CN115185568A - Function Hook updating method and device, electronic equipment and storage medium

Publication number
CN115185568A
Authority
CN
China
Prior art keywords
hook
package
memory
updating
bytecode
Legal status
Pending
Application number
CN202210813539.3A
Other languages
Chinese (zh)
Inventor
刘旭
黄自力
杨阳
蔡水捷
Current Assignee
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Application filed by China Unionpay Co Ltd
Priority to CN202210813539.3A
Publication of CN115185568A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/656 Updates while running
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/71 Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a method and a device for updating a function Hook, electronic equipment and a storage medium, wherein the method comprises the following steps: acquiring a function Hook updating package, loading the updating package into a memory of an application process, and determining a position of the Hook and an inserted Hook code according to the updating package; modifying the Hook code by adopting a byte code modification tool in the memory of the application process to obtain a corresponding Hook byte code; and inserting the Hook byte codes into the positions of the hooks. When the target function is called next time, the latest bytecode can be directly executed, so that the bytecode corresponding to the injected hook code takes effect immediately, the application system does not need to be restarted, and the effect of hot update of the hook point is achieved.

Description

Function Hook updating method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a method and a device for updating a function Hook, electronic equipment and a storage medium.
Background
To reduce the impact of security product or device updates on applications, most RASP (Runtime Application Self-Protection) security products already support updating detection rules online. These online updates, however, only cover detection rules for existing vulnerabilities. RASP works by hooking dangerous underlying functions of a programming language, so when a new vulnerability appears and a new Hook point has to be added, the protected system or application still needs to be restarted. With OpenRASP, for example, adding new Hook code requires shutting down the protected system or application and restarting it once the update is complete, so that the new detection policy takes effect. Newly added Hook code in a RASP security product therefore causes the protected application to be restarted frequently, which leaves a vacuum period during which service is suspended and has a large impact on the client system.
Disclosure of Invention
The embodiment of the invention provides a function Hook updating method, a function Hook updating device, electronic equipment and a storage medium, which are used for solving the problem that the application of the existing function Hook updating scheme has a vacuum period of suspended service and has a large influence on a client system.
The embodiment of the invention provides a method for updating a function Hook, which comprises the following steps:
acquiring a function Hook updating package, loading the updating package into a memory of an application process, and determining a Hook position and an inserted Hook code according to the updating package;
modifying the Hook code by adopting a byte code modification tool in the memory of the application process to obtain a corresponding Hook byte code;
and inserting the Hook byte code into the Hook position.
Further, the obtaining a function Hook update package includes:
sending a heartbeat message to a server according to a preset period to determine whether the function Hook updating packet is stored in the server or not;
and when the function Hook updating package is determined to be stored in the server, acquiring the function Hook updating package, and loading the updating package into the memory of the application process.
Further, inserting the Hook bytecode into the Hook position comprises:
determining the identification information of the class package to be hooked according to the update package, and judging whether the class package is loaded according to the identification information;
if so, inserting the Hook bytecode into the Hook position in the class package in the memory of the application process;
if not, first obtaining and loading the class package, and then inserting the Hook bytecode into the Hook position in the class package in the memory of the application process.
Further, inserting the Hook bytecode into the Hook position comprises:
and if the Hook byte codes corresponding to the inserted Hook codes are at least two groups of Hook byte codes, sequentially inserting the at least two groups of Hook byte codes into the positions of the hooks.
Further, the method further comprises:
and when a Hook execution instruction is received, acquiring execution state indication information carried in the Hook bytecode, if the execution state indication information is the execution indication information, executing the Hook bytecode, and if the execution state indication information is the non-execution indication information, skipping the Hook bytecode.
On the other hand, an embodiment of the present invention provides a function Hook updating apparatus, where the apparatus includes:
the determining module is used for acquiring a function Hook updating package, loading the updating package into a memory of an application process, and determining a Hook position and an inserted Hook code according to the updating package;
the modification module is used for modifying the Hook code by adopting a byte code modification tool in the internal memory of the application process to obtain a corresponding Hook byte code;
and the inserting module is used for inserting the Hook byte codes into the Hook positions.
Further, the determining module is specifically configured to send a heartbeat packet to a server according to a preset period, so as to determine whether the server stores the function Hook update package; and when the function Hook updating package is determined to be stored in the server, acquiring the function Hook updating package, and loading the updating package into the memory of the application process.
Further, the inserting module is specifically configured to determine, according to the update package, identification information of the class package to be hooked, and determine, according to the identification information, whether the class package is loaded; if so, to insert the Hook bytecode into the Hook position in the class package in the memory of the application process; if not, to first obtain and load the class package, and then insert the Hook bytecode into the Hook position in the class package in the memory of the application process.
Further, the inserting module is specifically configured to insert the at least two groups of Hook bytecodes into the Hook positions in sequence if the Hook bytecodes corresponding to the inserted Hook codes are the at least two groups of Hook bytecodes.
Further, the apparatus further comprises:
and the execution module is used for acquiring execution state indication information carried in the Hook bytecode when receiving a Hook execution instruction, executing the Hook bytecode if the execution state indication information is the execution indication information, and skipping the Hook bytecode if the execution state indication information is non-execution indication information.
On the other hand, the embodiment of the invention provides electronic equipment, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
a processor for implementing any of the above method steps when executing a program stored in the memory.
In another aspect, an embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the method steps described in any one of the above.
The embodiment of the invention provides a method and a device for updating a function Hook, electronic equipment and a storage medium, wherein the method comprises the following steps: acquiring a function Hook updating package, loading the updating package into a memory of an application process, and determining a Hook position and an inserted Hook code according to the updating package; in the memory of the application process, modifying the Hook code by adopting a bytecode modification tool to obtain a corresponding Hook bytecode; and inserting the Hook byte code into the Hook position.
The technical scheme has the following advantages or beneficial effects:
in the embodiment of the invention, the function Hook updating packet is acquired, the updating packet is loaded into the memory of the application process, the Hook code is modified by adopting a byte code modification tool after the position of the Hook and the inserted Hook code are determined according to the function Hook updating packet, the corresponding Hook byte code is obtained, and then the Hook byte code is inserted into the position of the Hook. When the target function is called next time, the latest byte codes can be directly executed, so that the byte codes corresponding to the injected hook codes take effect immediately, an application system does not need to be restarted, and the effect of hot updating hook points is achieved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments will be briefly introduced below, and it is apparent that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings may be obtained based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a function Hook updating process provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of another function Hook updating process according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a function Hook updating system according to an embodiment of the present invention;
Fig. 4 is a flowchart of a Java method executed after a hook point is hot-updated according to an embodiment of the present invention;
Fig. 5 is a flowchart of the execution logic of a Hook point according to an embodiment of the present invention;
Fig. 6 is a logic diagram of a dynamic Hook of the Object parse(String) method of com.
Fig. 7 is a development flowchart provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of configuring and packaging results according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a function Hook updating apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the attached drawings, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
In the technical field of information security, when a new vulnerability occurs and a Hook point needs to be newly added, in the prior art, application is generally updated in a cold standby mode or a dual application mode to deal with the new vulnerability. The cold standby mode refers to that an application or system update installation package is prepared in advance, the current RASP service is stopped, and the RASP service is restarted after the update is completed. The dual application mode is to prepare a version of application with updated RASP, switch network lines, disconnect old applications, and set new applications as original connection parameters. In the cold standby mode, due to the closing of the application, a vacuum period of suspended service exists, the dual-application mode has 2 times of interruption in network switching, the vacuum period of suspended service also exists, and the cost for deploying some dual applications is very high.
Based on the above considerations, the embodiment of the present invention provides a function Hook updating scheme so that, when a new application vulnerability that uses a sensitive function appears, UPRASP can be updated in time to deal with the potential risk without interrupting the original application or service. The function Hook updating scheme provided by the embodiment of the invention is explained in detail below.
Fig. 1 is a schematic diagram of a Hook update process of a function provided in an embodiment of the present invention, where the process includes the following steps:
S101: Acquire a function Hook update package, load the update package into the memory of an application process, and determine the Hook position and the inserted Hook code according to the update package.
S102: In the memory of the application process, modify the Hook code with a bytecode modification tool to obtain the corresponding Hook bytecode.
S103: Insert the Hook bytecode into the Hook position.
The method for updating the function Hook provided by the embodiment of the invention is applied to electronic equipment, and the electronic equipment can be a PC (personal computer), a tablet computer, an Agent terminal and the like.
When a new bug occurs and a Hook point needs to be newly added, a function Hook update package is added in a server (or called a management background), wherein the function Hook update package can be added into the server by a manager, or can be generated by the server through analysis and learning of the new bug so as to deal with the new bug.
The electronic equipment sends a heartbeat message to the server at a preset period to determine whether a function Hook update package is stored in the server; when it determines that one is stored, it acquires the function Hook update package and loads it into the memory of the application process. The preset period may be set according to the actual application scenario, for example sending the heartbeat message to the server every 3 seconds or 5 seconds, or every 5 minutes or 10 minutes, and so on.
After receiving the heartbeat message, the server judges whether a newly added function Hook update package exists. If so, the server can send the function Hook update package directly to the electronic equipment, or it can send a response message that tells the electronic equipment that the server has a newly added function Hook update package. After receiving the response message, the electronic equipment acquires the new function Hook update package from the server and loads it into the memory of the application process.
The heartbeat message sent by the electronic device to the server may carry identification information of a function Hook update package to be acquired, that is, identification information of a function Hook update package corresponding to a new vulnerability. After receiving the heartbeat message, the server judges whether a function Hook update packet corresponding to the identification information carried in the heartbeat message exists, if so, the server can directly send the function Hook update packet corresponding to the identification information to the electronic equipment, and can also send a response message to the electronic equipment when judging that the server has the function Hook update packet corresponding to the identification information. And after the electronic equipment receives the response message, acquiring a function Hook update package corresponding to the identification information in the server.
The function Hook update package carries the Hook position and the inserted Hook code; after acquiring the package, the electronic equipment determines both by loading and parsing it. The Hook position is generally a specific position in a certain method of a certain class package, for example between bytecode p and bytecode q of method m of class package A. In the embodiment of the invention, after the electronic equipment determines the inserted Hook code, it uses a bytecode modification tool, for example Javassist, to modify the Hook code and obtain the corresponding Hook bytecode. The Hook bytecode corresponding to the inserted Hook code is then written into the Hook position. Taking a Hook position between bytecode p and bytecode q of method m of class package A as an example, the Hook bytecode is written between bytecode p and bytecode q of method m of class package A, which completes the function Hook update.
In the embodiment of the invention, the function Hook update package is acquired, the update package is loaded into the memory of the application process, the Hook code is modified by adopting a byte code modification tool after the position of the Hook and the inserted Hook code are determined according to the function Hook update package, the corresponding Hook byte code is obtained, and then the Hook byte code is inserted into the position of the Hook. When the target function is called next time, the latest bytecode can be directly executed, so that the bytecode corresponding to the injected hook code takes effect immediately, the application system does not need to be restarted, and the effect of hot update of the hook point is achieved.
In this embodiment of the present invention, inserting the Hook bytecode into the Hook position includes:
determining the identification information of the class package to be hooked according to the update package, and judging whether the class package is loaded according to the identification information;
if so, inserting the Hook bytecode into the Hook position in the class package in the memory of the application process;
if not, first obtaining and loading the class package, and then inserting the Hook bytecode into the Hook position in the class package in the memory of the application process.
After the function Hook update package is acquired and the Hook position is determined from it, the identification information of the class package to be hooked is obtained from the Hook position, and it is then judged whether the class package with that identification information is loaded in the memory of the application process of the electronic equipment. If it is loaded, the Hook bytecode is inserted into the Hook position in the class package. If it is not loaded, the corresponding class package is obtained and loaded according to the identification information. The loading can be done manually by a user: the user gives an operation instruction to the electronic equipment, the electronic equipment loads the corresponding class package after receiving the instruction, and the Hook bytecode is then inserted into the Hook position in the class package in the memory of the application process.
In this embodiment of the present invention, inserting the Hook bytecode into the Hook position includes:
if the Hook bytecodes corresponding to the inserted Hook codes are at least two groups of Hook bytecodes, sequentially inserting the at least two groups of Hook bytecodes into the Hook position.
The electronic device may determine that the inserted Hook codes are at least two groups, and modify the at least two groups of Hook codes respectively by using a bytecode modification tool to obtain at least two corresponding groups of Hook bytecodes. And then at least two groups of Hook byte codes are sequentially inserted into the positions of the hooks.
For example, when the Hook position is between bytecode p and bytecode q of method m of class package A, and the at least two groups of Hook bytecodes are bytecode x, bytecode y and bytecode z, then bytecode x, bytecode y and bytecode z are sequentially inserted between bytecode p and bytecode q of method m of class package A, giving, for example, bytecode p, bytecode x, bytecode y, bytecode z and bytecode q. The embodiment of the present invention does not limit the insertion order of the at least two groups of bytecodes: depending on the actual application scenario, they may be inserted in random order, or the order may be determined by a specified rule and the groups then inserted into the Hook position in that order.
In the embodiment of the present invention, the method further includes:
and when a Hook execution instruction is received, acquiring execution state indication information carried in the Hook bytecode, if the execution state indication information is the execution indication information, executing the Hook bytecode, and if the execution state indication information is the non-execution indication information, skipping the Hook bytecode.
Each group of Hook byte codes carries execution state indication information, and the execution state indication information comprises execution indication information and non-execution indication information. The execution indication information is used for representing that the group of Hook bytecodes is executed, and the non-execution indication information is used for representing that the group of Hook bytecodes is not executed.
When the electronic equipment receives a Hook execution instruction, the electronic equipment sequentially acquires execution state indication information carried in each group of byte codes according to the sequence, if the execution state indication information is the execution indication information, the group of Hook byte codes are executed, and the electronic equipment acquires the execution state indication information carried in the next group of byte codes after the execution. And if the execution state indication information is the non-execution indication information, skipping the group of Hook byte codes, then acquiring the execution state indication information carried in the next group of byte codes and performing subsequent execution steps.
The embodiment of the invention provides a method for hot-updating RASP Hook points, which works well in the UPRASP hot update scenario: the update package is loaded into the memory of the application program, the modification is made while the application is running, and the update completes without affecting normal service. The main advantages are: 1. No application restart: while the protected application is running, RASP Hook code is added dynamically without restarting or suspending the application. 2. No backup application: Hook code is modified and added without changing the functions of the application.
Fig. 2 is a schematic diagram of a function Hook updating process provided by the embodiment of the present invention, where the process includes:
S201: Acquire the required update package, then load and parse its content.
S202: Obtain the code position to be hooked and the hook code to be injected from the update package content.
S203: Determine the identification information of the class package to be hooked according to the update package, and judge from the identification information whether the class package is loaded; if so, go to S204, otherwise go to S205.
S204: Modify the bytecode of the corresponding class, adding the bytecode corresponding to the hook code at the specified position.
S205: Manually load the class package to be hooked into memory, then go to S202.
Fig. 3 is a schematic diagram of a function Hook updating system according to an embodiment of the present invention, in which the Agent end is the electronic equipment. The back end of the electronic equipment is connected to a management background (server). The front end of the electronic equipment receives normal requests or malicious requests from a hacker. The electronic equipment comprises the WEB application/API, the UPRASP Agent, the detection engine, SQL injection and command execution detection, data acquisition and detection, and interception or log early warning. The management background is specifically an UPRASP management background and covers Agent management, vulnerability management, processing strategy management, detection plug-in issuing and the like.
The system flow for hot updating hook points is as follows:
1. The agent end periodically sends an http heartbeat message to the server; if the server has a new hot update package, it returns a hot update jar package.
2. The agent end dynamically loads the hot update jar package returned by the server.
3. After the hot update jar package is loaded, the agent end scans the jar package for classes carrying specific annotations; these classes share a uniform interface and contain the class name and method name to be hooked and the hook code to be injected.
4. The agent end traverses all class packages loaded in the Java virtual machine and searches for the class to be hooked by class name; if the target class is not loaded, it is loaded manually.
5. After finding the class to be hooked, the agent end uses Javassist to modify the bytecode of the target class in the memory of the Java virtual machine.
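Steps 1 and 2 put a jar fetched over http into the protected process, so the agent needs a reason to trust it before anything is loaded. The following is an added example, not code from the patent or from UPRASP: it admits a package only when a detached signature over the jar bytes verifies against a key pinned in the agent. The class name, the detached-signature scheme and reading `Rasp-HotFix-Pkg` / `Rasp-HotFix-MainClass` from the jar manifest are assumptions; the jar and key are constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

/** Added illustration (hypothetical names): admit a hot-update jar only if its signature verifies. */
public final class UpdatePackageGate {

    /** Checks a detached signature over the exact jar bytes against a key pinned in the agent. */
    static boolean signatureValid(byte[] jar, byte[] sig, PublicKey pinned) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(pinned);
        verifier.update(jar);
        try {
            return verifier.verify(sig);
        } catch (SignatureException malformed) {
            return false; // a signature that does not even parse is treated as invalid
        }
    }

    /**
     * Returns the entry class name of an admitted package, or throws before anything is loaded.
     * Reading the two Rasp-HotFix-* values from the jar manifest is an assumption.
     */
    static String admit(byte[] jar, byte[] sig, PublicKey pinned) throws Exception {
        if (!signatureValid(jar, sig, pinned)) {
            throw new SecurityException("hot-update package rejected: bad signature");
        }
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jar))) {
            Manifest mf = in.getManifest();
            if (mf == null) {
                throw new SecurityException("hot-update package rejected: no manifest");
            }
            Attributes main = mf.getMainAttributes();
            String scanPkg = main.getValue("Rasp-HotFix-Pkg");
            String entry = main.getValue("Rasp-HotFix-MainClass");
            if (scanPkg == null || entry == null) {
                throw new SecurityException("hot-update package rejected: missing Rasp-HotFix-* entries");
            }
            return entry; // only now would the agent hand the jar to a class loader
        }
    }

    // ---- constructed sample data: an in-memory jar and a throwaway signing key ----

    static byte[] sampleJar() throws Exception {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        mf.getMainAttributes().putValue("Rasp-HotFix-Pkg", "com.hotfix.test");
        // Constructed value: the page does not state the package of the entry class.
        mf.getMainAttributes().putValue("Rasp-HotFix-MainClass", "com.hotfix.test.HotFixMainClass");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (JarOutputStream jar = new JarOutputStream(out, mf)) {
            jar.putNextEntry(new JarEntry("com/hotfix/test/")); // placeholder for the hook classes
            jar.closeEntry();
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair kp = gen.generateKeyPair(); // stands in for the vendor key; the agent holds only the public half

        byte[] jar = sampleJar();
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(jar);
        byte[] sig = signer.sign();

        System.out.println("admitted entry class: " + admit(jar, sig, kp.getPublic()));

        byte[] tampered = jar.clone();
        tampered[tampered.length - 1] ^= 0x01; // a single flipped bit invalidates the package
        try {
            admit(tampered, sig, kp.getPublic());
            System.out.println("tampered package admitted (unexpected)");
        } catch (SecurityException expected) {
            System.out.println(expected.getMessage());
        }
    }
}
```

Verifying the raw bytes before opening the jar keeps unverified content away from the class loader and the annotation scan in step 3.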
The traditional method for updating a hook point is to compile the update code into a bytecode file and load the new code when the Java virtual machine starts; restarting the virtual machine means restarting the application system, so hot update of the hook point cannot be achieved.
The embodiment of the invention is based on Javassist: the hook code to be injected is inserted, as bytecode, at the start of the bytecode of the Java method to be hooked, which changes the execution flow of the original code and completes the addition of a new hook point. Since the bytecode in the memory of the Java virtual machine is modified, the next call to the target function directly executes the latest bytecode (hook code + original bytecode), so the injected hook code takes effect immediately, the Java virtual machine (application system) does not need to be restarted, and hot update of the hook point is achieved.
Fig. 4 is a flowchart of executing a java method after hot updating a Hook point according to an embodiment of the present invention, where a Hook code is usually a short code segment, and for example, a Hook code in RASP technology is generally used to detect a function parameter or a stack and determine whether a security attack occurs. As shown in fig. 4, the hook code and the bytecode of the original java method are finally stored in the memory at the same time, and are not in a substitution relationship, but are executed in sequence, and the former only focuses on security detection and does not affect the functional logic of the original code.
Fig. 5 is a flowchart of an execution logic of a Hook point according to an embodiment of the present invention, where when multiple sections of Hook codes need to be added to the same java method, a later added Hook code is arranged before a previous added Hook code, and each section of Hook code has an activation switch (execution status indication information) for controlling whether the current section of Hook code will be executed. During operation, the judgment logic is as shown in fig. 5, if the activation switch of the current hook code segment is turned off, the current hook code segment is directly skipped over, and the subsequent code segment is executed continuously.
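The insertion and switch logic described above, as an added example rather than the patent's or UPRASP's own code: a Java agent that uses Javassist `insertBefore` and `Instrumentation.redefineClasses` to place a switchable hook at the start of a loaded method. `HotHookAgent`, `HookSpec`, the system-property switch and the agent argument format are assumptions; it needs Javassist on the agent class path and `Can-Redefine-Classes: true` in the agent manifest.

```java
import java.io.ByteArrayInputStream;
import java.lang.instrument.ClassDefinition;
import java.lang.instrument.Instrumentation;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import javassist.LoaderClassPath;

/** Added illustration (hypothetical names): hot-insert a switchable hook at the start of a method. */
public final class HotHookAgent {

    /** One hook point as an update package might describe it (field names are assumptions). */
    public static final class HookSpec {
        final String className;
        final String methodName;
        final String[] paramTypes;
        final String hookId;
        final String bodySource;

        public HookSpec(String className, String methodName, String[] paramTypes,
                        String hookId, String bodySource) {
            // The id is spliced into generated source below, so keep it to a safe alphabet.
            if (!hookId.matches("[A-Za-z0-9._-]+")) {
                throw new IllegalArgumentException("bad hook id: " + hookId);
            }
            this.className = className;
            this.methodName = methodName;
            this.paramTypes = paramTypes;
            this.hookId = hookId;
            this.bodySource = bodySource;
        }
    }

    // Latest bytecode per class. Javassist reads the original .class resource, not the
    // redefined in-memory version, so earlier hooks are lost unless we build on this copy.
    private static final Map<String, byte[]> LATEST = new ConcurrentHashMap<>();

    /** System property used here as the activation switch of one hook segment (an assumption). */
    public static String switchKey(String hookId) {
        return "rasp.hook." + hookId + ".enabled";
    }

    /** Use the class if the JVM already has it loaded, otherwise load it first. */
    static Class<?> findOrLoad(Instrumentation inst, String name, ClassLoader fallback)
            throws ClassNotFoundException {
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (c.getName().equals(name)) {
                return c;
            }
        }
        return Class.forName(name, true, fallback);
    }

    /** Insert the hook before the method's first bytecode and redefine the class in place. */
    public static synchronized void apply(Instrumentation inst, HookSpec spec, ClassLoader fallback)
            throws Exception {
        Class<?> target = findOrLoad(inst, spec.className, fallback);
        if (!inst.isRedefineClassesSupported() || !inst.isModifiableClass(target)) {
            throw new IllegalStateException("cannot redefine " + spec.className);
        }
        ClassPool pool = new ClassPool(true);
        if (target.getClassLoader() != null) {
            pool.insertClassPath(new LoaderClassPath(target.getClassLoader()));
        }
        byte[] current = LATEST.get(spec.className);
        CtClass ct = (current != null)
                ? pool.makeClass(new ByteArrayInputStream(current))
                : pool.get(spec.className);
        CtMethod method = ct.getDeclaredMethod(spec.methodName, pool.get(spec.paramTypes));
        // insertBefore places code at the method start, so a hook added later runs before
        // hooks added earlier; the original body is kept and runs after all of them.
        // A segment whose switch is off is skipped and execution falls through to the next.
        method.insertBefore("if (Boolean.getBoolean(\"" + switchKey(spec.hookId) + "\")) { "
                + spec.bodySource + " }");
        byte[] patched = ct.toBytecode();
        ct.detach();
        inst.redefineClasses(new ClassDefinition(target, patched));
        LATEST.put(spec.className, patched);
    }

    /** Attach entry point. Agent args (an assumption): "className#methodName#paramType". */
    public static void agentmain(String args, Instrumentation inst) throws Exception {
        String[] p = args.split("#");
        HookSpec spec = new HookSpec(p[0], p[1], new String[] {p[2]}, "demo-input-log",
                "java.util.logging.Logger.getLogger(\"rasp\")"
                        + ".warning(\"hooked call, arg=\" + $1);");
        apply(inst, spec, ClassLoader.getSystemClassLoader());
        System.setProperty(switchKey(spec.hookId), "true"); // switch the new segment on
    }
}
```

Because `redefineClasses` cannot add fields or methods to the target class, the switch state has to live outside it, which is why this sketch keeps it in a JDK-visible system property.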
The function Hook update process is explained in detail below by a specific example. Taking a Hook update for detecting a fastjson vulnerability as an example, Fig. 6 is a logic diagram of a dynamic Hook of the Object parse(String) method of com. The Hook code to be injected is modified with a bytecode modification tool into bytecode of the form 010101…, which is then inserted into the Object parse(String) method of com.
Fig. 7 is a development flowchart provided in an embodiment of the present invention. The method comprises the steps of newly building a Java project and package, newly building an entry class, newly building a checker class, newly building a Hook class, configuring and packaging. The method comprises the following specific steps:
1. Create a new Java project and package, and import UPRaspHotfixBase-1.0.jar.
2. Create a new HotFixMainClass class that implements the com.hotfix.test.UPHotfixInterface interface. The class needs to implement both the start and release methods, in which actions to be performed when the hot update package is loaded and unloaded can be added. An example is as follows:
Figure BDA0003740213700000111
3. Create a new FastjsonChecker class.
Create a checker class that inherits from com.baidu.openrasp.plugin.checker.AttackChecker and carries a checkannotion annotation declaring checkType and checkTypeName. An example is as follows:
Figure BDA0003740213700000121
4. Create a FastJsonHooke class.
This class inherits from com.baidu.openrasp.hook.AbstractClassHook and carries the @HookAnnotation annotation. An example is as follows:
Figure BDA0003740213700000122
5. Configure and package.
In the xml, Rasp-HotFix-Pkg and Rasp-HotFix-MainClass are configured: Rasp-HotFix-Pkg specifies the package to be scanned when UPRASP scans a hot update package, and Rasp-HotFix-MainClass specifies the entry class of the hot update package. Finally, the project is packaged into the jar package shown in Fig. 8.
Fig. 9 is a schematic structural diagram of a function Hook updating apparatus according to an embodiment of the present invention, where the apparatus includes:
a determining module 91, configured to acquire a function Hook update package, load the update package into a memory of an application process, and determine a Hook position and an inserted Hook code according to the update package;
a modification module 92, configured to modify the Hook code by using a bytecode modification tool in the memory of the application process, to obtain corresponding Hook bytecode;
and an inserting module 93, configured to insert the Hook bytecode into the Hook position.
The determining module 91 is specifically configured to send a heartbeat packet to a server according to a preset period, so as to determine whether the function Hook update package is stored in the server; and, when it is determined that the function Hook update package is stored in the server, to acquire the function Hook update package and load the update package into the memory of the application process.
The inserting module 93 is specifically configured to determine, according to the update package, identification information of the Hooked class package, and determine, according to the identification information, whether the class package is loaded; if yes, to insert the Hook bytecode into the Hook position in the class package in the memory of the application process; if not, to first acquire and load the class package and then insert the Hook bytecode into the Hook position in the class package in the memory of the application process.
The inserting module 93 is specifically configured to, if the Hook bytecode corresponding to the inserted Hook code comprises at least two groups of Hook bytecode, insert the at least two groups of Hook bytecode into the Hook position in sequence.
The apparatus further comprises:
an execution module 94, configured to, when a Hook execution instruction is received, obtain the execution state indication information carried in the Hook bytecode, execute the Hook bytecode if the execution state indication information is execution indication information, and skip the Hook bytecode if the execution state indication information is non-execution indication information.
An embodiment of the present invention further provides an electronic device, as shown in Fig. 10, comprising a processor 301, a communication interface 302, a memory 303 and a communication bus 304, wherein the processor 301, the communication interface 302 and the memory 303 communicate with one another through the communication bus 304;
the memory 303 has stored therein a computer program which, when executed by the processor 301, causes the processor 301 to perform the steps of:
acquiring a function Hook update package, loading the update package into a memory of an application process, and determining a Hook position and an inserted Hook code according to the update package;
in the memory of the application process, modifying the Hook code by using a bytecode modification tool to obtain corresponding Hook bytecode;
and inserting the Hook bytecode into the Hook position.
Based on the same inventive concept, the embodiment of the present invention further provides an electronic device, and since the principle of solving the problem of the electronic device is similar to the function Hook updating method, the implementation of the electronic device may refer to the implementation of the method, and repeated details are not described herein.
The electronic device provided by the embodiment of the invention can be a desktop computer, a portable computer, a smart phone, a tablet computer, a Personal Digital Assistant (PDA), a network side device and the like.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface 302 is used for communication between the above-described electronic apparatus and other apparatuses.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Alternatively, the memory may be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a central processing unit, a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc.
An embodiment of the present invention further provides a computer-readable storage medium in which a computer program executable by an electronic device is stored; when the program runs on the electronic device, the electronic device is caused to execute the following steps:
acquiring a function Hook update package, loading the update package into a memory of an application process, and determining a Hook position and an inserted Hook code according to the update package;
in the memory of the application process, modifying the Hook code by using a bytecode modification tool to obtain corresponding Hook bytecode;
and inserting the Hook bytecode into the Hook position.
Based on the same inventive concept, embodiments of the present invention further provide a computer-readable storage medium, and since a principle of solving a problem when a processor executes a computer program stored in the computer-readable storage medium is similar to that of the function Hook update method, the implementation of the computer program stored in the computer-readable storage medium by the processor may refer to implementation of the method, and repeated details are not repeated.
The computer-readable storage medium may be any available medium or data storage device that can be accessed by a processor in an electronic device, including but not limited to magnetic memory such as floppy disks, hard disks, magnetic tape and magneto-optical disks (MO); optical memory such as CDs, DVDs, BDs and HVDs; and semiconductor memory such as ROMs, EPROMs, EEPROMs, non-volatile memories (NAND FLASH) and solid state disks (SSDs).
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A method for updating a function Hook, the method comprising:
acquiring a function Hook update package, loading the update package into a memory of an application process, and determining a Hook position and an inserted Hook code according to the update package;
in the memory of the application process, modifying the Hook code by using a bytecode modification tool to obtain corresponding Hook bytecode;
and inserting the Hook bytecode into the Hook position.
2. The method of claim 1, wherein acquiring the function Hook update package and loading the update package into the memory of the application process comprises:
sending a heartbeat message to a server according to a preset period to determine whether the function Hook update package is stored in the server;
and when it is determined that the function Hook update package is stored in the server, acquiring the function Hook update package and loading the update package into the memory of the application process.
3. The method of claim 1, wherein inserting the Hook bytecode into the Hook position comprises:
determining identification information of the Hooked class package according to the update package, and determining whether the class package is loaded according to the identification information;
if so, inserting the Hook bytecode into the Hook position in the class package in the memory of the application process;
if not, first acquiring and loading the class package, and then inserting the Hook bytecode into the Hook position in the class package in the memory of the application process.
4. The method of claim 1, wherein inserting the Hook bytecode into the Hook position comprises:
if the Hook bytecode corresponding to the inserted Hook code comprises at least two groups of Hook bytecode, inserting the at least two groups of Hook bytecode into the Hook position in sequence.
5. The method of claim 4, wherein the method further comprises:
when a Hook execution instruction is received, acquiring execution state indication information carried in the Hook bytecode, executing the Hook bytecode if the execution state indication information is execution indication information, and skipping the Hook bytecode if the execution state indication information is non-execution indication information.
6. A function Hook updating apparatus, characterized in that the apparatus comprises:
a determining module, configured to acquire a function Hook update package, load the update package into a memory of an application process, and determine a Hook position and an inserted Hook code according to the update package;
a modification module, configured to modify the Hook code by using a bytecode modification tool in the memory of the application process to obtain corresponding Hook bytecode;
and an inserting module, configured to insert the Hook bytecode into the Hook position.
7. The apparatus according to claim 6, wherein the determining module is specifically configured to send a heartbeat message to a server according to a preset period, so as to determine whether the function Hook update package is stored in the server; and, when it is determined that the function Hook update package is stored in the server, to acquire the function Hook update package and load the update package into the memory of the application process.
8. The apparatus according to claim 6, wherein the inserting module is specifically configured to determine, according to the update package, identification information of the Hooked class package, and determine, according to the identification information, whether the class package is loaded; if yes, to insert the Hook bytecode into the Hook position in the class package in the memory of the application process; if not, to first acquire and load the class package and then insert the Hook bytecode into the Hook position in the class package in the memory of the application process.
9. The apparatus of claim 6, wherein the inserting module is specifically configured to, if the Hook bytecode corresponding to the inserted Hook code comprises at least two groups of Hook bytecode, insert the at least two groups of Hook bytecode into the Hook position in sequence.
10. The apparatus of claim 9, wherein the apparatus further comprises:
an execution module, configured to acquire execution state indication information carried in the Hook bytecode when a Hook execution instruction is received, execute the Hook bytecode if the execution state indication information is execution indication information, and skip the Hook bytecode if the execution state indication information is non-execution indication information.
11. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the method steps of any one of claims 1 to 5 when executing the program stored in the memory.
12. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when executed by a processor, carries out the method steps of any one of claims 1 to 5.
CN202210813539.3A 2022-07-11 2022-07-11 Function Hook updating method and device, electronic equipment and storage medium Pending CN115185568A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210813539.3A CN115185568A (en) 2022-07-11 2022-07-11 Function Hook updating method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210813539.3A CN115185568A (en) 2022-07-11 2022-07-11 Function Hook updating method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115185568A true CN115185568A (en) 2022-10-14

Family

ID=83517565

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210813539.3A Pending CN115185568A (en) 2022-07-11 2022-07-11 Function Hook updating method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115185568A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination