CN113946803A - Method and device for automatic bypass by having anti-debugging mechanism for target program - Google Patents
Method and device for automatic bypass by having anti-debugging mechanism for target program Download PDFInfo
- Publication number
- CN113946803A CN113946803A CN202111255594.7A CN202111255594A CN113946803A CN 113946803 A CN113946803 A CN 113946803A CN 202111255594 A CN202111255594 A CN 202111255594A CN 113946803 A CN113946803 A CN 113946803A
- Authority
- CN
- China
- Prior art keywords
- signal
- module
- processing function
- signal processing
- target program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 230000007246 mechanism Effects 0.000 title claims abstract description 19
- 230000006870 function Effects 0.000 claims description 113
- 230000004044 response Effects 0.000 claims description 27
- 230000004048 modification Effects 0.000 claims description 26
- 238000012986 modification Methods 0.000 claims description 26
- 230000003068 static effect Effects 0.000 claims description 20
- 238000004590 computer program Methods 0.000 claims description 11
- 238000005314 correlation function Methods 0.000 claims description 7
- 230000008859 change Effects 0.000 claims description 4
- 238000010586 diagram Methods 0.000 description 9
- 238000005516 engineering process Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000002347 injection Methods 0.000 description 2
- 239000007924 injection Substances 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 230000009131 signaling function Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 238000012038 vulnerability analysis Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiment of the application discloses a method and a device for automatically bypassing a target program with an anti-debugging mechanism, wherein the method comprises the following steps: traversing all modules loaded in the system, judging whether the modules belong to a target program, and recording module information of the modules belonging to the target program if the modules belong to the target program; calling a signal processing function, traversing all signal values of the system to obtain a registered processing signal related function, judging whether a signal processing function signal belongs to a target program module, if so, registering a new general signal processing function to replace the original signal processing function signal, and storing the original signal processing function; after receiving the signal, the target program starts a new general signal processing function, saves a context value, and acquires a corresponding original signal processing function signal according to the signal value to call; and after the original signal processing function signal returns, judging whether the key register values in the context values are the same or not, and if the key register values are different, dynamically modifying and/or statically modifying the code.
Description
Technical Field
The application relates to the technical field of computer software reverse analysis, in particular to a method and a device for automatic bypass by aiming at a target program with an anti-debugging mechanism.
Background
Debugging is one of the most common techniques for software reverse analysis and reverse, and plays a very important role in the security fields of virus analysis, vulnerability analysis and the like. However, some software authors, especially malware authors, often apply some technical means to prevent others from analyzing their own software. Among these techniques, the inverse debugging can be said to be one of the most widely used techniques. Currently, popular anti-debug technologies can be mainly classified into two categories, one is based on a debugger detection technology, and the other is based on a debugger interference technology.
In the process of program analysis, reverse analysis and dynamic debugging of programs (Linux and Android ELF files) are required to be performed without source codes, but the programs are interfered by adopting a reverse analysis and reverse debugging mechanism. In the running process of the target program, some signal processing functions are actively registered, then some signals (such as SIGLL) are actively triggered when running to some occasions (such as a key code flow), and then register values (such as PC) are modified in the processing functions, so that the purpose of dynamically modifying the execution of the program flow is achieved, and the purposes of static analysis and dynamic debugging are interfered.
In order to increase the analysis difficulty of the ELF file, the execution path is usually modified dynamically, which interferes with dynamic and static analysis, and increases the analysis difficulty, wherein a Linux signal machine is used as a common anti-debugging method.
Therefore, how to eliminate interference, reduce analysis difficulty and restore a real call flow relationship is an urgent problem to be solved in the field.
Disclosure of Invention
The embodiment of the application provides a method and a device for automatically bypassing a target program with an anti-debugging mechanism, so as to solve the technical problems mentioned in the background technology section.
In a first aspect, an embodiment of the present application provides a method for automatic bypassing with an anti-debugging mechanism for a target program, where the method includes the following steps:
s1, traversing all modules loaded in the current computer system, judging whether the modules belong to the target program, responding to the fact that the templates belong to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and a size of the executable code loaded in the modules;
s2, traversing all signal values of the computer system by calling a signal processing function to obtain a registered processing signal related function, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously storing the original signal processing function;
s3, after the target program receives the signal, starting a new general signal processing function, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and S4, after the original signal processing function signal returns, judging whether the key register values in the context value are the same, in response to the fact that the key register values are different, carrying out dynamic modification and/or static modification codes, and in response to the fact that the key register values are the same, not carrying out processing.
And S1-S4, positioning the self-defined signal processing function of the program by using the module base address and the signal processing function address, and registering a new general signal processing function to change the program flow, thereby restoring the real call flow relation.
In some embodiments, steps S1-S4 are each performed in a dynamic link library file, the method further comprising:
creating dynamic link library file, injecting the dynamic link library file into the running target program of the computer system, completing the loading of the dynamic link library file, and executing the operations S1-S4 in the constructor of the dynamic link library file.
The purpose of performing the above operations in the constructor is to: after the dynamic link library file is loaded, the code attached with the function can be automatically executed.
In some embodiments, the traversing all modules loaded in the current computer system in step S1, and determining whether a module belongs to the target program, specifically further includes:
traversing all modules loaded in the current computer system through a/proc/self/maps file;
judging whether the module belongs to the target program or not by comparing the path of the module;
if the module belongs to the target program, recording module information of the module belonging to the target program, wherein the module information comprises a base address and a size loaded by an executable code in the module, and recording the module information into the map by taking the path as key and the base address and the size as values; and if the module does not belong to the target program, not processing.
By the method, the modules belonging to the target program are filtered out firstly, and the module information is recorded, while the modules not belonging to the target program are not processed, so that the processing speed can be effectively improved.
In some embodiments, the determining in step S2 whether the signal processing function signal in the processed signal correlation function belongs to the module belonging to the target program further includes:
determining whether the signal processing function signal address is in the base address of the module or in a range of the base address of the module which is increased;
in response to determining that it is within the range of the base address of the module or the base address of the module 7 is increasing, determining that the signal processing function signal belongs to the module of the target program.
By the method, the module of the signal processing function belonging to the target program can be conveniently and quickly judged and identified for the next operation, and if the signal processing function belongs to the default of the computer system or is registered by other modules of the non-target program, the signal processing function is not processed.
In some embodiments, the determining in step S2 determines whether the signal processing function signal in the processed signal correlation function belongs to a module belonging to the target program, and in response to determining that the signal processing function signal belongs, registers a new general signal processing function to replace the original signal processing function signal, and simultaneously saves the original signal processing function signal to a map, where key of the map is the signal number, and the value of the map is the signal processing function of the original signal.
In some embodiments, in response to determining that the key register values are not the same in step S4, performing dynamic modification and/or static modification on the code, specifically further includes:
calculating a real jump address according to a key register value in the context value before and after modification;
dynamically modifying codes pointed by the register to change indirect jump into direct jump;
and recording and storing the data of the register into a database for a static analysis tool to use so as to eliminate the interference codes of the static analysis.
The operation can simplify the flow and realize dynamic modification or static modification of the code.
In a second aspect, an embodiment of the present application provides an apparatus for automatic bypassing with an anti-debugging mechanism for a target program, where the apparatus includes:
the determining module is used for traversing all modules loaded in the current computer system, judging whether the modules belong to the target program or not, responding to the fact that the determining module belongs to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and size of loading of an executable code in the module;
the replacing module is used for obtaining a registered processing signal related function by calling the signal processing function and traversing all signal values of the computer system, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously storing the original signal processing function;
the starting module is used for starting a new general signal processing function after the target program receives the signal, firstly storing a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and the modification module is used for judging whether the key register values in the context values are the same or not after the original signal processing function signal returns, performing dynamic modification and/or static modification codes in response to the fact that the key register values are different, and not performing processing in response to the fact that the key register values are the same.
In some embodiments, the apparatus further comprises:
the creating module is used for creating a dynamic link library file and injecting the dynamic link library file into a running target program of the computer system, and the determining module, the replacing module, the starting module and the modifying module are all stored in the dynamic link library file.
In a third aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, the computer program, when executed by a processor, implementing the method according to any one of the above.
According to the method and the device for automatically bypassing the target program with the anti-debugging mechanism, the original signal processing function signal defined by the module base address and the processing signal function address positioning program is utilized, the program flow is changed by utilizing signal processing, interference can be effectively eliminated, the analysis difficulty is reduced, and the real call flow relation is restored.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings in which:
FIG. 1 is a flow diagram of one embodiment of a method for automatic bypass with an anti-debug mechanism for a target program according to the present application;
FIG. 2 is a schematic flow chart diagram illustrating another embodiment of a method for automatic bypassing for a target program with an anti-debug mechanism in accordance with the present application;
FIG. 3 is a block diagram illustrating one embodiment of an apparatus for automatic bypassing for a target program with an anti-debug mechanism according to the present application;
fig. 4 is a schematic structural diagram of a computer system suitable for implementing the terminal device or the server according to the embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 shows a flowchart 100 of an embodiment of a method for automatic bypass with an anti-debugging mechanism for a target program according to the present application, and fig. 2 is a flowchart of another specific embodiment, which is combined with fig. 1 and fig. 2, and the method for automatic bypass includes the following steps:
In this embodiment, the injection manner for injecting the dynamic link library file into the target program being run by the computer system may be LD _ load or other injection manners. All functions are completed in the dynamically linked library file, and the purpose of placing subsequent operations in the constructor (constructor) is to: after the dynamic link library file is loaded, the function code of step 102 and step 105 can be automatically executed.
In this embodiment, traversing all modules loaded in the current computer system, and determining whether a module belongs to the target program, specifically further includes:
after the dynamic link library file is loaded, traversing all modules loaded in the current computer system through a/proc/self/maps file;
judging whether the module belongs to the target program or not by comparing the path of the module;
if the module belongs to the target program, recording module information of the module belonging to the target program, wherein the module information comprises a base address and a size loaded by an executable code in the module, and recording the module information into the map by taking the path as key and the base address and the size as values; and if the module does not belong to the target program, not processing.
The module that belongs to the target program is filtered out and the module information is recorded, and the module that does not belong to the target program is not processed, so that the processing speed can be effectively increased.
The processing signal correlation function (struct signal) comprises signal, signal and signal captyset, and the computer system is a Linux system.
In this embodiment, determining whether a signal processing function signal in the processed signal correlation function belongs to the module belonging to the target program specifically further includes:
determining whether the signal processing function signal address is in the base address of the module or in a range of the base address of the module which is increased;
in response to determining that it is within the range of the base address of the module or the base address of the module 7 is increasing, determining that the signal processing function signal belongs to the module of the target program.
In this way, the module which identifies the signal processing function as belonging to the target program can be conveniently and quickly judged for the next operation, and if not, the signal processing function is judged to be the default of the computer system or other modules which are not the target program and are registered, so that the signal processing function is not processed.
Further, in this embodiment, the original signal processing function may be saved in a map, where key of the map is the signal number, and the value (value) of the map is the signal processing function of the original signal.
After the above steps are completed, the target program does not enter the signal processing function set by the program any more after receiving the signal, but enters a new general signal processing function set by the dynamic link library file.
And step 104, after the target program receives the signal, starting a new general signal processing function, firstly saving a context value, and then acquiring a corresponding original signal processing function signal from the map according to the signal value for calling.
And 105, after the original signal processing function signal returns, judging whether the key register values in the context values are the same or not, performing dynamic modification and/or static modification codes in response to the fact that the key register values are different, and not performing processing in response to the fact that the key register values are the same.
In this embodiment, by comparing whether the key register value (e.g. PC) in the context value is the same, if so, it indicates that the code flow is not changed; if different, the code flow is said to have changed in the signal processing function.
Further, in this embodiment, in response to determining that the key register values are not the same, performing dynamic modification and/or static modification on the code, specifically, the method further includes:
calculating a real jump address according to a key register value in the context values before and after modification, such as a PC register value;
the real jump address is PC register value-module base address, and the module base address can be obtained through/proc/self/maps in the system or through an interface (such as dl _ iterative _ phdr) provided by the system.
Then, dynamically modifying the code pointed by the PC register to change the indirect jump into direct jump, thereby simplifying the flow;
or, the data of the PC register is recorded and stored in the database and is provided for a static analysis tool to use during static analysis, and the static analysis tool can remove the interference code of the static analysis according to the relevant information.
According to the method, the original signal processing function signal defined by the module base address and the processing signal function address positioning program is utilized, the program flow is changed by utilizing signal processing, interference can be effectively eliminated, the analysis difficulty is reduced, and the real calling flow relation is restored.
With further reference to fig. 3, as an implementation of the method shown in fig. 1, the present application provides an embodiment of an apparatus for performing automatic bypassing with an anti-debugging mechanism for a target program, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 1, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 3, the apparatus 200 for automatically bypassing with an anti-debugging mechanism for a target program according to the present embodiment includes:
the creating module 201 is configured to create a dynamic link library file, and inject the dynamic link library file into an object program running on the computer system, where the determining module 202, the replacing module 203, the starting module 204, and the modifying module 205 mentioned below are all stored.
The determining module 202 is configured to traverse all modules loaded in the current computer system, determine whether a module belongs to the target program, and record module information of the module belonging to the target program in response to determining that the template belongs to the target program, where the module information includes a base address and a size of an executable code loaded in the module.
The replacing module 203 is used for obtaining a registered processing signal related function by calling the signal processing function and traversing all signal values of the computer system, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously storing the original signal processing function;
the starting module 204 is used for starting a new general signal processing function after the target program receives the signal, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and the modification module 205 is configured to determine whether a key register value in the context value is the same after the original signal processing function signal returns, perform dynamic modification and/or static modification on the code in response to determining that the key register value is different, and perform no processing in response to determining that the key register value is the same.
Referring now to FIG. 4, a block diagram of a computer system 300 suitable for implementing a terminal device or server of the embodiments of the present application is shown. The terminal device or the server shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 4, the computer system 300 includes a Central Processing Unit (CPU)301 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)302 or a program loaded from a storage section 308 into a Random Access Memory (RAM) 303. In the RAM303, various programs and data necessary for the operation of the system 300 are also stored. The CPU301, ROM302, and RAM303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
The following components are connected to the I/O interface 305: an input portion 306 including a keyboard, a mouse, and the like; an output section 307 including a Liquid Crystal Display (LCD) and the like and a speaker and the like; a storage section 308 including a hard disk and the like; and a communication section 309 including a network interface card such as a LAN card, a modem, or the like. The communication section 309 performs communication processing via a network such as the internet. A drive 310 is also connected to the I/O interface 305 as needed. A removable medium 311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 310 as necessary, so that a computer program read out therefrom is mounted into the storage section 308 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 309, and/or installed from the removable medium 311. The computer program performs the above-described functions defined in the method of the present application when executed by the Central Processing Unit (CPU) 301. It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer readable medium or any combination of the two. A computer readable medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an acquisition module, an analysis module, and an output module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.
Claims (9)
1. A method for automatic bypass with an anti-debug mechanism for a target program, the method comprising the steps of:
s1, traversing all modules loaded in the current computer system, judging whether the modules belong to a target program, responding to the fact that the templates belong to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and a size of the module for loading executable codes;
s2, traversing all signal values of the computer system by calling a signal processing function to obtain a registered processing signal related function, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace the original signal processing function signal and simultaneously saving the original signal processing function;
s3, after the target program receives the signal, starting the new general signal processing function, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and S4, after the original signal processing function signal returns, judging whether the key register values in the context value are the same, in response to determining that the key register values are different, performing dynamic modification and/or static modification codes, and in response to determining that the key register values are the same, not performing processing.
2. The method for automatic bypassing with anti-debug mechanism for a target program as claimed in claim 1, wherein said steps S1-S4 are all performed in a dynamic link library file, said method further comprising:
creating a dynamic link library file, injecting the dynamic link library file into the target program running in the computer system, completing the loading of the dynamic link library file, and executing the operations of the steps S1-S4 in the constructor of the dynamic link library file.
3. The method as claimed in claim 1, wherein the step S1 of traversing all modules loaded in the current computer system and determining whether the module belongs to the target program further comprises:
traversing all modules loaded in the current computer system through a/proc/self/maps file;
judging whether the module belongs to the target program or not by comparing the path of the module;
if the module belongs to the target program, recording module information of the module belonging to the target program, wherein the module information comprises a base address and a size loaded by an executable code in the module, and recording the module information into a map by taking a path as a key and the base address and the size as values; and if the module does not belong to the target program, not processing.
4. The method as claimed in claim 1, wherein the determining in step S2 whether the signal processing function signal in the processed signal correlation function belongs to a module of the target program further comprises:
determining whether the signal processing function signal address is within a base address of the module or a range in which the base address of the module is increased;
in response to determining that the signal processing function signal belongs to a module of the target program, the module is determined to be at a base address of the module or within a range of the base address of the module being larger.
5. The method of claim 1, wherein the determining in step S2 is to determine whether a signal processing function signal in the processed signal related function belongs to the module of the target program, and in response to determining that the signal processing function signal belongs to, registering a new general signal processing function to replace the original signal processing function signal while saving the original signal processing function signal to the map, wherein key of the map is the signal number, and value of the map is the signal processing function of the original signal.
6. The method as claimed in claim 1, wherein the step S4 of performing dynamic modification and/or static modification of the code in response to determining that the key register values are not the same, further comprises:
calculating a real jump address according to the key register value in the context value before and after modification;
dynamically modifying codes pointed by the register to change indirect jump into direct jump;
and recording and storing the data of the register into a database for a static analysis tool to use so as to eliminate the interference codes of the static analysis.
7. An apparatus for automatic bypassing with an anti-debug mechanism for a target program, the apparatus comprising:
the determining module is used for traversing all modules loaded in the current computer system, judging whether the modules belong to a target program or not, responding to the fact that the determining module belongs to the target program, and recording module information of the modules belonging to the target program, wherein the module information comprises a base address and size of loading of executable codes in the modules;
the replacing module is used for traversing all signal values of the computer system by calling a signal processing function to obtain a registered processing signal related function, judging whether a signal processing function signal in the processing signal related function belongs to the module belonging to the target program, and in response to determining that the signal processing function signal belongs, registering a new general signal processing function to replace an original signal processing function signal and simultaneously storing the original signal processing function;
the starting module is used for starting the new general signal processing function after the target program receives the signal, firstly saving a context value, and then acquiring a corresponding original signal processing function signal according to the signal value for calling;
and the modification module is used for judging whether the key register values in the context values are the same or not after the original signal processing function signal returns, carrying out dynamic modification and/or static modification codes in response to the fact that the key register values are different, and not carrying out processing in response to the fact that the key register values are the same.
8. The apparatus for automatic bypassing with an anti-debug mechanism for a target program of claim 7, further comprising:
the creating module is used for creating a dynamic link library file and injecting the dynamic link library file into the target program which is running in the computer system, and the determining module, the replacing module, the starting module and the modifying module are all stored in the dynamic link library file.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111255594.7A CN113946803A (en) | 2021-10-27 | 2021-10-27 | Method and device for automatic bypass by having anti-debugging mechanism for target program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111255594.7A CN113946803A (en) | 2021-10-27 | 2021-10-27 | Method and device for automatic bypass by having anti-debugging mechanism for target program |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113946803A true CN113946803A (en) | 2022-01-18 |
Family
ID=79332766
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111255594.7A Pending CN113946803A (en) | 2021-10-27 | 2021-10-27 | Method and device for automatic bypass by having anti-debugging mechanism for target program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113946803A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116383827A (en) * | 2023-03-17 | 2023-07-04 | 中广核智能科技(深圳)有限责任公司 | Method, system and storage medium for safely unloading trusted function mechanism |
CN117873414A (en) * | 2024-03-12 | 2024-04-12 | 麒麟软件有限公司 | X11-based linux program appointed display method and device |
-
2021
- 2021-10-27 CN CN202111255594.7A patent/CN113946803A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116383827A (en) * | 2023-03-17 | 2023-07-04 | 中广核智能科技(深圳)有限责任公司 | Method, system and storage medium for safely unloading trusted function mechanism |
CN117873414A (en) * | 2024-03-12 | 2024-04-12 | 麒麟软件有限公司 | X11-based linux program appointed display method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110502357B (en) | Stack backtracking method, device, medium and equipment | |
CN113946803A (en) | Method and device for automatic bypass by having anti-debugging mechanism for target program | |
CN113961919B (en) | Malicious software detection method and device | |
KR101979329B1 (en) | Method and apparatus for tracking security vulnerable input data of executable binaries thereof | |
CN110659210A (en) | Information acquisition method and device, electronic equipment and storage medium | |
CN114138281A (en) | Compiling method, device, equipment and medium of software engineering | |
US20120054724A1 (en) | Incremental static analysis | |
CN106484779B (en) | File operation method and device | |
CN110908882A (en) | Performance analysis method and device of application program, terminal equipment and medium | |
CN116795486A (en) | Analysis method and device for container mirror image file purification, storage medium and terminal | |
US20230141948A1 (en) | Analysis and Testing of Embedded Code | |
CN116700768B (en) | Application processing method and related device | |
CN111506904A (en) | Method and device for online vulnerability repair | |
CN113821486B (en) | Method and device for determining dependency relationship between pod libraries and electronic equipment | |
CN115712918A (en) | File protection method based on Linux system and electronic equipment | |
CN114936368A (en) | Java memory Trojan detection method, terminal device and storage medium | |
CN110377499B (en) | Method and device for testing application program | |
US9477448B2 (en) | Screen-oriented computing program refactoring | |
CN113504904A (en) | User-defined function implementation method and device, computer equipment and storage medium | |
CN112214220B (en) | Method, apparatus and device for integrated system | |
CN106897588B (en) | Processing method and device of label function | |
CN116414424B (en) | Thermal updating method, device, equipment and storage medium | |
CN111382017A (en) | Fault query method, device, server and storage medium | |
CN113296834B (en) | Android closed source service type information extraction method based on reverse engineering | |
CN112230935B (en) | Privacy risk detection method, device and equipment in application |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |