CN113805854A - Method, system and device for realizing Hook of application layer based on Linux system and storage medium - Google Patents

Info

Publication number: CN113805854A
Application number: CN202111155242.4A
Authority: CN (China)
Legal status: Pending (the status listed by Google Patents is an assumption, not a legal conclusion)
Prior art keywords: dynamic link, link library, interface, hook, application layer
Other languages: Chinese (zh)
Inventors: 苗功勋, 袁浩, 崔新安, 李本学
Current assignee: Zhongfu Safety Technology Co Ltd
Original assignee: Zhongfu Safety Technology Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F8/00 Arrangements for software engineering > G06F8/20 Software design
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F8/00 Arrangements for software engineering > G06F8/40 Transformation of program code > G06F8/41 Compilation

Abstract

The invention provides a method, a system, a device and a storage medium for realizing an application layer Hook based on a Linux system. The method comprises the following steps: compiling a dynamic link library and exporting a preset interface; modifying the environment variable and the default configuration file that are loaded preferentially, adding the absolute path of the dynamic link library so that the dynamic link library is loaded in real time once the preset program is started; when the target process calls the hooked API, calling the interface of the dynamic link library first; acquiring and storing the original address of the system API inside the interface of the dynamic link library; having the interface of the dynamic link library interact with a preset control center to carry out policy judgment business operations; and, after the policy judgment business operation is completed, calling the original address of the system API and returning the call result to the target process. By modifying the system configuration the invention completes the loading of a custom dynamic library and replaces the system API, so that the Hook reaches an API interface closer to user behavior and behavior analysis and control are realized more accurately.

Description

Method, system and device for realizing Hook of application layer based on Linux system and storage medium
Technical Field
The invention relates to the technical field of computers, in particular to a method, a system, a device and a storage medium for realizing Hook of an application layer based on a Linux system.
Background
Hook technology, also called a Hook function, captures a message before the system calls the target function: the Hook function obtains control first, can process the execution behavior of the function, and can also forcibly end the transfer of the message. In short, a system routine is pulled out and replaced by a code segment of one's own that executes in its place. A Hook can thus monitor various event messages in the system or process, intercept messages sent to the target window, and process those messages.
Currently, Hook technology is realized in two ways: Hook at the Ring3 level, commonly known as application layer Hook technology, and Hook at the Ring0 level, commonly known as kernel layer Hook technology. These implementation methods mainly have the following defects:
1. Current kernel layer Hook implementations require developers to have kernel development experience; the development difficulty is high, and once a problem occurs the system crashes.
2. Although there are various implementation methods for Hook at the application layer, all of them need to perform a large amount of data processing and function and memory calls, which results in high system overhead and high performance requirements for devices.
Disclosure of Invention
Aiming at the problems in the prior art, the invention aims to provide a method, a system, a device and a storage medium for realizing an application layer Hook based on a Linux system.
In order to achieve the purpose, the invention is realized by the following technical scheme:
A method for realizing an application layer Hook based on a Linux system comprises the following steps:
S1: compiling a dynamic link library, and exporting a preset interface through the dynamic link library;
S2: modifying the environment variable and the default configuration file that are loaded preferentially, and adding the absolute path of the dynamic link library so that the dynamic link library is loaded in real time once the preset program is started;
S3: when the target process calls the hooked API, calling the interface of the dynamic link library first;
S4: acquiring and storing the original address of the system API inside the interface of the dynamic link library;
S5: the interface of the dynamic link library interacts with a preset control center to carry out policy judgment business operations;
S6: after the policy judgment business operation is completed, calling the original address of the system API, and returning the call result to the target process.
Further, step S4 specifically includes: acquiring the original address of the API with a specified version number through the dlvsym interface.
Further, the preset interface is an interface completely consistent with the definition of the hooked API.
Further, the dynamic link library is libhook.so.
Further, the environment variable and the default configuration file that are loaded preferentially are LD_PRELOAD and /etc/ld.so.preload.
Further, the preset interface is the XCreateWindow interface.
Correspondingly, the invention also discloses an application layer Hook implementation system based on the Linux system, which comprises:
the export unit is used for compiling the dynamic link library and exporting the preset interface through the dynamic link library;
the loading unit is used for modifying the environment variable and the default configuration file which are loaded preferentially, increasing the absolute path of the dynamic link library and loading the dynamic link library in real time after the preset degree is started;
the calling unit is used for preferentially calling the interface of the dynamic link library when the target process calls the Hook API;
the address acquisition unit is used for acquiring and storing an original address of the system API in an interface of the dynamic link library;
the business operation unit is used for carrying out strategy judgment business operation by the interaction of the interface of the dynamic link library and a preset control center;
and the return unit is used for calling the original address of the system API after the strategy judgment service operation is finished and returning the calling result to the target process.
Correspondingly, the invention also discloses a device for realizing the Hook of the application layer based on the Linux system, which comprises the following components:
the memory is used for storing an application layer Hook program based on the Linux system;
a processor, configured to implement the steps of the Linux system based application layer Hook implementation method according to any one of the above items when executing the Linux system based application layer Hook program.
Correspondingly, the invention discloses a readable storage medium, wherein the readable storage medium is stored with an application layer Hook program based on the Linux system, and the application layer Hook program based on the Linux system realizes the steps of the application layer Hook realization method based on the Linux system when being executed by a processor.
Compared with the prior art, the invention has the beneficial effects that: the invention provides a method, a system, a device and a storage medium for realizing Hook of an application layer based on a Linux system, which can finish the loading of a self-defined dynamic library by modifying the configuration of the system, realize the replacement of a system API, and realize Hook to an API interface closer to the behavior of a user, thereby realizing the behavior analysis and control more accurately.
The invention has the advantage of low development difficulty, all operations are completed in an application layer, and kernel development experience is not needed.
Therefore, compared with the prior art, the invention has prominent substantive features and remarkable progress, and the beneficial effects of the implementation are also obvious.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a process flow diagram of an embodiment of the present invention.
FIG. 2 is a system block diagram of an embodiment of the present invention.
In the figure, 1 is a derivation unit, 2 is a loading unit, 3 is a calling unit, 4 is an address acquisition unit, 5 is a service operation unit, and 6 is a return unit.
Detailed Description
The following description of the embodiments of the present invention will be made with reference to the accompanying drawings.
The first embodiment is as follows:
As shown in fig. 1, the embodiment discloses an application layer Hook implementation method based on a Linux system, which includes the following steps:
S1: compiling the dynamic link library, and exporting a preset interface through the dynamic link library.
The preset interface is an interface completely consistent with the definition of the hooked API, such as the XCreateWindow interface.
S2: modifying the environment variable and the default configuration file that are loaded preferentially, and adding the absolute path of the dynamic link library so that the dynamic link library is loaded in real time once the preset program is started.
The environment variable and the default configuration file that are loaded preferentially are LD_PRELOAD and /etc/ld.so.preload.
When the Linux dynamic linker loads the dynamic link libraries of a program, it first reads the LD_PRELOAD environment variable and the default configuration file /etc/ld.so.preload and loads the dynamic link library files listed there. Even if the program does not depend on those libraries, the dynamic link libraries specified in LD_PRELOAD and /etc/ld.so.preload are still loaded, and because their priority is higher than that of the files found through the link library search path defined by the LD_LIBRARY_PATH environment variable, they are loaded ahead of the dynamic libraries that the user's program itself calls.
S3: when the target process calls the hooked API, the interface of the dynamic link library is called first.
S4: acquiring and storing the original address of the system API inside the interface of the dynamic link library.
Specifically: acquiring the original address of the API with a specified version number through the dlvsym interface.
S5: the interface of the dynamic link library interacts with a preset control center to carry out policy judgment business operations.
S6: after the policy judgment business operation is completed, calling the original address of the system API, and returning the call result to the target process.
Example two:
Based on the first embodiment, this embodiment also discloses an application layer Hook implementation method based on the Linux system, which comprises the following steps:
1. Implement a dynamic link library libhook.so that exports an interface fully consistent with the definition of the hooked API, for example an XCreateWindow interface.
2. Modify the /etc/ld.so.preload file to add the absolute path of libhook.so, so that libhook.so is loaded whenever a program is started after the modification;
3. When the target process calls the hooked API, the interface in libhook.so is called first.
4. Inside the XCreateWindow interface of libhook.so, obtain and save the original address of the system API.
5. After being called, the interface in libhook.so interacts with the control center to complete service operations such as policy judgment.
6. After the service operation is finished, call the system API original address saved in step 4, and return the result to the target process.
Step 4 may obtain the original address of the API with a specified version number through the dlvsym interface.
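As an added example that is not part of the patent, the following C file sketches a minimal libhook.so following steps S1 to S6 for XCreateWindow: it exports a symbol with Xlib's signature, resolves the original with dlvsym (or plain dlsym when no symbol version is given), runs a local policy check in place of the control-centre round-trip, and forwards to the original only when the policy allows. The locally declared Xlib types, the HOOK_MAX_PIXELS limit and the HOOK_SYMBOL_VERSION macro are assumptions made for this example.

```c
/* Added example, not the patent's code: a minimal libhook.so that follows
 * steps S1 to S6 for XCreateWindow. Xlib types are declared locally so the
 * file builds without X11 headers. HOOK_MAX_PIXELS and HOOK_SYMBOL_VERSION
 * are assumptions made for this example, not values from the patent.
 * Build as a preload library:  gcc -shared -fPIC -o libhook.so hook.c       */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

/* RTLD_NEXT and dlvsym() are GNU extensions; keep them visible even if a
 * system header was pulled in before _GNU_SOURCE was defined. */
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)
#endif
extern void *dlvsym(void *handle, const char *symbol, const char *version);

/* Opaque stand-ins for the Xlib types that appear in XCreateWindow(). */
typedef struct _XDisplay Display;
typedef struct _Visual Visual;
typedef struct _XSetWindowAttributes XSetWindowAttributes;
typedef unsigned long Window;

typedef Window (*XCreateWindow_fn)(Display *, Window, int, int, unsigned int,
                                   unsigned int, unsigned int, int,
                                   unsigned int, Visual *, unsigned long,
                                   XSetWindowAttributes *);

/* Step S5 stand-in for the control centre: a local policy that refuses
 * windows whose area exceeds max_pixels (assumed rule, for illustration).
 * The division keeps width*height from overflowing. Returns 1 = allowed. */
int hook_policy_allows(unsigned int width, unsigned int height,
                       unsigned long max_pixels)
{
    if (width == 0 || height == 0)
        return 0;                       /* malformed request: refuse */
    return width <= max_pixels / height;
}

static unsigned long policy_limit(void)
{
    const char *s = getenv("HOOK_MAX_PIXELS");  /* assumed knob, default 4 Mpx */
    return s ? strtoul(s, NULL, 10) : 4000000UL;
}

/* Step S4: look up and cache the original XCreateWindow. RTLD_NEXT skips
 * this library and continues with the objects loaded after it (libX11).
 * With a symbol version, dlvsym() selects exactly that version, as the
 * patent describes; without one, plain dlsym() is used. */
XCreateWindow_fn hook_resolve_original(void)
{
    static XCreateWindow_fn orig;
    if (!orig) {
#ifdef HOOK_SYMBOL_VERSION
        orig = (XCreateWindow_fn) dlvsym(RTLD_NEXT, "XCreateWindow",
                                         HOOK_SYMBOL_VERSION);
#else
        orig = (XCreateWindow_fn) dlsym(RTLD_NEXT, "XCreateWindow");
#endif
    }
    return orig;
}

/* Steps S1/S3: export a symbol with exactly Xlib's XCreateWindow signature,
 * so the preloaded library satisfies the target process's reference first. */
Window XCreateWindow(Display *dpy, Window parent, int x, int y,
                     unsigned int width, unsigned int height,
                     unsigned int border_width, int depth,
                     unsigned int win_class, Visual *visual,
                     unsigned long valuemask, XSetWindowAttributes *attrs)
{
    XCreateWindow_fn orig = hook_resolve_original();

    /* Step S5: decide before touching the real API. */
    if (!hook_policy_allows(width, height, policy_limit())) {
        fprintf(stderr, "libhook: XCreateWindow %ux%u refused by policy\n",
                width, height);
        return 0;                       /* None: creation failed */
    }
    if (!orig) {                        /* no libX11 behind us: fail closed */
        fprintf(stderr, "libhook: original XCreateWindow not found\n");
        return 0;
    }
    /* Step S6: forward to the original and hand its result back. */
    return orig(dpy, parent, x, y, width, height, border_width, depth,
                win_class, visual, valuemask, attrs);
}
```

Once built, listing the absolute path of libhook.so in LD_PRELOAD or /etc/ld.so.preload (as step S2 describes) makes the loader resolve XCreateWindow in libhook.so before libX11; running the target program with LD_DEBUG=libs shows the preloaded library being loaded first.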
Example three:
based on the first embodiment, as shown in fig. 2, the present invention further discloses an application layer Hook implementation system based on the Linux system, which includes: the system comprises a derivation unit 1, a loading unit 2, a calling unit 3, an address acquisition unit 4, a service operation unit 5 and a return unit 6.
And the export unit 1 is used for compiling the dynamic link library and exporting the preset interface through the dynamic link library.
And the loading unit 2 is used for modifying the environment variables and the default configuration files which are loaded preferentially, increasing the absolute path of the dynamic link library and loading the dynamic link library in real time after the preset degree is started.
And the calling unit 3 is used for preferentially calling the interface of the dynamic link library when the target process calls the Hook API.
And the address acquisition unit 4 is used for acquiring and storing the original address of the system API in the interface of the dynamic link library.
And the business operation unit 5 is used for performing strategy judgment business operation by the interaction of the interface of the dynamic link library and a preset control center.
And the returning unit 6 is used for calling the original address of the system API after the strategy judgment service operation is finished, and returning the calling result to the target process.
Example four:
the embodiment discloses an application layer Hook implementation device based on a Linux system, which comprises a processor and a memory; when the processor executes the application layer Hook program based on the Linux system stored in the memory, the following steps are realized:
1. Compiling the dynamic link library, and exporting a preset interface through the dynamic link library.
2. Modifying the environment variable and the default configuration file that are loaded preferentially, and adding the absolute path of the dynamic link library so that the dynamic link library is loaded in real time once the preset program is started.
3. When the target process calls the hooked API, the interface of the dynamic link library is called first.
4. Acquiring and storing the original address of the system API inside the interface of the dynamic link library.
5. The interface of the dynamic link library interacts with a preset control center to carry out policy judgment business operations.
6. After the policy judgment business operation is completed, calling the original address of the system API, and returning the call result to the target process.
Further, the apparatus for implementing an application layer Hook based on the Linux system in this embodiment may further include:
and the input interface is used for acquiring an externally imported Linux system-based application layer Hook program, storing the acquired Linux system-based application layer Hook program into the memory, and also used for acquiring various instructions and parameters transmitted by external terminal equipment and transmitting the instructions and parameters into the processor, so that the processor can utilize the instructions and parameters to perform corresponding processing. In this embodiment, the input interface may specifically include, but is not limited to, a USB interface, a serial interface, a voice input interface, a fingerprint input interface, a hard disk reading interface, and the like.
And the output interface is used for outputting various data generated by the processor to the terminal equipment connected with the output interface, so that other terminal equipment connected with the output interface can acquire various data generated by the processor. In this embodiment, the output interface may specifically include, but is not limited to, a USB interface, a serial interface, and the like.
And the communication unit is used for establishing remote communication connection between the application layer Hook implementation device based on the Linux system and the external server so that the application layer Hook implementation device based on the Linux system can mount the mirror image file into the external server. In this embodiment, the communication unit may specifically include, but is not limited to, a remote communication unit based on a wireless communication technology or a wired communication technology.
And the keyboard is used for acquiring various parameter data or instructions that the user inputs by pressing keys in real time.
And the display is used for displaying relevant information in the short circuit positioning process of the power supply line of the running server in real time.
The mouse can be used for assisting a user in inputting data and simplifying the operation of the user.
Example five:
the present embodiments also disclose a readable storage medium, where the readable storage medium includes Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. The readable storage medium stores an application layer Hook program based on the Linux system, and the application layer Hook program based on the Linux system realizes the following steps when being executed by a processor:
1. Compiling the dynamic link library, and exporting a preset interface through the dynamic link library.
2. Modifying the environment variable and the default configuration file that are loaded preferentially, and adding the absolute path of the dynamic link library so that the dynamic link library is loaded in real time once the preset program is started.
3. When the target process calls the hooked API, the interface of the dynamic link library is called first.
4. Acquiring and storing the original address of the system API inside the interface of the dynamic link library.
5. The interface of the dynamic link library interacts with a preset control center to carry out policy judgment business operations.
6. After the policy judgment business operation is completed, calling the original address of the system API, and returning the call result to the target process.
In summary, the invention completes the loading of the custom dynamic library by modifying the system configuration and replaces the system API, so that the Hook reaches an API interface closer to user behavior, thereby realizing behavior analysis and control more accurately.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, where the computer software product is stored in a storage medium, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like, and the storage medium can store program codes, and includes instructions for enabling a computer terminal (which may be a personal computer, a server, or a second terminal, a network terminal, and the like) to perform all or part of the steps of the method in the embodiments of the present invention. The same and similar parts in the various embodiments in this specification may be referred to each other. Especially, for the terminal embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant points can be referred to the description in the method embodiment.
In the embodiments provided by the present invention, it should be understood that the disclosed system, system and method can be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, systems or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each module may exist alone physically, or two or more modules are integrated into one unit.
Similarly, each processing unit in the embodiments of the present invention may be integrated into one functional module, or each processing unit may exist physically, or two or more processing units are integrated into one functional module.
The invention is further described with reference to the accompanying drawings and specific embodiments. It should be understood that these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Further, it should be understood that various changes or modifications of the present invention may be made by those skilled in the art after reading the teaching of the present invention, and these equivalents also fall within the scope of the present application.

Claims (9)

1. A method for realizing an application layer Hook based on a Linux system, characterized by comprising the following steps:
S1: compiling a dynamic link library, and exporting a preset interface through the dynamic link library;
S2: modifying the environment variable and the default configuration file that are loaded preferentially, and adding the absolute path of the dynamic link library so that the dynamic link library is loaded in real time once the preset program is started;
S3: when the target process calls the hooked API, calling the interface of the dynamic link library first;
S4: acquiring and storing the original address of the system API inside the interface of the dynamic link library;
S5: the interface of the dynamic link library interacts with a preset control center to carry out policy judgment business operations;
S6: after the policy judgment business operation is completed, calling the original address of the system API, and returning the call result to the target process.
2. The method for implementing the Hook of the application layer based on the Linux system according to claim 1, wherein the step S4 specifically comprises:
and acquiring an API original address of a specified version number through a dlvsym interface.
3. The method for implementing the Hook on the application layer based on the Linux system of claim 1, wherein the preset interface is an interface completely consistent with the definition of the Hook API.
4. The Linux system-based application layer Hook implementation method of claim 1, wherein the dynamic link library is libhook.so.
5. The method for implementing the application layer Hook based on the Linux system of claim 1, wherein the environment variable and the default configuration file that are loaded preferentially are LD_PRELOAD and /etc/ld.so.preload.
6. The method of claim 2, wherein the predetermined interface is an XCreateWindow interface.
7. An application layer Hook implementation system based on a Linux system is characterized by comprising:
the export unit is used for compiling the dynamic link library and exporting the preset interface through the dynamic link library;
the loading unit is used for modifying the environment variable and the default configuration file which are loaded preferentially, increasing the absolute path of the dynamic link library and loading the dynamic link library in real time after the preset degree is started;
the calling unit is used for preferentially calling the interface of the dynamic link library when the target process calls the Hook API; the address acquisition unit is used for acquiring and storing an original address of the system API in an interface of the dynamic link library; the business operation unit is used for carrying out strategy judgment business operation by the interaction of the interface of the dynamic link library and a preset control center;
and the return unit is used for calling the original address of the system API after the strategy judgment service operation is finished and returning the calling result to the target process.
8. An application layer Hook implementation device based on a Linux system is characterized by comprising:
the memory is used for storing an application layer Hook program based on the Linux system;
a processor, configured to implement the steps of the Linux system based application layer Hook implementation method according to any one of claims 1 to 6 when executing the Linux system based application layer Hook program.
9. A readable storage medium, characterized by: the readable storage medium stores thereon a Linux system based application layer Hook program, which when executed by a processor implements the steps of the Linux system based application layer Hook implementing method as recited in any one of claims 1 to 6.
Application CN202111155242.4A, filed 2021-09-29 (priority date 2021-09-29), published as CN113805854A (en) on 2021-12-17; legal status: Pending.

Family ID: 78938906
Country status: CN (1) CN113805854A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115904548A (en) * 2023-01-09 2023-04-04 北京六方云信息技术有限公司 Dynamic loading method, device and system for application recognition algorithm model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination