CN114168489B - Function information acquisition method, computing device and storage medium - Google Patents

Publication number
CN114168489B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210118521.1A
Inventor
刘昌辉
杨堃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Application filed by Uniontech Software Technology Co Ltd
Priority to CN202210118521.1A
Publication of CN114168489A
Application granted
Publication of CN114168489B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3636 Software debugging by tracing the execution of the program

Abstract

The invention discloses a function information acquisition method, a computing device and a storage medium. The method comprises the following steps: scanning the code of an application to determine the library functions the application will call in a third-party library, thereby determining which library functions in the third-party library need to be traced; then obtaining the entry addresses of those library functions and replacing the instructions at the obtained entry addresses with jump instructions, so that when the method defined by a library function is executed, the jump instruction is executed and control jumps to an information acquisition method that acquires the function information. By replacing the instruction at the entry address of the method corresponding to the library function with a jump instruction, the call is captured before the library function runs and the information acquisition method corresponding to the information acquisition function is executed. The function information is thus acquired in a lightweight manner, complex code does not need to be constructed repeatedly, and the efficiency of acquiring function information in the third-party library is improved.

Description

Function information acquisition method, computing device and storage medium
Technical Field
The present invention relates to the field of operating systems, and in particular, to a function information obtaining method, a computing device, and a storage medium.
Background
With the development of computer technology, applications developed to run on computing devices need to be debugged. For software written in-house or software from an open-source community, the source code is available, so the behavior of functions in a program can be observed by adding print statements to the source code that output to a console window, or by setting breakpoints with a debugging tool and single-stepping. In practice, software development inevitably relies on third-party link libraries to implement program functionality. For example, programs developed for the Microsoft Windows operating system reference a large number of dynamic link libraries. The referenced third-party libraries are usually in binary form and lack source code; only the function declarations are available, so it is difficult to follow the program's trace and behavior once execution enters the third-party code, as one would when debugging an ordinary program.
In the prior art, a common way to debug third-party library code without source is to add an upper-layer program for interception: the upper-layer program is inserted between the called third-party library and the application, and its function interface is identical to the exported functions of the third-party library. The upper-layer program can print information each time a third-party library function entry (API) is called, so that the APIs called by the application over its whole run, and their execution trace, are known. However, this approach adds a very large amount of intermediate code: a dynamic link library often contains a large number of exported functions, and intercepting by adding upper-layer functions requires wrapping all of the exported functions, re-implementing the upper-layer functions, and generating a backup export table. This is very time-consuming and cumbersome when a program calls a large number of library functions.
For this reason, a new function information acquisition method is required.
Disclosure of Invention
To this end, the present invention provides a function information acquisition method in an attempt to solve or at least alleviate the above-existing problems.
According to an aspect of the present invention, there is provided a function information obtaining method, adapted to be executed in a computing device, the computing device including an application to be executed, the application calling a library function provided by a third-party library when executed, the method including the steps of: scanning code of the application to determine library functions to be called in a third party library by the application; acquiring an entry address of a library function, and replacing an instruction at the acquired entry address with a jump instruction so as to execute the jump instruction and jump to execute an information acquisition method for acquiring function information when executing a method defined by the library function; and after the information acquisition method is executed, executing the instruction replaced at the entry address of the library function, and then jumping to a position immediately after the replaced instruction, and continuing to execute the method corresponding to the library function.
Optionally, in the method according to the present invention, scanning the code of the application to determine a library function to be called in the third-party library by the application includes the steps of: generating an export function file according to the code of the application; and determining the library function to be called in the third-party library by the application according to the function name in the export function file.
Optionally, in the method according to the present invention, replacing the instruction at the acquired entry address with a jump instruction comprises the steps of: acquiring an entry address of the information acquisition method; generating a jump instruction according to the entry address of the information acquisition method and an operation code for executing the jump instruction; and replacing the instruction of the method defined by the library function with the jump instruction at the entry address of the method corresponding to the library function.
Optionally, in the method according to the present invention, the computing device further includes an internal memory, and replacing the instruction of the method defined by the library function with the jump instruction at the entry address of the method corresponding to the library function includes: determining the number of instructions to be replaced in the method defined by the library function according to the storage space required by the jump instruction; and storing the jump instruction at the entry address of the method corresponding to the library function, and storing, according to the number of instructions, the instructions to be replaced in the method defined by the library function in another storage area of the internal memory, so that the instructions to be replaced are executed after the information acquisition method reached through the jump instruction has been executed.
Optionally, in the method according to the present invention, executing the jump instruction to jump to the information acquisition method that acquires the function information comprises the steps of: determining a calling mode of the library function according to the export function file; determining a register used by the method corresponding to the library function according to the calling mode of the library function; and acquiring the function data stored in the register according to the information acquisition method, and determining the function information according to the function data and the parameters in the export function file.
Optionally, in the method according to the present invention, the step of executing the information acquisition method defined by an information acquisition function according to the jump instruction, and acquiring the function information of the library function, includes: determining a calling mode of the library function according to the export function file; determining a register used by the method corresponding to the library function according to the calling mode of the library function; and acquiring the function data stored in the register according to the information acquisition method, and determining the function information according to the function data and the parameters in the export function file.
Optionally, in the method according to the present invention, determining a register used by the method corresponding to the library function according to the calling mode of the library function includes: when the calling mode of the library function is the standard call, determining that the register used by the method corresponding to the library function is the stack pointer register.
Optionally, in the method according to the present invention, the information obtaining method is defined by an information obtaining function, and the information obtaining function is configured to obtain function information corresponding to the library function from a corresponding register when the library function is called.
According to another aspect of the present invention, there is provided a computing device comprising: one or more processors; a memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for performing the function information acquisition method according to the present invention.
According to still another aspect of the present invention, there is provided a computer-readable storage medium storing one or more programs, the one or more programs including instructions, which when executed by a computing device, cause the computing device to execute a function information acquisition method according to the present invention.
The invention discloses a function information acquisition method which is suitable for being executed in a computing device. The computing device comprises an application to be executed, and the application calls library functions provided by a third-party library when it executes. The method comprises the following steps: scanning the code of the application to determine the library functions to be called in the third-party library by the application, thereby determining which library functions in the third-party library need to be traced; then acquiring the entry addresses of the library functions and replacing the instructions at the acquired entry addresses with jump instructions, so that when the method defined by a library function is executed, the jump instruction is executed and control jumps to the information acquisition method that acquires the function information; and, after the information acquisition method has been executed, executing the instructions that were replaced at the entry address of the library function, then jumping to the position immediately after the replaced instructions and continuing to execute the method corresponding to the library function. By replacing the instruction at the entry address of the method corresponding to the library function with a jump instruction, the call is captured before the library function runs and the information acquisition method corresponding to the information acquisition function is executed. The function information is thus acquired in a lightweight manner, complex code does not need to be constructed repeatedly, and the efficiency of acquiring function information in the third-party library is improved.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description when read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 illustrates a schematic diagram of an operating system running in a computing device according to an exemplary embodiment of the invention;
FIG. 2 illustrates a block diagram of a computing device 200, according to an exemplary embodiment of the invention;
FIG. 3 illustrates a flow diagram of a method 300 for function information acquisition in accordance with an exemplary embodiment of the present invention; and
FIG. 4 illustrates a diagram of constructing a jump instruction in accordance with an exemplary embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. Like reference numbers generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of an operating system running in a computing device according to an exemplary embodiment of the invention. As shown in fig. 1, the computing device 200 includes a hardware layer 140 and an operating system 130 that operates according to the hardware layer 140. The hardware layer 140 is a hardware portion of the computing device 200, including a processor, an internal memory, and the like (not shown in the figure). The operating system 130 is an operating system installed in the computing device 200, and the invention is not limited to a specific type of operating system 130.
The operating system 130 has a configuration module 121 and a disassembly module 122 built in. The configuration module 121 is configured to determine, from the third-party library, the library functions called by the application; specifically, it generates an export function file according to the third-party library and then determines the library functions called by the application in the third-party library according to the function names in the export function file. According to an embodiment of the present invention, the configuration module 121 may be implemented as a script in JSON format; the present invention does not limit the specific implementation of the configuration module 121.
The disassembly module 122 is adapted to identify, once the entry address of the method defined by the library function has been acquired and a jump instruction is being constructed at that entry address, whether the instructions to be replaced in the method corresponding to the library function are complete instructions, so that only whole instructions are replaced.
The computing device 200 further comprises a compiler 111 and an application 112 which are run based on the operating system 130, and the compiler 111 is adapted to compile application files stored in the computing device 200 to obtain an executable file of the application 112 so as to run the application 112 in the computing device 200. The executable file of the application 112 is stored in an internal memory.
The specific structure of computing device 200 is shown in FIG. 2. FIG. 2 illustrates a block diagram of a computing device 200, according to an exemplary embodiment of the invention. As shown in FIG. 2, in a basic configuration 202, a computing device 200 typically includes a system memory 206 and one or more processors 204. A memory bus 208 may be used for communication between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processor, including but not limited to: a microprocessor (µP), a microcontroller (µC), a digital signal processor (DSP), or any combination thereof. The processor 204 may include one or more levels of cache, such as a level one cache 210 and a level two cache 212, a processor core 214, and registers 216. The example processor core 214 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 218 may be used with the processor 204, or in some implementations the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, system memory 206 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 206 may include an operating system 220, one or more programs 222, and program data 228. In some embodiments, the program 222 may be arranged to execute the instructions 223 of the method 300 according to the invention on an operating system by one or more processors 204 using the program data 228.
Computing device 200 may also include a storage interface bus 234. The storage interface bus 234 enables communication from the storage devices 232 (e.g., removable storage 236 and non-removable storage 238) to the basic configuration 202 via the bus/interface controller 230. Operating system 220, programs 222, and at least a portion of data 224 can be stored on removable storage 236 and/or non-removable storage 238, and loaded into system memory 206 via storage interface bus 234 and executed by one or more processors 204 when computing device 200 is powered on or programs 222 are to be executed.
Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (e.g., output devices 242, peripheral interfaces 244, and communication devices 246) to the basic configuration 202 via the bus/interface controller 230. The example output device 242 includes a graphics processing unit 248 and an audio processing unit 250. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 252. Example peripheral interfaces 244 may include a serial interface controller 254 and a parallel interface controller 256, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 258. An example communication device 246 may include a network controller 260, which may be arranged to communicate with one or more other computing devices 262 over a network communication link via one or more communication ports 264.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, radio Frequency (RF), microwave, infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
In the computing device 200 according to the present invention, the program 222 includes a plurality of program instructions of the function information acquisition method 300. These instructions may direct the processor 204 to execute steps of the function information acquisition method 300 in the computing device 200, so that parts of the computing device 200 acquire the function information of the third-party library called by the application by executing the function information acquisition method 300 of the present invention.
Computing device 200 may be implemented as a server, e.g., a file server, a database server, an application server, etc., or as a device such as a Personal Digital Assistant (PDA), a wireless web-browsing device, an application-specific device, or a hybrid device that includes any of the above functions. It may also be implemented as a personal computer, including both desktop and notebook computer configurations. In some embodiments, the computing device 200 is configured to execute the function information acquisition method 300.
FIG. 3 shows a flow diagram of a function information acquisition method 300 according to an exemplary embodiment of the present invention. The function information acquisition method 300 is suitable for execution in a computing device, such as the computing device 200 shown in FIG. 2. The computing device includes applications that run on top of third-party libraries. A third-party library is a function library developed by a party other than the developer or company developing the application; the invention does not limit the specific type of the third-party library. The application can call library functions in the third-party library while running, that is, it executes the methods defined by those library functions in order to implement the corresponding functionality. The functions of the third-party library and the details of their definitions are invisible to the developer of the application. An information acquisition function therefore needs to be constructed to acquire the function information of the called library functions while the application runs, so that work such as debugging can be carried out on the application.
In the method 300 of the present invention, step S310 is first executed to scan the code of the application to determine the library functions to be called by the application in the third-party library. To determine the called library functions, an export function file is first generated according to the code of the application, and the library functions to be called in the third-party library are then determined according to the function names in the export function file.
According to one embodiment of the invention, when the application executes, it can load the third-party library into its own address space by calling LoadLibrary. The export function file is a file that records function information for the calls to library functions in the third-party library. The export function file can be generated by scanning the code of the application, with the exported functions identified through functions exported using __declspec(dllexport) or through export function names listed in an added .def file. The invention does not limit the way the export function file is generated or the specific type of the export function file.
The export function file records the function information of one or more library functions of the third-party library called by the application. Each piece of function information includes a function name, a calling mode and a number of parameters. The function name is the name of the library function called by the application, and the library function called by the application in the third-party library can be determined from it. The calling mode is the calling mode (calling convention) with which the application calls the library function, and includes the default call (cdecl), the standard call (Standard Call or __stdcall), the fast call (fastcall), the this-pointer call (thiscall) and the like. The number of parameters is the number of parameters in the application's call to the library function.
An example of an export function file according to one embodiment of the present invention is as follows:
Module Name
{
    "FunctionName": "func",
    "ABI": "stdcall",
    "argc": "4"
}
Here FunctionName, ABI and argc are the function name, the calling mode and the number of parameters respectively. The export function file records the function information of one called library function: the library function has the function name func, is called in the standard calling mode, and takes 4 parameters.
Subsequently, step S320 is executed to acquire the entry address of the library function and replace the instruction at the acquired entry address with a jump instruction, so that when the method defined by the library function is executed, the jump instruction is executed and control jumps to the information acquisition method that acquires the function information. When the application calls the library function, the method corresponding to the library function is executed. The entry address of the library function is the starting address at which the instructions of the method defined by the library function are stored in the internal memory; the method defined by the library function is executed from this entry address, that is, by executing the instructions of the method stored at the entry address.
According to an embodiment of the present invention, the entry address of the library function may be acquired by taking the library function determined in step S310 and obtaining a pointer to it, that is, the entry address of the library function, through the GetProcAddress function.
When the jump instruction that replaces the instruction at the entry address is constructed, the entry address of the information acquisition method is acquired first. The information acquisition method is defined by an information acquisition function, and its entry address is the starting address at which the information acquisition method is stored in the internal memory; the information acquisition method can be executed from this entry address.
A jump instruction is then generated according to the entry address of the information acquisition method and the operation code for executing the jump instruction. The jump target of the jump instruction points to the information acquisition method, so that executing the jump instruction transfers control to the entry address of the information acquisition method. The operation code for executing the jump instruction is the machine code with which the computer performs the jump operation. According to one embodiment of the present invention, the jump instruction may be implemented as a jmp instruction, and the operation code for executing the jump instruction may be implemented as 0xe9.
The instruction of the method defined by the library function is then replaced with the jump instruction at the entry address of the method corresponding to the library function. When the jump instruction is stored, the number of instructions to be replaced in the method defined by the library function needs to be determined according to the storage space required by the jump instruction. Specifically, the size of each instruction in the method defined by the library function is determined, and the number of instructions to be replaced is then determined from these sizes, so that the total size of the instructions to be replaced is greater than or equal to the size of the jump instruction.
The size of the jump instruction is the size of the storage space it occupies when stored in the internal memory. It is the sum of the size of the operation code for executing the jump instruction and the size of the entry address of the information acquisition method. According to an embodiment of the present invention, the size of the operation code may be implemented as 1 byte, the size of the entry address of the information acquisition method may be implemented as 4 bytes, and the size of the jump instruction may be implemented as 5 bytes.
The method defined by the library function comprises a plurality of instructions. One or more instructions at its head need to be stored at another position in the internal memory; once the replaced instructions have been stored elsewhere, the storage space freed at the original position is used to store the jump instruction.
To provide enough storage space for the jump instruction, the size of each instruction in the method defined by the library function is determined, starting from the head of the method, and the storage space of the replaced instructions that must be freed to hold the jump instruction is calculated. Since the instructions in the method defined by the library function are not necessarily all of the same length, the length of each instruction needs to be determined starting from the head of the method.
According to an embodiment of the present invention, the first several instructions of the method defined by the library function are generally push operations that save registers on the stack or mov operations that fetch variables. These instructions are replaced by the jump instruction, which points to the entry address of the information acquisition method, and the replaced instructions are stored. When replacing instructions, it is necessary to identify whether the replaced instruction is a complete instruction, so that whole instructions are replaced; this avoids splitting an instruction during replacement, which would cause errors while the program runs. Specifically, it is determined whether the length of the first instruction of the method corresponding to the library function is greater than or equal to the length of the jump instruction; if so, only the first instruction is replaced. If the length of the first instruction is less than the length of the jump instruction, the length of the following second instruction needs to be determined, and so on, until the total length of the replaced instructions is greater than or equal to the length of the jump instruction. The total length of the replaced instructions is the sum of the lengths of the replaced instructions.
Then the jump instruction is stored at the entry address of the method corresponding to the library function, and the instructions to be replaced in the method defined by the library function, as given by the number of instructions, are stored in another storage area of the internal memory, so that after the information acquisition method reached through the jump instruction has been executed, the instructions to be replaced in the method defined by the library function are executed.
According to one embodiment of the invention, after the information acquisition method defined by the information acquisition function has been executed, the instructions to be replaced in the method defined by the library function are executed, and execution of the other instructions in the method corresponding to the library function then continues from the position where the jump instruction ends, so that the application runs normally.
FIG. 4 illustrates a diagram of constructing a jump instruction in accordance with an exemplary embodiment of the present invention. As shown in fig. 4, the entry address of the method defined by the library function is 0x10000, and the replaced instruction in the method defined by the library function is determined, and the total length of the replaced instruction is N bytes, which is greater than the size of the jump instruction, i.e., 5 bytes. And storing the replaced instruction at other positions in the internal memory, and storing the jump instruction at the entry address of the method defined by the library function. When the method corresponding to the library function is executed, the jump instruction stored in the entry address of the method defined by the library function is executed, and after the jump instruction is executed, the replaced instruction stored in the internal memory is executed. And after the replaced instruction is executed, continuing to execute other instructions in the method corresponding to the library function from the originally stored end position of the replaced instruction. The original stored end position of the replaced instruction is 0x10000+ N.
According to one embodiment of the invention, the jump instruction and the replaced instruction in the library function may be stored by:
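#include <string.h>

/* store() and jmp() are helpers the patent text does not define; per the
   description they store the replaced instructions and the jump instruction. */
int StartHook(int jmpAddr)
{
    unsigned char jmpCode[5];          /* 1-byte opcode + 4-byte operand */
    jmpCode[0] = 0xe9;                 /* opcode of the near jump (jmp rel32) */
    /* For 0xe9 the operand is a displacement counted from the end of the
       5-byte jump, so jmpAddr must already hold that displacement. */
    memcpy(&jmpCode[1], &jmpAddr, 4);
    store(OriginCode);
    jmp();
    return 0;
}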
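The sizing rule and the FIG. 4 layout described above, as an added example that is not code from the patent. It works only on a copy of the function bytes held in a buffer; the instruction lengths are assumed to come from a disassembler, and the function names, the sample prologue and the handler address 0x20000 are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN   5   /* 0xE9 opcode + 4-byte displacement */
#define MAX_SAVED 19  /* 4 bytes short of JMP_LEN plus one 15-byte x86 instruction */

struct hook_plan {
    size_t   n_insns;           /* whole instructions replaced */
    size_t   n_bytes;           /* N: total length of the replaced instructions */
    uint8_t  saved[MAX_SAVED];  /* copy of the replaced instructions */
    uint32_t resume;            /* entry + N, where the library function continues */
};

/* Add up whole instruction lengths from the function head until the total
 * reaches JMP_LEN. Returns N, or 0 if the listed instructions are too short. */
size_t bytes_to_replace(const uint8_t *insn_len, size_t count, size_t *n_insns)
{
    size_t total = 0, i = 0;
    while (i < count && total < JMP_LEN) {
        if (insn_len[i] == 0 || insn_len[i] > 15) return 0;  /* not an x86 length */
        total += insn_len[i++];
    }
    if (total < JMP_LEN) return 0;
    if (n_insns) *n_insns = i;
    return total;
}

/* Target of a jmp rel32 located at address `from`; 0 if the bytes are not one. */
uint32_t jmp_target(const uint8_t *code, uint32_t from)
{
    if (code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return from + JMP_LEN + rel;   /* displacement counts from the next instruction */
}

/* Patch a COPY of the function bytes: save the replaced instructions, write
 * the jump, and record where execution resumes. Returns 0 on success. */
int plan_hook(uint8_t *code, size_t code_len, const uint8_t *insn_len,
              size_t count, uint32_t entry, uint32_t handler, struct hook_plan *p)
{
    p->n_bytes = bytes_to_replace(insn_len, count, &p->n_insns);
    if (p->n_bytes == 0 || p->n_bytes > code_len || p->n_bytes > MAX_SAVED) return -1;
    memcpy(p->saved, code, p->n_bytes);
    uint32_t rel = handler - (entry + JMP_LEN);   /* wraps modulo 2^32 */
    code[0] = 0xE9;
    for (int i = 0; i < 4; i++) code[1 + i] = (uint8_t)(rel >> (8 * i));
    /* Bytes JMP_LEN..N-1 keep their old values; they are never executed
     * because execution resumes at entry + N. */
    p->resume = entry + (uint32_t)p->n_bytes;
    return 0;
}

/* Constructed sample: push ebp; mov ebp,esp; sub esp,0x10; mov eax,[ebp+8] */
static uint8_t sample_code[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08};
static const uint8_t sample_len[] = {1, 2, 3, 3};
static struct hook_plan sample_plan;

/* Entry address 0x10000 as in FIG. 4; handler address 0x20000 is constructed. */
int plan_sample(void)
{
    return plan_hook(sample_code, sizeof sample_code, sample_len, 4,
                     0x10000, 0x20000, &sample_plan);
}

int main(void)
{
    if (plan_sample() != 0) return 1;
    printf("replaced %zu instructions (%zu bytes), resume at 0x%X, jump to 0x%X\n",
           sample_plan.n_insns, sample_plan.n_bytes, (unsigned)sample_plan.resume,
           (unsigned)jmp_target(sample_code, 0x10000));
    return 0;
}
```

With this prologue the first two instructions cover only 3 bytes, so a third whole instruction is taken and N is 6 rather than 5; `jmp_target` applied to the bytes at a function entry also shows where a patched entry redirects.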
The information acquisition function is used to obtain the function information corresponding to the library function from the corresponding register when the library function is called. According to one embodiment of the invention, the information acquisition function can be implemented as a static function, which improves the running efficiency of the debugging code; many functions across the whole program can share the same information acquisition function, so that functions are intercepted as intended without affecting the normal flow of the program. The entry address of the information acquisition method that each jump instruction jumps to is a fixed address, so when a large amount of code needs to be debugged, the running efficiency can be greatly improved.
According to one embodiment of the invention, the information acquisition function prints the data stored in the registers, which expresses the parameters of the various calling processes in a uniform and effective way; the function information of the library function can be obtained by combining the export function file with the information stored in the registers, without implementing a corresponding upper copy function for each function.
When the information acquisition method is executed to acquire the function information of the library function, the calling mode of the library function is determined from the export function file, and the register used by the method corresponding to the library function is determined from that calling mode. Specifically, when the calling mode of the library function is a standard call, the register used by the method corresponding to the library function is determined to be the stack pointer register (esp register); when the calling mode of the library function is a this-pointer call, the register used by the method corresponding to the library function can be determined to be the counter register (ecx register).
Then the function data stored in the register is acquired according to the information acquisition method, and the function information is determined from the function data and the parameters in the export function file. The information acquisition function may be implemented as a function that retrieves the data stored in the register.
An example of an information acquisition function according to one embodiment of the present invention is as follows:
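void hook_func(void)
{
    unsigned int r_ecx;   /* value of the ecx register (this-pointer call) */
    unsigned int m_esp;   /* word that the esp register points to (standard call) */
    ...
    /* copy ecx into r_ecx; registers are written %% in extended asm */
    __asm__ __volatile__ ("mov %%ecx, %0\n\t" : "=r"(r_ecx) : : "memory");
    print(r_ecx);
    ...
    /* load the word at the address held in esp into m_esp */
    __asm__ __volatile__ ("mov (%%esp), %0\n\t" : "=r"(m_esp) : : "memory");
    print(m_esp);
    ...
}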
When the function information is determined from the function data and the parameters in the export function file, the number of parameters with which the library function is called and the parameter value corresponding to each parameter can be determined from the parameter values stored in the register and the number of parameters, which yields the function information. Inputting the function information in the form of a high-level language makes the running track of the application and all of its parameter sets known, and the parameter value of each parameter shows where the parameters of the library function came from, which clarifies the flow relationship of the parameters. From the function information, the process of calling the library function can be determined, and from that process a calling interface with functionality similar to that of the third-party library function can be simulated, so that the application can be developed further.
Then step S330 is executed: after the information acquisition method has been executed, the instructions replaced at the entry address of the library function are executed, and then a jump is made to the position immediately after the replaced instructions, where execution of the method corresponding to the library function continues.
Because the instructions to be replaced in the method defined by the library function were stored in advance, according to the number of instructions, in a storage area of the internal memory, the replaced instructions of the method defined by the library function are executed after the information acquisition method reached through the jump instruction has been executed.
After the replaced instructions have been executed, execution of the method corresponding to the library function continues from the position after the replaced instructions, so that the method corresponding to the library function is called and executed normally and the application runs.
The invention discloses a function information acquisition method suitable for being executed in a computing device. The computing device contains an application to be executed, and the application calls library functions provided by a third-party library when it executes. The method comprises the following steps: scanning the code of the application to determine the library functions that the application will call in the third-party library, thereby determining which library functions in the third-party library need to be tracked; acquiring the entry addresses of these library functions and replacing the instructions at the acquired entry addresses with jump instructions, so that when the method defined by a library function is executed, the jump instruction is executed and jumps to the information acquisition method that acquires the function information; and, after the information acquisition method has been executed, executing the instructions replaced at the entry address of the library function, then jumping to the position immediately after the replaced instructions and continuing to execute the method corresponding to the library function. Because the instructions at the entry address of the method corresponding to the library function are replaced with a jump instruction, the call is captured before the library function runs and the information acquisition method corresponding to the information acquisition function is executed. The function information is thus acquired in a lightweight way, without repeatedly constructing complex code, which improves the efficiency of acquiring function information in the third-party library.
It should be noted that, in the embodiments, the present invention is described in terms of a third-party library and corresponding functions conforming to the Microsoft Windows operating system. However, it should be understood that the function information acquisition method of the present invention is not limited to a specific kind of operating system, and those skilled in the art will understand that the method can also be implemented on other kinds of operating systems, for example Linux, without any creative effort. Any kind of operating system on which the function information acquisition method can be implemented by the method of the present invention is within the scope of the present invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects.
Those skilled in the art will appreciate that the modules or units or groups of devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or groups in embodiments may be combined into one module or unit or group and may furthermore be divided into sub-modules or sub-units or sub-groups. All of the features disclosed in this specification, and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except that at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the function information acquisition method of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer-readable media includes both computer storage media and communication media. Computer storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of computer readable media.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed herein. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to practitioners skilled in this art. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention.

Claims (7)

1. A function information obtaining method adapted to be executed in a computing device including therein an application to be executed, the application calling a library function provided by a third-party library when executed, the method comprising the steps of:
scanning code of the application to determine library functions to be called by the application in the third party library;
acquiring an entry address of the library function, and replacing an instruction at the acquired entry address with a jump instruction so as to execute the jump instruction and jump to execute an information acquisition method for acquiring function information when executing a method defined by the library function; and
after the information acquisition method is executed, executing the instruction replaced at the entry address of the library function, then jumping to the position immediately after the replaced instruction, and continuing to execute the method corresponding to the library function;
wherein the computing device further comprises an internal memory, and replacing the instruction at the acquired entry address with a jump instruction comprises generating the jump instruction and replacing, at the entry address of the method corresponding to the library function, the instruction of the method defined by the library function with the jump instruction, which comprises the following steps:
determining the size of each instruction in the method defined by the library function;
determining the number of instructions to be replaced in the method defined by the library function according to the size of each instruction in the method defined by the library function, so that the total size of the instructions to be replaced in the method defined by the library function is larger than or equal to the size of the jump instruction;
storing the jump instruction at an entry address of a method corresponding to the library function, and storing an instruction to be replaced in a method defined by the library function in other storage areas of an internal memory according to the instruction number so as to execute the instruction to be replaced in the method defined by the library function after executing the information acquisition method jumped by the jump instruction;
wherein executing the jump instruction to jump to and execute the information acquisition method for acquiring function information comprises the following steps:
determining a calling mode of a library function according to the export function file;
determining a register used by the method corresponding to the library function according to the library function calling mode;
acquiring function data stored in the register according to an information acquisition method, and determining function information according to the function data and parameters in the export function file;
the function information comprises the number of parameters called by the library function determined according to the parameter values and the number of parameters stored in the register and the parameter value corresponding to each parameter, the function information is suitable for determining the parameter flow relation in the library function and the process of calling the library function, and a calling interface with the function similar to that of a third-party library function is simulated according to the process of calling the library function.
2. The method of claim 1, wherein said scanning code of said application to determine library functions to be called by said application in said third party library comprises the steps of:
generating an export function file according to the code of the application;
and determining library functions to be called in the third-party library by the application according to the function names in the export function file.
3. The method of claim 1, wherein said generating a jump instruction comprises the steps of:
acquiring an entry address of the information acquisition method;
and generating a jump instruction according to the entry address of the information acquisition method and the operation code for executing the jump instruction.
4. The method of claim 1, wherein the determining the register used by the method corresponding to the library function according to the library function calling mode comprises:
and when the library function calling mode is standard calling, determining that the register used by the library function corresponding method is a stack pointer register.
5. The method of any one of claims 1-4, wherein the information acquisition method is defined by an information acquisition function for acquiring function information corresponding to a library function from a corresponding register when the library function is called.
6. A computing device, comprising:
one or more processors;
a memory; and
one or more apparatuses comprising instructions for performing the method of any of claims 1-5.
7. A computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform the method of any of claims 1-5.
CN202210118521.1A 2022-02-08 2022-02-08 Function information acquisition method, computing device and storage medium Active CN114168489B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210118521.1A CN114168489B (en) 2022-02-08 2022-02-08 Function information acquisition method, computing device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210118521.1A CN114168489B (en) 2022-02-08 2022-02-08 Function information acquisition method, computing device and storage medium

Publications (2)

Publication Number Publication Date
CN114168489A CN114168489A (en) 2022-03-11
CN114168489B true CN114168489B (en) 2022-12-30

Family

ID=80489503

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210118521.1A Active CN114168489B (en) 2022-02-08 2022-02-08 Function information acquisition method, computing device and storage medium

Country Status (1)

Country Link
CN (1) CN114168489B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6026235A (en) * 1997-05-20 2000-02-15 Inprise Corporation System and methods for monitoring functions in natively compiled software programs
CN107357622A (en) * 2017-07-17 2017-11-17 迈普通信技术股份有限公司 Hot patch implementation method and communication equipment
CN110046497A (en) * 2018-01-16 2019-07-23 腾讯科技(深圳)有限公司 A kind of function hook implementation method, device and storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5946486A (en) * 1996-12-10 1999-08-31 International Business Machines Corporation Apparatus and method for tracing entries to or exits from a dynamic link library
US5970245A (en) * 1997-01-03 1999-10-19 Ncr Corporation Method for debugging shared procedures contained in dynamic link library files
EP2553582A1 (en) * 2010-03-26 2013-02-06 Software Diagnostics Technology GmbH A method for automatically generating a trace data set for a software system, a computer system, and a computer program product
TWI566090B (en) * 2014-10-17 2017-01-11 Insyde Software Corp Debugging firmware / software to produce tracking systems and methods, recording media and computer program products
CN111290952B (en) * 2020-01-22 2023-04-14 北京统信软件技术有限公司 Tracking method and device for dynamic link library function
US11334360B2 (en) * 2020-05-06 2022-05-17 Deepbits Technology Inc. High throughput disassembly system for executable code and applications
US11392483B2 (en) * 2020-07-16 2022-07-19 Metawork Corporation Dynamic library replacement technique

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
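Detecting overflow attacks based on data-flow tracking and library function identification; 周侃; "China Master's Theses Full-text Database, Information Science and Technology"; 20110715; I139-81 *
Detailed steps for replacing an application's DLL dynamic library (using gts.dll as an example); 我是张洪铭我是熊博士; "https://www.cnblogs.com/azbane/p/7493109.html"; 20170908; pages 1-2 *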

Also Published As

Publication number Publication date
CN114168489A (en) 2022-03-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant