a second obtaining subunit, configured to obtain, according to the class element of the first function, a name of the package and a name of the class of the first function; a third obtaining subunit, configured to obtain description information of the first function based on the class element, the name of the first function, the name of the package, the name of the class, and the parameter type list; and the calculating subunit is used for calculating a first function ID of the first function according to the description information of the first function.
It should be noted that the apparatus provided by the sixth aspect corresponds to the method provided by the first aspect, so that reference may be made to the description of the method provided by the first aspect for various possible implementations and technical effects achieved by the apparatus provided by the sixth aspect.
In a seventh aspect, an embodiment of the present application further provides an apparatus, where the apparatus includes a memory and a processor; wherein the memory is used for storing program codes; the processor is configured to run an instruction in the program code, so that the device executes the method for dynamically hooking the Java language in any implementation manner of the first to third aspects.
In an eighth aspect, an embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to execute the method for dynamically hooking a Java language in any implementation manner of the first to third aspects.
In a ninth aspect, an embodiment of the present application further provides a computer program product, which when run on a computer, causes the computer to execute the method for dynamically hooking in the Java language according to any implementation manner of the foregoing first to third aspects.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic diagram of a system framework involved in an application scenario in an embodiment of the present application;
FIG. 2a is a schematic diagram of an application scenario in an embodiment of the present application;
FIG. 2b is a diagram illustrating another application scenario in an embodiment of the present application;
FIG. 2c is a schematic diagram of another application scenario in the embodiment of the present application;
fig. 2d is a schematic structural diagram of a mobile phone 200 according to an embodiment of the present application;
fig. 2e is a schematic structural diagram of a server 300 according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a method for dynamically hooking Java language in an embodiment of the present application;
FIG. 4 is a schematic flowchart of an example of step 301 in the embodiment of the present application;
FIG. 5 is a flowchart illustrating another method for dynamically hooking Java language in the present application;
FIG. 6 is a flowchart illustrating an example of step 502 in an embodiment of the present application;
FIG. 7 is a flowchart illustrating an exemplary process of updating a virtual function table according to an embodiment of the present application;
FIG. 8 is a flowchart illustrating an example of step 503 in the present embodiment;
FIG. 9 is a flowchart illustrating a method for dynamically unhooking Java language in an embodiment of the present application;
FIG. 10 is a flowchart illustrating a method for dynamically unhooking Java language according to an embodiment of the present application;
FIG. 11 is a block diagram of a compiler according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a target device in an embodiment of the present application;
FIG. 13 is a schematic structural diagram of an apparatus according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of another apparatus in the embodiment of the present application.
Detailed Description
Hooking means intercepting an original function to be called originally in an original target application program through a hook program, and modifying an entry address of the original function into an entry address of a calling hook function so as to call a function of the hook function before executing and calling the original function, thereby modifying or expanding a function corresponding to the target application program. And in the process of program operation, the operations of inserting a hook program, removing the hook program and changing the hook program can be called dynamic hooking. And a dynamic hook mechanism is adopted to realize dynamic hook hanging, so that the functions of the target application program can be flexibly modified and expanded.
In a Java virtual machine scenario, a process of executing a Java program by the Java virtual machine may specifically include: firstly, a Java program is compiled into a bytecode, which is an intermediate code and cannot be recognized and processed by a Central Processing Unit (CPU) in many scenarios, and then, the bytecode needs to be interpreted and executed by an interpreter, and translated into a machine code that can be executed by the CPU. In this scenario, Metadata describing the function is stored in the Java virtual machine, and is called a Method Metadata. The method element may include description information of the function, and specifically may include: the name of the method (or the name of the function), the name of the class to which the method belongs, the name of the package, the list of parameter types and the address of the method entry (or the address of the function), etc. The vendor may store only part of the description information, for example: only the method signature and the method entry address of the method element are stored, and the method signature comprises a method name and a parameter type list, so that the method entry address can still be obtained based on the method element in the explanation execution process, and the method is called based on the method entry address.
In the scene of the Java virtual machine executing the Java program, dynamic hook hanging can be realized based on the characteristic that the Java virtual machine obtains a method entry address based on the method element during interpretation and execution. The specific process can comprise the following steps: firstly, a method element can be obtained through reflection operation in a Java virtual machine, and hook hanging at the position before the method is realized by modifying the method entry address of the method element as the entry address of a hook function; then, when the bytecode corresponding to the Java program is interpreted and executed in the Java virtual machine, based on the method entry address of the method element after it has been modified, the hook function can be called with the "method entry address" of the method element (i.e., the entry address of the hook function), so that hooking at the position before the method is realized.
The dynamic hooking sub-method for obtaining the method entry address based on the method element and modifying the method entry address into the entry address of the hook function needs to be performed when the Java virtual machine is interpreted. However, at present, in order to simplify the process of processing and executing the Java language, a compiler (e.g., warfarin compiler) may adopt static compilation for the Java language, that is, directly compile the Java program into machine code that can be executed by a CPU, and the machine code can be independently run without relying on a Java virtual machine, and does not generate bytecode or require an interpreter to perform an interpretation and execution process, thereby having higher execution efficiency. Therefore, the dynamic hook sub-mode fails in the static compiling scene of the Java language.
In the static Java language compiling scenario, a compiler compiles a Java program to obtain an object file, where each function or method in the Java program corresponds to a part of an instruction set in the object file, where the instruction set may be a set of consecutive instructions that can be executed by a processor in the object file or in a memory, and generally includes a function prolog (english: prolog) and a function epilogue (english: epilogue), where prolog is used to store context information, for example: the system comprises a register, a stack pointer of a function and a return address, wherein the return address is used for indicating the address of the next instruction to be executed after the returned function is returned; epilogue is used to restore context. It should be noted that, for the same-style compiler, the formats of prologue and epilogue in the generated target file are fixed; the formats of prologue and epilogue in the generated target file may be the same or different for different compilers.
In the embodiment of the present application, the target application file or the hook program file both refer to a file storing source code, and the source code refers to a main program or a hook program edited by a managed language such as Java. The object file is a file generated by compiling a source code in an object application program file or a hook program file, and a plurality of groups of instruction sets in the object file can be directly identified and processed by the CPU.
In the static compilation scenario of the Java language, dynamic hooking is usually implemented in a patching manner, and specifically implemented in the following two manners:
in a first possible manner, dynamic hooking may be implemented by a "springboard" function (english: trampoline), that is, one to two lines of instructions in prologue and epilogue are deleted and patched into trampoline, which not only needs to compensate the functions of saving context information and restoring context of prologue and epilogue, but also carries a number or an identifier corresponding to the hooking function, so as to ensure that the hooking function is called by the number or the identifier. Therefore, in the patching mode, to rewrite trampoline, not only the content of the original target file needs to be damaged, but also the function corresponding to the damaged content needs to be compensated, so that the implementation difficulty is high, and the stability of the program is easily reduced.
In a second possible manner, dynamic hooking may also be implemented by using a "skid" code segment (english: slid), that is, a compiler inserts a plurality of null instructions (NOPs) before prologue of each function, and in the program running process, patches may be applied to the null instructions according to actual requirements, so as to call a hook function before calling the original method. Although the patching method makes up the deficiencies of the first possible method without destroying the content of the original target file or considering the compensation of the functions of saving context information and restoring context of prologue and epilogue, the method needs to recompile the program after patching to insert a 'slide board' code segment (instruction set) so as to realize the patching operation on the 'slide board' in the running period, which causes the compiling process of the program to be complicated, and a plurality of NOPs are inserted before prolongation of each function, which causes the volume of the target file to be increased and increases the pressure on computer resources. For example: the following instructions are added before each prologue:
b #32// unconditional jump 32 bytes (indicating a jump of 7NOP instructions described below)
7NOPs (24bytes)//7 null instructions (also called no-operation instructions)
When a hook needs to be hooked at this location, a patch may be patched at the null instruction, i.e., "B # 32" and "7 NOPs (24 bytes)" are replaced with the following instructions:
STP X0, X30, [ SP, # -16 ]! V/saving X0 and Link Register (LR) (Save function return Address) to the current Stack frame
LDR W0, #12// Loading function ID into W0 (the lower 32 bits of the X0 register) (note: immediate #12 is merely an example)
LDR X16, #12// Loading hook function relative Address into X16 register
BLR X16// Call hook function
LDP X0, X30, [ SP ], #16// restoring X0 and LR registers from the current stack frame
Therefore, in the static compiling scene of the Java language, by dynamically hooking the hook in any one of the two patching modes, the implementation process is very complicated, the technical requirement on a developer is high, and the target file corresponding to the main program needs to be modified, so that the program stability is poor.
Based on this, embodiments of the present application provide a method and an apparatus for dynamically hooking a hook in a Java language, where in a process of running a machine code compiled in a static state in the Java language, on the premise of not changing an original main program, by storing a target mapping relationship between each function identifier and a function address in a compiling process, when a target application includes a function for calling a first function and a hook function needs to be called before the first function is called currently, a function address corresponding to an original function at a position where the hook needs to be hooked in the target mapping relationship is replaced with an address of the hook function based on an instruction set corresponding to the hook program in a running process, so that the instruction set corresponding to the target application is run in the process, that is, the hook function can be called before the original function is executed, and on the basis of not changing the target application, the hook function can be simply called in the running process, The flexible hook improves the stability and the expandability of the program.
It should be noted that the method provided by the embodiment of the present application may be provided to a user in the form of a class or a library, and a simple and convenient dynamic hooking in a static compilation scene of a Java language may be implemented by compiling and running the newly provided class or library.
Before describing the method provided by the embodiment of the present application, a scenario to which the embodiment of the present application is applicable is described in an exemplary manner.
As an example, taking the network architecture shown in fig. 1, taking hooking a hook on a target application of an android as an example, the method provided in the embodiment of the present application is specifically described. Referring to fig. 1, the architecture may include a server 110, a target device 120, and a user 130, where the server 110 includes a compiler 111, the compiler 111 may compile a source program file and a hook program file of a Java program to obtain a target file, and the target file may include a target mapping relationship, a first instruction set, and a second instruction set, where the target mapping relationship includes a correspondence between a function identifier and a function address, the first instruction set is used to instruct a function address corresponding to the first function identifier to call a corresponding function, and the second instruction set is used to instruct a second function to be executed at a location of the first function. The target device 120 includes a CPU 121, where the CPU 121 is configured to run an instruction set in a target file generated by compiling by the compiler 111 in the server 110, and specifically may run a second instruction set, obtain a first function identifier of a first function, and modify a first function address corresponding to the first function identifier in the target mapping relationship into a second function address; the first instruction set may also be run to obtain a second function address corresponding to the first function identifier in the modified target mapping relationship or in the updated virtual function table, and the second function may be called based on the second function address. The user 130 may input the hook trigger and configuration operation on the input module 122 of the target device 120, and the display module 123 of the target device 120 may also display the effect generated by the hook for the user 130. It can be understood that the server 110 in this scenario may be a cloud server or an entity server device, the target device 120 may be a mobile phone, a Personal Computer (PC), a tablet Computer, a server, and the like, and the target device 120 may be capable of communicating with the server 110 and processing a target file compiled by the server 110. The device for inputting the target application program file and the hook program file may be the same device as the target device for running the target file, or may be two different devices, which specifically implements the network architecture in the embodiment of the present application, and is not specifically limited in the embodiment of the present application.
A brief description of several possible implementation scenarios for embodiments of the present application follows.
In one scenario, as shown in fig. 2a, the source code in the target application file 201 and the hook program file 202 may be compiled together, the hook program code is called at the entry position of the main program code, and a shared library file 203 is generated after the compilation. The scenario may be, for example, fragment-Oriented Programming (AOP), which is a technology for implementing unified maintenance of program functions through a precompilation mode and a dynamic agent in a runtime, and is a derivative paradigm of functional Programming, and each part of service logic may be isolated by using AOP, so that the coupling degree between each part of service logic is reduced, the reusability of a program is improved, and the development efficiency is improved.
In another scenario, as shown in fig. 2b, in the embodiment of the present application, when the target application file 201 is loaded and executed by an incubator process (e.g., android zygate) 209 shared by the application programs, the shared library file 204 generated by the source code of the compiled hook program file 202 is loaded. This scenario may be applied, for example, to intercept sensitive interface calls, detecting whether an application sends user privacy information onto the network.
In another scenario, as shown in fig. 2c, the source codes of the target application file 201 and the hook program file 202 may be compiled into different apk 205 and apk 206, respectively, and the apk 205 and the apk 206 are configured to run in the same process 208 by means of android Instrumentation. This scenario may be applied, for example, to white-box testing.
It can be understood that, referring to fig. 2d, an architecture schematic diagram of a terminal device such as a mobile phone executing the embodiment of the present application may take the mobile phone 200 as an example, and may include: a Radio Frequency (RF) circuit 210, a memory 220, an input unit 230, a display unit 240, an audio circuit 260, a wireless fidelity (WiFi) module 220, a processor 280, and a power supply 280. Those skilled in the art will appreciate that the configuration of the handset 200 shown in figure 2d is not intended to be limiting and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
In addition, as shown in fig. 2e, an architecture diagram of the server 300 in the embodiment of the present application may be implemented, and may include: at least one processor 310, at least one memory 320, at least one transceiver 330, and at least one network interface 340. The processor 310, the memory 320, the transceiver 330 and the network interface 340 are connected, for example, by a bus, and in this embodiment, the connection may include various interfaces, transmission lines or buses, which is not limited in this embodiment. The network interface 340 is used to enable the server 300 to connect to other devices via a communication link. The processor 310 may include, but is not limited to, at least one of the following: various types of computing devices that run software, such as a CPU, microprocessor, Digital Signal Processor (DSP), Microcontroller (MCU), or artificial intelligence processor, may each include one or more cores for executing software instructions to perform operations or processing. The processor 310 may include a compiler 311 for executing statically compiled program code. The processor 310 may be a single semiconductor chip or integrated with other circuits to form a SoC (system on chip) or integrated with other circuits (such as codec circuit, hardware acceleration circuit, or various buses and interface circuits), or may be integrated as an ASIC built-in processor, which may be packaged separately or together with other circuits. The processor may further include necessary hardware accelerators such as Field Programmable Gate Arrays (FPGAs), PLDs (programmable logic devices), or logic circuits implementing dedicated logic operations, in addition to cores for executing software instructions to perform operations or processes. The memory 320 may include at least one of the following types: read-only memory (ROM) or other types of static memory devices that may store static information and instructions, Random Access Memory (RAM) or other types of dynamic memory devices that may store information and instructions, and Electrically erasable programmable read-only memory (EEPROM). In some scenarios, the memory may also be, but is not limited to, a compact disk-read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 320 may be separate and connected to the processor 310, or the memory 320 may be integrated with the processor 310, for example, in a chip. The memory 320 can store program codes for executing the technical solutions of the embodiments of the present application, and the processor 310 controls the execution of the program codes, and various executed computer program codes can also be regarded as drivers of the processor 310. For example, the processor 310 is configured to execute the computer program code stored in the memory 320, so as to implement the technical solution in the embodiment of the present application. The transceiver 330 may be used to support the reception or transmission of radio frequency signals between the access network equipment and the terminal, and the transceiver 330 may be connected to the antenna 350. The transceiver 330 includes a transmitter Tx and a receiver Rx.
It should be noted that, in the embodiment of the present application, the target application file and the hook program file may be written by a user on a PC, the compiling process may be executed on a terminal with a compiling function, such as a server, a mobile phone, a PC, and the like, and the processes of executing the instruction set to hook and executing the hook function may be executed on a target device, such as a mobile phone, a PC, and the like. The server can be a cloud server, an entity server device or a PC.
It is to be understood that the above scenario is only one example of a scenario provided in the embodiment of the present application, and the embodiment of the present application is not limited to this scenario.
The following describes a specific implementation manner of a method for dynamically hooking a Java language in an embodiment of the present application in detail by using an embodiment with reference to the accompanying drawings.
Fig. 3 is a flowchart illustrating a method for dynamically hooking a Java language in an embodiment of the present application. Referring to fig. 3, the method includes a compiler compiling process of a target application program file and a hook program file, and may include, for example:
step 301, a compiler compiles a target application program file of Java language to obtain a target mapping relationship and a first instruction set, where the target mapping relationship includes a correspondence between function identifiers and function addresses, and the first instruction set is used to instruct to call corresponding functions based on the function addresses corresponding to the first function identifiers.
Step 302, a compiler compiles a hook program file to obtain a second instruction set, wherein the second instruction set is used for instructing to execute a second function at the position of the first function.
It can be understood that a developer can write a target application program file in the Java language according to development requirements; developers can write hook program files according to requirements. When the compiler on the server side statically compiles the Java language, in one case, the compiler may compile a target application file and a hook program file at the same time to generate a target file, where the target file includes: a target mapping relationship, a first instruction set, and a second instruction set. In another case, the compiler may also compile a target application program file and a hook program file, respectively, to generate a first target file corresponding to the compiled target application program file and a second target file corresponding to the hook program file, where the first target file includes: the target mapping relation and the first instruction set, and the second target file comprises a second instruction set. The object file is a so-format file, and the object file comprises an instruction set which can be executed by a CPU in the terminal equipment. It should be noted that, no matter whether the target application program file and the hook program file are compiled simultaneously or separately, the dynamic hook sub-function provided by the embodiment of the present application can be performed as long as the corresponding target files run in the same process.
It should be noted that, in one case, the source codes in the target application file and the hook program file may be compiled together, the hook program code is called at the entry position of the main program code, and a shared library file is generated after the compilation. The situation can be applied to fragment-Oriented Programming (called AOP for short), the AOP is a technology for realizing the unified maintenance of program functions through a precompilation mode and a dynamic agent in a running period, is a derivative normal form of functional Programming, and can isolate all parts of business logic by utilizing the AOP, so that the coupling degree between all parts of the business logic is reduced, the reusability of a program is improved, and the development efficiency is improved. In another case, the library file generated by compiling the hook program code may be loaded by a common hatcher process (e.g., zygate) of the application program, and when the target application program file is executed, the hook is hung by a process of loading the target application program hatched from the shared library file generated by the source code of the compiled hook program file. This scenario can be applied to intercept sensitive interface calls, detecting whether an application sends user privacy information to the network. In another case, the target application file and the hook program file may also be 2 program files, which are compiled separately, that is, the hook program and the main program are compiled separately into an apk file, two apks are configured by means of android Instrumentation, and the apk runs in the same process. This case can be applied to the white-box test.
It is understood that after the object application program file of the Java program is statically compiled, an instruction set for instructing to call each function is obtained. The first instruction set may be an instruction set of a statically compiled target file of a target application program file of a Java program, and is used to instruct to call a first function. For example: if the target application program file indicates to call the function a, the function B, and the function C, then the instruction set corresponding to the target application program file may include a subset of instructions indicating to call the function a: prologue 1, intermediate instruction 1 and epilogue 1, and the same way, may also include instructions to call the corresponding subset of instructions of function B: prologue 2, intermediate instruction 2 and epilogue 2, and may further include a sub-set of instructions indicating that the calling function C corresponds to: prologue 3, intermediate instruction 3, and epilogue 3. Assuming that function a is indicated in the target application file to call function D, intermediate instruction 1 may be used to indicate that function D is called, enabling function D to be called in function a.
The second instruction set may be a part of instructions in a hook program file statically compiled instruction set written in Java language. For example: assuming that the hook program is to hang the hook function E at the position where the function a calls the function D in the main program, the second instruction set corresponding to the hook program file includes an instruction set for hanging the hook function E: prologue 4, an intermediate instruction 4 and epilogue 4, where the intermediate instruction 4 may be used to modify a function address corresponding to a function D in a target mapping relationship into a function address of a function E. It should be noted that the hook program file and the hook program mentioned below refer to code for hooking a hook on a main program, and the hook can be hung on the main program by running the second instruction set compiled from the hook program file, so that when the first instruction set compiled from the main program is run, a corresponding hook function is called instead of the main function.
The target mapping relationship comprises a corresponding relationship between a function identifier and a function address, the function identifier can uniquely represent the function, and the function address can be called to the function.
As an example, the process of compiling the target application file in the Java language to obtain the target mapping relationship in step 301, referring to fig. 4, may be specifically implemented by the following steps 3011 to 3013:
step 3011, the compiler calculates function identifiers corresponding to the functions according to the description information of the functions; wherein the description information includes: function full name and parameter type list;
step 3012, the compiler searches function addresses corresponding to the functions based on the shared library;
step 3013, the compiler stores the function identifier and the function address of each function correspondingly to obtain a target mapping relationship, where the target mapping relationship includes a corresponding relationship between the first function identifier and the first function address.
It is understood that the functions each have description information for describing the characteristics of the function, including the full name of the function, the parameter type list, and the like, all represented by character strings. The full name of the function (english: full-qualified method name) refers to information that can uniquely identify the function in the program, and may include a name of the function, a name of a class to which the function belongs, and a name of a package to which the function belongs, for example: for the background color function in Java language, the function name is: getBacbackground () and the function of this function is named: com, huawei, android, DrawedWindow, getBacckound () that defines the full name of the class to which the background color taking function belongs. A list of types of parameters, including the type of each parameter defined in the function, such as: variable, integer, etc.
In the compiling process, the compiler can represent the unique identification of the function through the character string of the description information, but the method is not simple and convenient enough, so that the description information can also be used for calculating a value corresponding to the description information through a preset calculation method, the value is called as a function identification, and the function identification can simply, conveniently and uniquely identify the function. The preset calculation method may be MD5 or a Secure Hash Algorithm (english: Secure Hash Algorithm, SHA for short). For example: the function identifier may be a hash value obtained by hashing the description information.
In the specific implementation, in the compiling stage, the relative address of the function in the target file can be searched, the relative address is used as the function address, the function identifier is correspondingly stored, and the target mapping relation including the corresponding relation between the plurality of groups of function addresses and function identifiers is generated. As an example, the expression form of the target mapping relationship may be a target mapping relationship table, where the target mapping relationship table includes a plurality of entries, each entry corresponds to a function (also referred to as a method), and the entry includes a function identifier and a function address of the function. For example: the target mapping relationship table may be as shown in table 1 below:
TABLE 1
Figure RE-GDA0002268218540000131
Figure RE-GDA0002268218540000141
Wherein, the target mapping relation table comprises: entry (ID) corresponding to function 11Table entry (ID) corresponding to address 1) and function 22Entry (ID) corresponding to address 2), … …, function NNAnd address N), where N is an integer greater than or equal to 2.
It should be noted that the target mapping relationship may specifically include: the system comprises a first target mapping relation and a second target mapping relation, wherein the first target mapping relation is the corresponding relation between a function identifier and a function address corresponding to a defined function, and the second target mapping relation is the corresponding relation between a function identifier and a function address corresponding to an undefined function. The corresponding relations included in the first target mapping relation may be corresponding relations between function identifiers and function relative addresses corresponding to functions which have been defined and loaded in the software module; the corresponding relations included in the second target mapping relation may be the corresponding relations of function identifiers and function addresses corresponding to functions that are not defined inside the software module, but in the compiling stage, since the functions in the second target mapping relation are not in the internal shared library, the relative addresses of the functions cannot be obtained, and therefore, the function addresses in the second target mapping relation are all empty. Therefore, the target mapping relations are respectively established for the defined function and the undefined function in the compiling stage, and the binding speed of the subsequent function can be effectively improved.
It should be noted that, step 3011 and step 3012 are not executed in sequence, and step 3011 may be executed first and then step 3012 is executed, or step 3012 may be executed first and then step 3011 is executed, or step 3011 and step 3012 may be executed at the same time.
The compiler according to the embodiment of the present application may be a component in a device such as a server, a PC, or a mobile phone. The compiler is used for compiling a target application program file and a hook program file which are input by a user on a device such as a PC.
It can be seen that, with the embodiment shown in fig. 3, the compiler, by compiling the target application program and the hook program file, in addition to obtaining the first instruction set and the second instruction set, obtains the target mapping relationship, can conveniently and quickly realize the calling of the function, also provides convenience for modifying the function address, that is, when the first instruction set and the second instruction set are subsequently run in the same process, the function address corresponding to the original function can be replaced by the address of the hook function at the position where the hook needs to be hung through the target mapping relation of the function identifiers and the function addresses stored in the compiling process, so that based on the instruction set corresponding to the target application program, namely, the hook function can be called before the original function is executed, on the basis of not changing the target application program, the simple and flexible hook is used in the operation process, and the stability and the expandability of the program are improved.
Fig. 5 is a flowchart illustrating a method for dynamically hooking a Java language in an embodiment of the present application. Referring to fig. 5, the method includes a process in which a target device receives and runs a compiled set of instructions for a target application file and a hook program file, and may include, for example:
step 501, a target device receives a target mapping relationship, a first instruction set and a second instruction set, wherein the target mapping relationship is compiled by a compiler and includes a corresponding relationship between a function identifier and a function address, the first instruction set is used for instructing to call a corresponding function based on the function address corresponding to the first function identifier, and the second instruction set is used for instructing to execute a second function at the position of the first function.
It should be understood that, in this embodiment of the present application, the target device may refer to a device having a function of executing an instruction set, such as a mobile phone, a server, or a PC, and is not specifically limited in this embodiment of the present application.
It should be noted that the target device may receive the instruction set and the target mapping relationship generated by compiling by the compiler, and in one case, the target device and the device in which the compiler is located may be the same device, and then the device in which the compiler is located may send the target mapping relationship generated by compiling, the first instruction set, and the second instruction set to the target device in an internal communication manner; in another case, the target device and the device where the compiler is located may also be two different devices, and then the device where the compiler is located may send the target mapping relationship, the first instruction set, and the second instruction set generated by the compiling to the target device through the external sending interface, and the target device may receive the target mapping relationship, the first instruction set, and the second instruction set through the external receiving interface.
It should be noted that, for the relevant description of the first instruction set, the second instruction set, and the target mapping relationship in step 501, reference may be made to the specific description in the embodiment shown in fig. 3, and details are not repeated here.
It can be understood that, after the target device receives the first instruction set, the second instruction set, and the target mapping relationship sent by the compiler, the CPU in the target device can execute the first instruction set and the second instruction set. It should be noted that, before executing the function corresponding to the position of the hook, step 502 needs to be executed first to complete the dynamic hook operation, and then step 503 needs to be executed to implement the call of the function at the position. In the embodiment of the present application, taking an example that a hook is hung at a position of a first function in a main program, and the hung hook function is a second function as an example, the description and implementation manner in the embodiment of the present application can be referred to for the implementation of hanging other hook functions at other positions.
In specific implementation, when the instruction set is run on the target device, the instruction set and the target mapping relationship in the target file are first loaded into the memory of the target device, and then the instruction set in the target file can be executed. The functions in the shared library are usually loaded into the memory through a class loader during running, and other programs directly call data corresponding to the functions to be called in the memory when in use.
In the process, function addresses of functions in the target binding relationship may be updated, and a relative address of the function in the target binding relationship at a compiling stage is modified into an absolute address of the function in the memory, where the method for determining the absolute address of the function in the memory may be to obtain a function address corresponding to a function identifier of the function through a linker, fill the function address in the target mapping relationship, and store the function address corresponding to the function identifier of the function. It should be noted that, since the virtual function table may be used for the call of the virtual function, the virtual function table may also be updated based on the update of the target binding relationship, thereby providing a data base for the call of the virtual function.
It should be noted that, in order to make the function binding process more secure, the class loader may determine the classes that the function depends on by parsing the function, and load the relevant classes sequentially by the class loader through a parent-deletion mechanism (english) to generate the target mapping relationship table. The parent proxy mechanism refers to that a child loader sends the load request to its parent loader when parsing and loading the class, and may include the following cases: in case one, if the parent loader determines that the class is defined, the parent loader loads the class and then returns the class to the child loader; in case two, if the parent loader determines that the class is undefined, the parent loader returns to the child loader for loading; in case three, if the function is a child dependent on a parent, the parent loader completes loading the parent, and then notifies the child loader to load the child; the parent proxy mechanism loading case may also include other cases, not enumerated herein. Therefore, the basic function in the system is prevented from being tampered by the sub loader loading the malicious program, and the safety in the function binding process and the system operation process is improved.
Step 502, the target device runs the second instruction set to obtain a first function identifier of the first function, and modifies a first function address corresponding to the first function identifier in the target mapping relationship into a second function address.
As an example, in step 502, a second instruction set is executed, a first function identifier of the first function is obtained, and a first function address corresponding to the first function identifier in the target mapping relationship is modified into a second function address, which is also referred to as a process of dynamically hooking a hook. Referring to fig. 6, the process of dynamically hooking the hook may be specifically implemented by the following steps 5021 to 5023:
step 5021, the target device calculates a first function identifier of the first function according to the description information of the first function;
step 5022, the target device searches a table entry corresponding to the first function identifier in a target mapping relation;
step 5023, the target device modifies the first function address in the table entry into a second function address.
It can be understood that, the calculation manner of calculating the first function identifier of the first function according to the description information of the first function in step 5021 needs to be consistent with the calculation manner of step 3011, that is, a developer writing the hook program file knows the calculation manner in step 3011, and writes program code for performing function identification based on the known calculation manner in the hook program file, so that when the target device runs the second instruction set in the target file, the first function identifier corresponding to the description information of the first function can be calculated based on the calculation manner.
In specific implementation, it is assumed that the second instruction set may include a fourth instruction, a fifth instruction, and a sixth instruction, where the fourth instruction is used to calculate a first function identifier of the first function according to the description information of the first function; the fifth instruction is used for searching the table entry corresponding to the first function identifier from the target mapping relation according to the first function identifier; the sixth instruction is used for modifying the first function address in the table entry into the second function address.
For example: assume that the second set of instructions is where function a calls function 2, hook function E is hung, and the function address of hook function E is address m (where m is an integer greater than 0). The step 202 process may include: calculating the function identifier ID of the function 2 according to the description information of the function 2, namely the full name of the function 2 and the parameter type list of the function 22(ii) a In the target mapping relationship table shown in the above table 1, the lookup function is identified as ID2I.e., the second row in table 1; modifying the function address in the table entry from address 2 of function 2 to address m of hook function E, and obtaining the target mapping relation table as shown in table 2 below:
TABLE 2
Function identification Function address
ID1 Address 1
ID2 Address m
…… ……
IDN Address N
Therefore, by modifying the function address corresponding to the primitive function in the target mapping relationship into the function address of the hook function, a data basis is provided for realizing flexible and simple hooks, and the hook function can be effectively called based on the target mapping relationship when the target device runs the first instruction set.
It should be noted that, in order to facilitate the ordered running of subsequent functions, the embodiment of the present application may further update the target mapping relationship and the virtual function table synchronously after step 502. For updating the target mapping relationship, see the process of updating table 1 to table 2 in the above example. The virtual function Table (abbreviated as V-Table) is a continuous memory, and each memory unit records an address of an unconditional jump instruction (abbreviated as JMP instruction) for embodying the address of a virtual function of the class. As an example, as shown in fig. 7, the process of updating the virtual function table may specifically include:
step 701, the target device determines that the first function is an imaginary function;
step 702, the target device searches a virtual function table based on a shared library, and finds all items matched with a first function address of a first function;
in step 703, the target device modifies the address of the first function recorded in the matching table entry to the address of the second function.
Therefore, the virtual function table can solve the problems of inheritance and coverage, and ensure that the virtual function table truly reflects the actual function, and when a subclass is operated by using a pointer of a parent class, the virtual function table is an indispensable basis for indicating the actually called function, so that the function address in the virtual function table is updated in time, the accuracy of the function address is ensured, and the virtual function table is very important for realizing function calling.
To make the process of step 502 more clear, the following exemplary description describes, in a possible implementation manner, a process in which the target device executes the second instruction set to hook, which may specifically include: the method comprises the following steps that firstly, class elements are obtained according to class literal volumes (class attributes) provided by a user; secondly, obtaining the name of the program package of the function and the name of the class according to the class element; thirdly, combining the class element, the name of the function, the name of the package, the name of the class and a parameter type list to obtain a method element; step four, determining whether the function is a function in a virtual function table according to the method element, namely, firstly judging whether the function is a virtual function, traversing the virtual function table when determining that the function is the virtual function, determining whether a function entry address consistent with the entry address of the method element is included in the virtual function table, if so, determining that the function is the function in the virtual function table, and completing hooking according to the step seven, otherwise, if determining that the function is not the function in the virtual function table, executing the step five and the step six to complete hooking; fifthly, calculating the ID of the function according to the signature of the function (namely the name of the program package, the name of the class and the name of the function) and the parameter type list; sixthly, modifying a function address corresponding to the ID into an address of a hook function according to the ID of the function in a target mapping relation (namely, a first target mapping relation corresponding to a defined function and a second target mapping relation corresponding to an undefined function), and realizing hook hanging; and seventhly, if the function is the function in the virtual function table, modifying the entry address of the original function into the entry address of the hook function, and realizing hook hanging.
It should be noted that the name of the package of the function and the name of the belonging class can be obtained in a variety of ways as follows: the method comprises the steps of firstly, obtaining according to class elements; obtaining according to the method element; the developer writes in the hook subcode directly; the name of the function and the list of parameter types may be obtained by: the method comprises the following steps of firstly, obtaining according to a method element; and in the second mode, the developer directly writes in the hook subcode. It can be understood that, in the above implementation manners, the manner of dynamically hooking may depend on an Application Programming Interface (API) provided by the user for the target device, and the implementation manner may also be changed depending on the difference of the API.
It should be noted that the target mapping relationship may generally include a corresponding relationship between function identifiers and function addresses of all virtual functions, but when a target application file of a subsequent Java program is executed to implement a statically compiled instruction set, only non-virtual functions (including a static function, a Constructor, and a private function) may implement a jump from the target mapping relationship, and the virtual function implements a jump from a virtual function table.
Step 503, the target device runs, the first instruction set, obtains a second function address corresponding to the first function identifier, and calls a second function based on the second function address.
As an example, the first instruction set may include: the system comprises a first instruction, a second instruction and a third instruction, wherein the first instruction is used for acquiring a first address of a target mapping relation; the second instruction is used for obtaining the destination address of the table entry corresponding to the first function in the target mapping relation according to the first address and the offset address of the known first function in the target mapping relation; and the third instruction is used for reading the table entry corresponding to the first function according to the destination address and calling the corresponding function based on the function address in the table entry.
For example: the portion of the first instruction set corresponding to the first function may include a first instruction that is:
adrp X0, __ muid _ func _ def _ tab $ out _ sound __ interface _ external _ containrypt _ consistence _ android _ common _ dex _ classes _ dex +2424// loading the first address of "defined method table" in the target mapping relationship to the X0 register;
the portion of the first instruction set corresponding to the first function may include a second instruction that is:
ldr W0, [ X0, #: lol2: __ muid _ func _ def _ tab $ out _ soong __ intermedia _ external _ contypt _ contrypt _ android _ common _ dex _ classs _ dex +2424]// loading the destination address of the entry where the first function is located from the target address to a W0 (the lower 32 bits of X0) register, where the square bracket indicates that the destination address of the entry where the first function is located is calculated from the head address and the offset address of the first function in the mapping relationship;
the third instruction included in the portion of the first instruction set corresponding to the first function may be:
blr x0// accessing the corresponding function based on the destination address.
In a specific implementation, the first instruction set is executed in step 503, a second function address corresponding to the first function identifier is obtained, and the second function is called based on the second function address, which may be referred to as a function call procedure.
As an example, if the first function is a non-virtual function, as shown in fig. 8, the function calling process may be specifically implemented by the following steps 5031 to 5034:
step 5031, the target device runs the first instruction to obtain the first address of the target mapping relationship;
step 5032, the target device runs a second instruction, and adds the offset address of the first function in the mapping relationship to the first address to obtain a destination address;
step 5033, the target device runs the third instruction, and obtains the entry corresponding to the first function in the target mapping relationship according to the destination address;
in step 5034, the target device calls a second function based on the second function address corresponding to the first function identifier in the current table entry.
For example: assuming that after step 502, the hook function E is hung at the position where the function a calls the function 2, and the obtained target mapping relationship can be referred to in table 2, then, in step 503, first, a first instruction is run, and a first address a of table 2 can be obtained; next, a second instruction is executed, based on the first address a of Table 2 and an offset address known to the compilerb, obtaining a destination address c corresponding to the function 2; then, a third instruction is executed, and the table entry corresponding to the function 2 is determined as the second row of the table 2 according to the destination address c, namely, the ID2-address m "; next, based on the table entry "ID2-address m in address m ", accessing the hook function m. Therefore, on the premise of not changing the original main program, the dynamic hooking on the main program is simply and conveniently realized, and the corresponding function of the Java program is simply and flexibly modified or expanded.
As another example, if the first function is an imaginary function, step 502 may further include, in addition to modifying a function address corresponding to the first function identifier in the target mapping relationship: modifying a first function entry address corresponding to the first function identifier in the virtual function table into a second function address; then, in this step 503, the first instruction set is executed to obtain a second function address corresponding to the first function identifier, which may specifically be: and searching the function entry address corresponding to the first function in the updated virtual function table to obtain a second function address.
It can be understood that the positions of hooks to be hung in the target application program file can be realized through the steps 501 to 503, a hook function can be flexibly hung, and the functions of the original main program can be easily modified and/or expanded through the dynamic hook method on the basis of not changing the target application program file. However, it should be noted that after the hook function is executed, the process may be finished according to the setting in the hook program file, or may return to the original function (i.e., the first function) to continue to be executed from the position of the original function, or may jump to any position after the original function (i.e., not to execute the original function) to execute backwards, which is not specifically limited in the embodiment of the present application.
It can be seen that, with the method provided in this embodiment of the present application, based on the first instruction set, the second instruction set, and the target mapping relationship obtained by statically compiling the compiler through the first aspect, when the first instruction set and the second instruction set are run in the same process, the function address corresponding to the original function may be replaced with the address of the hook function at the position where the hook needs to be hung through the target mapping relationship of each function identifier and function address stored in the compiling process, and based on the instruction set corresponding to the target application program, the hook function may be called before the original function is executed, so that on the basis of not changing the target application program, the hook is simply and flexibly hooked in the running process, and the program stability and extensibility are improved.
It should be noted that, in order to ensure that the hooked hook function can be flexibly detached, so as to implement the call to the original function at the location, in this embodiment of the application, after the embodiment shown in fig. 5 is completed, the method may further include: storing description information and a first function address of a first function, wherein the description information of the first function may include information such as a full name, a parameter type list, a function return value, a class to which the function belongs, and the like of the first function; and filling the first function address into the position corresponding to the first function identifier in the target mapping relation, so as to realize the calling of the first function.
As an example, a process of the hook removing function in the embodiment of the present application may be shown in fig. 9, and specifically may include:
step 901, in response to the hook detach request, the target device calculates a first function identifier of the first function based on the stored description information of the first function;
step 902, the target device modifies a second function address corresponding to the first function identifier in the target mapping relationship into a first function address.
It can be understood that, in the specific implementation manner of the above steps 901 to 902, reference may be made to step 502, that is, the process of unhooking is equivalent to performing step 502 again, and the second function address corresponding to the first function identifier is modified back to the first function address corresponding to the first function.
It should be noted that the hook program for hook detachment corresponding to the above steps 901 to 902 may be placed in the same hook program file as the hook program for hook hanging in the embodiment shown in fig. 5, or may be placed in two different hook program files respectively as the hook program for hook hanging in the embodiment shown in fig. 5, which is not limited in this application embodiment.
As another example, in this embodiment of the application, the process of detaching the hook function may further include: and when the process is terminated or the first instruction set is completely operated, modifying the second function address in the target mapping relation into the first function address. That is, when the process is terminated or the main program is run completely, the hooked hook function will automatically fail, that is, the function address of the intercepted function in the target mapping relationship is recovered.
Therefore, by the method provided by the embodiment of the application, the target mapping relation of each function identifier and each function address is stored in the compiling process, and the function address corresponding to the original function at the position where the hook needs to be hung in the target mapping relation is modified based on the instruction set corresponding to the hook program in the running process, so that the hook function can be called before the original function is executed or the original function is called based on the instruction set corresponding to the target application program in the running process, that is, the hook hanging and hook unloading can be simply and flexibly realized in the running process on the basis of not changing the target application program, and the stability and the expandability of the program are improved.
Referring to fig. 10, a method for dynamically hooking a hook in Java language in an embodiment of the present application may specifically include:
step 1001, determining a first function identifier of a first function, and searching a corresponding relationship record corresponding to the first function identifier from a target mapping relationship, where the target mapping relationship is pre-stored in a memory, and the target mapping relationship includes a corresponding relationship between a function identifier and a function address.
Step 1002, modifying the first function address in the corresponding relation record into a second function address, so that the second function is called based on the second function address when the first instruction set is run.
If the first function identifier is a first function ID uniquely identifying the first function, then the corresponding relationship record corresponding to the first function identifier is searched from the target mapping relationship, specifically: and searching the corresponding relation record corresponding to the first function ID from the target mapping relation by a table look-up method.
As an example, a first function identifier of the first function is determined, specifically: the method comprises the following steps that firstly, class elements of a first function are obtained according to class literal quantity of the first function; and secondly, determining the first function ID based on the class element of the first function. In the second step, determining the first function ID based on the class element of the first function may specifically include: firstly, obtaining the name of a program package and the name of a class of the first function according to the class element of the first function; then, obtaining description information of the first function based on the class element, the name of the first function, the name of the program package, the name of the class and a parameter type list; and finally, calculating a first function ID of the first function according to the description information of the first function.
It should be noted that, for the relevant description and the achieved effect in the method provided in this embodiment, reference may be specifically made to the corresponding descriptions in the embodiments of fig. 3 and fig. 5, and details are not described here again.
In addition, an embodiment of the present application further provides a compiler, and referring to fig. 11, the compiler 1100 may include: a first compiling unit 1101, configured to compile a target application file of a Java language to obtain a target mapping relationship and a first instruction set, where the target mapping relationship includes a correspondence between a function identifier and a function address, and the first instruction set is used to instruct a function address corresponding to the first function identifier to call a corresponding function; the second compiling unit 1102 is configured to compile the hook program file to obtain a second instruction set, where the second instruction set is used to instruct to execute the second function at the location of the first function.
In one possible implementation manner, the first compiling unit 1101 includes: the calculation subunit is used for calculating the function identifier corresponding to each function according to the description information of each function; wherein the description information includes: a full name and parameter type list of functions; the searching subunit is used for searching function addresses corresponding to the functions based on the shared library; and the storage subunit is used for correspondingly storing the function identifier and the function address of each function to obtain a target mapping relationship, wherein the target mapping relationship comprises a corresponding relationship between the first function identifier and the first function address.
It is to be understood that the first instruction set includes a first instruction, a second instruction, and a third instruction, where the first instruction is used to obtain a first address of a target mapping relationship; a second instruction, configured to obtain a destination address of a table entry corresponding to the first function in the target mapping relationship according to the first address and an offset address of the known first function in the target mapping relationship; and the third instruction is used for reading the table entry corresponding to the first function according to the destination address and calling the corresponding function based on the function address in the table entry. And the second instruction set is used for indicating to obtain the first function identifier of the first function and modifying the first function address corresponding to the first function identifier in the target mapping relation into a second function address.
The target mapping relation is generated by the class loader through a parent agent mechanism; the target mapping relation comprises a first target mapping relation and a second target mapping relation, wherein the first target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the defined function, and the second target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the undefined function.
It should be noted that the compiler 1100 corresponds to the method provided in the embodiment shown in fig. 3, and therefore, various possible implementations of the compiler 1100 and the achieved technical effects can be referred to the introduction of the method provided in the embodiment shown in fig. 3.
In addition, an embodiment of the present application further provides a target device, and referring to fig. 12, the target device 1200 includes: an obtaining unit 1201, configured to receive a target mapping relationship, a first instruction set, and a second instruction set, where the target mapping relationship includes a correspondence between function identifiers and function addresses, the first instruction set is used to instruct a function address corresponding to the first function identifier to call a corresponding function, and the second instruction set is used to instruct a second function to be executed at a position of the first function; a first operation unit 1202, configured to operate the second instruction set, obtain a first function identifier of the first function, and modify a first function address corresponding to the first function identifier in the target mapping relationship into a second function address; the second executing unit 1203 is configured to execute the first instruction set, obtain a second function address corresponding to the first function identifier, and call a second function based on the second function address.
In a possible implementation manner, in one case, if the first function is a non-virtual function, the second operation unit 1202 is specifically configured to: and searching a target mapping relation to obtain a second function address which is stored corresponding to the first function identifier. In another case, if the first function is an imaginary function, the target device further includes: a first modifying unit, configured to modify a first function entry address corresponding to the first function identifier in the virtual function table into a second function address; the second operation unit 1202 is specifically configured to: and searching a function entry address corresponding to the first function in the virtual function table to obtain a second function address.
In another possible implementation, the first operation unit 1203 includes: the calculating subunit is used for calculating a first function identifier of the first function according to the description information of the first function; the searching subunit is configured to search, in the target mapping relationship, a table entry corresponding to the first function identifier; and the modifying subunit is used for modifying the first function address in the table entry into a second function address.
In another possible implementation manner, the second operation unit 1202 includes: the first acquisition subunit is used for acquiring the first address of the target mapping relation; the increasing subunit is used for increasing the offset address of the first function in the target mapping relation on the initial address to obtain a destination address; the second obtaining subunit is configured to obtain, according to the destination address, a table entry corresponding to the first function in the target mapping relationship; and the calling subunit is used for calling the second function based on the second function address corresponding to the first function identifier in the current table entry.
It is understood that the target mapping relationship is generated by the class loader through the parent proxy mechanism; the target mapping relation comprises a first target mapping relation and a second target mapping relation, wherein the first target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the defined function, and the second target mapping relation is the corresponding relation between the function identifier and the function address corresponding to the undefined function.
In yet another possible implementation, the target device further includes: and the storage unit is used for storing the description information and the first function address of the first function. In one case, the target device further includes: the calculation unit is used for responding to the hook unloading request and calculating a first function identifier of the first function based on the stored description information of the first function; and the second modification unit is used for modifying a second function address corresponding to the first function identifier in the target mapping relation into the first function address. In another case, the second modifying unit is further configured to: and when the process is terminated or the first instruction set is completely operated, modifying the second function address in the target mapping relation into the first function address.
It should be noted that the target device 1200 corresponds to the method provided in the embodiment shown in fig. 5, so that various possible implementations of the target device 1200 and the achieved technical effects can be referred to the introduction of the method provided in the embodiment shown in fig. 5.
In addition, an apparatus is further provided in an embodiment of the present application, and referring to fig. 13, the apparatus 1300 includes: a searching unit 1301, configured to determine a first function identifier of a first function, and search a corresponding relationship record corresponding to the first function identifier from a target mapping relationship, where the target mapping relationship is stored in a memory in advance, and the target mapping relationship includes a corresponding relationship between a function identifier and a function address; a modifying unit 1302, configured to modify the first function address in the correspondence record into a second function address, so that the second function is called based on the second function address when the first instruction set is executed.
In some possible implementation manners, the first function identifier is a first function ID uniquely identifying the first function, and the search unit 1301 is specifically configured to: and searching the corresponding relation record corresponding to the first function ID from the target mapping relation by a table look-up method.
As an example, the modifying unit 1301 includes: a first obtaining subunit, configured to obtain a class element of the first function according to a class literal quantity of the first function; a determining subunit that determines the first function ID based on the class element of the first function. Wherein, the determining the sub-unit specifically comprises: a second obtaining subunit, configured to obtain, according to the class element of the first function, a name of the package and a name of the class of the first function; a third obtaining subunit, configured to obtain description information of the first function based on the class element, the name of the first function, the name of the package, the name of the class, and the parameter type list; and the calculating subunit is used for calculating a first function ID of the first function according to the description information of the first function.
It should be noted that the apparatus 1300 corresponds to the method provided by the embodiment shown in fig. 10, so that various possible implementations of the apparatus 1300 and the achieved technical effects can be referred to the description of the method provided by the embodiment shown in fig. 10.
In addition, the embodiment of the present application also provides an apparatus, and referring to fig. 14, the apparatus 1400 includes a memory 1401 and a processor 1402; wherein, the said memorizer 1401, is used for storing the program code; the processor 1402 is configured to execute the instructions in the program code, so that the apparatus 1400 performs the method for dynamically hooking the Java language according to any implementation manner in the embodiments shown in fig. 3, fig. 5, and fig. 10.
In addition, an embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to execute the method for dynamically hooking a Java language in any implementation manner in the embodiments shown in fig. 3, fig. 5, and fig. 10.
In addition, the embodiment of the present application further provides a computer program product, which when running on a computer, causes the computer to execute the method for dynamically hooking the Java language in any implementation manner in the embodiments shown in fig. 3, fig. 5 and fig. 10.
In the names of "first function", "first function identifier", and the like, the "first" mentioned in the embodiments of the present application is used only for name identifiers, and does not represent the first in sequence. The same applies to "second" etc.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the above embodiment methods can be implemented by software plus a general hardware platform. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a read-only memory (ROM)/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network communication device such as a router) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only an exemplary embodiment of the present application, and is not intended to limit the scope of the present application.

Claims (11)

1. A method for dynamically hooking a hook in Java language is characterized by comprising the following steps:
determining a first function identifier of a first function, and searching a corresponding relation record corresponding to the first function identifier from a target mapping relation, wherein the target mapping relation is stored in a memory in advance and comprises a corresponding relation between the function identifier and a function address;
modifying the first function address in the correspondence record to a second function address, such that the second function is invoked based on the second function address when the first set of instructions is executed.
2. The method according to claim 1, wherein the first function identifier is a first function ID that uniquely identifies the first function, and the searching for the corresponding relationship record corresponding to the first function identifier from the target mapping relationship specifically includes:
and searching the corresponding relation record corresponding to the first function ID from the target mapping relation by a table look-up method.
3. The method according to claim 2, wherein the determining the first function identifier of the first function specifically comprises:
obtaining a class element of the first function according to the class literal quantity of the first function;
determining the first function ID based on the class element of the first function.
4. The method according to claim 3, wherein the determining the first function ID based on the class element of the first function specifically comprises:
obtaining the name of the program package and the name of the class of the first function according to the class element of the first function;
obtaining description information of the first function based on the class element, the name of the first function, the name of the program package, the name of the class and the parameter type list;
and calculating a first function ID of the first function according to the description information of the first function.
5. An apparatus, comprising:
the searching unit is used for determining a first function identifier of a first function and searching a corresponding relation record corresponding to the first function identifier from a target mapping relation, wherein the target mapping relation is stored in a memory in advance and comprises a corresponding relation between the function identifier and a function address;
and the modifying unit is used for modifying the first function address in the corresponding relation record into a second function address so as to call the second function based on the second function address when the first instruction set is operated.
6. The device according to claim 5, wherein the first function identifier is a first function ID uniquely identifying the first function, and the lookup unit is specifically configured to:
and searching the corresponding relation record corresponding to the first function ID from the target mapping relation by a table look-up method.
7. The apparatus of claim 6, wherein the modification unit comprises:
a first obtaining subunit, configured to obtain a class element of the first function according to a class literal quantity of the first function;
a determining subunit that determines the first function ID based on the class element of the first function.
8. The apparatus according to claim 7, wherein the determining the sub-unit specifically comprises:
a second obtaining subunit, configured to obtain, according to the class element of the first function, a name of the package and a name of the class of the first function;
a third obtaining subunit, configured to obtain description information of the first function based on the class element, the name of the first function, the name of the package, the name of the class, and the parameter type list;
and the calculating subunit is used for calculating a first function ID of the first function according to the description information of the first function.
9. An apparatus, comprising a memory and a processor;
the memory for storing program code;
the processor is used for executing instructions in the program code to enable the device to execute the method for dynamically hooking the Java language according to any one of the claims 1-4.
10. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to execute the method of dynamic hooking in Java language according to any one of claims 1 to 4.
11. A computer program product, which, when run on a computer, causes the computer to perform the method of Java language dynamic hooking of any of the preceding claims 1 to 4.
CN201910786023.2A 2019-08-23 2019-08-23 Method, device and equipment for dynamically hooking Java language hooks Pending CN112416366A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910786023.2A CN112416366A (en) 2019-08-23 2019-08-23 Method, device and equipment for dynamically hooking Java language hooks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910786023.2A CN112416366A (en) 2019-08-23 2019-08-23 Method, device and equipment for dynamically hooking Java language hooks

Publications (1)

Publication Number Publication Date
CN112416366A true CN112416366A (en) 2021-02-26

Family

ID=74779071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910786023.2A Pending CN112416366A (en) 2019-08-23 2019-08-23 Method, device and equipment for dynamically hooking Java language hooks

Country Status (1)

Country Link
CN (1) CN112416366A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116467221A (en) * 2023-06-16 2023-07-21 荣耀终端有限公司 Pile inserting method and system based on interpreter and related electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070261044A1 (en) * 2006-05-04 2007-11-08 Jonathan Clark Chained Hook Function Serving Multiple Versions Of Identically Named Dynamically Loaded Libraries
CN106325927A (en) * 2016-08-19 2017-01-11 北京金山安全管理系统技术有限公司 Interception method and device applied to dynamic library API (Application Program Interface) in Linux system
CN107391219A (en) * 2017-07-07 2017-11-24 腾讯科技(深圳)有限公司 Function Compilation Method and device
CN107908391A (en) * 2017-11-20 2018-04-13 北京奇虎科技有限公司 The optimization method and device of routine call
CN108415739A (en) * 2018-02-28 2018-08-17 腾讯科技(深圳)有限公司 A kind of the hook method, apparatus and storage medium of Dynamic Link Library Function

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070261044A1 (en) * 2006-05-04 2007-11-08 Jonathan Clark Chained Hook Function Serving Multiple Versions Of Identically Named Dynamically Loaded Libraries
CN106325927A (en) * 2016-08-19 2017-01-11 北京金山安全管理系统技术有限公司 Interception method and device applied to dynamic library API (Application Program Interface) in Linux system
CN107391219A (en) * 2017-07-07 2017-11-24 腾讯科技(深圳)有限公司 Function Compilation Method and device
CN107908391A (en) * 2017-11-20 2018-04-13 北京奇虎科技有限公司 The optimization method and device of routine call
CN108415739A (en) * 2018-02-28 2018-08-17 腾讯科技(深圳)有限公司 A kind of the hook method, apparatus and storage medium of Dynamic Link Library Function

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116467221A (en) * 2023-06-16 2023-07-21 荣耀终端有限公司 Pile inserting method and system based on interpreter and related electronic equipment
CN116467221B (en) * 2023-06-16 2024-04-02 荣耀终端有限公司 Pile inserting method and system based on interpreter and related electronic equipment

Similar Documents

Publication Publication Date Title
CN109062617B (en) Application method of platform supporting multiple types of equipment and mobile terminal
US7055146B1 (en) Method and system for dynamically inserting modifications for identified programs
WO2015165232A1 (en) Driver program loading method and embedded device
US20160232017A1 (en) System and Method for Reloading Constructors
US10929149B2 (en) Method and system for updating firmware
EP3698241A1 (en) Using semantic annotations to control compatibility behaviors
US9152442B2 (en) Callbacks in virtual machines
EP3207453B1 (en) Api versioning independent of product releases
US20230418581A1 (en) Native emulation compatible application binary interface for supporting emulation of foreign code
WO2022057418A1 (en) Method and apparatus for running application program, terminal device and storage medium
WO2022042252A1 (en) Driver configuration management method and apparatus, medium, device, and system
CN109558121B (en) Interface driver development method, device, equipment and storage medium
CN114721688A (en) SDK upgrading method and device and computer equipment
CN112416366A (en) Method, device and equipment for dynamically hooking Java language hooks
CN111427617A (en) Data processing method, device and equipment
JP2023538812A (en) Hybrid binary with codestream folding
US11403100B2 (en) Dual architecture function pointers having consistent reference addresses
US20040216140A1 (en) Method and system for accessing system operations through an interface layer
WO2022052739A1 (en) Device tree repair method and system, and computer-readable storage medium
CN117744088A (en) Virtual machine trusted starting method based on TPCM under ARM architecture
CN117389567A (en) Multi-terminal application development method, device, medium and equipment
CN117472407A (en) Platform upgrading method, device, equipment and medium based on k8s cluster construction
CN116795419A (en) Version package grouping method, device, equipment and storage medium
CN114995871A (en) Software version adaptation method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210226

RJ01 Rejection of invention patent application after publication