CN113946803A - Method and device for automatic bypass by having anti-debugging mechanism for target program - Google Patents

Method and device for automatic bypass by having anti-debugging mechanism for target program Download PDF

Info

Publication number
CN113946803A
CN113946803A CN202111255594.7A CN202111255594A CN113946803A CN 113946803 A CN113946803 A CN 113946803A CN 202111255594 A CN202111255594 A CN 202111255594A CN 113946803 A CN113946803 A CN 113946803A
Authority
CN
China
Prior art keywords
signal
module
processing function
signal processing
target program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111255594.7A
Other languages
Chinese (zh)
Inventor
刘星
刘富坚
孟方方
郑汉军
黄惠海
叶青
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Anscen Network Technology Co ltd
Original Assignee
Xiamen Anscen Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Anscen Network Technology Co ltd filed Critical Xiamen Anscen Network Technology Co ltd
Priority to CN202111255594.7A priority Critical patent/CN113946803A/en
Publication of CN113946803A publication Critical patent/CN113946803A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/14Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating
    • G06F9/44505Configuring for program initiating, e.g. using registry, configuration files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating
    • G06F9/44521Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the application discloses a method and a device for automatically bypassing a target program with an anti-debugging mechanism, wherein the method comprises the following steps: traversing all modules loaded in the system, judging whether the modules belong to a target program, and recording module information of the modules belonging to the target program if the modules belong to the target program; calling a signal processing function, traversing all signal values of the system to obtain a registered processing signal related function, judging whether a signal processing function signal belongs to a target program module, if so, registering a new general signal processing function to replace the original signal processing function signal, and storing the original signal processing function; after receiving the signal, the target program starts a new general signal processing function, saves a context value, and acquires a corresponding original signal processing function signal according to the signal value to call; and after the original signal processing function signal returns, judging whether the key register values in the context values are the same or not, and if the key register values are different, dynamically modifying and/or statically modifying the code.

Description

Method and device for automatic bypass by having anti-debugging mechanism for target program
Technical Field
The application relates to the technical field of computer software reverse analysis, in particular to a method and a device for automatic bypass by aiming at a target program with an anti-debugging mechanism.
Background
Debugging is one of the most common techniques for software reverse analysis and reverse, and plays a very important role in the security fields of virus analysis, vulnerability analysis and the like. However, some software authors, especially malware authors, often apply some technical means to prevent others from analyzing their own software. Among these techniques, the inverse debugging can be said to be one of the most widely used techniques. Currently, popular anti-debug technologies can be mainly classified into two categories, one is based on a debugger detection technology, and the other is based on a debugger interference technology.
In the process of program analysis, reverse analysis and dynamic debugging of programs (Linux and Android ELF files) are required to be performed without source codes, but the programs are interfered by adopting a reverse analysis and reverse debugging mechanism. In the running process of the target program, some signal processing functions are actively registered, then some signals (such as SIGLL) are actively triggered when running to some occasions (such as a key code flow), and then register values (such as PC) are modified in the processing functions, so that the purpose of dynamically modifying the execution of the program flow is achieved, and the purposes of static analysis and dynamic debugging are interfered.
In order to increase the analysis difficulty of the ELF file, the execution path is usually modified dynamically, which interferes with dynamic and static analysis, and increases the analysis difficulty, wherein a Linux signal machine is used as a common anti-debugging method.
Therefore, how to eliminate interference, reduce analysis difficulty and restore a real call flow relationship is an urgent problem to be solved in the field.
Disclosure of Invention
The embodiment of the application provides a method and a device for automatically bypassing a target program with an anti-debugging mechanism, so as to solve the technical problems mentioned in the background technology section.
In a first aspect, an embodiment of the present application provides a method for automatic bypassing with an anti-debugging mechanism for a target program, where the method includes the following steps:
s1, traversing all modules loaded in the current computer system, judging whether the modules belong to the target program, responding to the fact that the templates belong to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and a size of the executable code loaded in the modules;
s2, traversing all signal values of the computer system by calling a signal processing function to obtain a registered processing signal related function, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously storing the original signal processing function;
s3, after the target program receives the signal, starting a new general signal processing function, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and S4, after the original signal processing function signal returns, judging whether the key register values in the context value are the same, in response to the fact that the key register values are different, carrying out dynamic modification and/or static modification codes, and in response to the fact that the key register values are the same, not carrying out processing.
And S1-S4, positioning the self-defined signal processing function of the program by using the module base address and the signal processing function address, and registering a new general signal processing function to change the program flow, thereby restoring the real call flow relation.
In some embodiments, steps S1-S4 are each performed in a dynamic link library file, the method further comprising:
creating dynamic link library file, injecting the dynamic link library file into the running target program of the computer system, completing the loading of the dynamic link library file, and executing the operations S1-S4 in the constructor of the dynamic link library file.
The purpose of performing the above operations in the constructor is to: after the dynamic link library file is loaded, the code attached with the function can be automatically executed.
In some embodiments, the traversing all modules loaded in the current computer system in step S1, and determining whether a module belongs to the target program, specifically further includes:
traversing all modules loaded in the current computer system through a/proc/self/maps file;
judging whether the module belongs to the target program or not by comparing the path of the module;
if the module belongs to the target program, recording module information of the module belonging to the target program, wherein the module information comprises a base address and a size loaded by an executable code in the module, and recording the module information into the map by taking the path as key and the base address and the size as values; and if the module does not belong to the target program, not processing.
By the method, the modules belonging to the target program are filtered out firstly, and the module information is recorded, while the modules not belonging to the target program are not processed, so that the processing speed can be effectively improved.
In some embodiments, the determining in step S2 whether the signal processing function signal in the processed signal correlation function belongs to the module belonging to the target program further includes:
determining whether the signal processing function signal address is in the base address of the module or in a range of the base address of the module which is increased;
in response to determining that it is within the range of the base address of the module or the base address of the module 7 is increasing, determining that the signal processing function signal belongs to the module of the target program.
By the method, the module of the signal processing function belonging to the target program can be conveniently and quickly judged and identified for the next operation, and if the signal processing function belongs to the default of the computer system or is registered by other modules of the non-target program, the signal processing function is not processed.
In some embodiments, the determining in step S2 determines whether the signal processing function signal in the processed signal correlation function belongs to a module belonging to the target program, and in response to determining that the signal processing function signal belongs, registers a new general signal processing function to replace the original signal processing function signal, and simultaneously saves the original signal processing function signal to a map, where key of the map is the signal number, and the value of the map is the signal processing function of the original signal.
In some embodiments, in response to determining that the key register values are not the same in step S4, performing dynamic modification and/or static modification on the code, specifically further includes:
calculating a real jump address according to a key register value in the context value before and after modification;
dynamically modifying codes pointed by the register to change indirect jump into direct jump;
and recording and storing the data of the register into a database for a static analysis tool to use so as to eliminate the interference codes of the static analysis.
The operation can simplify the flow and realize dynamic modification or static modification of the code.
In a second aspect, an embodiment of the present application provides an apparatus for automatic bypassing with an anti-debugging mechanism for a target program, where the apparatus includes:
the determining module is used for traversing all modules loaded in the current computer system, judging whether the modules belong to the target program or not, responding to the fact that the determining module belongs to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and size of loading of an executable code in the module;
the replacing module is used for obtaining a registered processing signal related function by calling the signal processing function and traversing all signal values of the computer system, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously storing the original signal processing function;
the starting module is used for starting a new general signal processing function after the target program receives the signal, firstly storing a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and the modification module is used for judging whether the key register values in the context values are the same or not after the original signal processing function signal returns, performing dynamic modification and/or static modification codes in response to the fact that the key register values are different, and not performing processing in response to the fact that the key register values are the same.
In some embodiments, the apparatus further comprises:
the creating module is used for creating a dynamic link library file and injecting the dynamic link library file into a running target program of the computer system, and the determining module, the replacing module, the starting module and the modifying module are all stored in the dynamic link library file.
In a third aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, the computer program, when executed by a processor, implementing the method according to any one of the above.
According to the method and the device for automatically bypassing the target program with the anti-debugging mechanism, the original signal processing function signal defined by the module base address and the processing signal function address positioning program is utilized, the program flow is changed by utilizing signal processing, interference can be effectively eliminated, the analysis difficulty is reduced, and the real call flow relation is restored.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings in which:
FIG. 1 is a flow diagram of one embodiment of a method for automatic bypass with an anti-debug mechanism for a target program according to the present application;
FIG. 2 is a schematic flow chart diagram illustrating another embodiment of a method for automatic bypassing for a target program with an anti-debug mechanism in accordance with the present application;
FIG. 3 is a block diagram illustrating one embodiment of an apparatus for automatic bypassing for a target program with an anti-debug mechanism according to the present application;
fig. 4 is a schematic structural diagram of a computer system suitable for implementing the terminal device or the server according to the embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 shows a flowchart 100 of an embodiment of a method for automatic bypass with an anti-debugging mechanism for a target program according to the present application, and fig. 2 is a flowchart of another specific embodiment, which is combined with fig. 1 and fig. 2, and the method for automatic bypass includes the following steps:
step 101, creating a dynamic link library file, injecting the dynamic link library file into a running target program of the computer system, completing loading of the dynamic link library file, and executing the operation of step 102 and step 105 in a constructor (constructor) of the dynamic link library file.
In this embodiment, the injection manner for injecting the dynamic link library file into the target program being run by the computer system may be LD _ load or other injection manners. All functions are completed in the dynamically linked library file, and the purpose of placing subsequent operations in the constructor (constructor) is to: after the dynamic link library file is loaded, the function code of step 102 and step 105 can be automatically executed.
Step 102, traversing all modules loaded in the current computer system, judging whether the modules belong to the target program, responding to the fact that the templates belong to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and a size of the executable code loaded in the modules. The computer system is a Linux system.
In this embodiment, traversing all modules loaded in the current computer system, and determining whether a module belongs to the target program, specifically further includes:
after the dynamic link library file is loaded, traversing all modules loaded in the current computer system through a/proc/self/maps file;
judging whether the module belongs to the target program or not by comparing the path of the module;
if the module belongs to the target program, recording module information of the module belonging to the target program, wherein the module information comprises a base address and a size loaded by an executable code in the module, and recording the module information into the map by taking the path as key and the base address and the size as values; and if the module does not belong to the target program, not processing.
The module that belongs to the target program is filtered out and the module information is recorded, and the module that does not belong to the target program is not processed, so that the processing speed can be effectively increased.
Step 103, traversing all signal values of the computer system by calling the signal processing function to obtain a registered processed signal correlation function (struct signal), judging whether a signal processing function signal in the processed signal correlation function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously storing the original signal processing function.
The processing signal correlation function (struct signal) comprises signal, signal and signal captyset, and the computer system is a Linux system.
In this embodiment, determining whether a signal processing function signal in the processed signal correlation function belongs to the module belonging to the target program specifically further includes:
determining whether the signal processing function signal address is in the base address of the module or in a range of the base address of the module which is increased;
in response to determining that it is within the range of the base address of the module or the base address of the module 7 is increasing, determining that the signal processing function signal belongs to the module of the target program.
In this way, the module which identifies the signal processing function as belonging to the target program can be conveniently and quickly judged for the next operation, and if not, the signal processing function is judged to be the default of the computer system or other modules which are not the target program and are registered, so that the signal processing function is not processed.
Further, in this embodiment, the original signal processing function may be saved in a map, where key of the map is the signal number, and the value (value) of the map is the signal processing function of the original signal.
After the above steps are completed, the target program does not enter the signal processing function set by the program any more after receiving the signal, but enters a new general signal processing function set by the dynamic link library file.
And step 104, after the target program receives the signal, starting a new general signal processing function, firstly saving a context value, and then acquiring a corresponding original signal processing function signal from the map according to the signal value for calling.
And 105, after the original signal processing function signal returns, judging whether the key register values in the context values are the same or not, performing dynamic modification and/or static modification codes in response to the fact that the key register values are different, and not performing processing in response to the fact that the key register values are the same.
In this embodiment, by comparing whether the key register value (e.g. PC) in the context value is the same, if so, it indicates that the code flow is not changed; if different, the code flow is said to have changed in the signal processing function.
Further, in this embodiment, in response to determining that the key register values are not the same, performing dynamic modification and/or static modification on the code, specifically, the method further includes:
calculating a real jump address according to a key register value in the context values before and after modification, such as a PC register value;
the real jump address is PC register value-module base address, and the module base address can be obtained through/proc/self/maps in the system or through an interface (such as dl _ iterative _ phdr) provided by the system.
Then, dynamically modifying the code pointed by the PC register to change the indirect jump into direct jump, thereby simplifying the flow;
or, the data of the PC register is recorded and stored in the database and is provided for a static analysis tool to use during static analysis, and the static analysis tool can remove the interference code of the static analysis according to the relevant information.
According to the method, the original signal processing function signal defined by the module base address and the processing signal function address positioning program is utilized, the program flow is changed by utilizing signal processing, interference can be effectively eliminated, the analysis difficulty is reduced, and the real calling flow relation is restored.
With further reference to fig. 3, as an implementation of the method shown in fig. 1, the present application provides an embodiment of an apparatus for performing automatic bypassing with an anti-debugging mechanism for a target program, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 1, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 3, the apparatus 200 for automatically bypassing with an anti-debugging mechanism for a target program according to the present embodiment includes:
the creating module 201 is configured to create a dynamic link library file, and inject the dynamic link library file into an object program running on the computer system, where the determining module 202, the replacing module 203, the starting module 204, and the modifying module 205 mentioned below are all stored.
The determining module 202 is configured to traverse all modules loaded in the current computer system, determine whether a module belongs to the target program, and record module information of the module belonging to the target program in response to determining that the template belongs to the target program, where the module information includes a base address and a size of an executable code loaded in the module.
The replacing module 203 is used for obtaining a registered processing signal related function by calling the signal processing function and traversing all signal values of the computer system, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously storing the original signal processing function;
the starting module 204 is used for starting a new general signal processing function after the target program receives the signal, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and the modification module 205 is configured to determine whether a key register value in the context value is the same after the original signal processing function signal returns, perform dynamic modification and/or static modification on the code in response to determining that the key register value is different, and perform no processing in response to determining that the key register value is the same.
Referring now to FIG. 4, a block diagram of a computer system 300 suitable for implementing a terminal device or server of the embodiments of the present application is shown. The terminal device or the server shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 4, the computer system 300 includes a Central Processing Unit (CPU)301 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)302 or a program loaded from a storage section 308 into a Random Access Memory (RAM) 303. In the RAM303, various programs and data necessary for the operation of the system 300 are also stored. The CPU301, ROM302, and RAM303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
The following components are connected to the I/O interface 305: an input portion 306 including a keyboard, a mouse, and the like; an output section 307 including a Liquid Crystal Display (LCD) and the like and a speaker and the like; a storage section 308 including a hard disk and the like; and a communication section 309 including a network interface card such as a LAN card, a modem, or the like. The communication section 309 performs communication processing via a network such as the internet. A drive 310 is also connected to the I/O interface 305 as needed. A removable medium 311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 310 as necessary, so that a computer program read out therefrom is mounted into the storage section 308 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 309, and/or installed from the removable medium 311. The computer program performs the above-described functions defined in the method of the present application when executed by the Central Processing Unit (CPU) 301. It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer readable medium or any combination of the two. A computer readable medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an acquisition module, an analysis module, and an output module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (9)

1. A method for automatic bypass with an anti-debug mechanism for a target program, the method comprising the steps of:
s1, traversing all modules loaded in the current computer system, judging whether the modules belong to a target program, responding to the fact that the templates belong to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and a size of the module for loading executable codes;
s2, traversing all signal values of the computer system by calling a signal processing function to obtain a registered processing signal related function, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously saving the original signal processing function;
s3, after the target program receives the signal, starting the new general signal processing function, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and S4, after the original signal processing function signal returns, judging whether the key register values in the context value are the same, in response to determining that the key register values are different, performing dynamic modification and/or static modification codes, and in response to determining that the key register values are the same, not performing processing.
2. The method for automatic bypassing with anti-debug mechanism for a target program as claimed in claim 1, wherein said steps S1-S4 are all performed in a dynamic link library file, said method further comprising:
creating a dynamic link library file, injecting the dynamic link library file into the target program running in the computer system, completing the loading of the dynamic link library file, and executing the operations of the steps S1-S4 in the constructor of the dynamic link library file.
3. The method as claimed in claim 1, wherein the step S1 of traversing all modules loaded in the current computer system and determining whether the module belongs to the target program further comprises:
traversing all modules loaded in the current computer system through a/proc/self/maps file;
judging whether the module belongs to the target program or not by comparing the path of the module;
if the module belongs to the target program, recording module information of the module belonging to the target program, wherein the module information comprises a base address and a size loaded by an executable code in the module, and recording the module information into a map by taking a path as a key and the base address and the size as values; and if the module does not belong to the target program, not processing.
4. The method as claimed in claim 1, wherein the determining in step S2 whether the signal processing function signal in the processed signal correlation function belongs to a module of the target program further comprises:
determining whether the signal processing function signal address is within a base address of the module or a range in which the base address of the module is increased;
in response to determining that the signal processing function signal belongs to a module of the target program, the module is determined to be at a base address of the module or within a range of the base address of the module being larger.
5. The method of claim 1, wherein the determining in step S2 is to determine whether a signal processing function signal in the processed signal related function belongs to the module of the target program, and in response to determining that the signal processing function signal belongs to, registering a new general signal processing function to replace the original signal processing function signal while saving the original signal processing function signal to the map, wherein key of the map is the signal number, and value of the map is the signal processing function of the original signal.
6. The method as claimed in claim 1, wherein the step S4 of performing dynamic modification and/or static modification of the code in response to determining that the key register values are not the same, further comprises:
calculating a real jump address according to the key register value in the context value before and after modification;
dynamically modifying codes pointed by the register to change indirect jump into direct jump;
and recording and storing the data of the register into a database for a static analysis tool to use so as to eliminate the interference codes of the static analysis.
7. An apparatus for automatic bypassing with an anti-debug mechanism for a target program, the apparatus comprising:
the determining module is used for traversing all modules loaded in the current computer system, judging whether the modules belong to a target program or not, responding to the fact that the determining module belongs to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and size of loading of executable codes in the modules;
the replacing module is used for traversing all signal values of the computer system by calling a signal processing function to obtain a registered processing signal related function, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace an original signal processing function signal and simultaneously storing the original signal processing function;
the starting module is used for starting the new general signal processing function after the target program receives the signal, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and the modification module is used for judging whether the key register values in the context values are the same or not after the original signal processing function signal returns, carrying out dynamic modification and/or static modification codes in response to the fact that the key register values are different, and not carrying out processing in response to the fact that the key register values are the same.
8. The apparatus for automatic bypassing with an anti-debug mechanism for a target program of claim 7, further comprising:
the creating module is used for creating a dynamic link library file and injecting the dynamic link library file into the target program which is running in the computer system, and the determining module, the replacing module, the starting module and the modifying module are all stored in the dynamic link library file.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-6.
CN202111255594.7A 2021-10-27 2021-10-27 Method and device for automatic bypass by having anti-debugging mechanism for target program Pending CN113946803A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111255594.7A CN113946803A (en) 2021-10-27 2021-10-27 Method and device for automatic bypass by having anti-debugging mechanism for target program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111255594.7A CN113946803A (en) 2021-10-27 2021-10-27 Method and device for automatic bypass by having anti-debugging mechanism for target program

Publications (1)

Publication Number Publication Date
CN113946803A true CN113946803A (en) 2022-01-18

Family

ID=79332766

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111255594.7A Pending CN113946803A (en) 2021-10-27 2021-10-27 Method and device for automatic bypass by having anti-debugging mechanism for target program

Country Status (1)

Country Link
CN (1) CN113946803A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116383827A (en) * 2023-03-17 2023-07-04 中广核智能科技(深圳)有限责任公司 Method, system and storage medium for safely unloading trusted function mechanism
CN117873414A (en) * 2024-03-12 2024-04-12 麒麟软件有限公司 X11-based linux program appointed display method and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116383827A (en) * 2023-03-17 2023-07-04 中广核智能科技(深圳)有限责任公司 Method, system and storage medium for safely unloading trusted function mechanism
CN117873414A (en) * 2024-03-12 2024-04-12 麒麟软件有限公司 X11-based linux program appointed display method and device

Similar Documents

Publication Publication Date Title
CN110502357B (en) Stack backtracking method, device, medium and equipment
CN113946803A (en) Method and device for automatic bypass by having anti-debugging mechanism for target program
CN113961919B (en) Malicious software detection method and device
KR101979329B1 (en) Method and apparatus for tracking security vulnerable input data of executable binaries thereof
CN110659210A (en) Information acquisition method and device, electronic equipment and storage medium
CN114138281A (en) Compiling method, device, equipment and medium of software engineering
US20120054724A1 (en) Incremental static analysis
CN106484779B (en) File operation method and device
CN110908882A (en) Performance analysis method and device of application program, terminal equipment and medium
CN116795486A (en) Analysis method and device for container mirror image file purification, storage medium and terminal
US20230141948A1 (en) Analysis and Testing of Embedded Code
CN116700768B (en) Application processing method and related device
CN111506904A (en) Method and device for online vulnerability repair
CN113821486B (en) Method and device for determining dependency relationship between pod libraries and electronic equipment
CN115712918A (en) File protection method based on Linux system and electronic equipment
CN114936368A (en) Java memory Trojan detection method, terminal device and storage medium
CN110377499B (en) Method and device for testing application program
US9477448B2 (en) Screen-oriented computing program refactoring
CN113504904A (en) User-defined function implementation method and device, computer equipment and storage medium
CN112214220B (en) Method, apparatus and device for integrated system
CN106897588B (en) Processing method and device of label function
CN116414424B (en) Thermal updating method, device, equipment and storage medium
CN111382017A (en) Fault query method, device, server and storage medium
CN113296834B (en) Android closed source service type information extraction method based on reverse engineering
CN112230935B (en) Privacy risk detection method, device and equipment in application

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination