CN113946347B - Function call detection method and device, electronic equipment and readable medium - Google Patents


Info

Publication number: CN113946347B
Authority: CN (China)
Prior art keywords: function, target, symbol, address, global
Legal status: Active
Application number: CN202111156285.4A
Other languages: Chinese (zh)
Other versions: CN113946347A (en)
Inventor: 王盟盟, 彭飞, 邓竹立
Current Assignee: Beijing 58 Information Technology Co Ltd
Original Assignee: Beijing 58 Information Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/40: Transformation of program code
    • G06F8/53: Decompilation; Disassembly

Abstract

The embodiment of the invention provides a function call detection method and device, electronic equipment and a readable medium. A global symbol table and a dynamic symbol table are obtained from an application engineering file, and a target symbol corresponding to a dynamic symbol of the dynamic symbol table is extracted from the global symbol table. A target function matching the function name to be detected, and the target address of that target function, are determined according to the target symbol. Determining the target symbol from the global symbol table by way of the dynamic symbol table locates the function and effectively improves the accuracy, pertinence and efficiency of function location. The global symbol table is then disassembled to generate assembly instructions, and whether the target function is called is detected according to the assembly instructions and the target address of the target function, generating a call detection result. Checking the function address of the target function against the assembly instructions performs call detection on the located function and achieves full detection of the calling condition of the target function in the application engineering file.

Description

Function call detection method and device, electronic equipment and readable medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method and an apparatus for detecting a function call, an electronic device, and a computer-readable medium.
Background
Xcode is an integrated development environment provided by Apple Inc. for developers. It can be used to develop applications for macOS, iOS, watchOS and tvOS, and offers a unified user interface for interface design, coding, testing and debugging. During project development of an application, a developer who wants to find a related function in the project can only search through the Xcode search box. That search cannot cover the whole project, so coverage is incomplete and missed detections are likely, and the function name has to be entered manually for every detection, so detection efficiency is low. Alternatively, the related function is hooked through a corresponding hook function and its position is found from the call stack. This approach depends heavily on the operations actually performed, and a function that is never reached is missed, so the related function cannot be detected effectively.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting function calls, electronic equipment and a computer-readable storage medium, which solve or partially solve the problems in the related art that the target functions of an application program file cannot be fully detected and that detection efficiency is low.
The embodiment of the invention discloses a method for detecting function call, which comprises the following steps:
acquiring an application engineering file, wherein the application engineering file comprises a global symbol table and a dynamic symbol table, and the dynamic symbol table comprises dynamic symbols;
extracting a target symbol corresponding to the dynamic symbol from the global symbol table;
determining a target function matched with the name of the function to be detected and a target address of the target function according to the target symbol;
disassembling the global symbol table to generate an assembly instruction corresponding to the global symbol table;
and carrying out call detection on the target function according to the assembly instruction and the target address, and generating a call detection result aiming at the target function.
Optionally, the extracting a target symbol corresponding to the dynamic symbol from the global symbol table includes:
and extracting a global symbol corresponding to the dynamic symbol from the global symbol table as a target symbol.
Optionally, the determining, according to the target symbol, a target function matched with the name of the function to be detected and a target address of the target function further includes:
acquiring a first offset address corresponding to the target symbol;
acquiring a target function name corresponding to the target symbol from the character string table by adopting the first offset address;
checking the target function name and the function name to be detected, and taking the function corresponding to the target function name which is the same as the function name to be detected as a target function;
and acquiring the target address of the target function.
Optionally, the disassembling the global symbol table and generating an assembly instruction corresponding to the global symbol table includes:
and disassembling the global symbol table to generate an assembly instruction corresponding to each global symbol.
Optionally, the assembly instruction includes an address instruction line, and the performing, according to the assembly instruction and the target address, call detection on the target function to generate a call detection result for the target function includes:
comparing the address instruction line of the assembly instruction with the target address of the target symbol, classifying the target symbol to obtain a function calling symbol and/or a non-function calling symbol;
and generating a calling detection result aiming at the target function by adopting the function calling symbol and the non-function calling symbol.
Optionally, the comparing the address instruction line of the assembler instruction with the target address of the target symbol, classifying the target symbol, and obtaining a function call symbol and/or a no function call symbol includes:
taking an assembly instruction of which the address instruction line contains the target address as a first assembly instruction, and taking a global symbol corresponding to the first assembly instruction as a function calling symbol;
and taking an assembly instruction of which the address instruction line does not contain the target address as a second assembly instruction, and taking a global symbol corresponding to the second assembly instruction as a no-function calling symbol.
Optionally, the target address includes a start address and an offset address, the application engineering file further includes a string table, and the method further includes:
extracting function content corresponding to the function calling symbol from the character string table by adopting the initial address and the second offset address of the function calling symbol, and acquiring a class name corresponding to the function content;
and generating a class name file corresponding to the application project file by adopting the class name corresponding to the function content.
The embodiment of the invention also discloses a device for detecting the function call, which comprises:
the system comprises an application project file acquisition module, a dynamic symbol table acquisition module and a dynamic symbol generation module, wherein the application project file acquisition module is used for acquiring an application project file, the application project file comprises a global symbol table and a dynamic symbol table, and the dynamic symbol table comprises dynamic symbols;
the target symbol extraction module is used for extracting a target symbol corresponding to the dynamic symbol from the global symbol table;
the target address determining module is used for determining a target function matched with the name of the function to be detected and a target address of the target function according to the target symbol;
the disassembling module is used for disassembling the global symbol table and generating an assembling instruction corresponding to the global symbol table;
and the calling detection result generation module is used for carrying out calling detection on the target function according to the assembly instruction and the target address and generating a calling detection result aiming at the target function.
Optionally, the global symbol table includes global symbols, and the target symbol extraction module is specifically configured to:
and extracting a global symbol corresponding to the dynamic symbol from the global symbol table as a target symbol.
Optionally, the application engineering file further includes a character string table, and the target address determining module includes:
a first offset address obtaining submodule, configured to obtain a first offset address corresponding to the target symbol;
a function name obtaining submodule, configured to obtain, from the character string table, a target function name corresponding to the target symbol by using the first offset address;
the target function determining submodule is used for verifying the target function name and the function name to be detected and taking a function corresponding to the target function name which is the same as the function name to be detected as a target function;
and the target address acquisition submodule is used for acquiring the target address of the target function.
Optionally, the disassembling module is specifically configured to:
and disassembling the global symbol table to generate an assembly instruction corresponding to each global symbol.
Optionally, the assembler instruction includes an address instruction line, and the call detection result generation module includes:
the address comparison submodule is used for comparing an address instruction line of the assembly instruction with a target address of the target symbol, classifying the target symbol and obtaining a function calling symbol and/or a non-function calling symbol;
and the calling detection result generation submodule is used for generating a calling detection result aiming at the target function by adopting the function calling symbol and the non-function calling symbol.
Optionally, the address comparison sub-module is specifically configured to:
taking an assembly instruction of which the address instruction line contains the target address as a first assembly instruction, and taking a global symbol corresponding to the first assembly instruction as a function calling symbol;
and taking an assembly instruction of which the address instruction line does not contain the target address as a second assembly instruction, and taking a global symbol corresponding to the second assembly instruction as a no-function calling symbol.
Optionally, the target address includes a start address and an offset address, the application engineering file further includes a string table, and the apparatus further includes:
a class name obtaining module, configured to extract, from the character string table, function content corresponding to the function calling symbol by using the start address and the second offset address of the function calling symbol, and obtain a class name corresponding to the function content;
and the class name file generating module is used for generating a class name file corresponding to the application engineering file by adopting the class name corresponding to the function content.
The embodiment of the invention also discloses electronic equipment which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory finish mutual communication through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method according to the embodiment of the present invention when executing the program stored in the memory.
Also disclosed are one or more computer-readable media having instructions stored thereon, which, when executed by one or more processors, cause the processors to perform a method according to an embodiment of the invention.
The embodiment of the invention has the following advantages:
In the embodiment of the invention, the global symbol table and the dynamic symbol table in the application engineering file are obtained, and the target symbol corresponding to a dynamic symbol of the dynamic symbol table is extracted from the global symbol table. The target function matching the name of the function to be detected, and the target address of the target function, are determined according to the target symbol. Determining the target symbol from the global symbol table by way of the dynamic symbol table locates the target function and effectively improves the accuracy, pertinence and efficiency of function location. The global symbol table is disassembled to generate the corresponding assembly instructions, and whether the target function is called is then detected according to the assembly instructions and the target address of the target function, generating the corresponding call detection result. Checking the function address of the target function against the assembly instructions performs call detection on the located function, achieves full detection of the calling condition of the target function in the application engineering file, and ensures the accuracy of the detection result.
Drawings
FIG. 1 is a flow chart illustrating steps of a method for detecting a function call according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of function detection provided in an embodiment of the present invention;
FIG. 3 is a block diagram of a function call detection apparatus provided in the embodiment of the present invention;
FIG. 4 is a block diagram of an electronic device provided in an embodiment of the invention;
FIG. 5 is a schematic diagram of a computer-readable medium provided in an embodiment of the invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Mach-O is the executable file format on the macOS operating system, similar to the PE (Portable Executable) format on Windows and the ELF (Executable and Linking Format) format on Linux. Code that a project developer writes in C, C++, Swift and Objective-C (OC) is finally compiled and linked into a Mach-O executable file.
Assembly language (assembly language) is a low-level language, also known as a symbolic language, for use in electronic computers, microprocessors, microcontrollers or other programmable devices. In assembly language, the operation code of a machine instruction is replaced by a mnemonic, and the address of the instruction or operand is replaced by an address symbol or label. In different devices, the assembly language corresponds to different machine language instruction sets and is converted into machine instructions through an assembly process. The specific assembly language and the specific machine language instruction set are in one-to-one correspondence, and the direct migration between different platforms is not available.
Xcode is an integrated development tool (IDE) running on the Mac OS X operating system, developed by Apple Inc. Xcode is the fastest way to develop macOS and iOS applications. Xcode has a unified user interface design, and coding, testing and debugging are all completed in one simple window.
fishhook is a tool provided by Facebook for dynamically modifying the linking of Mach-O files. It hooks C functions by modifying the pointers in the lazy loading table and the non-lazy loading table, making use of the way Mach-O files are loaded.
The C function may be a function written in the C language, which can be used as a programming language for the iOS operating system, iOS applications, the iPadOS operating system, iPadOS applications, the Mac OS X operating system, applications on Mac OS X, and the like. By detecting how C functions are called in the application project file, C functions that are never called can be effectively removed, which reduces the code size of the application project file and improves the running efficiency of the code.
As an example, when call detection is performed on the C functions of an application program file, the corresponding function name is entered manually in the Xcode input box for retrieval, or the C function is hooked through a corresponding hook function and its position is found from the call stack. However, searching directly in the Xcode search box cannot cover all of the application engineering files; for example, .m files inside a library are not exposed, so the C function is hard to find. The hook approach depends heavily on the operations actually performed, and functions that are never reached are easily missed. Neither approach achieves efficient detection. Therefore, the related art has the problems that full coverage cannot be achieved and detection efficiency is low when performing call detection on the C functions of an application engineering file.
One of the core points of the embodiment of the present invention is as follows. The global symbol table and the dynamic symbol table in the application engineering file are obtained, the target symbol corresponding to a dynamic symbol of the dynamic symbol table is extracted from the global symbol table, and the target function matching the name of the function to be detected, together with its target address, is determined according to the target symbol. Determining the target symbol from the global symbol table by way of the dynamic symbol table locates the target function and effectively improves the accuracy, pertinence and efficiency of function location. Because the global symbol table contains all (global) variables and functions implemented or used by the program, the global symbol table can be disassembled to generate the corresponding assembly instructions. Whether the target function is called is then detected according to the assembly instructions and the target address of the target function, and the corresponding call detection result is generated. In this way, whether the target function is called is judged by checking its function address against the assembly instructions, call detection is performed effectively on the located function, the calling condition of the target function in the application engineering file is fully detected, and the accuracy of the detection result is ensured.
Specifically, referring to fig. 1, a flowchart illustrating steps of a method for detecting a function call provided in the embodiment of the present invention is shown, which may specifically include the following steps:
Step 101, acquiring an application project file, wherein the application project file comprises a global symbol table and a dynamic symbol table, and the dynamic symbol table comprises dynamic symbols;
In the embodiment of the invention, the application engineering file can be the executable file generated after a developer develops the application on a terminal running the macOS operating system, namely a Mach-O file. The Mach-O file format provides strong extensibility and improves the access speed of information in the symbol table. The application engineering file may include a global symbol table and a dynamic symbol table. The global symbol table may be a data structure used in a language translator (e.g., a compiler or an interpreter), in which each identifier in the program source code is bound to its declaration or usage information, such as its data type, scope, and memory address. The dynamic symbol table may be used to store the imported and exported symbols related to dynamic linking, excluding the symbols internal to the module, and may be a subset of the global symbol table.
Optionally, a global symbol corresponding to the C function and an assembly instruction of the global symbol may be included in the global symbol table, and a symbol name, a type, a storage category, a scope, visibility, storage allocation information of a symbol variable, and other attributes of the symbol of the global symbol may also be included. The dynamic symbol associated with the dynamic link may be included in a dynamic symbol table.
Step 102, extracting a target symbol corresponding to the dynamic symbol from the global symbol table;
To detect C function calls, the section containing all C function calls in the application engineering file needs to be found. Dynamic linking uses delayed binding: before the delayed binding, each external symbol is added to the __stubs section as a dynamic-link stub, and __stubs holds all the system C functions called in the application engineering file and exists only as stub code. Because all system C functions reside in the system library, the address of such a C function in the global symbol table is 00000, so the target structure data of the C function cannot be determined from the global symbol table by address location. In addition, the entries of the global symbol table are nlist_64 structures, while the content of the dynamic symbol table is not structure data of that kind and cannot be parsed directly. However, parsing the dynamic symbol table depends on the global symbol table, and the data in the dynamic symbol table represents a position in the global symbol table. The corresponding target symbol can therefore be found by going from the dynamic symbol in the dynamic symbol table to the global symbol table, and parsing that target symbol yields the information corresponding to the C function.
In specific implementation, all system C functions in the application engineering file exist in stubs, and data of the C functions in the stubs are consistent with those in the dynamic symbol table, and the global symbol table may include global symbols corresponding to the C functions, so that, due to the association of the C functions and the dynamic symbols in the dynamic symbol table, global symbols corresponding to the dynamic symbols of the dynamic symbol table may be searched in the global symbol table as target symbols, and the location of the addresses of the C functions in the global symbol table is implemented by the location of the global symbols.
In one example, the dynamic symbol table is a subset of the global symbol table, and global symbols do not differ noticeably from dynamic symbols in their representation. The dynamic symbol table holds an index (position) for each dynamic symbol, and the global symbol corresponding to a dynamic symbol can be found in the global symbol table through that index. Using the relationship between dynamic symbol and C function data in the dynamic symbol table, and between dynamic symbol, global symbol and C function data in the global symbol table, the corresponding target symbol can be found by going from the dynamic symbol in the dynamic symbol table to the global symbol table, and parsing that target symbol yields the information corresponding to the C function. Specifically, in the Mach-O file, the corresponding global symbol can be found in the global symbol table through the index of each dynamic symbol in the dynamic symbol table, and the global symbol found is used as the target symbol corresponding to the C function. Determining the target symbol from the global symbol table by way of the dynamic symbol table locates the target function, effectively improves the accuracy, pertinence and efficiency of function location, and allows all C functions to be located.
Step 103, determining a target function matched with the name of the function to be detected and a target address of the target function according to the target symbol;
in the embodiment of the invention, after the C function is positioned in the global symbol table to obtain the corresponding target symbol, the target function matched with the name of the function to be detected and the target address of the target function can be obtained from the character string table of the application engineering file according to the target symbol. The function name to be detected can be a function name corresponding to a C function which needs function call detection; the target address can be a function call jump address of the C function in the application engineering file. Wherein, a character string table may be included in the application engineering file, the character string table may include a list of IDs, values and titles of all character strings, and so on, and then a corresponding target function and a target address of the target function may be determined from the character strings through information recorded by the target symbol.
In specific implementation, a first offset address corresponding to a target symbol may be obtained first, and a character string corresponding to a target function may be obtained from a character string table by using the first offset address, where the character string may be used to represent a target function name corresponding to a dynamic symbol, and then the target function name may be compared with a function name of a C function to be detected, and a function corresponding to a target function name that is the same as a function name to be detected may be used as a target function, and then the target address of the target function may be reserved. For the acquisition of the target function, the application engineering file can be traversed after the target function name is determined, so that the code segment of the target function name is acquired from the application engineering file, and the target function corresponding to the target function name is acquired from the code segment.
It should be noted that the global symbol may be an nlist_64 data structure, and nlist_64 may include an index value into the character string table, a section type, a function address, an optional address type, an offset address in the character string table, and the like. After the target symbol is determined from the global symbol table through the dynamic symbol table, the corresponding character string may be obtained from the character string table based on the offset position recorded in the target symbol, which determines the target function name corresponding to the dynamic symbol. The target function name may then be matched with the function name of the C function to be detected, and the target address of the target function on which call detection is to be performed is retained.
Optionally, the dynamic symbol table may correspond to all C functions, and when detecting the C functions of the Mach-O file, call detection may be performed on some types of C functions or on all of them. That is, if the function names to be detected are the function names of certain types of C functions, calls to those C functions in the Mach-O file can be detected in a targeted manner; if the function names to be detected are the function names of all C functions, C function calls in the Mach-O file can be detected in full. The function names to be detected can therefore be set as required, which improves the flexibility of C function detection and meets different development requirements.
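The lookup of steps 102 and 103, as an added example that is not code from the patent: each dynamic-symbol entry is used as an index into the nlist_64 table, the name is read from the string table at n_strx, and an imported function whose n_value is 0 is given the address of its stub as target address. It assumes that the patent's dynamic symbol table corresponds to the Mach-O indirect symbol table and that the stub section's address, stub size and first index are already known; the sample tables, names and addresses are constructed.

```python
import struct

NLIST_64 = struct.Struct("<IBBHQ")   # n_strx, n_type, n_sect, n_desc, n_value
INDIRECT_SYMBOL_LOCAL = 0x80000000   # entries carrying these flags do not
INDIRECT_SYMBOL_ABS = 0x40000000     # index the symbol table


def cstring_at(strtab, offset):
    """Return the NUL-terminated name stored at `offset` in the string table."""
    if not 0 <= offset < len(strtab):
        raise ValueError(f"n_strx {offset} is outside the string table")
    end = strtab.find(b"\0", offset)
    if end < 0:
        raise ValueError("unterminated name in string table")
    return strtab[offset:end].decode("utf-8", "replace")


def parse_symtab(symtab, strtab):
    """Decode every nlist_64 record into (name, n_type, n_sect, n_value)."""
    if len(symtab) % NLIST_64.size:
        raise ValueError("symbol table is not a whole number of nlist_64 records")
    return [(cstring_at(strtab, strx), n_type, n_sect, value)
            for strx, n_type, n_sect, _desc, value in NLIST_64.iter_unpack(symtab)]


def locate_targets(symtab, strtab, indirect, stubs, wanted):
    """Map each wanted function name to the address of its stub.

    `stubs` is (section address, stub size, first dynamic index, stub count).
    """
    if len(indirect) % 4:
        raise ValueError("dynamic symbol table is not a whole number of indices")
    symbols = parse_symtab(symtab, strtab)
    indices = struct.unpack(f"<{len(indirect) // 4}I", indirect)
    addr, stub_size, first, count = stubs
    if first + count > len(indices):
        raise ValueError("stub range runs past the dynamic symbol table")
    targets = {}
    for slot in range(count):
        sym_index = indices[first + slot]
        if sym_index & (INDIRECT_SYMBOL_LOCAL | INDIRECT_SYMBOL_ABS):
            continue  # no global symbol behind this entry
        if sym_index >= len(symbols):
            raise ValueError(f"dynamic symbol {slot} points past the symbol table")
        name = symbols[sym_index][0]
        if name in wanted:
            targets[name] = addr + slot * stub_size
    return targets


def build_sample():
    """Constructed tables: one defined function and three imported C functions."""
    names = ["_main", "_printf", "_strcpy", "_system"]
    strtab, offsets = b"\0", {}
    for name in names:
        offsets[name] = len(strtab)
        strtab += name.encode() + b"\0"
    # _main is defined in section 1; the imports are undefined with address 0.
    symtab = NLIST_64.pack(offsets["_main"], 0x0F, 1, 0, 0x100003E00)
    for name in names[1:]:
        symtab += NLIST_64.pack(offsets[name], 0x01, 0, 0, 0)
    indirect = struct.pack("<6I", 1, 2, 3, 1, 2, 3)  # stub slots, then pointer slots
    stubs = (0x100003F80, 12, 0, 3)                  # constructed section layout
    return symtab, strtab, indirect, stubs


if __name__ == "__main__":
    symtab, strtab, indirect, stubs = build_sample()
    found = locate_targets(symtab, strtab, indirect, stubs, {"_strcpy", "_system"})
    for name, address in found.items():
        print(f"{name}: {address:#x}")
```
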
Step 104, disassembling the global symbol table to generate an assembly instruction corresponding to the global symbol table;
in a specific implementation, after a target address of a target function is obtained, the global symbol table needs to be disassembled, and assembly instructions corresponding to all global symbols in the global symbol table are generated, so that the calling condition of the target address is detected according to the assembly instructions. The assembly instructions are some operational characters and mnemonics used in assembly language, and also include some pseudo instructions, and the assembly instructions correspond to machine instructions one by one.
Step 105, carrying out call detection on the target function according to the assembly instruction and the target address, and generating a call detection result aiming at the target function.
In the embodiment of the present invention, each assembler instruction may include an address instruction line, and the calling condition of the target function in the application engineering file may be verified by comparing the target address of the target function with the address instruction line of the assembler instruction, so as to obtain a calling detection result for the target function.
In a specific implementation, the address instruction line of the assembler instruction may be compared with the target address of the target symbol, the target symbol may be classified to obtain the symbol with the function call and/or the symbol without the function call, and then the symbol with the function call and the symbol without the function call may be used to generate the call detection result for the target function. In the process of judging whether the target function is called, an assembly instruction of an address instruction line containing a target address can be used as a first assembly instruction, and a global symbol corresponding to the first assembly instruction is used as a function calling symbol; and taking the assembly instruction of which the address instruction line does not contain the target address as a second assembly instruction, and taking a global symbol corresponding to the second assembly instruction as a non-function calling symbol.
A function calling symbol indicates that the target function corresponding to the target symbol is called in the application engineering file, and a non-function calling symbol indicates that the target function corresponding to the target symbol is not called in the application engineering file. Whether the target address corresponding to the target function exists can therefore be queried in the address instruction line of the assembly instruction. This implements call detection for the located target function, achieves full detection of how the target function is called in the application engineering file, and ensures the accuracy of the detection result.
Optionally, an assembly instruction may include components indicating a data source, a destination of an operation result, and an executed operation. For example, a C function call appears in the assembly instructions as "bl instruction + function address + ret instruction": the bl instruction may be used to indicate the data source, the function address may be used to indicate the destination of the operation result, and the ret instruction is the end instruction indicating the executed operation. The function address is the address instruction line. In the assembly instructions corresponding to each global symbol, the address instruction line that follows a bl instruction needs to be found before the ret instruction. The address instruction line is then compared with the target address of the target function to judge whether the target address exists in the address instruction line of the corresponding assembly instruction. If it does, the target function corresponding to the target symbol is called; if not, the target function corresponding to the target symbol is not called, and the next round of comparison is carried out until call detection has been completed for the target functions corresponding to all target symbols.
In one example, assume that the function names of the C functions to be detected are function name X1, function name X2 and function name X3; the dynamic symbol table includes dynamic symbol a, dynamic symbol b, dynamic symbol c, dynamic symbol d, and the like; and the global symbol table includes global symbol A (corresponding to dynamic symbol a), global symbol B (corresponding to dynamic symbol b), global symbol C (corresponding to dynamic symbol c), global symbol D (corresponding to dynamic symbol d), global symbol E, global symbol F, and the like. In the process of performing C function call detection on the application program file, the index of each dynamic symbol in the dynamic symbol table is traversed, and according to these indexes the target symbols in the global symbol table are determined to be global symbol A, global symbol B, global symbol C and global symbol D. Offset addresses are extracted from global symbol A, global symbol B, global symbol C and global symbol D, and the corresponding character strings are obtained from the character string table according to the offset addresses. The obtained character strings are the function names of the C functions corresponding to dynamic symbol a, dynamic symbol b, dynamic symbol c, dynamic symbol d and the like: function name Y1 corresponding to dynamic symbol a, function name Y2 corresponding to dynamic symbol b, function name Y3 corresponding to dynamic symbol c, and function name Y4 corresponding to dynamic symbol d. These function names are compared one by one with function name X1, function name X2 and function name X3. If function name Y1 is the same as function name X1, function name Y2 is the same as function name X2, function name Y3 is the same as function name X3, and function name Y4 is not in the list of C functions to be detected, the target functions are determined from the global symbol table through the dynamic symbol table, which effectively improves the accuracy, pertinence and efficiency of function positioning.
After the symbol positioning is completed, the target address recorded in the global symbol corresponding to function name Y1, the target address recorded in the global symbol corresponding to function name Y2 and the target address recorded in the global symbol corresponding to function name Y3 can be obtained. The global symbol table is disassembled to obtain the assembly instructions of each global symbol, and each target address is then compared with the address instruction lines in the assembly instructions to judge whether the target address exists in the corresponding assembly instruction. If it exists, the C function corresponding to that global symbol is called; if it does not exist, the C function corresponding to that global symbol is not called. If target address I and target address II exist in the address instruction lines of the corresponding assembly instructions, the C functions corresponding to global symbol A and global symbol B are called in the application engineering file, and global symbol A and global symbol B are function calling symbols. If target address III does not exist in the address instruction line of the corresponding assembly instruction, the C function corresponding to global symbol C is not called in the application engineering file, and global symbol C is a no-function calling symbol. After call detection of the corresponding C functions is completed, the no-function calling symbols and the function calling symbols can be summarized and the corresponding call detection result output. The function address of the target function is thus verified against the assembly instructions to judge whether the target function is called, so that call detection is effectively performed on the located function, full detection of how the target function is called in the application engineering file is achieved, and the accuracy of the detection result is ensured.
In addition, the target address may include a start address and an offset address, the start address may be a start position of the character string corresponding to the global symbol in the character string table, the offset address may be an offset relative to the start address, and the character string corresponding to the global symbol may be positionally located by the start address and the offset address, so as to extract function content corresponding to the global symbol in the character string table, and further obtain a function name, a class name, and the like corresponding to the function content. Specifically, after the function call detection is completed, the function content corresponding to the function call symbol may be extracted from the character string table by using the start address and the second offset address of the function call symbol, and the class name corresponding to the function content may be acquired, and then the class name corresponding to the function content may be used to generate a class name file corresponding to the application engineering file, so that after the function call detection is performed on the related C function, the class name corresponding to the called C function may be found, and the corresponding class name file may be output, so that a developer may view the call condition of the C function through the class name file, so as to perform corresponding processing on the application engineering file according to the call condition.
It should be noted that, the embodiment of the present invention includes but is not limited to the above examples, and it is understood that, under the guidance of the idea of the embodiment of the present invention, a person skilled in the art may also set the method according to practical requirements, and the present invention is not limited to this.
In the embodiment of the invention, the target symbol corresponding to the dynamic symbol of the dynamic symbol table is extracted from the global symbol table by obtaining the global symbol table and the dynamic symbol table in the application engineering file, the target function matched with the function name to be detected and the target address of the target function are determined according to the target symbol, the target symbol is determined from the global symbol table by the dynamic symbol table to realize the positioning of the target function, the accuracy, pertinence and efficiency of the function positioning are effectively improved, then the global symbol table is disassembled to generate the corresponding assembly instruction, then whether the target function is called or not is verified according to the assembly instruction and the target address of the target function to generate the corresponding calling detection result, the function address of the target function is verified according to the assembly instruction to judge whether the target function is called or not, the method and the device effectively carry out calling detection on the positioned function, realize the full detection of the calling condition of the target function in the application engineering file, and ensure the accuracy of the detection result.
In order to make those skilled in the art better understand the technical solutions of the embodiments of the present invention, the following is an exemplary description by way of an example.
Referring to fig. 2, which shows a schematic flow diagram of function detection provided in the embodiment of the present invention, a Mach-O application engineering file may include a dynamic symbol table and a global symbol table. The corresponding target symbol can be found in the global symbol table through the index of each dynamic symbol in the dynamic symbol table. Each target symbol can be an nlist_64 structure, which contains the offset address in the string table, the index value in the string table, the section type, the symbol address, the option type and the like. The character string corresponding to the target symbol is then found in the character string table of the application engineering file through the string table offset address recorded in the structure. The character string found is the target function name corresponding to each dynamic symbol in the dynamic symbol table, and the target address of the target function is found by string matching. Specifically, the target function name is compared with the function name of the C function to be detected, to check whether the target function corresponding to the target function name is the C function to be detected. If the target function is the C function to be detected, the corresponding target address is acquired.
In addition, after the target address of the target function has been obtained, the global symbols in the global symbol table need to be disassembled to obtain the assembly instructions of each global symbol. For a C function call, the assembly instructions in each symbol take the form "bl instruction + function address", and the assembly instructions of each symbol end with a "ret" instruction. Therefore, in the assembly instructions of each global symbol, the function address following the bl instruction is found before the ret instruction; this is the instruction line of the target function address. The function address following the bl instruction is compared with the target address of the target function: if they are the same, the target function is called, and if the target address of the target function does not exist among the function addresses of the assembly instructions, the function is not called. In this way, whether the target address corresponding to the target function exists in the address instruction line of the assembly instruction can be queried, which implements call detection for the located target function, achieves full detection of how the target function is called in the application engineering file, and ensures the accuracy of the detection result.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 3, a block diagram of a structure of a device for detecting a function call provided in the embodiment of the present invention is shown, and the device specifically includes the following modules:
an application engineering file obtaining module 301, configured to obtain an application engineering file, where the application engineering file includes a global symbol table and a dynamic symbol table, and the dynamic symbol table includes dynamic symbols;
a target symbol extracting module 302, configured to extract a target symbol corresponding to the dynamic symbol from the global symbol table;
a target address determining module 303, configured to determine, according to the target symbol, a target function matched with the name of the function to be detected and a target address of the target function;
the disassembling module 304 is configured to disassemble the global symbol table and generate an assembly instruction corresponding to the global symbol table;
a call detection result generating module 305, configured to perform call detection on the target function according to the assembler instruction and the target address, and generate a call detection result for the target function.
In an optional embodiment of the present invention, the global symbol table includes global symbols, and the target symbol extraction module 302 is specifically configured to:
and extracting a global symbol corresponding to the dynamic symbol from the global symbol table as a target symbol.
In an optional embodiment of the present invention, the application engineering file further includes a character string table, and the target address determining module 303 includes:
a first offset address obtaining submodule, configured to obtain a first offset address corresponding to the target symbol;
a function name obtaining submodule, configured to obtain, from the character string table, a target function name corresponding to the target symbol by using the first offset address;
the target function determining submodule is used for verifying the target function name and the function name to be detected and taking a function corresponding to the target function name which is the same as the function name to be detected as a target function;
and the target address acquisition submodule is used for acquiring the target address of the target function.
In an optional embodiment of the present invention, the disassembling module 304 is specifically configured to:
and disassembling the global symbol table to generate an assembly instruction corresponding to each global symbol.
In an optional embodiment of the present invention, the assembler instruction includes an address instruction line, and the call detection result generating module 305 includes:
the address comparison submodule is used for comparing an address instruction line of the assembly instruction with a target address of the target symbol, classifying the target symbol and obtaining a function calling symbol and/or a non-function calling symbol;
and the calling detection result generation submodule is used for generating a calling detection result aiming at the target function by adopting the function calling symbol and the non-function calling symbol.
In an optional embodiment of the present invention, the address comparison sub-module is specifically configured to:
taking an assembly instruction of which the address instruction line contains the target address as a first assembly instruction, and taking a global symbol corresponding to the first assembly instruction as a function calling symbol;
and taking an assembly instruction of which the address instruction line does not contain the target address as a second assembly instruction, and taking a global symbol corresponding to the second assembly instruction as a no-function-call symbol.
In an optional embodiment of the present invention, the target address includes a start address and an offset address, the application engineering file further includes a string table, and the apparatus further includes:
a class name obtaining module, configured to extract, from the character string table, function content corresponding to the function calling symbol by using the start address and the second offset address of the function calling symbol, and obtain a class name corresponding to the function content;
and the class name file generating module is used for generating a class name file corresponding to the application engineering file by adopting the class name corresponding to the function content.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
In addition, an electronic device is further provided in the embodiments of the present invention, as shown in fig. 4, and includes a processor 401, a communication interface 402, a memory 403, and a communication bus 404, where the processor 401, the communication interface 402, and the memory 403 complete mutual communication through the communication bus 404,
a memory 403 for storing a computer program;
the processor 401, when executing the program stored in the memory 403, implements the following steps:
acquiring an application engineering file, wherein the application engineering file comprises a global symbol table and a dynamic symbol table, and the dynamic symbol table comprises dynamic symbols;
extracting a target symbol corresponding to the dynamic symbol from the global symbol table;
determining a target function matched with the name of the function to be detected and a target address of the target function according to the target symbol;
disassembling the global symbol table to generate an assembly instruction corresponding to the global symbol table;
and carrying out call detection on the target function according to the assembly instruction and the target address, and generating a call detection result aiming at the target function.
In an optional embodiment of the present invention, the global symbol table includes global symbols, and the extracting target symbols corresponding to the dynamic symbols from the global symbol table includes:
and extracting a global symbol corresponding to the dynamic symbol from the global symbol table as a target symbol.
In an optional embodiment of the present invention, the determining, according to the target symbol, a target function matched with a name of a function to be detected and a target address of the target function further includes:
acquiring a first offset address corresponding to the target symbol;
acquiring a target function name corresponding to the target symbol from the character string table by adopting the first offset address;
checking the target function name and the function name to be detected, and taking the function corresponding to the target function name which is the same as the function name to be detected as a target function;
and acquiring the target address of the target function.
In an optional embodiment of the present invention, the disassembling the global symbol table and generating an assembly instruction corresponding to the global symbol table includes:
and disassembling the global symbol table to generate an assembly instruction corresponding to each global symbol.
In an optional embodiment of the present invention, the assembly instruction includes an address instruction line, and the performing, according to the assembly instruction and the target address, call detection on the target function to generate a call detection result for the target function includes:
comparing the address instruction line of the assembly instruction with the target address of the target symbol, classifying the target symbol to obtain a function calling symbol and/or a non-function calling symbol;
and generating a calling detection result aiming at the target function by adopting the function calling symbol and the non-function calling symbol.
In an optional embodiment of the present invention, the comparing the address instruction line of the assembler instruction with the target address of the target symbol, and classifying the target symbol to obtain a symbol with a function call and/or a symbol without a function call includes:
taking an assembly instruction of which the address instruction line contains the target address as a first assembly instruction, and taking a global symbol corresponding to the first assembly instruction as a function calling symbol;
and taking an assembly instruction of which the address instruction line does not contain the target address as a second assembly instruction, and taking a global symbol corresponding to the second assembly instruction as a no-function calling symbol.
In an optional embodiment of the present invention, the target address includes a start address and an offset address, the application project file further includes a string table, and the method further includes:
extracting function content corresponding to the function calling symbol from the character string table by adopting the initial address and the second offset address of the function calling symbol, and acquiring a class name corresponding to the function content;
and generating a class name file corresponding to the application project file by adopting the class name corresponding to the function content.
The communication bus mentioned in the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this is not intended to represent only one bus or type of bus.
The communication interface is used for communication between the terminal and other devices.
The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present invention, as shown in fig. 5, a computer-readable storage medium 501 is further provided, which stores instructions that, when executed on a computer, cause the computer to execute the method for detecting a function call described in the above embodiment.
In a further embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method for detecting a function call described in the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (8)

1. A method for detecting a function call, comprising:
acquiring an application engineering file, wherein the application engineering file comprises a global symbol table and a dynamic symbol table, and the dynamic symbol table comprises dynamic symbols;
extracting a target symbol corresponding to the dynamic symbol from the global symbol table;
determining a target function matched with the name of the function to be detected and a target address of the target function according to the target symbol;
disassembling the global symbol table to generate an assembly instruction corresponding to the global symbol table;
according to the assembly instruction and the target address, carrying out call detection on the target function, and generating a call detection result aiming at the target function;
the assembly instruction comprises an address instruction line, and the performing call detection on the target function according to the assembly instruction and the target address and generating a call detection result for the target function comprises the following steps:
taking an assembly instruction of which the address instruction line contains the target address as a first assembly instruction, and taking a global symbol corresponding to the first assembly instruction as a function calling symbol;
taking an assembly instruction of which the address instruction line does not contain the target address as a second assembly instruction, and taking a global symbol corresponding to the second assembly instruction as a no-function calling symbol;
and generating a calling detection result aiming at the target function by adopting the function calling symbol and the non-function calling symbol.
2. The method of claim 1, wherein the global symbol table includes global symbols, and wherein extracting the target symbols corresponding to the dynamic symbols from the global symbol table comprises:
and extracting a global symbol corresponding to the dynamic symbol from the global symbol table as a target symbol.
3. The method of claim 1, wherein the application engineering file further comprises a character string table, and the determining the target function matched with the name of the function to be detected and the target address of the target function according to the target symbol comprises:
acquiring a first offset address corresponding to the target symbol;
acquiring a target function name corresponding to the target symbol from the character string table by adopting the first offset address;
checking the target function name and the function name to be detected, and taking the function corresponding to the target function name which is the same as the function name to be detected as a target function;
and acquiring the target address of the target function.
4. The method according to claim 2, wherein the disassembling the global symbol table to generate an assembly instruction corresponding to the global symbol table comprises:
and disassembling the global symbol table to generate an assembly instruction corresponding to each global symbol.
5. The method of claim 1, wherein the target address comprises a start address and an offset address, wherein the application project file further comprises a string table, and wherein the method further comprises:
extracting function content corresponding to the function calling symbol from the character string table by adopting the initial address and the second offset address of the function calling symbol, and acquiring a class name corresponding to the function content;
and generating a class name file corresponding to the application project file by adopting the class name corresponding to the function content.
6. An apparatus for detecting a function call, comprising:
the application project file acquisition module is used for acquiring an application project file, wherein the application project file comprises a global symbol table and a dynamic symbol table, and the dynamic symbol table comprises dynamic symbols;
the target symbol extraction module is used for extracting a target symbol corresponding to the dynamic symbol from the global symbol table;
the target address determining module is used for determining a target function matched with the name of the function to be detected and a target address of the target function according to the target symbol;
the disassembling module is used for disassembling the global symbol table and generating an assembling instruction corresponding to the global symbol table;
the calling detection result generation module is used for carrying out calling detection on the target function according to the assembly instruction and the target address and generating a calling detection result aiming at the target function;
wherein, the assembly instruction comprises an address instruction line, and the calling detection result generation module comprises:
the address comparison submodule is used for taking an assembly instruction of which the address instruction line contains the target address as a first assembly instruction and taking a global symbol corresponding to the first assembly instruction as a function calling symbol;
taking an assembly instruction of which the address instruction line does not contain the target address as a second assembly instruction, and taking a global symbol corresponding to the second assembly instruction as a no-function calling symbol;
and the calling detection result generation submodule is used for generating a calling detection result aiming at the target function by adopting the function calling symbol and the non-function calling symbol.
7. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus;
the memory is used for storing a computer program;
the processor, when executing a program stored on the memory, implementing the method of any of claims 1-5.
8. A computer-readable medium having stored thereon instructions, which when executed by one or more processors, cause the processors to perform the method of any one of claims 1-5.
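
The lookup and classification steps recited in the claims above, as an added Python example (not code from the patent): a name is read from the string table at a symbol's offset, the target address is resolved through the dynamic symbols, and each global symbol is classified by whether its disassembly references that address. The table layout, symbol names, addresses and disassembly lines are constructed assumptions.

```python
import re

# Constructed sample data (assumed layout, not taken from the patent).
STRTAB = b"\x00_main\x00_helper\x00_unused\x00_dlopen\x00"
GLOBAL_SYMS = [(1, 0x100003F00), (7, 0x100003F40),   # (string offset, address)
               (15, 0x100003F80), (23, 0x100004010)]
DYNAMIC_SYMS = [3]                                   # indexes into GLOBAL_SYMS
DISASM = {                                           # per-symbol instruction lines
    "_main": ["100003f00 stp x29, x30, [sp, #-16]!",
              "100003f04 bl 0x100003f40", "100003f08 ret"],
    "_helper": ["100003f40 mov x1, #2",
                "100003f44 bl 0x100004010", "100003f48 ret"],
    "_unused": ["100003f80 ret"],
}

def name_at(strtab: bytes, offset: int) -> str:
    """Read the NUL-terminated name starting at `offset` in the string table."""
    if not 0 <= offset < len(strtab):
        raise ValueError(f"string offset {offset} outside table")
    end = strtab.find(b"\x00", offset)
    if end == -1:
        raise ValueError("unterminated string table entry")
    return strtab[offset:end].decode("ascii")

def find_target(strtab, global_syms, dynamic_syms, wanted):
    """Resolve each dynamic symbol in the global table; return the matching address."""
    for index in dynamic_syms:
        strx, address = global_syms[index]
        if name_at(strtab, strx) == wanted:
            return address
    return None

def classify_callers(disasm, target):
    """Split symbols into (calling, non-calling) by operand address."""
    callers, non_callers = [], []
    for symbol, lines in disasm.items():
        # Compare parsed operand values, not substrings, so a longer
        # address that merely contains the target digits does not match.
        hit = any(int(tok, 16) == target
                  for line in lines
                  for tok in re.findall(r"\b0x[0-9a-fA-F]+\b", line))
        (callers if hit else non_callers).append(symbol)
    return callers, non_callers

if __name__ == "__main__":
    addr = find_target(STRTAB, GLOBAL_SYMS, DYNAMIC_SYMS, "_dlopen")
    print(hex(addr), classify_callers(DISASM, addr))
```

Matching on the operand address only sees direct references; a call made through a register or a computed pointer never shows the target address in its instruction line and is reported as non-calling.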
CN202111156285.4A 2021-09-29 2021-09-29 Function call detection method and device, electronic equipment and readable medium Active CN113946347B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111156285.4A CN113946347B (en) 2021-09-29 2021-09-29 Function call detection method and device, electronic equipment and readable medium

Publications (2)

Publication Number Publication Date
CN113946347A (en) 2022-01-18
CN113946347B (en) 2022-07-08

Family

ID=79329480

Country Status (1)

Country Link
CN (1) CN113946347B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103761089A (en) * 2014-01-14 2014-04-30 清华大学 Method for determining dynamic function call relation based on register transfer languages
CN111881455A (en) * 2020-07-27 2020-11-03 绿盟科技集团股份有限公司 Firmware security analysis method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109814939B (en) * 2017-11-20 2021-10-15 华为技术有限公司 Dynamic loading method, and target file manufacturing method and device
CN108549538B (en) * 2018-04-11 2021-03-02 深圳市腾讯网络信息技术有限公司 Code detection method and device, storage medium and test terminal
CN112596739B (en) * 2020-12-17 2022-03-04 北京五八信息技术有限公司 Data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant