CN113515729B - Method and system for automatically bypassing anti-debugging by using security Zhuo Duan - Google Patents
Method and system for automatically bypassing anti-debugging by using security Zhuo Duan Download PDFInfo
- Publication number
- CN113515729B CN113515729B CN202110455097.5A CN202110455097A CN113515729B CN 113515729 B CN113515729 B CN 113515729B CN 202110455097 A CN202110455097 A CN 202110455097A CN 113515729 B CN113515729 B CN 113515729B
- Authority
- CN
- China
- Prior art keywords
- function
- debugging
- app
- jni
- debugged
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 32
- 230000008569 process Effects 0.000 claims abstract description 13
- 238000002360 preparation method Methods 0.000 claims abstract description 9
- 230000001680 brushing effect Effects 0.000 claims abstract description 6
- 238000001514 detection method Methods 0.000 claims description 16
- 230000003068 static effect Effects 0.000 claims description 8
- 239000000725 suspension Substances 0.000 claims description 7
- 230000009191 jumping Effects 0.000 claims description 3
- 230000002787 reinforcement Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000009467 reduction Effects 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000015556 catabolic process Effects 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012856 packing Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention provides a method for automatically bypassing anti-debugging by using security Zhuo Duan, which comprises the following steps: step S1, brushing ART in an APP, starting the APP, and finishing registration of a JNI function after the APP is started; step S2, when the JNI function finishes registration, anti-debugging in the APP is started; step S3, JNI functions are executed, ART is prepared before each JNI function is executed, and a JNIMethodStart () function is called; s4, detecting whether a JNI function to be debugged exists, if yes, suspending the JNI function execution, suspending all anti-debugging, opening IDA, waiting for the IDA to be added into an APP process, resuming thread execution, finding out the JNI function address to be debugged on a subsequent page, performing breakpoint on the debugged JNI function address, and resuming program operation; if not, ART preparation is completed, and the JNI function is executed; the invention can bypass the anti-debugging means.
Description
Technical Field
The invention relates to the technical field of application dynamic reverse analysis, in particular to a method and a system for automatically bypassing reverse debugging of An Zhuo Duan.
Background
Previously An Zhuoduan when analyzing game or plug-in samples and application samples in reverse, the problem is that the samples are simply code obfuscated or function extracted, so obfuscated or expanded, and the difficulty of reverse analysis is not great. However, mobile reinforcement has been developed and upgraded over the years, and the prior code obfuscation and function extraction techniques have been gradually eliminated by the market, and now it is often faced with the situation that a VMP shell is added to the sample (the code part protected by this software is executed on a virtual machine, which makes it difficult for the protected program to be analyzed and broken). In this case, it is not practical to directly reverse analyze the sample code, and it is necessary to dynamically debug the sample and find its interpreter. But all anti-debugging is needed to analyze these samples dynamically. But all the schemes bypassing the anti-debugging on the network are based on static reverse analysis sample codes, writing hook codes or modifying applications or game assembly codes and secondarily packing and compiling applications or games, and bypassing the anti-debugging in continuous testing and code searching. Common anti-debug types are: 1. ptrace itself, multiprocess daemon; 2. detecting a file; 3. debugger detection (process name, port), breakpoint instruction check; 4. checking code execution time difference; 5. checking the execution environment (simulator, injection framework, root, etc.); 6. android itself debug status related function interfaces.
This manual bypass of anti-debug has several drawbacks:
the static analysis of the code is complicated, and the code is confused and expanded when the confusion and the vmp are encountered, so that the reading difficulty is higher, let alone the understanding of the code, and the reverse code is written; writing Hook code can encounter continuous breakdown of application or game, and can not successfully bypass anti-debugging; the anti-debugging code and the thread are hidden deeply and are not easy to be found; the anti-debugging means are various, all the anti-debugging means need to be searched out one by one, and even if one anti-debugging means is missed, the next work of the reverse analysis is possibly difficult to carry out; some applications often use unusual or original anti-debugging means, so that an analyst cannot recognize the anti-debugging principle.
Disclosure of Invention
To overcome the above problems, an object of the present invention is to provide a method for automatically bypassing anti-debug An Zhuoduan which can bypass anti-debug means.
The invention is realized by adopting the following scheme: a method of security Zhuo Duan automation bypassing anti-debug, the method comprising the steps of:
step S1, brushing ART in an APP, starting the APP, and finishing registration of a JNI function after the APP is started;
step S2, when the JNI function finishes registration, anti-debugging in the APP is started;
step S3, JNI functions are executed, ART is prepared before each JNI function is executed, and a JNIMethodStart () function is called;
s4, detecting whether a JNI function to be debugged exists, if yes, suspending the JNI function execution, suspending all anti-debugging, opening IDA, waiting for the IDA to be added into an APP process, resuming thread execution, finding out the JNI function address to be debugged on a subsequent page, performing breakpoint on the debugged JNI function address, and resuming program operation; if not, the ART preparation is completed and the JNI function is executed.
Further, the step S1 is further specifically: the JNI function registration is divided into static state and dynamic state, and the flow is as follows: acquiring the name, sig and function pointer of each function, acquiring a corresponding ArtMethod object pointer through the function name and sig, and finally finishing registration through the register native of the ArtMethod class.
Further, the step S2 further specifically includes the following steps:
step S21, APP starting, and meanwhile anti-debugging starting;
step S22, an IDA debugger is added to the APP, debugging is prepared, an assembly interface is obtained, and the JNI function to be debugged is jumped to;
step S23, detecting whether the anti-debugging is set here, if yes, actively and forcedly exiting the APP, otherwise, normally operating the program;
s24, suspending the APP, downloading a breakpoint at a JNI function to be dynamically debugged, and resuming program execution;
step S25, when the anti-debugging detects that the IDA debugger is added into the APP, the program is actively and forcedly exited.
Further, the step S3 is further specifically: when the JNI function to be debugged is to be executed, the JNI function is paused for 60 seconds after entering the JNIMethodStart () function, and at the moment, the APP thread is paused, and all anti-debugging is disabled for 60 seconds.
Further, the step S4 is further specifically: at this time, the anti-debugging is bypassed, the APP cannot crash, the IDA debugger can break on the JNI function to be debugged, and then the IDA debugger can execute in a single step or dynamically debug the JNI function.
The invention also provides a system for automatically bypassing the anti-debugging of the security Zhuo Duan, which comprises a registration module, an anti-debugging module, a calling module and a detection module; the registration module brushes ART in the APP, opens the APP, and the JNI function completes registration after the APP is started; the anti-debugging module is started when the JNI function finishes registration; the calling module, i.e., JNI functions are executed, ART prepares before each JNI function is executed, and jnimithodstart () functions are called; the detection module detects whether the JNI function to be debugged exists or not, if yes, the JNI function execution is suspended, all anti-debugging is suspended, IDA is opened, the IDA is waited to be added into the APP process, then the thread execution is resumed, the JNI function address to be debugged is found out on a subsequent page, a breakpoint is carried out on the debugged JNI function address, and the program operation is resumed; if not, the ART preparation is completed and the JNI function is executed.
Further, the registration module is further specifically: the JNI function registration is divided into static state and dynamic state, and the flow is as follows: acquiring the name, sig and function pointer of each function, acquiring a corresponding ArtMethod object pointer through the function name and sig, and finally finishing registration through the register native of the ArtMethod class.
Further, the anti-debug module further specifically includes: the device comprises a starting unit, an additional unit, a detection unit, a pause unit and a forcing unit, wherein the starting unit is APP starting and is started in anti-debugging mode; the adding unit is used for adding the IDA debugger to the APP, preparing for debugging, obtaining an assembly interface, and jumping to a JNI function to be debugged; the detection unit detects whether the reverse debugging is arranged at the position, if yes, the APP is actively and forcedly exited, and if not, the program runs normally; the suspension unit, namely APP suspension, downloads a breakpoint at the JNI function to be dynamically debugged, and resumes program execution; the forcing unit actively forces to exit the program when the inverse debug detects that the IDA debugger is attached to the APP.
Further, the calling module is further specifically: when the JNI function to be debugged is to be executed, the JNI function is paused for 60 seconds after entering the JNIMethodStart () function, and at the moment, the APP thread is paused, and all anti-debugging is disabled for 60 seconds.
Further, the detection module is further specifically: at this time, the anti-debugging is bypassed, the APP cannot crash, the IDA debugger can break on the JNI function to be debugged, and then the IDA debugger can execute in a single step or dynamically debug the JNI function.
The invention has the beneficial effects that: from the result, when the debugger is used for dynamically debugging the application, the game and the plug-in samples, the technical scheme of the invention can rapidly and automatically bypass all anti-debugging means even if the application, the game and the plug-in samples are all provided with vmp shells; technically, the current on-line found data is manually found for code bypassing for anti-debugging, so that time and energy are wasted, and the effect is very little, and if the application is protected by the VMP shell, the possibility of manually bypassing the anti-debugging is basically 0; the technical scheme of the invention can perform dimension reduction striking on the application from the angle of the inner core without any consideration of reinforcement; even if the advanced technology is used for anti-debugging means, the method can be quickly bypassed; the invention greatly simplifies the difficulty of the reverse analysis and shortens the time of the reverse analysis; in addition, because the invention starts from the source code, the code is written in the art virtual machine, so that the shell and the reinforcement mode can not avoid the technical scheme of the invention and can not detect the technical scheme of the invention; moreover, even if these anti-debugging can be bypassed manually, it is enough that many are accomplished with the aid of a frame like frida, without any frame.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention.
FIG. 2 is a flow chart of an anti-debugging method.
Fig. 3 is a system schematic block diagram of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to fig. 1, a method for automatically bypassing anti-debug by using security Zhuo Duan of the present invention includes the following steps:
step S1, brushing ART in an APP, starting the APP, and finishing registration of a JNI function after the APP is started;
step S2, when the JNI function finishes registration, anti-debugging in the APP is started;
step S3, JNI functions are executed, ART is prepared before each JNI function is executed, and a JNIMethodStart () function is called;
s4, detecting whether a JNI function to be debugged exists, if yes, suspending the JNI function execution, suspending all anti-debugging, opening IDA, waiting for the IDA to be added into an APP process, resuming thread execution, finding out the JNI function address to be debugged on a subsequent page, performing breakpoint on the debugged JNI function address, and resuming program operation; if not, the ART preparation is completed and the JNI function is executed.
The invention is further illustrated by the following examples:
for the current application, game and plug-in sample, in order to prevent reverse personnel from reversely analyzing own products, a large amount of anti-debugging means are adopted, and a plurality of important codes such as vmp interpreters, protocol algorithms and the like are written as JNI (Java local interface writing program) functions. Then, since the references of the JNI function are all local references, when the JNI function returns after execution, all local references are released, but the JNI function does not have an automatic release mechanism, so that the participation of ART is required. The ART performs some preparation and late cleaning before and after the JNI function is executed. That is, before each JNI function is executed, the function jnmethod start () is entered to complete the preparation work:
to automatically bypass all anti-debugging, the JNI function to be debugged is paused when the JNI function is about to be called, and execution of the JNI function is resumed after the debugger is attached. Suspending the JNI function when the function is about to be called, and letting the function sleep for a short time is enough for the debugger to attach to the application, thus bypassing the anti-debugging quickly.
Referring to fig. 2, the anti-debugging method includes the following steps:
step S21, APP starting, and meanwhile anti-debugging starting;
step S22, an IDA debugger is added to the APP, debugging is prepared, an assembly interface is obtained, and the JNI function to be debugged is jumped to;
step S23, detecting whether the anti-debugging is set here, if yes, actively and forcedly exiting the APP, otherwise, normally operating the program;
s24, suspending the APP, downloading a breakpoint at a JNI function to be dynamically debugged, and resuming program execution;
step S25, when the anti-debugging detects that the IDA debugger is added into the APP, the program is actively and forcedly exited.
The specific codes are divided into two types:
1. directly pausing the JNI function to be debugged before:
the principle is to detect whether the function to be executed is a function to be dynamically debugged when the jnithoistart is called, here an oncreate function, and if so, to suspend the function to execute for 60 seconds. Within these 60 seconds, no anti-debug exists, and all our debuggers can be directly attached for dynamic debugging. And finally, storing the modified codes, and inputting the codes into an AOSP source code catalog downloading terminal: source build/envsetup sh then inputs lunch, selects own handset number, here 23, and then compiles image file make. Brushing the obtained mirror image file into the mobile phone
2. Writing lightweight code, debugging any JNI function by means of a frida framework (a hook framework):
the method is based on the principle that str functions are added into the JNIMethodStart functions, and whether the functions to be called contain JNIMethodStart character strings or not is continuously searched, and the functions are not normally found. Then in the Hook code, searching for the str with the second parameter being JNIMethodStart through a Hook str function. Finding is followed by looking at whether the first parameter is the Jni function we need to pause, here the onCreate function, and after finding, modifying the return value of str so that it is not null to effect pause of the function.
The first advantage is that the automatic bypass of anti-debugging can be accomplished without any framework, and the functions we need can be debugged by writing aosp source code. However, the disadvantage is that the aosp source code compiling process is long, and the code needs to be recompiled for changing the debugging function, which is tedious.
The second advantage is that the function suspension can be accomplished by means of the lightweight hook framework of frida using the spawn mode, while only a bit of code needs to be modified simply when the dynamically debugged function needs to be changed, which is very convenient. However, the disadvantage is that applications and games are filled with a large number of tests on the frada framework, so that custom versions are required to remove all features of the frada, and that the bypass of anti-debug is required to be accomplished with this framework.
Bypassing the method steps of anti-debugging:
1. after the custom ART is flushed, the APP is opened, and after the APP is started, the JNI function completes registration first. Registration is classified into static and dynamic, and the flow is: traversing to obtain the name, sig and function pointer of each method, obtaining the corresponding ArtMethod object pointer through the function name and sig, and finally finishing registration through the register native of the ArtMethod class.
2. The anti-debugging of the application may also be turned on while the JNI function completes registration. If no custom ART automatically bypasses anti-debugging, the IDA is directly used for being added to the application process, the anti-debugging can detect that a debugger is added to the process, and the process is forced to exit, so that the application cannot be dynamically debugged.
3. JNI functions are executed, each of which prepares an ART before execution, and calls the jniomethodstart () function. When the JNI function to be debugged is about to be executed, the JNIMethodStart () function is started, and then the JNI function is paused for 60 seconds, at this time, the thread is paused, and all anti-debugging fails for 60 seconds.
4. Opening IDA, attaching to application process, finding out address of JNI function to be debugged in next page, and resuming program operation at break point up and down at address. At this time, the anti-debugging is bypassed, the program is not crashed, the IDA is broken on the JNI function to be debugged, and then the IDA can perform single-step execution or other dynamic debugging on the JNI function. Note, however, that the thread resumes execution no more than 60 seconds from the beginning of the function pause to the IDA resume program run time, exceeding 60 seconds, and the anti-debug is normally on.
Case one:
for example, after an APK (application installation package) is reinforced by 360VMP, a reverse view source code band is in a variety of forms:
the source code cannot be read at all, and the code seen is all the entry logic code of the VMP, the true code of this application has been hardened. Its oncreate function is changed by the shell to a JNI function after the instrumentation, so dynamic debugging is required to analyze this oncreate function to find the interpreter of this VMP, so that this application with VMP shell instrumentation performs code reduction. Dynamically debugging the function by using IDA (a dynamic debugger), finding the address of the function in IDA dynamic debugging mode, and adding a breakpoint; then resume program operation, its shell so begins loading and running, then program exits, IDA calls to interface without any code; when nothing is seen, anti-debugging has been effected and the program is automatically exited because of anti-debugging. If 360VMP is known, it should be known that there are a large number of anti-debug means, and that the anti-debug code in its shell so libjiagu. So is confusing and bloated, and that its so has not yet been shelled, the difficulty of trying to manually bypass it is great. So using my first scheme, modifying AOSP source code, brushing compiled image file into handset, restarting application and IDA dynamic debugging, restarting breakpoint, restoring program operation, now actually entering into execution of VMP protected oncreate function, and its anti-debugging has been automatically passed around. Then the VMP interpreter can be searched for by single step debugging; with the second scheme, the application is started in the spin mode, then the breakpoint is set at the initial address of the oncreate function in the IDA dynamic debug mode, and the program execution is resumed, and as a result, the reverse debug is automatically bypassed as in the above figure.
In a word, according to the scheme of the invention, by modifying the android AOSP (android open source code project) source code, compiling the image file, customizing an ART (android runtime) virtual machine, automatically bypassing all anti-debugging, simplifying a great deal of effort of reverse analysts, and facilitating dynamic debugging analysis samples.
Referring to fig. 3, the invention also provides a system for automatically bypassing the anti-debugging of the security Zhuo Duan, which comprises a registration module, an anti-debugging module, a calling module and a detection module; the registration module brushes ART in the APP, opens the APP, and the JNI function completes registration after the APP is started; the anti-debugging module is started when the JNI function finishes registration; the calling module, i.e., JNI functions are executed, ART prepares before each JNI function is executed, and jnimithodstart () functions are called; the detection module detects whether the JNI function to be debugged exists or not, if yes, the JNI function execution is suspended, all anti-debugging is suspended, IDA is opened, the IDA is waited to be added into the APP process, then the thread execution is resumed, the JNI function address to be debugged is found out on a subsequent page, a breakpoint is carried out on the debugged JNI function address, and the program operation is resumed; if not, the ART preparation is completed and the JNI function is executed.
The registration module is further specifically: the JNI function registration is divided into static state and dynamic state, and the flow is as follows: acquiring the name, sig and function pointer of each function, acquiring a corresponding ArtMethod object pointer through the function name and sig, and finally finishing registration through the register native of the ArtMethod class.
The anti-debugging module further specifically comprises: the device comprises a starting unit, an additional unit, a detection unit, a pause unit and a forcing unit, wherein the starting unit is APP starting and is started in anti-debugging mode; the adding unit is used for adding the IDA debugger to the APP, preparing for debugging, obtaining an assembly interface, and jumping to a JNI function to be debugged; the detection unit detects whether the reverse debugging is arranged at the position, if yes, the APP is actively and forcedly exited, and if not, the program runs normally; the suspension unit, namely APP suspension, downloads a breakpoint at the JNI function to be dynamically debugged, and resumes program execution; the forcing unit actively forces to exit the program when the inverse debug detects that the IDA debugger is attached to the APP.
The calling module is further specifically: when the JNI function to be debugged is to be executed, the JNI function is paused for 60 seconds after entering the JNIMethodStart () function, and at the moment, the APP thread is paused, and all anti-debugging is disabled for 60 seconds.
The detection module is further specifically: at this time, the anti-debugging is bypassed, the APP cannot crash, the IDA debugger can break on the JNI function to be debugged, and then the IDA debugger can execute in a single step or dynamically debug the JNI function.
The foregoing description is only of the preferred embodiments of the invention, and all changes and modifications that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Claims (4)
1. A method for automatically bypassing anti-debugging by using an ampere Zhuo Duan, which is characterized in that: the method comprises the following steps:
step S1, brushing ART in an APP, starting the APP, and finishing registration of a JNI function after the APP is started;
the step S1 is further specifically: the JNI function registration is divided into static state and dynamic state, and the flow is as follows: acquiring the name, sig and function pointer of each function, acquiring a corresponding ArtMethod object pointer through the function name and sig, and finally finishing registration through the register native of the ArtMethod class;
step S2, when the JNI function finishes registration, anti-debugging in the APP is started;
the step S2 further specifically includes the following steps:
step S21, APP starting, and meanwhile anti-debugging starting;
step S22, an IDA debugger is added to the APP, debugging is prepared, an assembly interface is obtained, and the JNI function to be debugged is jumped to;
step S23, detecting whether the anti-debugging is set here, if yes, actively and forcedly exiting the APP, otherwise, normally operating the program;
s24, suspending the APP, downloading a breakpoint at a JNI function to be dynamically debugged, and resuming program execution;
step S25, when the inverse debugging detects that the IDA debugger is added into the APP, actively and forcedly exiting the program;
step S3, JNI functions are executed, ART is prepared before each JNI function is executed, and a JNIMethodStart () function is called;
the step S3 is further specifically: when the JNI function to be debugged is to be executed, entering a JNIMethodStart () function, and then suspending for 60 seconds in the JNIMethodStart () function, wherein the APP thread is suspended at the moment, and all anti-debugging is disabled for 60 seconds;
s4, detecting whether a JNI function to be debugged exists, if yes, suspending the JNI function execution, suspending all anti-debugging, opening IDA, waiting for the IDA to be added into an APP process, resuming thread execution, finding out the JNI function address to be debugged on a subsequent page, performing breakpoint on the debugged JNI function address, and resuming program operation; if not, the ART preparation is completed and the JNI function is executed.
2. The method for automating bypass anti-debug of claim 1 wherein: the step S4 is further specifically: at this time, the anti-debugging is bypassed, the APP cannot crash, the IDA debugger can break on the JNI function to be debugged, and then the IDA debugger can execute the dynamic debugging of the JNI function in a single step.
3. A system for secure Zhuo Duan automation bypassing anti-debug, characterized by: the system comprises a registration module, an anti-debugging module, a calling module and a detection module; the registration module brushes ART in the APP, opens the APP, and the JNI function completes registration after the APP is started; the registration module is further specifically: the JNI function registration is divided into static state and dynamic state, and the flow is as follows: acquiring the name, sig and function pointer of each function, acquiring a corresponding ArtMethod object pointer through the function name and sig, and finally finishing registration through the register native of the ArtMethod class; the anti-debugging module is started when the JNI function finishes registration; the anti-debugging module further specifically comprises: the device comprises a starting unit, an additional unit, a detection unit, a pause unit and a forcing unit, wherein the starting unit is APP starting and is started in anti-debugging mode; the adding unit is used for adding the IDA debugger to the APP, preparing for debugging, obtaining an assembly interface, and jumping to a JNI function to be debugged; the detection unit detects whether the reverse debugging is arranged at the position, if yes, the APP is actively and forcedly exited, and if not, the program runs normally; the suspension unit, namely APP suspension, downloads a breakpoint at the JNI function to be dynamically debugged, and resumes program execution; the forced unit actively forces to exit the program when the inverse debugging detects that the IDA debugger is added into the APP; the calling module, i.e., JNI functions are executed, ART prepares before each JNI function is executed, and jnimithodstart () functions are called; the calling module is further specifically: when the JNI function to be debugged is to be executed, entering a JNIMethodStart () function, and then suspending for 60 seconds in the JNIMethodStart () function, wherein the APP thread is suspended at the moment, and all anti-debugging is disabled for 60 seconds; the detection module detects whether the JNI function to be debugged exists or not, if yes, the JNI function execution is suspended, all anti-debugging is suspended, IDA is opened, the IDA is waited to be added into the APP process, then the thread execution is resumed, the JNI function address to be debugged is found out on a subsequent page, a breakpoint is carried out on the debugged JNI function address, and the program operation is resumed; if not, the ART preparation is completed and the JNI function is executed.
4. A system for automated bypass anti-debug of an atm Zhuo Duan according to claim 3, wherein: the detection module is further specifically: at this time, the anti-debugging is bypassed, the APP cannot crash, the IDA debugger can break on the JNI function to be debugged, and then the IDA debugger can execute the dynamic debugging of the JNI function in a single step.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110455097.5A CN113515729B (en) | 2021-04-26 | 2021-04-26 | Method and system for automatically bypassing anti-debugging by using security Zhuo Duan |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110455097.5A CN113515729B (en) | 2021-04-26 | 2021-04-26 | Method and system for automatically bypassing anti-debugging by using security Zhuo Duan |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113515729A CN113515729A (en) | 2021-10-19 |
| CN113515729B true CN113515729B (en) | 2024-03-08 |
Family
ID=78063624
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110455097.5A Active CN113515729B (en) | 2021-04-26 | 2021-04-26 | Method and system for automatically bypassing anti-debugging by using security Zhuo Duan |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113515729B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109726115A (en) * | 2018-11-06 | 2019-05-07 | 北京大学 | It is a kind of based on Intel processor tracking anti-debug automatically bypass method |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040040013A1 (en) * | 2002-08-26 | 2004-02-26 | Mohit Kalra | Time-based breakpoints in debuggers |
| US7895569B2 (en) * | 2006-08-30 | 2011-02-22 | Research In Motion Limited | System and method for implementing software breakpoints in an interpreter |
-
2021
- 2021-04-26 CN CN202110455097.5A patent/CN113515729B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109726115A (en) * | 2018-11-06 | 2019-05-07 | 北京大学 | It is a kind of based on Intel processor tracking anti-debug automatically bypass method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113515729A (en) | 2021-10-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP4901075B2 (en) | Computer-readable medium, method and computing device | |
| US7299456B2 (en) | Run into function | |
| US10540262B2 (en) | Using edit and continue to dynamically set and unset optimizations in source code while debugging | |
| US20090037887A1 (en) | Compiler-inserted predicated tracing | |
| US5832271A (en) | Determining dynamic properties of programs | |
| US20090199163A1 (en) | Debugger assistance for locating values at runtime | |
| US10089126B2 (en) | Function exit instrumentation for tail-call optimized code | |
| JPH0689200A (en) | Debug system and method | |
| US9489286B2 (en) | Method and system for computer assisted hot-tracing mechanism | |
| US7761282B2 (en) | System and method to simulate conditions and drive control-flow in software | |
| Krishnakumar | Kernel korner: kprobes-a kernel debugger | |
| US20110314338A1 (en) | Data collisions in concurrent programs | |
| US20090100413A1 (en) | Stack Walking Enhancements Using Sensorpoints | |
| US20080127118A1 (en) | Method and system for dynamic patching of software | |
| CN109857520B (en) | Semantic reconstruction improvement method and system in virtual machine introspection | |
| CN113515729B (en) | Method and system for automatically bypassing anti-debugging by using security Zhuo Duan | |
| US6983454B2 (en) | Extended “run to” function | |
| US20030018957A1 (en) | Debugger monitor with anticipatory highlights | |
| Jiang et al. | CrackDex: Universal and automatic DEX extraction method | |
| US11182182B2 (en) | Calling arbitrary functions in the kernel via a probe script | |
| JP2658982B2 (en) | Specific instruction execution detection method | |
| Quante | Online construction of dynamic object process graphs | |
| CN110554969B (en) | Target code coverage rate testing method, system and medium based on preset breakpoints | |
| CN113836046B (en) | Debugging method and system for application program of virtual machine on MCU (microprogrammed control Unit) | |
| CN108197000B (en) | Application program starting log saving method, storage medium, electronic device and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |