CN115033873A - Dynamic injection method and device - Google Patents

Publication number
CN115033873A
Authority
CN
China
Prior art keywords
address
register
dynamic
target process
interrupt state
Legal status
Pending
Application number
CN202210744879.5A
Other languages
Chinese (zh)
Inventor
王长建
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30: Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30098: Register arrangements
    • G06F9/3012: Organisation of register space, e.g. banked or distributed register file
    • G06F9/3013: Organisation of register space, e.g. banked or distributed register file according to data content, e.g. floating-point registers, address registers
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/445: Program loading or initiating
    • G06F9/44521: Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Abstract

The application provides a dynamic injection method and device, applied to the field of network security. The dynamic injection method comprises the following steps: tracking a target process and reading register data of the target process; controlling the target process to enter a soft interrupt state according to the register data, and loading a dynamic library in the soft interrupt state; and executing the execution function in the loaded dynamic library by using position-independent code (PIC), so as to achieve dynamic injection. In the above scheme, after the dynamic library is loaded in the soft interrupt state, PIC is used to execute the execution function in the loaded dynamic library, following the PIC calling mode of the MIPS architecture. Unlike other architectures, the MIPS architecture cannot execute the execution function in the dynamic library merely by adjusting register values; with the above approach, a dynamically injected library can be run under the MIPS architecture.

Description

Dynamic injection method and device
Technical Field
The present application relates to the field of network security, and in particular, to a dynamic injection method and apparatus.
Background
The dynamic injection technology is an important component in the data security technology, and has wide application markets in the aspects of program hot patching, automatic testing and the like. The dynamic injection technology generally completes operations such as correlation analysis, function analysis, redirection and the like between the hosted program and the target process through relevant data provided by the hosted program and relevant information of the target process; in addition, the dynamic injection technology can also complete the operations of process positioning, process analysis, process recovery and the like by acquiring the relevant information of the target process. Therefore, by utilizing the dynamic injection technology, the purpose of effectively controlling the safety data is achieved by monitoring the running process in real time.
In the prior art, dynamic injection is generally implemented in one of two ways: by loading the LD_PRELOAD environment variable or by using linux-inject. For domestic operating systems, these two approaches are applicable to Android systems, the x86 architecture and the ARM (Advanced RISC Machine) architecture, but not to the MIPS (Microprocessor without Interlocked Pipelined Stages) architecture.
Disclosure of Invention
An object of the embodiments of the present application is to provide a dynamic injection method and apparatus, so as to solve a technical problem that a dynamic injection method in the prior art is not suitable for an MIPS architecture.
In a first aspect, an embodiment of the present application provides a dynamic injection method, including: tracking a target process and reading register data of the target process; controlling the target process to enter a soft interrupt state according to the register data, and loading a dynamic library in the soft interrupt state; and executing the execution function in the loaded dynamic library by using position-independent code (PIC), so as to achieve dynamic injection. In the above scheme, after the dynamic library is loaded in the soft interrupt state, PIC is used to execute the execution function in the loaded dynamic library, following the PIC calling mode of the MIPS architecture. Unlike other architectures, the MIPS architecture cannot execute the execution function in the dynamic library merely by adjusting register values; with the above approach, a dynamically injected library can be run under the MIPS architecture.
In an optional embodiment, executing the execution function in the loaded dynamic library by using PIC includes: jumping to a breakpoint address by using PIC, where the breakpoint address corresponds to the address of the execution function; and adjusting the register data according to the breakpoint address, and executing the execution function by executing the adjusted register data. In the above scheme, PIC may be used to jump to the breakpoint address, and the register data is adjusted based on the breakpoint address to execute the execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
In an optional embodiment, adjusting the register data according to the breakpoint address includes: storing the space occupied by the address of the execution function in a stack register; storing the address of the execution function in a temporary register; and storing the name of the execution function in an EPC register. In the above scheme, after jumping to the breakpoint address using PIC, the values of the stack register, the temporary register, and the EPC register may be adjusted based on the breakpoint address to execute the execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
In an optional embodiment, controlling the target process to enter a soft interrupt state according to the register data includes: acquiring a free section of memory space of the target process; rewriting the value of the return value register to the address of the memory space; and controlling the target process to enter a soft interrupt state based on the address of the memory space by executing a breakpoint instruction. In the above scheme, the target process may enter a soft interrupt state in a manner similar to a GDB breakpoint: the value of the return value register is rewritten to the address of the memory space, and a breakpoint instruction is executed so that the target process enters the soft interrupt state based on that address. Because the interrupt mechanism of the MIPS architecture is not suited to process control, this approach is used to make the target process enter a soft interrupt state under the MIPS architecture, which in turn allows a dynamically injected library to be run.
In an optional embodiment, loading the dynamic library in the soft interrupt state includes: adjusting the register data in the soft interrupt state and loading the dynamic library based on the adjusted register data. In the above scheme, after the target process enters the soft interrupt state, the dynamic library can be loaded by adjusting the register data.
In an alternative embodiment, said adjusting said register data in said soft-interrupt state comprises: adjusting the value of the EPC register as a kernel function call address; adjusting the value of the return value register to be a kernel symbol of a dlopen function; and adjusting the parameter register value to the dynamic library address loaded by the dlopen function. In the above scheme, the dynamic library can be loaded by adjusting the values of the EPC register, the return value register, and the parameter register.
In a second aspect, an embodiment of the present application provides a dynamic injection apparatus, including: a reading module, used for tracking a target process and reading register data of the target process; a control module, used for controlling the target process to enter a soft interrupt state according to the register data and loading a dynamic library in the soft interrupt state; and an execution module, used for executing the execution function in the loaded dynamic library by using position-independent code (PIC), so as to achieve dynamic injection. In the above scheme, after the dynamic library is loaded in the soft interrupt state, PIC is used to execute the execution function in the loaded dynamic library, following the PIC calling mode of the MIPS architecture. Unlike other architectures, the MIPS architecture cannot execute the execution function in the dynamic library merely by adjusting register values; with the above approach, a dynamically injected library can be run under the MIPS architecture.
In an optional implementation manner, the execution module is specifically configured to: jump to a breakpoint address by using PIC, where the breakpoint address corresponds to the address of the execution function; and adjust the register data according to the breakpoint address, and execute the execution function by executing the adjusted register data. In the above scheme, PIC may be used to jump to the breakpoint address, and the register data is adjusted based on the breakpoint address to execute the execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
In an alternative embodiment, the execution module is further configured to: store the space occupied by the address of the execution function in a stack register; store the address of the execution function in a temporary register; and store the name of the execution function in an EPC register. In the above scheme, after jumping to the breakpoint address using PIC, the values of the stack register, the temporary register, and the EPC register may be adjusted based on the breakpoint address to execute the execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
In an alternative embodiment, the control module is specifically configured to: acquire a free section of memory space of the target process; rewrite the value of the return value register to the address of the memory space; and control the target process to enter a soft interrupt state based on the address of the memory space by executing a breakpoint instruction. In the above scheme, the target process may enter a soft interrupt state in a manner similar to a GDB breakpoint: the value of the return value register is rewritten to the address of the memory space, and a breakpoint instruction is executed so that the target process enters the soft interrupt state based on that address. Because the interrupt mechanism of the MIPS architecture is not suited to process control, this approach is used to make the target process enter a soft interrupt state under the MIPS architecture, which in turn allows a dynamically injected library to be run.
In an optional embodiment, the control module is specifically configured to: adjust the register data in the soft interrupt state and load the dynamic library based on the adjusted register data. In the above scheme, after the target process enters the soft interrupt state, the dynamic library can be loaded by adjusting the register data.
In an alternative embodiment, the control module is further configured to: adjusting the value of the EPC register as a kernel function call address; adjusting the value of the return value register to be a kernel symbol of a dlopen function; and adjusting the parameter register value to the dynamic library address loaded by the dlopen function. In the above scheme, the dynamic library can be loaded by adjusting the values of the EPC register, the return value register, and the parameter register.
In a third aspect, embodiments of the present application provide a computer program product, which includes computer program instructions, and when the computer program instructions are read and executed by a processor, the dynamic injection method according to the first aspect is performed.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory, and a bus; the processor and the memory are communicated with each other through the bus; the memory stores computer program instructions executable by the processor, the processor invoking the computer program instructions to enable performance of the dynamic injection method according to the first aspect.
In a fifth aspect, embodiments of the present application provide a computer-readable storage medium storing computer program instructions, which when executed by a computer, cause the computer to perform the dynamic injection method according to the first aspect.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flowchart of a dynamic injection method according to an embodiment of the present disclosure;
Fig. 2 is a block diagram of a dynamic injection apparatus according to an embodiment of the present disclosure;
Fig. 3 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
At present, dynamic injection on Linux is mainly implemented in two ways. The first loads the LD_PRELOAD environment variable: before loading the dynamic libraries a program requires, the dynamic linker loads the dynamic libraries specified by LD_PRELOAD, and this mechanism can be used to replace functions in the dynamic libraries and thereby change the execution behavior of the program. The second uses linux-inject to inject code into a running process.
In the first approach, preloading requires the service to be restarted, and it is effective only for dynamically linked programs, not for statically linked ones. In addition, this approach must distinguish between processes: because LD_PRELOAD is valid for the entire operating system, any process that starts acquires the LD_PRELOAD environment variable first, so a monitoring library has to be written to distinguish and judge between processes; otherwise the running of other processes is affected.
In the second approach, the instruction set of the MIPS architecture differs from those of the x86 and ARM architectures, and the way the MIPS architecture calls and looks up registers differs from that of the x86 and ARM architectures, so the approach is suitable for the x86 and ARM architectures but not for the MIPS architecture.
Therefore, based on the problems in the prior art, the embodiments of the present application provide a new dynamic injection method. The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a dynamic injection method according to an embodiment of the present disclosure, where the dynamic injection method includes the following steps:
Step S101: track the target process and read the register data of the target process.
Step S102: control the target process to enter a soft interrupt state according to the register data, and load the dynamic library in the soft interrupt state.
Step S103: execute the execution function in the loaded dynamic library by using position-independent code (PIC), so as to achieve dynamic injection.
Specifically, in step S101, the target process is a process that needs to be dynamically injected. For the target process, the target process may be tracked and register data of the target process may be read. The embodiment of the present application does not specifically limit the specific implementation of the register data, and a person skilled in the art may appropriately select the register data according to actual situations, for example, the register data may include a value of a stack register, a value of a temporary register, a value of an EPC register, and the like.
As an embodiment, the above step S101 may be implemented using ptrace. Tracking of the target process may be implemented with the PTRACE_ATTACH request, whereupon the tracked target process becomes a child process of the current process and enters a stopped (i.e., paused) state; in addition, the PTRACE_GETREGSET request may be used to read the register data of the target process.
It is understood that the implementation of the above step S101 by using PTRACE is only an example provided by the embodiments of the present application, and those skilled in the art can make appropriate adjustments according to the actual situations and the prior art.
In the step S102, the target process may be controlled to enter a soft interrupt state according to the register data read in the step S101, and the dynamic library may be loaded in the soft interrupt state. The specific implementation of the control target process entering the soft interrupt state and loading the dynamic library in the soft interrupt state will be described in detail in the following embodiments, which will not be described here.
In step S103 above, PIC stands for position-independent code, meaning code that can be loaded at any address and executed. In general, PIC reads entries from the global offset table (GOT). In this embodiment, PIC may be used to execute the execution function in the loaded dynamic library, so as to achieve dynamic injection.
In the above scheme, after the dynamic library is loaded in the soft interrupt state, the PIC is used to execute the execution function in the loaded dynamic library with reference to the PIC calling mode in the MIPS architecture. Different from other architectures, the MIPS architecture cannot execute the execution function in the dynamic library only by adjusting the register value, and therefore, by adopting the above manner, the function of running the dynamic library under dynamic injection can be realized under the MIPS architecture.
Further, on the basis of the foregoing embodiment, the step S103 may specifically include the following steps:
Step 1): jump to a breakpoint address by using PIC, where the breakpoint address corresponds to the address of the execution function.
Step 2): adjust the register data according to the breakpoint address, and execute the execution function by executing the adjusted register data.
Specifically, by using the PIC function under the MIPS architecture, it is possible to jump to the breakpoint position and execute the adjusted register data to run the function of the dynamic library.
The breakpoint position refers to an address of the target process when the target process enters the soft interrupt state, and corresponds to an address of the execution function. Therefore, based on the breakpoint position, register data of the target process can be adjusted, so that the execution function is executed by executing the adjusted register data.
In the above scheme, PIC may be used to jump to the breakpoint address, and the register data is adjusted based on the breakpoint address to execute the execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
Further, on the basis of the foregoing embodiment, as an implementation manner, the step of adjusting register data according to a breakpoint address may specifically include the following steps:
Step 1): store the space occupied by the address of the execution function in a stack register.
Step 2): store the address of the execution function in a temporary register.
Step 3): store the name of the execution function in the EPC register.
Specifically, after the PIC call is executed to the breakpoint address, the values of the stack register, the temporary register, and the EPC register may be adjusted. For the stack register, the space occupied by the address of the execution function can be stored in the stack register; for the temporary register, storing the address of the execution function in the temporary register; for the EPC register, the name of the executing function (or the function symbol) may be stored in the EPC register.
It is understood that there is no order of execution between the above steps 1), 2), 3). As an embodiment, the steps 1), 2), 3) may be performed simultaneously; as another embodiment, the above steps 1), 2), and 3) may be performed sequentially. The embodiments of the present application are not specifically limited, and those skilled in the art can make appropriate adjustments according to actual situations.
In the above scheme, after jumping to the breakpoint address using PIC, the values of the stack register, the temporary register, and the EPC register may be adjusted based on the breakpoint address to execute the execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
Further, on the basis of the above embodiment, the step of controlling the target process to enter the soft interrupt state according to the register data in the step S102 may specifically include the following steps:
Step 1): obtain a free section of memory space of the target process.
Step 2): rewrite the value of the return value register to the address of the memory space.
Step 3): control the target process to enter a soft interrupt state based on the address of the memory space by executing the breakpoint instruction.
Specifically, in the embodiment of the present application, an approach similar to a GDB breakpoint may be used to raise an exception interrupt in the process, so that the process enters a soft interrupt state. A free section of memory space of the target process is obtained; after the register data of the target process is read, the return value register is rewritten to the address of that memory space, and a preset breakpoint instruction is executed through the return value register so that the target process enters the soft interrupt state.
In the above scheme, the target process may enter a soft interrupt state in a manner similar to a GDB breakpoint: the value of the return value register is rewritten to the address of the memory space, and a breakpoint instruction is executed so that the target process enters the soft interrupt state based on that address. Because the interrupt mechanism of the MIPS architecture is not suited to process control, this approach is used to make the target process enter a soft interrupt state under the MIPS architecture, which in turn allows a dynamically injected library to be run.
Further, on the basis of the foregoing embodiment, the step of loading the dynamic library in the soft interrupt state in step S102 may specifically include the following steps:
Register data is adjusted in the soft interrupt state, and the dynamic library is loaded based on the adjusted register data.
Specifically, the step of adjusting the register data in the soft interrupt state may further include the following steps:
Step 1): adjust the value of the EPC register to be a kernel function call address.
Step 2): adjust the value of the return value register to be the kernel symbol of the dlopen function.
Step 3): adjust the parameter register value to be the dynamic library address loaded by the dlopen function.
After the target process is run, the breakpoint interrupt is triggered; once the target process traps into kernel mode, the values of the EPC register, the return value register and the parameter register of the MIPS architecture can be adjusted. The EPC register value may be set to a kernel function call address; the return value register value may be set to the kernel symbol syscall_number of the dlopen function; and the parameter register value may be set to the dynamic library address loaded by the dlopen function. At this point, ptrace lets the process run so that it loads the dynamic library.
It is understood that, similar to the above embodiment, there is no order of execution between the above steps 1), 2), 3). As an embodiment, the steps 1), 2), 3) may be performed simultaneously; as another embodiment, the above steps 1), 2), and 3) may be performed sequentially. The embodiments of the present application are not specifically limited, and those skilled in the art can make appropriate adjustments according to actual situations.
In the above scheme, after the target process enters the soft interrupt state, the dynamic library can be loaded by adjusting the register data.
Further, on the basis of the above embodiments, the dynamic injection method provided by the embodiments of the present application can monitor the running state of program processes under the MIPS architecture of a domestic operating system, and can monitor in real time the paths by which specified software leaks data while it is working. The method therefore fills the gap in dynamic injection under the MIPS architecture of domestic operating systems, supports the varied uses of the hook mechanism and of other hot-patching methods in process monitoring under that architecture, helps the cloud security terminal extend to, be compatible with and adapt to more types of domestic operating system, and allows the product technology to be widely used.
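The injection paths described above (LD_PRELOAD preloading, a PTRACE_ATTACH tracer, and a library loaded through dlopen into a running process) each leave traces in a Linux process's /proc entries. The following is an added example, not part of the patent: it audits a snapshot of /proc/<pid>/status, environ and maps for those traces. The sample process, its paths, and the trusted-directory list are constructed assumptions.

```python
"""Audit a /proc snapshot of one process for library-injection indicators.

All sample data below is constructed for illustration. On a live Linux host,
read the same text from /proc/<pid>/status, /proc/<pid>/environ and
/proc/<pid>/maps.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Assumption: directories this host expects shared objects to be loaded from.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Kernel-provided executable mappings that are normal in a process.
KERNEL_MAPPINGS = ("[vdso]", "[vsyscall]")


@dataclass
class Finding:
    indicator: str
    detail: str


def tracer_pid(status_text: str) -> int:
    """Return the TracerPid field of /proc/<pid>/status (0 = not traced)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def preload_value(environ: bytes) -> Optional[str]:
    """Return LD_PRELOAD from the NUL-separated /proc/<pid>/environ, if set."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry.split(b"=", 1)[1].decode(errors="replace")
    return None


def executable_mappings(maps_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (perms, path) for every executable line of /proc/<pid>/maps."""
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        path = parts[5].strip() if len(parts) == 6 else ""
        if "x" in parts[1]:
            yield parts[1], path


def audit(status_text: str, environ: bytes, maps_text: str,
          exe_path: str) -> List[Finding]:
    """Collect indicators that code was injected into the process."""
    findings: List[Finding] = []
    pid = tracer_pid(status_text)
    if pid:  # a debugger or injector is attached right now
        findings.append(Finding("traced", f"TracerPid={pid}"))
    preload = preload_value(environ)
    if preload:  # library forced in by the dynamic linker at start-up
        findings.append(Finding("ld_preload", preload))
    seen = set()
    for perms, path in executable_mappings(maps_text):
        if path in KERNEL_MAPPINGS or path == exe_path or path in seen:
            continue
        seen.add(path)
        if not path:  # anonymous executable memory, e.g. scratch code space
            findings.append(Finding("anon_exec", perms))
        elif path.endswith(" (deleted)") or not path.startswith(TRUSTED_LIB_DIRS):
            findings.append(Finding("untrusted_library", path))
    return findings


# Constructed sample: a service stopped under a tracer, with one library
# mapped from /tmp and one anonymous rwx region.
SAMPLE_EXE = "/usr/sbin/svc"
SAMPLE_STATUS = "Name:\tsvc\nState:\tt (tracing stop)\nPid:\t4120\nTracerPid:\t4377\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LANG=C\0"
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131        /usr/sbin/svc
0041b000-0041c000 rw-p 0000b000 08:01 131        /usr/sbin/svc
77d10000-77d12000 r-xp 00000000 08:01 9921       /tmp/libmon.so
77e00000-77f6a000 r-xp 00000000 08:01 2210       /lib/libc.so.6
77f80000-77f81000 rwxp 00000000 00:00 0
7ffd0000-7fff1000 rw-p 00000000 00:00 0          [stack]
7fff7000-7fff8000 r-xp 00000000 00:00 0          [vdso]
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_STATUS, SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_EXE):
        print(f"{f.indicator}: {f.detail}")
```

A non-zero TracerPid is only visible while the tracer is attached, so the maps check is the one that still fires after the tracer has detached; anonymous executable regions also occur in JIT runtimes and need an allow-list there.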
Referring to Fig. 2, Fig. 2 is a block diagram of a dynamic injection device according to an embodiment of the present disclosure, where the dynamic injection device 200 may include: a reading module 201, configured to track a target process and read register data of the target process; a control module 202, configured to control the target process to enter a soft interrupt state according to the register data, and load a dynamic library in the soft interrupt state; and an execution module 203, configured to execute the execution function in the loaded dynamic library by using position-independent code (PIC), so as to achieve dynamic injection.
In the embodiment of the present application, after the dynamic library is loaded in the soft interrupt state, referring to the PIC call mode in the MIPS architecture, the PIC is used to execute the execution function in the loaded dynamic library. Different from other architectures, the MIPS architecture cannot execute the execution function in the dynamic library only by adjusting the register value, and therefore, by adopting the above manner, the function of running the dynamic library under dynamic injection can be realized under the MIPS architecture.
Further, the executing module 203 is specifically configured to: jumping to a breakpoint address by using the PIC; wherein the breakpoint address corresponds to an address of the execution function; and adjusting the register data according to the breakpoint address, and executing the execution function by executing the adjusted register data.
In this embodiment, the PIC may jump to a breakpoint address, and the register data is adjusted based on the breakpoint address to execute an execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
Further, the executing module 203 is further configured to: storing the space occupied by the address of the execution function in a stack register; storing an address of the execution function in a temporary register; and storing the name of the execution function in an EPC register.
In the embodiment of the present application, after jumping to a breakpoint address using the PIC, the values of the stack register, the temporary register, and the EPC register may be adjusted based on the breakpoint address, so as to execute an execution function in the loaded dynamic library. With this approach, a dynamically injected library can be run under the MIPS architecture.
Further, the control module 202 is specifically configured to: acquiring a free section of memory space of the target process; rewriting the numerical value of the return value register into the address of the memory space; and controlling the target process to enter a soft interrupt state based on the address of the memory space by executing a breakpoint instruction.
In this embodiment of the present application, a GDB-breakpoint-like manner may be used to make the target process enter a soft interrupt state: the value of the return value register is rewritten to the address of the memory space, and a breakpoint instruction is executed so that the target process enters the soft interrupt state based on that address. Because the interrupt mechanism of the MIPS architecture is not suitable for process control, this approach is what allows the target process to be brought into a soft interrupt state under the MIPS architecture, which in turn makes it possible to run a dynamically injected library.
Further, the control module 202 is specifically configured to: adjusting the register data in the soft interrupt state and loading the dynamic library based on the adjusted register data.
In the embodiment of the application, after the target process enters the soft interrupt state, the dynamic library can be loaded by adjusting the register data.
Further, the control module 202 is further configured to: adjusting the value of the EPC register as a kernel function call address; adjusting the value of the return value register to be a kernel symbol of a dlopen function; and adjusting the parameter register value to the dynamic library address loaded by the dlopen function.
In the embodiment of the present application, the dynamic library may be loaded by adjusting the values of the EPC register, the return value register, and the parameter register.
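From the monitoring side, the steps above leave two effects that can be checked on the host: a tracer attached to the target process, and a shared object newly mapped by dlopen. The following Python code is an added example, not part of the patent; it assumes a Linux target traced through ptrace (so that /proc/<pid>/status reports TracerPid), and the sample snapshots, the trusted-directory policy and all function names are constructed for illustration.

```python
import re

# Assumption: site policy naming the directories libraries are expected to load from.
TRUSTED_DIRS = ("/lib/", "/usr/lib/")

# Constructed /proc/<pid>/status excerpt; TracerPid is non-zero while a tracer is attached.
SAMPLE_STATUS = "Name:\ttarget_app\nState:\tt (tracing stop)\nPid:\t4242\nTracerPid:\t4100\n"

# Constructed /proc/<pid>/maps snapshots taken before and after the library load.
MAPS_BEFORE = """\
00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/target_app
77e10000-77f80000 r-xp 00000000 08:01 220 /lib/libc.so.6
77fc0000-77fe2000 r-xp 00000000 08:01 218 /lib/ld.so.1
7ffd0000-7fff1000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_AFTER = """\
00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/target_app
77d00000-77d08000 r-xp 00000000 08:01 977 /tmp/libmonitor.so
77d08000-77d09000 rw-p 00008000 08:01 977 /tmp/libmonitor.so
77dc0000-77dc4000 r-xp 00000000 08:01 221 /lib/libdl.so.2
77e10000-77f80000 r-xp 00000000 08:01 220 /lib/libc.so.6
77fc0000-77fe2000 r-xp 00000000 08:01 218 /lib/ld.so.1
7ffd0000-7fff1000 rw-p 00000000 00:00 0 [stack]
"""

# address range, permissions, offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

def tracer_pid(status_text):
    """Return the PID of the attached tracer, or 0 when the process is not traced."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0

def executable_files(maps_text):
    """Return the set of file paths that back executable mappings."""
    paths = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in maps format
        perms, path = m.group(3), m.group(4).strip()
        if "x" in perms and path.startswith("/"):
            paths.add(path)
    return paths

def injection_indicators(status_text, maps_before, maps_after):
    """Compare two snapshots of one process and list (kind, detail) findings."""
    findings = []
    tracer = tracer_pid(status_text)
    if tracer:
        findings.append(("tracer_attached", str(tracer)))
    new_libs = executable_files(maps_after) - executable_files(maps_before)
    for path in sorted(new_libs):
        trusted = path.startswith(TRUSTED_DIRS)
        findings.append(("new_library" if trusted else "new_library_untrusted_path", path))
    return findings
```

A tracer alone also matches an ordinary debugging session, so the findings are best read together with the path of the newly mapped library.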
Referring to fig. 3, fig. 3 is a block diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device 300 includes: at least one processor 301, at least one communication interface 302, at least one memory 303, and at least one communication bus 304. Wherein the communication bus 304 is used for realizing direct connection communication of these components, the communication interface 302 is used for communicating signaling or data with other node devices, and the memory 303 stores machine readable instructions executable by the processor 301. When the electronic device 300 is in operation, the processor 301 communicates with the memory 303 via the communication bus 304, and the machine-readable instructions, when called by the processor 301, perform the dynamic injection method described above.
For example, the processor 301 of the embodiment of the present application may implement the following method by reading the computer program from the memory 303 through the communication bus 304 and executing the computer program: Step S101: tracking the target process and reading the register data of the target process. Step S102: controlling the target process to enter a soft interrupt state according to the register data, and loading the dynamic library in the soft interrupt state. Step S103: executing the execution function in the loaded dynamic library by using the address-independent code (PIC), so as to achieve dynamic injection.
The processor 301 includes one or more chips, which may be integrated circuit chips, having signal processing capabilities. The Processor 301 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Micro Control Unit (MCU), a Network Processor (NP), or other conventional processors; the Processor may also be a dedicated Processor, including a Neural-Network Processing Unit (NPU), a Graphics Processing Unit (GPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic devices, discrete gates or transistor logic devices, and discrete hardware components. Also, when the processor 301 is a plurality of processors, a part thereof may be a general-purpose processor, and another part thereof may be a dedicated processor.
The Memory 303 includes one or more memories, which may be, but not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative and that electronic device 300 may include more or fewer components than shown in fig. 3 or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof. In the embodiment of the present application, the electronic device 300 may be, but is not limited to, an entity device such as a desktop, a notebook computer, a smart phone, an intelligent wearable device, and a vehicle-mounted device, and may also be a virtual device such as a virtual machine. In addition, the electronic device 300 is not necessarily a single device, but may also be a combination of multiple devices, such as a server cluster, and the like.
Embodiments of the present application further provide a computer program product, including a computer program stored on a computer-readable storage medium, where the computer program includes computer program instructions, and when the computer program instructions are executed by a computer, the computer can perform the steps of the dynamic injection method in the foregoing embodiments, for example, including: tracking a target process and reading register data of the target process; controlling the target process to enter a soft interrupt state according to the register data, and loading a dynamic library in the soft interrupt state; and executing the loaded execution function in the dynamic library by utilizing the address-independent code PIC so as to realize the purpose of dynamic injection.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some communication interfaces, indirect coupling or communication connection between devices or units, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that, if the functions are implemented in the form of software functional modules and sold or used as independent products, the functions may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A dynamic injection method, comprising:
tracking a target process and reading register data of the target process;
controlling the target process to enter a soft interrupt state according to the register data, and loading a dynamic library in the soft interrupt state;
and executing the loaded execution function in the dynamic library by utilizing the address-independent code PIC so as to realize the purpose of dynamic injection.
2. The dynamic injection method according to claim 1, wherein the executing the loaded execution function in the dynamic library by using the address-independent code PIC comprises:
jumping to a breakpoint address by using the PIC; wherein the breakpoint address corresponds to an address of the execution function;
and adjusting the register data according to the breakpoint address, and executing the execution function by executing the adjusted register data.
3. The dynamic injection method of claim 2, wherein the adjusting the register data according to the breakpoint address comprises:
storing the space occupied by the address of the execution function in a stack register;
storing an address of the execution function in a temporary register; and
storing the name of the execution function in an EPC register.
4. The dynamic injection method of claim 1, wherein the controlling the target process to enter a soft interrupt state according to the register data comprises:
acquiring a free section of memory space of the target process;
rewriting the numerical value of the return value register into the address of the memory space;
and controlling the target process to enter a soft interrupt state based on the address of the memory space by executing a breakpoint instruction.
5. The dynamic injection method of claim 4, wherein loading the dynamic library in the soft interrupt state comprises:
adjusting the register data in the soft interrupt state and loading the dynamic library based on the adjusted register data.
6. The dynamic injection method of claim 5, wherein said adjusting the register data in the soft interrupt state comprises:
adjusting the value of the EPC register as a kernel function call address;
adjusting the value of the return value register to be a kernel symbol of a dlopen function; and
adjusting the parameter register value to be the dynamic library address loaded by the dlopen function.
7. A dynamic injection device, comprising:
the reading module is used for tracking a target process and reading register data of the target process;
the control module is used for controlling the target process to enter a soft interrupt state according to the register data and loading a dynamic library in the soft interrupt state;
and the execution module is used for executing the loaded execution function in the dynamic library by using the address-independent code PIC so as to realize the purpose of dynamic injection.
8. A computer program product comprising computer program instructions which, when read and executed by a processor, perform the method of any one of claims 1 to 6.
9. An electronic device, comprising: a processor, a memory, and a bus;
the processor and the memory are communicated with each other through the bus;
the memory stores computer program instructions executable by the processor, the processor invoking the computer program instructions to perform the method of any of claims 1-6.
10. A computer-readable storage medium, storing computer program instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1-6.
CN202210744879.5A 2022-06-27 2022-06-27 Dynamic injection method and device Pending CN115033873A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210744879.5A CN115033873A (en) 2022-06-27 2022-06-27 Dynamic injection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210744879.5A CN115033873A (en) 2022-06-27 2022-06-27 Dynamic injection method and device

Publications (1)

Publication Number Publication Date
CN115033873A true CN115033873A (en) 2022-09-09

Family

ID=83127360

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210744879.5A Pending CN115033873A (en) 2022-06-27 2022-06-27 Dynamic injection method and device

Country Status (1)

Country Link
CN (1) CN115033873A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115469943A (en) * 2022-09-22 2022-12-13 安芯网盾(北京)科技有限公司 Detection method and device for JAVA virtual terminal command execution

Similar Documents

Publication Publication Date Title
CN111290952B (en) Tracking method and device for dynamic link library function
CN112130926B (en) Application program running method, device, terminal equipment and storage medium
CN115017058B (en) Test method and device of kernel module, electronic equipment and storage medium
CN108021405B (en) Method and device for driving storage medium in SOC system starting process
CN115033873A (en) Dynamic injection method and device
CN114756856B (en) Code reuse attack defense method based on function dynamic loading
CN110515671B (en) Initialization method, initialization device, terminal device and readable storage medium
CN115062307A (en) Open POWER-based program integrity verification method, system, terminal and storage medium
CN111797390B (en) Program running method, program running device, electronic equipment and computer readable storage medium
CN110688320B (en) Global variable detection method and device and terminal equipment
CN115905040B (en) Counter processing method, graphics processor, device and storage medium
CN111931191A (en) Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform
CN116155934A (en) Method, device, electronic equipment and storage medium for intelligent contract call account book
CN115185745A (en) Data processing method, system, electronic device and computer readable storage medium
CN115292000A (en) Method and device for dynamic migration of virtual machine and electronic equipment
CN111258617B (en) Electronic equipment
CN111737656B (en) Application program-oriented privileged hardware resource access method and electronic equipment
CN114048125A (en) Test case determination method and device, computing equipment and storage medium
US20130124925A1 (en) Method and apparatus for checking a main memory of a processor
CN113342376A (en) Method and device for upgrading operating system of Internet of things equipment
CN113609478A (en) IOS platform application program tampering detection method and device
CN109669722B (en) Method for executing instruction of kernel, method for debugging kernel system and kernel system
CN113282363A (en) Method and device for optimizing hybrid APP
CN112650549A (en) Page jump method, device, terminal and storage medium
CN106897588B (en) Processing method and device of label function

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination