CN115952491A - Method, device, electronic equipment and medium for hook target function - Google Patents

Publication number: CN115952491A
Authority: CN (China)
Legal status: Granted (Active)
Application number: CN202211732560.7A
Other languages: Chinese (zh)
Other versions: CN115952491B (en)
Inventor: 冯立强
Current Assignee: Beijing Keynote Network Inc
Original Assignee: Beijing Keynote Network Inc
Application filed by: Beijing Keynote Network Inc
Priority to: CN202211732560.7A
Publication of CN115952491A
Publication of CN115952491B (application granted)

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a method, a device, electronic equipment and a medium for hooking a target function, relating to the technical field of data security. When the target function is executed, execution jumps to a first specified function according to a first jump instruction in the target function; when the first specified function is executed, execution jumps to a second specified function according to a second jump instruction in the first specified function, so that the target function is hooked through the second specified function. The target function, the first specified function and the second specified function have the same function interface, and the data in the target function is protected by means of the hook.

Description

Method, device, electronic equipment and medium for hook target function
Technical Field
The invention relates to the technical field of data security, and in particular to a method, a device, electronic equipment and a medium for hooking a target function.
Background
With the development of network informatization, people pay increasing attention to data security. To protect computer software data from being damaged, altered or leaked through accident or malice, measures must be taken to ensure the availability, integrity and confidentiality of network data. Traditional function protection methods generally operate on an entire application or code segment. In practice, however, only some applications or some code segments may be critical: these are at risk when attacked and need protection, while the others do not. Protecting every application and code segment wastes resources.
For example, a Hook function is a code segment for processing messages that can hook a target function. If another function sends a message to the target function, the Hook function runs first instead of the target function. While it runs, the Hook function can process the message and then pass it on to the target function, pass the message on unchanged, or forcibly terminate its delivery.
Because of the complexity of the Go language's dynamic stack expansion/contraction mechanism, no machine-instruction-level hook scheme currently exists for the Go language environment.
Disclosure of Invention
The invention provides a method, a device, electronic equipment and a medium for hooking a target function, in order to solve the above technical problems.
To solve the above technical problem, a first aspect of the present invention provides a method for hooking a target function, comprising: when the target function is executed, jumping to a first specified function according to a first jump instruction in the target function; and when the first specified function is executed, jumping to a second specified function according to a second jump instruction in the first specified function, so as to hook the target function through the second specified function, wherein the target function, the first specified function and the second specified function have the same function interface.
The data in the target function is protected by means of the hook, and because the function interfaces of the three functions are consistent, the hook process executes smoothly.
Optionally, jumping to the second specified function according to the second jump instruction in the first specified function when the first specified function is executed comprises: detecting, when the first specified function is executed, whether the calling object is the second specified function; and if the calling object is not the second specified function, jumping to the second specified function according to the second jump instruction in the first specified function.
Optionally, the method further comprises: detecting, when the first specified function is executed, whether the calling object is the second specified function; and if the calling object is the second specified function, jumping to a first preset field of the first specified function according to a third jump instruction in the first specified function, and executing the instruction in the first preset field of the first specified function.
Because the calling object is determined in the above steps before the corresponding instruction is executed, an infinite loop is prevented when the function is executed.
Optionally, before jumping to the first specified function when the target function is executed, the method further comprises: acquiring an original function to be processed; acquiring the code of a second preset field in the original function, processing that code into an override instruction, and writing the override instruction into a first preset field of the first specified function; and replacing the code of the second preset field of the original function with the first jump instruction to obtain the target function.
Optionally, the target function comprises, in order, the first jump instruction and the original function machine instructions.
Optionally, a fourth jump instruction is stored in a third preset field of the first specified function, the third preset field being the field following the first preset field, and the method further comprises: after the override instruction in the first preset field is executed, executing the fourth jump instruction stored in the third preset field, jumping to the position of the original function machine instructions, and executing the original function machine instructions.
Optionally, before jumping to the first specified function when the target function is executed, the method further comprises: acquiring the stack space capacity; and triggering stack expansion when the stack space capacity is lower than a preset capacity.
The new stack obtained after stack expansion ensures that subsequent functions or instructions can execute, so congestion on the stack is avoided.
A second aspect of the present invention provides an apparatus for hooking a target function, comprising: a first jump module, configured to jump to a first specified function when the target function is executed; and a second jump module, configured to jump to a second specified function after the first specified function is executed, so as to hook the target function through the second specified function, wherein the target function, the first specified function and the second specified function have the same function interface.
A third aspect of the present invention provides an electronic apparatus, comprising: one or more processors; a memory; one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to perform the method of the first aspect.
A fourth aspect of the present invention provides a computer readable storage medium having stored thereon program code that is callable by a processor to perform the method of the first aspect.
Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without inventive effort:
FIG. 1 is a schematic flow diagram of a method of hooking a function provided by the prior art;
FIG. 2 is a flowchart of a method for hooking a target function according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for hooking a target function according to another embodiment of the present invention;
FIG. 4 is a flowchart of a method for hooking a target function according to another embodiment of the present invention;
FIG. 5 is a block diagram of an apparatus for hooking a target function provided in an embodiment of the present application;
FIG. 6 is a block diagram of an electronic device for performing a method of hooking a target function according to an embodiment of the present application;
FIG. 7 illustrates a storage unit for storing or carrying program code implementing a method of hooking a target function according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present application.
To help those skilled in the art better understand the technical solutions of the present application, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present application.
With the development of network informatization, people pay increasing attention to data security. To protect computer software data from being damaged, altered or leaked through accident or malice, measures must be taken to ensure the availability, integrity and confidentiality of network data. Traditional function protection methods generally operate on an entire application or code segment. In practice, however, only some applications or some code segments may be important: these are at risk when attacked and need protection, while the others do not. Protecting every application and code segment wastes resources.
A Hook function is a code segment for processing messages that can hook a target function. If other functions send messages to the target function, the Hook function runs first instead of the target function. While it runs, the Hook function can process the message and then pass it on to the target function, pass the message on unchanged, or forcibly terminate its delivery. The prior art therefore protects data by means of hooks. For example, the compiled output of a Java program, the class file, is a bytecode file. The JVM provides a performance-profiling mechanism that allows an agent program to modify a bytecode file before it is executed. An APM (Application Performance Management) tool uses an agent to embed monitoring code at the entry and exit of a target method in order to monitor performance. The specific process is as follows:
1) When a transaction starts, it is captured by the instrumentation (buried-point) method and an object that records the transaction's execution data is created.
2) During transaction execution, relevant parameters are captured through instrumentation points and recorded in the transaction data object.
3) During transaction execution, when a sub-process starts, an object that records the sub-process's execution data is created through the instrumentation method.
4) During sub-process execution, key parameters of the sub-process are captured through the instrumentation method and recorded in the sub-process execution data object.
5) When the sub-process finishes, its execution performance is obtained through the instrumentation method and recorded in the sub-process execution data object.
6) The transaction event is captured through the instrumentation method to obtain the execution performance of the transaction.
However, the prior art has the following problems:
1) Manual instrumentation imposes a learning cost unrelated to the user's business, which causes resistance.
2) Because the instrumentation process is complex, manual instrumentation errors easily cause memory leaks in the application.
3) Manual instrumentation is too invasive, which hinders maintenance of the application.
4) Manual instrumentation has low feasibility: because of personnel changes no developer is available for the instrumentation work, or because of outsourcing the user does not know the code, and so on.
The prior art also provides a method in which the hooked function is taken as the original function. As shown in FIG. 1, the diagram includes four components, referred to as four roles. Role 1 is the original function, which consists of a JMP instruction and the original function machine instructions. Role 2 is the Hook function, which consists of the Hook function's machine instructions. Role 3 is the trampoline memory, which consists of the equivalent of the overwritten instructions, a JMP instruction, a NOP, and a long jump instruction. Role 4 consists of function pointers for accessing the original function's functionality; the function pointers hold the correspondence between addresses and instructions in the trampoline memory. In the hook process of FIG. 1, a block of memory is allocated within the 2G before or the 2G after the original function's address and used as the trampoline memory. The code at the beginning of the original function is written to the start address D of the trampoline memory. When the original function is executed, execution jumps to the short address E in the trampoline memory according to the JMP instruction in the original function. When the jump instruction written in the trampoline memory is executed, execution jumps to address B of the original function. When the long jump instruction in the trampoline memory is executed, execution jumps to address C of the Hook function. The roles are all functions written in the Go language, while the function that performs the jump is a C language function.
However, the above-described conventional hook scheme has the following problems:
1) The binary calling interface of the Go language is not consistent with that of the C language, so a C function cannot be used to hook directly.
2) When trampoline memory is used, the Go language looks up the function instruction description data of a Go function during garbage collection and stack expansion, and determines the current stack frame from the instruction pointer position. If the address pointer happens to be inside the trampoline memory when GC (Garbage Collection) occurs, the address belongs only to the trampoline memory itself. In that case the GC process cannot find valid function information from the instruction address (because no metadata exists) and cannot locate the previous level of call stack frame information for the current function, so a panic error is thrown.
The present invention is explained below through embodiments of a method, an apparatus, an electronic device and a medium for hooking a target function.
The first embodiment:
This embodiment provides a method for hooking a target function, which is applied to the apparatus 100 for hooking a target function shown in FIG. 5, the electronic device 200 shown in FIG. 6 that is configured with the apparatus 100, and the computer-readable storage medium 400 shown in FIG. 7. The embodiment is described taking as an example the method applied to an electronic device, where the electronic device may include, but is not limited to, a smartphone, a tablet computer, a laptop computer, a desktop computer, a wearable electronic device, a physical server, a cloud server, and the like. As described in detail with reference to the flow shown in FIG. 2, the method may specifically include the following steps:
Step S110: when the target function is executed, jump to a first specified function according to a first jump instruction in the target function.
The target function is the function being hooked. Depending on the hook requirement, the hooked function either cannot be executed directly or cannot be executed at all.
The electronic device monitors the target function through a monitoring function.
In one embodiment, the parameter of the monitoring function is configured as the target function; that is, this configuration sets the object that the monitoring function monitors. For example, the monitoring function may be a watch function. When the target function runs on the computer, the monitoring function detects the run event and thereby monitors the target function. The monitoring function detecting the target function can be understood as the target function being executed.
In another embodiment, the electronic device contains many functions besides the target function. To monitor the target function, the parameters of the monitoring function may be configured as all functions on the electronic device. For example, the monitoring function may be a watch function. All functions on the electronic device are monitored through the monitoring function, and when the monitored function is the target function, it is determined that the target function is being executed.
The target function is the function that needs to be hooked. When the target function is executed, execution must jump from it to another function, either to inspect the target function or to keep it from executing. For example, execution jumps to a first specified function according to a first jump instruction in the target function, where the first jump instruction may be a JMP instruction. The first specified function is the trampoline function.
Compared with the trampoline memory of the prior art, the trampoline function does not need the correspondence between address pointers and memory space to be configured. It therefore does not suffer from the GC problem caused by trampoline memory, nor from the problem that valid information cannot be found because metadata does not exist.
Step S120: when the first specified function is executed, jump to a second specified function according to a second jump instruction in the first specified function, so as to hook the target function through the second specified function, where the target function, the first specified function and the second specified function have the same function interface.
The first specified function is used for jumping, for example to the target function or to the second specified function; it can be understood as an intermediary between the second specified function and the target function.
Optionally, the second specified function is a hook function and contains the hook function machine instructions, which implement the hook on the target function. In one example, after execution jumps to the second specified function, the hook function machine instructions are executed; in this scenario, executing the hook function machine instructions and cutting off execution of the target function protects the target function. In another example, the second specified function includes a JMP instruction that jumps to the first specified function, from which execution jumps back to the target function; this scenario is used to monitor the target function or to delay its execution.
This embodiment provides a method for hooking a target function: when the target function is executed, execution jumps to a first specified function according to a first jump instruction in the target function; when the first specified function is executed, execution jumps to a second specified function according to a second jump instruction in the first specified function, and the target function is hooked through the second specified function. The target function, the first specified function and the second specified function have the same function interface. The data in the target function is protected by means of the hook, and the consistent function interfaces of the three functions ensure that the hook process executes smoothly. The stack space used by the first specified function is 0, which avoids the GC problem caused by trampoline memory in the prior art.
The second embodiment:
This embodiment provides a method for hooking a target function. As shown in FIG. 3, the method may specifically include the following steps:
Step S210: when the target function is executed, jump to a first specified function according to a first jump instruction in the target function.
For step S210, refer to the description of step S110 in the above embodiment; it is not repeated here.
Step S220: when the first specified function is executed, detect whether the calling object is the second specified function.
If the calling object is not the second specified function, indicating that the calling object is the first specified function, then to prevent an infinite loop the flow proceeds to step S230 and the second specified function is executed. Otherwise, if the calling object is the second specified function, then to avoid an infinite loop the flow proceeds to step S240 and the target function is executed.
Step S230: jump to the second specified function according to the second jump instruction in the first specified function.
That is, execution switches from the target function that was originally to be executed to the second specified function, which implements the hook.
Step S240: jump to a first preset field of the first specified function according to a third jump instruction in the first specified function, and execute the instruction in the first preset field of the first specified function.
The third embodiment:
Optionally, before step S210, the method further includes: acquiring an original function to be processed;
acquiring the code of a second preset field in the original function, processing that code into an override instruction, and writing the override instruction into a first preset field of the first specified function; and replacing the code of the second preset field of the original function with the first jump instruction to obtain the target function. The original function consists of the code of the second preset field followed by the original function machine instructions. The length of the second preset field may be the length of one jump instruction. The code of the second preset field is processed into an override instruction and written into the first preset field of the first specified function. Executing the override instruction in the first preset field has the same effect as executing the code of the second preset field; the code has to be processed into an override instruction for reasons such as format.
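How the patch described in this embodiment appears to an integrity check that compares each function's live prologue with a trusted copy, as an added example that is not code from the patent. It assumes x86-64 JMP encodings (E9 rel32, EB rel8); the function names, addresses and bytes are constructed, and reading a target inside the text range as a trampoline function and one outside it as trampoline memory is an assumption.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"math"
)

// Func pairs prologue bytes from a trusted on-disk image (Ref) with the bytes
// read from the running process (Live) for one function at address Addr.
type Func struct {
	Name      string
	Addr      uint64
	Ref, Live []byte
}

// Finding is one function whose live prologue differs from the reference.
type Finding struct {
	Name   string
	IsJump bool   // the live prologue starts with a JMP
	Target uint64 // decoded jump target, valid when IsJump is true
	InText bool   // target lies inside the program's own text range
}

// rel32 returns the displacement of a 5-byte JMP rel32 at from that lands on
// to. ok is false when to is outside the signed 32-bit (about 2G) reach.
func rel32(from, to uint64) (int32, bool) {
	d := int64(to) - int64(from+5)
	if d < math.MinInt32 || d > math.MaxInt32 {
		return 0, false
	}
	return int32(d), true
}

// decodeJump decodes x86-64 JMP rel8 (EB) and JMP rel32 (E9) placed at addr.
func decodeJump(code []byte, addr uint64) (uint64, bool) {
	switch {
	case len(code) >= 5 && code[0] == 0xE9:
		rel := int32(binary.LittleEndian.Uint32(code[1:5]))
		return addr + 5 + uint64(int64(rel)), true
	case len(code) >= 2 && code[0] == 0xEB:
		return addr + 2 + uint64(int64(int8(code[1]))), true
	}
	return 0, false
}

// checkPrologues reports every function whose live bytes differ from Ref.
func checkPrologues(funcs []Func, textStart, textEnd uint64) []Finding {
	var out []Finding
	for _, f := range funcs {
		if bytes.Equal(f.Ref, f.Live) {
			continue
		}
		fd := Finding{Name: f.Name}
		if t, ok := decodeJump(f.Live, f.Addr); ok {
			fd.IsJump, fd.Target = true, t
			fd.InText = t >= textStart && t < textEnd
		}
		out = append(out, fd)
	}
	return out
}

// patched builds constructed sample input: ref with its first five bytes
// replaced by a JMP rel32 from addr to target.
func patched(ref []byte, addr, target uint64) []byte {
	live := append([]byte(nil), ref...)
	rel, _ := rel32(addr, target)
	live[0] = 0xE9
	binary.LittleEndian.PutUint32(live[1:5], uint32(rel))
	return live
}

// sample returns constructed data: one untouched function, one redirected to
// an address inside the text range, one redirected to memory outside it.
func sample() (funcs []Func, textStart, textEnd uint64) {
	ref := []byte{0x49, 0x3B, 0x66, 0x10, 0x76, 0x2A, 0x55, 0x48} // constructed prologue bytes
	return []Func{
		{"main.handle", 0x401000, ref, ref},
		{"main.parse", 0x401100, ref, patched(ref, 0x401100, 0x4A0000)},
		{"main.send", 0x401200, ref, patched(ref, 0x401200, 0x3F0000)},
	}, 0x400000, 0x500000
}

func main() {
	for _, f := range checkPrologues(sample()) {
		fmt.Printf("%s jump=%v target=%#x inText=%v\n", f.Name, f.IsJump, f.Target, f.InText)
	}
}
```

The byte comparison flags both redirects; only the decoded target tells them apart, so a check that looks solely for jumps leaving the text range would miss a trampoline placed among the program's own functions.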
Optionally, the method further comprises: acquiring the stack space capacity; and, when the stack space capacity is lower than a preset capacity, triggering stack expansion to ensure that subsequent functions or instructions execute smoothly. For example, the newstack() function first calculates the size of the old stack from the stack bottom address and the stack top address and then calculates the size of the new stack, which may be twice that of the old stack, to achieve stack expansion. The new stack after expansion ensures that subsequent functions or instructions can execute, and congestion on the stack does not occur.
The fourth embodiment:
This embodiment provides a method for hooking a target function. The original function includes two parts, the code of a first preset field and the original function machine instructions, and the code of the first preset field is overwritten by a first jump instruction; that is, as shown in FIG. 4, the target function includes the first jump instruction and the original function machine instructions. The code of the first preset field is processed into an override instruction and stored at the head of the first specified function, so that the first specified function comprises, in order, the override instruction, a fourth jump instruction in a third preset field, a NOP (no-operation instruction), a judgment instruction, a second jump instruction and a third jump instruction. The second specified function includes the hook function machine instructions. The third preset field is the field following the first preset field. The target function, the first specified function and the second specified function in FIG. 4 may all be written in the Go language. The method for hooking the target function comprises the following steps:
The target function is executed starting from address A. When it is executed, execution jumps to the first specified function according to the first jump instruction in the target function; as shown in FIG. 4, it jumps to address E of the first specified function, where address E holds a NOP, which can be understood as a no-operation instruction. The first specified function is then executed in order. When it is executed, execution jumps to the second specified function according to the second jump instruction in the first specified function, that is, to position C of the second specified function, and the target function is hooked through the second specified function, that is, the hook function machine instructions are executed. The target function, the first specified function and the second specified function have the same function interface. The three function interfaces may be the same ABI, which solves the prior-art problem that the hook could not be implemented.
After the override instruction in the first preset field at position D is executed, the fourth jump instruction stored in the third preset field is executed and execution jumps to the position of the original function machine instructions, position B in FIG. 4, where the original function machine instructions are executed.
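The control flow of FIG. 4 together with the calling-object check of the second embodiment, modelled as a small instruction table; this is an added example, not code from the patent. The numeric addresses, the sample instructions (mul2, add3, hook:inc) and the rule that the calling object is the function containing the last executed jump are assumptions of the model.

```go
package main

import (
	"errors"
	"fmt"
)

type Kind int
const (
	Nop        Kind = iota
	Op              // ordinary machine instruction, modelled as a function on x
	Jmp             // unconditional jump to To
	SkipIfHook      // judgment instruction: skip the next slot if the calling object is the hook
	Ret
)

type Instr struct {
	Kind Kind
	To   int           // destination of a Jmp
	Fn   func(int) int // effect of an Op on the value x
	Name string
}

// Labels follow FIG. 4; the numeric addresses are constructed for this model.
const (
	A = 0  // target function entry (the field that gets overwritten)
	B = 1  // remaining original function machine instructions
	D = 10 // first preset field of the first specified function
	E = 12 // NOP where the first jump instruction lands
	C = 20 // second specified function (hook)
)

// Address/10 selects the function an instruction belongs to (model assumption).
var owners = [...]string{"target", "first", "hook"}
var ErrLoop = errors.New("step limit exceeded: jump cycle")

// build lays out the unhooked original function, the first specified function and the hook.
func build(guard, passThrough bool) map[int]Instr {
	m := map[int]Instr{
		A:     {Kind: Op, Name: "mul2", Fn: func(x int) int { return x * 2 }},
		B:     {Kind: Op, Name: "add3", Fn: func(x int) int { return x + 3 }},
		B + 1: {Kind: Ret},
		D:     {Kind: Nop},         // receives the override instruction
		D + 1: {Kind: Jmp, To: B},  // fourth jump instruction
		E:     {Kind: Nop},         // NOP
		E + 1: {Kind: SkipIfHook},  // judgment instruction
		E + 2: {Kind: Jmp, To: C},  // second jump instruction
		E + 3: {Kind: Jmp, To: D},  // third jump instruction
		C:     {Kind: Op, Name: "hook:inc", Fn: func(x int) int { return x + 1 }},
		C + 1: {Kind: Jmp, To: E},  // hook passes the call on
	}
	if !guard { // drop the calling-object check
		m[E+1] = Instr{Kind: Nop}
	}
	if !passThrough { // hook cuts execution off instead of passing it on
		m[C+1] = Instr{Kind: Ret}
	}
	return m
}

// install applies the patch of the third embodiment to the model.
func install(m map[int]Instr) {
	m[D] = m[A]                    // displaced code becomes the override instruction
	m[A] = Instr{Kind: Jmp, To: E} // first jump instruction takes its place
}

// run executes from A and returns the final x, the ops executed, and ErrLoop on a cycle.
func run(m map[int]Instr, x, maxSteps int) (int, []string, error) {
	pc, caller := A, "external"
	var trace []string
	for i := 0; i < maxSteps; i++ {
		in := m[pc]
		switch in.Kind {
		case Op:
			x = in.Fn(x)
			trace = append(trace, in.Name)
			pc++
		case Jmp:
			caller, pc = owners[pc/10], in.To
		case SkipIfHook:
			pc++
			if caller == "hook" {
				pc++
			}
		case Ret:
			return x, trace, nil
		default: // Nop
			pc++
		}
	}
	return x, trace, ErrLoop
}

func main() {
	m := build(true, true)
	install(m)
	fmt.Println(run(m, 5, 100))
}
```

With the judgment instruction removed (`build(false, true)`), the hook's jump back to E is sent to C again and `run` stops with `ErrLoop`, which is the loop the calling-object check exists to prevent.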
Embodiment five:
To implement the above method embodiment, the present invention further provides a device for hooking a target function. As shown in Fig. 5, the device 100 for hooking a target function includes a first jump module 110 and a second jump module 120;
The first jump module 110 is configured to jump to a first specified function when the target function is executed;
The second jump module 120 is configured to jump to a second specified function after the first specified function is executed, so as to hook the target function through the second specified function, where the target function, the first specified function, and the second specified function have the same function interface.
Optionally, the second jump module 120 includes a first detection module and a first jump submodule;
The first detection module is configured to detect whether the calling object is the second specified function when the first specified function is executed;
The first jump submodule is configured to jump to the second specified function according to the second jump instruction in the first specified function if the calling object is not the second specified function.
Optionally, the device 100 for hooking a target function further includes a second detection module and a second jump submodule;
The second detection module is configured to detect whether the calling object is the second specified function when the first specified function is executed;
The second jump submodule is configured to, if the calling object is the second specified function, jump to a first preset field of the first specified function according to a third jump instruction in the first specified function and execute the instruction in the first preset field of the first specified function.
Optionally, the device 100 for hooking a target function further includes a first acquisition module, a second acquisition module, and a replacing module;
The first acquisition module is configured to acquire a primitive function to be processed;
The second acquisition module is configured to acquire the code of a second preset field in the primitive function, process the code of the second preset field in the primitive function into a covering instruction, and write the covering instruction into a first preset field of a first specified function;
The replacing module is configured to replace the code of the second preset field of the primitive function with the first jump instruction number to obtain the target function.
Optionally, the target function sequentially includes a code of a first preset field, a first jump instruction, and a primitive function machine instruction.
Optionally, a fourth jump instruction is stored in a third preset field of the first specified function, where the third preset field is a field subsequent to the first preset field, and the device 100 for hooking a target function further includes a covering module;
The covering module is configured to, after the covering instruction in the first preset field is executed, execute the fourth jump instruction stored in the third preset field, jump to the position of the primitive function machine instruction, and execute the primitive function machine instruction.
Optionally, the device 100 for hooking a target function further includes a capacity acquisition module and a capacity expansion module;
The capacity acquisition module is configured to acquire the capacity of the stack space;
The capacity expansion module is configured to trigger stack capacity expansion when the capacity of the stack space is lower than the preset capacity.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the modules/units/sub-units/components in the above-described apparatus may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, the coupling or direct coupling or communication connection between the modules shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or modules may be in an electrical, mechanical or other form.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
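The control flow that these modules implement can be modelled with ordinary function pointers. The following is an added example, not code from the patent: it patches no memory, the calling-object check is stood in for by a flag, the primitive function is constructed, and the letters A to E follow the Fig. 4 positions named in the text, with E taken as the entry of the first specified function (an assumption).

```c
#include <stdio.h>
#include <string.h>

/* One interface shared by the target, first and second specified functions. */
typedef int (*fn_t)(int);

static char trace[32];     /* positions reached, using the Fig. 4 letters */
static int  hook_calls;    /* what the hook observes */
static int  from_hook;     /* stand-in for the calling-object check (assumption) */
static fn_t preset_field;  /* first preset field (D): holds the covering instruction */

static void at(char pos) {
    size_t n = strlen(trace);
    if (n + 1 < sizeof trace) { trace[n] = pos; trace[n + 1] = '\0'; }
}

/* Constructed primitive function: prologue (second preset field) + body (B). */
static int prim_prologue(int x) { return x * 2; }
static int prim_body(int x)     { at('B'); return x + 1; }
static int primitive(int x)     { at('A'); return prim_body(prim_prologue(x)); }

static fn_t target_entry = primitive;  /* code that runs at address A */
static int first_specified(int x);

/* Second specified function (C): the hook. It reaches the primitive code
   by calling the first specified function as the calling object. */
static int second_specified(int x) {
    at('C');
    hook_calls++;
    from_hook = 1;
    int r = first_specified(x);
    from_hook = 0;
    return r;
}

/* First specified function (E): dispatches on who called it. */
static int first_specified(int x) {
    at('E');
    if (!from_hook)               /* second jump instruction */
        return second_specified(x);
    at('D');                      /* third jump: run the covering instruction */
    x = preset_field(x);
    return prim_body(x);          /* fourth jump: back to the primitive code */
}

/* Target function: the first jump instruction sits where the prologue was. */
static int target(int x) { at('A'); return first_specified(x); }

/* Model of the acquisition and replacing modules: move the prologue into
   the first preset field, then put the first jump in its place. */
static void install_hook(void) { preset_field = prim_prologue; target_entry = target; }

static int call_target(int x) { trace[0] = '\0'; return target_entry(x); }

int main(void) {
    printf("%d %s\n", call_target(5), trace);   /* unhooked */
    install_hook();
    printf("%d %s\n", call_target(5), trace);   /* hooked, same result */
    return 0;
}
```

Without the calling-object check, the call from the hook back into the first specified function would jump to the hook again and never reach positions D and B.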
Embodiment six:
Fig. 6 is a block diagram of an electronic device for executing the method of hooking a target function according to an embodiment of the present application. Referring to Fig. 6, the electronic device 200 provided in an embodiment of the present application may include a processor 231, a communication module 232, a memory 233, and a bus. The bus may be an ISA bus, PCI bus, EISA bus, CAN bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. Wherein:
The memory 233 stores programs. In particular, the memory 233 may be used to store software programs as well as various data. The memory 233 may mainly include a program storage area and a data storage area, wherein the program storage area may store a program required to operate at least one function and may include program code including computer operation instructions. In addition to storing programs, the memory 233 may temporarily store messages or the like that the communication module 232 needs to send. The memory 233 may include a high-speed RAM memory, and may further include a non-volatile memory, such as at least one Solid State Disk (SSD).
The processor 231 is used to execute programs stored in the memory 233. The program, when executed by a processor, implements the steps of the page display method of the embodiments described above.
Embodiments of the present application further provide a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, it implements each process of the page display method according to the foregoing embodiments and can achieve the same technical effect; to avoid repetition, it is not described here again. The computer-readable storage medium includes, for example, a Read-Only Memory (ROM), a Random Access Memory (RAM), an SSD, an Electrically Erasable Programmable Read-Only Memory (EEPROM), or a Flash Memory (Flash).
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another like element in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, SSD, flash), and includes several instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the methods of the embodiments of the present application.
Embodiment seven:
Fig. 7 shows a storage unit for storing or carrying program code that implements the method of hooking a target function according to an embodiment of the present application. Referring to Fig. 7, a block diagram of a computer-readable storage medium provided in an embodiment of the present application is shown. The computer-readable medium 400 stores program code that can be called by a processor to execute the method described in the above method embodiments.
The computer-readable storage medium 400 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. Alternatively, the computer-readable storage medium 400 includes a non-volatile computer-readable storage medium. The computer readable storage medium 400 has storage space for program code 410 for performing any of the method steps of the method described above. The program code can be read from or written to one or more computer program products. Program code 410 may be compressed, for example, in a suitable form.
The present application also provides a computer program product comprising a computer program which when executed by a processor performs the above steps.
In summary, the present invention discloses a method, an apparatus, an electronic device, and a medium for hooking a target function. When the target function is executed, a jump is made to a first specified function according to a first jump instruction in the target function; when the first specified function is executed, a jump is made to a second specified function according to a second jump instruction in the first specified function, and the target function is hooked through the second specified function. The target function, the first specified function, and the second specified function have the same function interface, and the data in the target function is protected by means of the hook.
While the invention has been described with reference to several particular embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.

Claims (10)

1. A method of hooking a target function, the method comprising:
when the target function is executed, jumping to a first specified function according to a first jump instruction in the target function;
when the first specified function is executed, jumping to a second specified function according to a second jump instruction in the first specified function, so as to hook the target function through the second specified function, wherein the target function, the first specified function and the second specified function have the same function interface.
2. The method of claim 1, wherein jumping to a second specified function according to a second jump instruction in the first specified function when the first specified function is executed comprises:
detecting whether a calling object is the second specified function when the first specified function is executed;
and if the calling object is not the second specified function, jumping to the second specified function according to the second jump instruction in the first specified function.
3. The method of hooking a target function of claim 1, further comprising:
when the first specified function is executed, detecting whether a calling object is the second specified function;
and if the calling object is the second specified function, jumping to a first preset field of the first specified function according to a third jump instruction in the first specified function, and executing an instruction in the first preset field of the first specified function.
4. The method of claim 3, wherein, before jumping to the first specified function when the target function is executed, the method further comprises:
acquiring a primitive function to be processed;
acquiring a code of a second preset field in the primitive function, processing the code of the second preset field in the primitive function into a covering instruction, and writing the covering instruction into a first preset field of a first specified function;
and replacing the code of the second preset field of the primitive function with a first jump instruction number to obtain the target function.
5. The method of hooking a target function of claim 1, wherein the target function comprises a first jump instruction and a primitive function machine instruction in sequence.
6. The method of claim 4, wherein a fourth jump instruction is stored in a third preset field of the first specified function, the third preset field being a field subsequent to the first preset field, the method further comprising:
after the covering instruction in the first preset field is executed, executing the fourth jump instruction stored in the third preset field, jumping to the position of the primitive function machine instruction, and executing the primitive function machine instruction.
7. The method of hooking a target function according to claim 1, wherein, before jumping to the first specified function when the target function is executed, the method further comprises:
acquiring the capacity of a stack space;
and triggering stack expansion when the stack space capacity is lower than the preset capacity.
8. An apparatus for hooking a target function, the apparatus comprising:
a first jump module, configured to jump to a first specified function when the target function is executed;
and a second jump module, configured to jump to a second specified function after the first specified function is executed, so as to hook the target function through the second specified function, wherein the target function, the first specified function and the second specified function have the same function interface.
9. An electronic device, comprising:
one or more processors;
a memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to perform the method of any of claims 1-7.
10. A computer-readable storage medium, having stored thereon program code that can be invoked by a processor to perform the method according to any one of claims 1 to 7.
CN202211732560.7A 2022-12-30 2022-12-30 Method, device, electronic equipment and medium for hook objective function Active CN115952491B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211732560.7A CN115952491B (en) 2022-12-30 2022-12-30 Method, device, electronic equipment and medium for hook objective function


Publications (2)

Publication Number Publication Date
CN115952491A true CN115952491A (en) 2023-04-11
CN115952491B CN115952491B (en) 2023-09-29

Family

ID=87285723

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant