CN113886774B - Anti-debugging method and device

Publication number: CN113886774B
Authority: CN (China)
Prior art keywords: state, memory, target, program, operating system
Legal status: Active
Application number: CN202111479156.9A
Other languages: Chinese (zh)
Other versions: CN113886774A (en)
Inventors: 樊兴华, 薛锋
Current Assignee: Beijing ThreatBook Technology Co Ltd
Original Assignee: Beijing ThreatBook Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Abstract

The embodiments of the application provide an anti-debugging method and device, relating to the technical field of network security. The anti-debugging method comprises: applying for a target virtual memory segment in the system memory of the operating system on which a target program runs; querying the memory state of the target virtual memory segment through a memory state query interface of the operating system; judging, according to the memory state, whether the target program is in a debugged state; and if so, controlling the target program to exit the running state. The method is therefore well concealed, is not easily bypassed by anti-anti-debugging techniques, achieves a good anti-debugging effect, and helps improve the security of program protection.

Description

Anti-debugging method and device
Technical Field
The application relates to the technical field of network security, in particular to an anti-debugging method and device.
Background
Anti-debugging is an important software protection technology and is particularly emphasized in game protection. When a program detects that it may be being debugged, it can change its normal execution path or modify its own code so that the protected program crashes, thereby increasing the time and complexity of debugging and effectively protecting the rights and interests in the program. Existing anti-debugging methods usually detect whether a software debugger exists on the computer or is running. In practice, however, the presence and running state of a software debugger can be hidden by an anti-anti-debugging tool, which causes the existing methods to fail. Existing methods are therefore poorly concealed and easily bypassed by anti-anti-debugging techniques, which reduces the security of program protection.
Disclosure of Invention
An object of the embodiments of the present application is to provide an anti-debugging method and apparatus that are well concealed, not easily bypassed by anti-anti-debugging techniques, effective at anti-debugging, and beneficial to improving the security of program protection.
A first aspect of an embodiment of the present application provides an anti-debugging method, including:
applying for a target virtual memory segment in the system memory of the operating system on which a target program runs;
inquiring the memory state of the target virtual memory segment through a memory state inquiry interface of the operating system;
judging whether the target program is in a debugged state or not according to the memory state;
and if so, controlling the target program to exit the running state.
In the implementation process, a target virtual memory segment is applied for in the system memory of the operating system on which the target program runs; the memory state of the target virtual memory segment is then queried through a memory state query interface of the operating system; whether the target program is in a debugged state is judged according to the memory state; and if so, the target program is controlled to exit the running state. The method is therefore well concealed, is not easily bypassed by anti-anti-debugging techniques, achieves a good anti-debugging effect, and helps improve the security of program protection.
Further, the applying for the target virtual memory segment in the system memory of the operating system in which the target program runs includes:
in a main thread of a target program, a target virtual memory segment is applied through a memory application interface provided by an operating system, and an initial memory state of the target virtual memory segment is designated as a reserved state, wherein the target program can run on the operating system.
Further, the querying the memory state of the target virtual memory segment through the memory state query interface of the operating system includes:
creating a target sub-thread in the main thread;
and in the target sub thread, inquiring the memory state of the target virtual memory segment through the memory state inquiry interface.
Further, the querying, in the target child thread, the memory state of the target virtual memory segment through the memory state querying interface includes:
scanning the working set state of the main thread in the target sub-thread;
the working set state is used as a query parameter to query the memory state through the memory state query interface, and an interface return result is obtained;
analyzing the interface return result to obtain data related to the memory state of the target virtual memory segment;
and determining the memory state according to the data related to the memory state.
Further, the determining whether the target program is in a debugged state according to the memory state includes:
judging whether the memory state is consistent with the initial memory state;
if so, determining that the target program is not in a debugged state;
if not, determining that the target program is in a debugged state, and executing the control to enable the target program to exit the running state.
Further, after the controlling the target program to exit the running state, the method further includes:
and acquiring system information of the operating system, and reporting debugged prompt information comprising the system information.
A second aspect of the embodiments of the present application provides an anti-debugging apparatus, including:
the memory application unit is used for applying for a target virtual memory segment in the system memory of the operating system on which a target program runs;
the query unit is used for querying the memory state of the target virtual memory segment through a memory state query interface of the operating system;
the judging unit is used for judging whether the target program is in a debugged state according to the memory state;
and the control unit is used for controlling the target program to exit the running state when the target program is judged to be in the debugged state.
In the implementation process, the memory application unit applies for a target virtual memory segment in the system memory of the operating system on which the target program runs; the query unit then queries the memory state of the target virtual memory segment through a memory state query interface of the operating system; the judging unit judges whether the target program is in a debugged state according to the memory state; and if so, the control unit controls the target program to exit the running state. The apparatus is therefore well concealed, is not easily bypassed by anti-anti-debugging techniques, achieves a good anti-debugging effect, and helps improve the security of program protection.
Further, the memory application unit is specifically configured to apply for a target virtual memory segment through a memory application interface provided by an operating system in a main thread of a target program, and designate an initial memory state of the target virtual memory segment as a reserved state, where the target program is capable of running on the operating system.
A third aspect of embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the anti-debugging method according to any one of the first aspect of embodiments of the present application.
A fourth aspect of the present embodiment provides a computer-readable storage medium, which stores computer program instructions, where the computer program instructions, when read and executed by a processor, perform the anti-debugging method according to any one of the first aspect of the present embodiment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of an anti-debugging method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of another anti-debugging method provided in the embodiment of the present application;
Fig. 3 is a schematic structural diagram of an anti-debugging apparatus according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of another anti-debugging apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to Fig. 1, Fig. 1 is a schematic flowchart of an anti-debugging method according to an embodiment of the present application. The anti-debugging method comprises the following steps:
S101, applying for a target virtual memory segment in the system memory of the operating system on which a target program runs.
In the embodiment of the application, the method is applied to software programs running in a Windows operating system. The operating system is specifically a Windows operating system, and the embodiment of the present application is not limited thereto.
In the embodiment of the present application, in the Windows operating system, each program has a virtual memory address space of the same size (generally larger than the physical memory capacity). Because the physical memory capacity of an actual computer is limited, the system associates only the virtual memory address segments that a program is actually using with physical memory; this process of associating a virtual memory address segment with physical memory is called "mapping".
S102, inquiring the memory state of the target virtual memory segment through a memory state inquiry interface of the operating system.
S103, judging whether the target program is in a debugged state according to the memory state, and if so, executing the step S104; if not, the flow is ended.
In this embodiment of the application, when the target program is not in the debugged state, the steps S102 to S103 may be repeatedly executed according to a preset cycle to monitor the debugged state.
S104, controlling the target program to exit the running state.
In this embodiment, an execution subject of the method may be an intelligent device such as a computer, a smart phone, a tablet computer, and the like, which is not limited in this embodiment.
In the embodiment of the application, the method implements anti-debugging by detecting the running characteristics of a software debugger, and can effectively discover whether the product is being analyzed by competitors, thereby protecting the core software assets of the software company.
Therefore, the anti-debugging method described in this embodiment is well concealed, is not easily bypassed by anti-anti-debugging techniques, achieves a good anti-debugging effect, and helps improve the security of program protection.
Example 2
Referring to fig. 2, fig. 2 is a schematic flowchart of another anti-debugging method according to an embodiment of the present application. As shown in fig. 2, the anti-debugging method includes:
S201, in a main thread of a target program, applying for a target virtual memory segment through a memory application interface provided by an operating system, and designating an initial memory state of the target virtual memory segment as a reserved state, wherein the target program can run on the operating system.
In the embodiment of the application, in the main thread of the program, a virtual memory segment is applied for by using a memory application interface provided by the Windows operating system (such as the VirtualAlloc interface) to obtain the target virtual memory segment, and the memory state of the target virtual memory segment can be designated as the reserved state.
In this embodiment, the step S201 is implemented to apply for the target virtual memory segment in the system memory of the operating system in which the target program runs.
In the embodiment of the application, in the Windows operating system, when a target program applies for a memory from the operating system in a virtual memory address space of the target program, the state of the required memory can be specified, and the current state of the memory can be queried or changed through an interface provided by the operating system.
In the embodiment of the present application, the specifiable memory states include a reserved state, a committed state, and the like, which is not limited in this embodiment of the present application. The committed state means that the virtual memory address segment is mapped to physical memory and then made available for the program to use.
In the embodiment of the present application, the initial memory state of the target virtual memory segment is designated as the reserved state, which means that the virtual memory address segment of the target program is reserved, and is not mapped to the physical memory.
S202, creating a target sub-thread in the main thread.
In the embodiment of the application, one sub-thread is created in the main thread of the program to obtain the target sub-thread.
In the embodiment of the application, one running program can have a plurality of threads, and when the program runs, a main thread executing the main code logic of the program can run simultaneously with a sub-thread executing a sub-function.
S203, scanning the working set state of the main thread in the target sub-thread.
After step S203, the following steps are also included:
S204, querying the memory state through the memory state query interface with the working set state as the query parameter, to obtain an interface return result.
In the embodiment of the present application, in the target sub-thread, the memory state query interface (NtQueryVirtualMemory) provided by the Windows system may be used to query the memory state of the virtual memory segment. When querying, the query parameter is specified as scanning the working set state (MemoryWorkingSetInformation) of the current process.
S205, analyzing the interface return result to obtain data related to the memory state of the target virtual memory segment.
S206, determining the memory state according to the data related to the memory state.
In the embodiment of the application, the return value of the memory state query interface provided by the Windows system is obtained, the data structure in the returned result (for example, MEMORY_WORKING_SET_EX_BLOCK) is parsed, and the data related to the memory state (for example, a value field) is extracted from that structure, so that the current memory state of the target virtual memory segment can be determined from this data.
In this embodiment, by implementing the steps S203 to S206, the memory state of the target virtual memory segment can be queried in the target child thread through the memory state query interface.
In this embodiment, by implementing the steps S202 to S206, the memory state of the target virtual memory segment can be queried through the memory state query interface of the operating system.
S207, judging whether the memory state is consistent with the initial memory state, and if so, executing a step S208; if not, step S209 is performed.
In the embodiment of the present application, in the process of debugging a target program by a software debugger, an essential function is: "view actual data of the specified virtual memory address fragment," the implementation of this function requires access to the virtual memory address fragment, whereas the operating system can only access the virtual memory address fragment that has been mapped to physical memory. If the target virtual memory segment is in the reserved state, the software debugger maps the target virtual memory segment to the physical memory and then performs actual access operation, so that the current memory state of the target virtual memory segment is changed from the initial memory state.
After step S207, the following steps are also included:
S208, determining that the target program is not in the debugged state, and ending the process.
In this embodiment of the application, when it is determined that the target program is not in the debugged state, the steps S201 to S207 may be repeatedly performed according to a preset period to perform the debugged state detection.
S209, determining that the target program is in a debugged state, and executing the step S210.
In the embodiment of the present application, by implementing the steps S207 to S209, whether the target program is in the debugged state can be determined according to the memory state.
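The parsing and comparison in steps S205 to S209, as an added example that is not code from the patent: it decodes the per-page value field and applies the consistency check to constructed samples. It assumes the field follows the documented PSAPI_WORKING_SET_EX_BLOCK bit layout and that the initial state is "not resident"; all function names and the "unreliable" verdict for the Bad bit are hypothetical additions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout ASSUMED from the documented PSAPI_WORKING_SET_EX_BLOCK union;
 * the page itself only names MEMORY_WORKING_SET_EX_BLOCK and "a value field". */
#define WSX_VALID(f)      ((unsigned)(((f) >> 0) & 0x1u))   /* page resident in working set */
#define WSX_SHARECOUNT(f) ((unsigned)(((f) >> 1) & 0x7u))
#define WSX_PROTECTION(f) ((unsigned)(((f) >> 4) & 0x7FFu)) /* Win32 protection, e.g. 0x04 */
#define WSX_SHARED(f)     ((unsigned)(((f) >> 15) & 0x1u))
#define WSX_BAD(f)        ((unsigned)(((f) >> 31) & 0x1u))

typedef struct {
    bool valid;            /* mapped to physical memory and in the working set */
    bool bad;              /* the entry could not be resolved by the system */
    bool shared;
    unsigned share_count;  /* only meaningful when valid */
    unsigned protection;   /* only meaningful when valid */
} wsx_block;

typedef enum { VERDICT_NOT_DEBUGGED, VERDICT_DEBUGGED, VERDICT_UNRELIABLE } wsx_verdict;

/* S205/S206: parse the returned value field into the memory-state data. */
wsx_block wsx_decode(uint64_t flags)
{
    wsx_block b;
    b.valid  = WSX_VALID(flags) != 0;
    b.bad    = WSX_BAD(flags) != 0;
    b.shared = WSX_SHARED(flags) != 0;
    /* For a non-resident page, bits 1..14 are reserved, so do not report them. */
    b.share_count = b.valid ? WSX_SHARECOUNT(flags) : 0;
    b.protection  = b.valid ? WSX_PROTECTION(flags) : 0;
    return b;
}

/* S207-S209: consistent with the initial state -> not debugged, otherwise debugged.
 * A Bad entry carries no usable state, so it yields no verdict (added edge case). */
wsx_verdict wsx_compare(uint64_t initial_flags, uint64_t current_flags)
{
    wsx_block init = wsx_decode(initial_flags);
    wsx_block cur  = wsx_decode(current_flags);
    if (init.bad || cur.bad)
        return VERDICT_UNRELIABLE;
    return (cur.valid != init.valid) ? VERDICT_DEBUGGED : VERDICT_NOT_DEBUGGED;
}

/* Periodic check: index of the first polled sample that deviates, or -1. */
long wsx_first_change(uint64_t initial_flags, const uint64_t *samples, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (wsx_compare(initial_flags, samples[i]) == VERDICT_DEBUGGED)
            return (long)i;
    return -1;
}

/* Constructed samples (not captured from a real system):
 * 0x00 not resident; 0x40 not resident with reserved bits set;
 * 0x41 resident, protection 0x04, share count 0. */
static const uint64_t constructed_samples[] = { 0x00, 0x40, 0x41, 0x41 };

int main(void)
{
    size_t n = sizeof constructed_samples / sizeof constructed_samples[0];
    for (size_t i = 0; i < n; i++) {
        wsx_block b = wsx_decode(constructed_samples[i]);
        printf("poll %zu: valid=%d protection=0x%x verdict=%d\n", i, (int)b.valid,
               b.protection, (int)wsx_compare(0x00, constructed_samples[i]));
    }
    printf("first deviating poll: %ld\n", wsx_first_change(0x00, constructed_samples, n));
    return 0;
}
```

On Windows the value would come from the query interface named in S204. The verdict holds only under the description's premise that no module of the program itself accesses the segment.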
S210, controlling the target program to exit the running state.
S211, obtaining system information of the operating system, and reporting debugged prompt information including the system information.
In the embodiment of the application, when the target program is detected to be in the debugged state, system information of the operating system is collected, and the running target program is exited.
In the embodiment of the application, the main thread of the program applies to the Windows operating system for a virtual memory address segment in the reserved state (namely, the target virtual memory segment), and a sub-thread is created in the program whose function is to check, at intervals, the state of the virtual memory address segment applied for in the main thread. Since no module in the program directly accesses this virtual memory address segment, a change of its state to "mapped to physical memory" can be taken to mean that a software debugger has accessed the segment, i.e., that the program is being debugged. At this point, evidence that the program is being analyzed by a competitor, together with information about the analyst, may be gathered, and the running program may be exited.
In the embodiment of the application, implementing the method avoids the defects of existing anti-debugging techniques, effectively discovers debugging behavior and thus whether the product is being analyzed by competitors, thereby protecting the core software assets of the software company.
Therefore, the anti-debugging method described in this embodiment is well concealed, is not easily bypassed by anti-anti-debugging techniques, achieves a good anti-debugging effect, and helps improve the security of program protection.
Example 3
Please refer to fig. 3, fig. 3 is a schematic structural diagram of an anti-debugging apparatus according to an embodiment of the present application. As shown in fig. 3, the anti-debug apparatus includes:
a memory application unit 310, configured to apply for a target virtual memory segment in a system memory of an operating system in which a target program runs;
a query unit 320, configured to query the memory state of the target virtual memory segment through a memory state query interface of the operating system;
a determining unit 330, configured to determine whether the target program is in a debugged state according to the memory state;
the control unit 340 is configured to, when it is determined that the target program is in the debugged state, control the target program to exit the running state.
In the embodiment of the present application, for the explanation of the anti-debugging apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
Therefore, the anti-debugging device described in this embodiment is well concealed, is not easily bypassed by anti-anti-debugging techniques, achieves a good anti-debugging effect, and helps improve the security of program protection.
Example 4
Referring to Fig. 4, Fig. 4 is a schematic structural diagram of another anti-debugging apparatus according to an embodiment of the present application. The anti-debugging apparatus shown in Fig. 4 is obtained by optimizing the anti-debugging apparatus shown in Fig. 3. As shown in Fig. 4, the memory application unit 310 is specifically configured to apply for a target virtual memory segment through a memory application interface provided by an operating system in a main thread of a target program, and designate an initial memory state of the target virtual memory segment as a reserved state, where the target program is capable of running on the operating system.
As an alternative embodiment, the query unit 320 includes:
a first subunit 321, configured to create a target sub-thread in a main thread;
the second subunit 322 is configured to query, in the target child thread, the memory state of the target virtual memory segment through the memory state query interface.
As an alternative embodiment, the second subunit 322 includes:
the first module is used for scanning the working set state of the main thread in the target sub-thread;
the second module is used for inquiring the memory state through the memory state inquiry interface by taking the working set state as an inquiry parameter to obtain an interface return result;
the third module is used for analyzing the interface return result to obtain data related to the memory state of the target virtual memory segment;
a fourth module for determining the memory status according to the data related to the memory status.
As an optional implementation, the determining unit 330 includes:
a third subunit 331, configured to determine whether the memory state is consistent with the initial memory state;
a fourth subunit 332, configured to determine that the target program is not in the debugged state when it is determined that the memory state is consistent with the initial memory state; and when the memory state is judged to be inconsistent with the initial memory state, determining that the target program is in a debugged state, and triggering the control unit 340 to control the target program to exit the running state.
As an optional implementation, the anti-debugging apparatus further includes:
the obtaining unit 350 is configured to obtain system information of the operating system after the target program is controlled to exit the running state, and report debugged prompt information including the system information.
In the embodiment of the present application, for the explanation of the anti-debugging apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
Therefore, the anti-debugging device described in this embodiment is well concealed, is not easily bypassed by anti-anti-debugging techniques, achieves a good anti-debugging effect, and helps improve the security of program protection.
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute an anti-debugging method in any one of embodiment 1 or embodiment 2 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions execute the anti-debugging method in any one of embodiment 1 or embodiment 2 of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (8)

1. An anti-debugging method, comprising:
applying for a target virtual memory segment in a system memory of an operating system on which a target program runs;
querying the memory state of the target virtual memory segment through a memory state query interface of the operating system;
judging whether the target program is in a debugged state according to the memory state;
if yes, controlling the target program to exit the running state;
wherein the applying for the target virtual memory segment in the system memory of the operating system on which the target program runs comprises:
in a main thread of the target program, applying for the target virtual memory segment through a memory application interface provided by the operating system, and designating an initial memory state of the target virtual memory segment as a reserved state, wherein the target program can run on the operating system.
2. The anti-debugging method according to claim 1, wherein the querying the memory state of the target virtual memory segment through a memory state query interface of the operating system comprises:
creating a target sub-thread in the main thread;
in the target sub-thread, querying the memory state of the target virtual memory segment through the memory state query interface.
3. The anti-debugging method of claim 2, wherein the querying, in the target sub-thread, the memory state of the target virtual memory segment through the memory state query interface comprises:
scanning the working set state of the main thread in the target sub-thread;
using the working set state as a query parameter to query the memory state through the memory state query interface, and obtaining an interface return result;
analyzing the interface return result to obtain data related to the memory state of the target virtual memory segment;
determining the memory state according to the data related to the memory state.
4. The anti-debugging method of claim 1, wherein the determining whether the target program is in a debugged state according to the memory state comprises:
judging whether the memory state is consistent with the initial memory state;
if so, determining that the target program is not in a debugged state;
if not, determining that the target program is in a debugged state, and executing the controlling of the target program to exit the running state.
5. The anti-debugging method according to claim 1, further comprising, after the controlling the target program to exit the running state:
acquiring system information of the operating system, and reporting debugged prompt information comprising the system information.
6. An anti-debugging apparatus, comprising:
the memory application unit is used for applying for a target virtual memory segment in a system memory of an operating system on which a target program runs;
the query unit is used for querying the memory state of the target virtual memory segment through a memory state query interface of the operating system;
the judging unit is used for judging whether the target program is in a debugged state according to the memory state;
the control unit is used for controlling the target program to exit the running state when the target program is judged to be in the debugged state;
the memory application unit is specifically configured to apply for a target virtual memory segment through a memory application interface provided by an operating system in a main thread of a target program, and designate an initial memory state of the target virtual memory segment as a reserved state, where the target program is capable of running on the operating system.
7. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the anti-debugging method of any one of claims 1 to 5.
8. A readable storage medium having stored therein computer program instructions which, when read and executed by a processor, perform the anti-debugging method of any one of claims 1 to 5.
CN202111479156.9A 2021-12-07 2021-12-07 Anti-debugging method and device Active CN113886774B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111479156.9A CN113886774B (en) 2021-12-07 2021-12-07 Anti-debugging method and device

Publications (2)

Publication Number Publication Date
CN113886774A CN113886774A (en) 2022-01-04
CN113886774B true CN113886774B (en) 2022-02-11

Family

ID=79015670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111479156.9A Active CN113886774B (en) 2021-12-07 2021-12-07 Anti-debugging method and device

Country Status (1)

Country Link
CN (1) CN113886774B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771762A (en) * 2009-01-06 2010-07-07 北京邮电大学 Method and system for dynamically loading services in service system
CN106778226A (en) * 2016-11-24 2017-05-31 四川无声信息技术有限公司 Shell document hulling method and device
CN110046479A (en) * 2019-03-21 2019-07-23 腾讯科技(深圳)有限公司 A kind of chained library file reverse adjustment method and device based on Android operation system
CN111090536A (en) * 2019-11-19 2020-05-01 北京字节跳动网络技术有限公司 Method, device, medium and electronic equipment for acquiring memory leakage information
CN111881449A (en) * 2020-07-31 2020-11-03 北京微步在线科技有限公司 Auxiliary analysis method and device for malicious codes
CN113612661A (en) * 2021-08-03 2021-11-05 北京安天网络安全技术有限公司 Method, device, computing equipment and storage medium for checking program stability

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9710357B2 (en) * 2012-08-04 2017-07-18 Microsoft Technology Licensing, Llc Function evaluation using lightweight process snapshots
CN107038373A (en) * 2017-04-28 2017-08-11 北京洋浦伟业科技发展有限公司 A kind of Process Debugging detection method and device
CN109684795B (en) * 2018-12-25 2023-01-24 成都卫士通信息产业股份有限公司 Method and device for anti-debugging of application program and electronic equipment
CN110096853B (en) * 2019-04-12 2022-10-21 福建天晴在线互动科技有限公司 Unity android application reinforcement method based on Mono and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
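Towards Transparent Debugging;Fengwei Zhang et al.;《Published online: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7439809》;20160323;pp. 1-15 *
Summary of anti-anti-debugging techniques on Windows;alphallab;《Published online: https://www.freebuf.com/jobs/181085.html》;20180822;pp. 1-30 *
Virtual memory process reconstruction and malicious behavior extended identification model;唐彰国 et al.;《Journal of Beijing University of Technology》;20181231;Vol. 44 (No. 4);pp. 538-545 *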

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant