CN115952491B - Method, device, electronic equipment and medium for hook objective function


Info

Publication number: CN115952491B
Authority: CN (China)
Legal status: Active
Application number: CN202211732560.7A
Other languages: Chinese (zh)
Other versions: CN115952491A (en)
Inventor: 冯立强
Current Assignee: Beijing Keynote Network Inc
Original Assignee: Beijing Keynote Network Inc

Abstract

The application discloses a method, a device, electronic equipment and a medium for hooking a target function, relating to the technical field of data security. When the target function is executed, execution jumps to a first designated function according to a first jump instruction in the target function; when the first designated function is executed, execution jumps to a second designated function according to a second jump instruction in the first designated function, so that the target function is hooked through the second designated function. The interfaces of the target function, the first designated function and the second designated function are identical, and data in the target function is protected by means of the hook.

Description

Method, device, electronic equipment and medium for hook objective function
Technical Field
The present application relates to the field of data security technologies, and in particular to a method, an apparatus, an electronic device, and a medium for hooking a target function.
Background
With the development of network informatization, people pay more and more attention to data security. To protect computer software data from being destroyed, altered or revealed for accidental or malicious reasons, measures need to be taken to ensure the availability, integrity and confidentiality of network data. Conventional function protection is generally applied to a whole application or code segment. In practice, only part of an application or code segment may be very important: that part needs protection against the risk of attack, while other applications or code segments do not, and protecting all applications and code segments wastes resources.
For example, a Hook function is a code segment for processing messages. When a Hook function is used to hook a target function and another function sends a message to the target function, the target function does not run first; the Hook function runs first. While it runs, the Hook function can process the message and then pass it to the target function, pass the message to the target function directly, or forcibly end the transfer of the message.
Because of the complexity of the Go language's dynamic stack expansion/contraction mechanism, there is currently no machine-instruction-level hook scheme in the Go language environment.
Disclosure of Invention
The application provides a method, a device, electronic equipment and a medium for hook objective function, and aims to solve the technical problems.
To solve the above technical problem, a first aspect of the present application provides a method for hooking a target function, the method including: when the target function is executed, jumping to a first designated function according to a first jump instruction in the target function; and when the first designated function is executed, jumping to a second designated function according to a second jump instruction in the first designated function, so as to hook the target function through the second designated function, wherein the function interfaces of the target function, the first designated function and the second designated function are the same.
The data in the objective function is protected in a hook mode, and function interfaces in the three functions are consistent, so that smooth execution of the hook process is ensured.
Optionally, when executing the first designated function, the step of jumping to a second designated function according to a second jump instruction in the first designated function includes: detecting whether a calling object is the second specified function or not when the first specified function is executed; and if the calling object is not the second designated function, jumping to the second designated function according to the second jump instruction in the first designated function.
Optionally, the method further comprises: detecting whether a calling object is the second specified function or not when the first specified function is executed; and if the call object is the second designated function, jumping to a first preset field of the first designated function according to a third jump instruction in the first designated function, and executing the instruction in the first preset field of the first designated function.
After the calling object is checked in the above steps, the corresponding instruction is executed, which prevents an infinite loop when the function is executed.
Optionally, before the step of jumping to the first designated function when executing the target function, the method further includes: acquiring an original function to be processed; acquiring the code of a second preset field in the original function, processing it into an overlay instruction, and writing the overlay instruction into a first preset field of the first designated function; and replacing the code of the second preset field of the original function with the first jump instruction to obtain the target function.
Optionally, the target function includes, in order, a first jump instruction and the original function machine instructions.
Optionally, a fourth jump instruction is stored in a third preset field of the first specified function, where the third preset field is a field subsequent to the first preset field, and the method further includes: after the overlay instruction in the first preset field is executed, executing the fourth jump instruction stored in the third preset field, jumping to the position of the original function machine instruction, and executing the original function machine instruction.
Optionally, before the step of jumping to the first designated function when executing the objective function, the method further includes: acquiring stack space capacity; and triggering stack capacity expansion when the stack space capacity is lower than the preset capacity.
The new stack after stack expansion can ensure the execution of the subsequent functions or instructions, so that congestion on the stack is avoided.
In a second aspect, the present application provides a device for a hook objective function, the device for a hook objective function comprising: a first jump module for jumping to a first designated function when executing the objective function; and the second jump module is used for jumping to a second designated function after executing the first designated function so as to carry out hook on the target function through the second designated function, wherein the three function interfaces of the target function, the first designated function and the second designated function are the same.
A third aspect of the present application provides an electronic apparatus, comprising: one or more processors; a memory; one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to perform the method of the first aspect.
A fourth aspect of the application provides a computer readable storage medium having stored therein program code which is callable by a processor to perform the method of the first aspect.
Drawings
To describe the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without inventive effort:
FIG. 1 shows a flow diagram of a method of the hook function provided by the prior art;
FIG. 2 is a flow diagram of a method for hook objective function provided by one embodiment of the present application;
FIG. 3 is a flow chart of a method for providing a hook objective function according to another embodiment of the present application;
FIG. 4 is a flow chart of a method for providing a hook objective function according to another embodiment of the present application;
FIG. 5 shows a block diagram of an apparatus for hook objective functions provided by an embodiment of the present application;
FIG. 6 shows a block diagram of an electronic device for performing a method of hook objective function according to an embodiment of the present application;
FIG. 7 illustrates a memory unit for storing or carrying program code for implementing a method of hook objective functions according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are exemplary only for explaining the present application and are not to be construed as limiting the present application.
So that those skilled in the art can better understand the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some embodiments of the present application, not all of them. All other embodiments that those skilled in the art can obtain from the embodiments of the application without inventive effort fall within the scope of the application.
A Hook function is a code segment for processing messages, and it can be used to hook a target function. If another function then sends a message to the target function, the target function does not run first; the Hook function runs first. While it runs, the Hook function can process the message and then pass it to the target function, pass the message to the target function directly, or forcibly end the transfer of the message. Thus, the prior art uses a hook to protect data. For example, in the Java language the compiled output/executable file, the class file, is a bytecode file. The JVM provides a performance profiling mechanism that allows agent programs to modify a bytecode file before it is executed. An APM (Application Performance Management) tool embeds monitoring code at the entry and exit of the target method by means of an agent to implement performance monitoring. The specific process is as follows:
1) When a transaction starts, an instrumentation point captures the start and creates an object that records the execution data of the transaction.
2) During execution of the transaction, instrumentation points capture the relevant parameters and record them in the transaction data object.
3) During execution of the transaction, when a sub-process starts, an instrumentation point creates an object for recording the execution data of the sub-process.
4) During execution of the sub-process, instrumentation points capture the key parameters of its execution and record them in the execution data object of the sub-process.
5) When execution of the sub-process finishes, an instrumentation point obtains the execution performance of the sub-process and records it in the sub-process execution data object.
6) Instrumentation points capture transaction events to obtain the execution performance of the transaction.
However, the prior art has the following problems:
1) Manual instrumentation adds a learning cost outside the user's own business and provokes resistance.
2) Because instrumentation is a complex process, errors in manual instrumentation easily cause problems such as memory leaks in the application.
3) Manual instrumentation is too invasive and hinders maintenance of the application.
4) Manual instrumentation has low feasibility: because of staff changes and similar reasons, no developer may take part in developing the instrumentation code, or, because of outsourcing, the user may not know the code.
The prior art also provides a way of hooking in which the hooked function is taken as the original function, as shown in fig. 1. The figure comprises four components, referred to as four roles. Role 1 is the original function, which consists of a JMP instruction and the original function machine instructions. Role 2 is the Hook function, which consists of the machine instructions of the Hook function. Role 3 is the trampoline memory, which consists of the equivalent of the covered instruction, a JMP instruction, a NOP, and a long jump instruction. Role 4 consists of function pointers for accessing the functionality of the original function, where the function pointers include the correspondence between addresses and instructions in the trampoline memory. The hook procedure in fig. 1 is as follows. A block of memory is allocated as the trampoline memory within 2G before or after the address of the original function. The code at the beginning of the original function is written to the starting address D in the trampoline memory. When the original function is executed, execution jumps to the short address E of the trampoline memory according to the JMP instruction in the original function. When the jump instruction written in the trampoline memory is executed, execution jumps to address B of the original function. When the long jump instruction in the trampoline memory is executed, execution jumps to address C of the Hook function. The roles are all functions written in the Go language, and the function performing the jump is a C language function.
However, the above-mentioned conventional hook scheme has the following problems:
1) The binary call interface of the Go language is inconsistent with the binary interface of the C language, and the hook cannot be directly used by the C function.
2) When a trampoline memory is used, the Go language looks up the function instruction description data of Go functions during garbage collection and stack expansion, and determines the current stack frame from the instruction pointer position. If the address pointer happens to be in the trampoline memory when GC (garbage collection) occurs, the address pointer refers only to the trampoline memory itself. In this case the GC process cannot find valid function information from the instruction address (because there is no metadata), so it cannot locate the call stack frame one level above the current function, and a panic error may be thrown.
The application is illustrated by the following examples of methods, apparatuses, electronic devices and media for hook objective functions.
Embodiment one:
the present embodiment provides a method for a hook objective function, which is applied to the apparatus 100 for a hook objective function shown in fig. 5, the electronic device 200 configured with the apparatus 100 for a hook objective function shown in fig. 6, and the computer readable storage medium 400 shown in fig. 7. The method of the hook objective function is applied to electronic equipment, wherein the electronic equipment can include, but is not limited to, a smart phone, a tablet computer, a laptop portable computer, a desktop computer, a wearable electronic equipment, a physical server, a cloud server and the like. The following describes the procedure shown in fig. 2 in detail, and the method for the hook objective function specifically includes the following steps:
step S110, when executing the objective function, jumping to a first designated function according to a first jump instruction in the objective function.
The target function is the function being hooked. Depending on the hook requirements, the hooked function either cannot be executed directly or cannot be executed at all.
The electronic device monitors the target function through a monitoring function.
In one embodiment, the parameter of the monitoring function is configured as the target function to be monitored; in other words, this configuration sets the object that the monitoring function monitors. For example, the monitoring function may be a watch function. When the target function runs on the computer, the monitoring function observes the run event and thereby monitors the target function. When the monitoring function observes the target function, the target function can be understood to be executing.
In another embodiment, the electronic device includes a number of other functions in addition to the target function. To monitor the target function, the parameters of the monitoring function may be configured as all functions on the electronic device. For example, the monitoring function may be a watch function. All functions on the electronic device are monitored by the monitoring function. When the monitored function is the target function, it is determined that the target function is executing.
The target function is a function that needs to be checked. When the target function is executed, in order to inspect it, or to keep it from being executed, execution must jump from the running target function to another function. For example, execution jumps to the first designated function according to a first jump instruction in the target function, where the first jump instruction may be a JMP instruction. The first designated function is a trampoline function.
Unlike the trampoline memory of the prior art, a trampoline function does not need a configured correspondence between address pointers and memory space. The trampoline function therefore has neither the GC problem caused by the trampoline memory nor the problem that valid information cannot be found because metadata is unavailable.
And step S120, when the first designated function is executed, jumping to a second designated function according to a second jump instruction in the first designated function so as to carry out hook on the target function through the second designated function, wherein the three function interfaces of the target function, the first designated function and the second designated function are the same.
The first designated function is used for jumping, for example to the target function or to the second designated function; it can be understood as the jump intermediary between the second designated function and the target function.
Optionally, the second designated function is a hook function and contains the hook function machine instructions, which implement the hook on the target function. In one example, after execution jumps to the second designated function, the hook function machine instructions are executed; in this scenario, executing the hook function machine instructions cuts off execution of the target function, which protects the target function. In another example, the second designated function contains a JMP instruction that, after execution has jumped to the second designated function, jumps to the first designated function, which then jumps back to the target function; this scenario is used to monitor the target function or to delay its execution.
This embodiment provides a method for hooking a target function. When the target function is executed, execution jumps to a first designated function according to a first jump instruction in the target function; when the first designated function is executed, execution jumps to a second designated function according to a second jump instruction in the first designated function, so that the target function is hooked through the second designated function. The interfaces of the target function, the first designated function and the second designated function are the same. Data in the target function is protected by means of the hook, and because the function interfaces of the three functions are consistent, the hook process executes smoothly. The stack space used by the first designated function is 0, so the GC problems caused by the trampoline memory in the prior art are avoided.
Embodiment two:
the embodiment provides a method for a hook objective function, as shown in fig. 3, where the method for a hook objective function specifically includes the following steps:
step S210, when executing the objective function, jumping to a first designated function according to a first jump instruction in the objective function.
The description of step S210 may be referred to the description of step S110 in the previous embodiment, and will not be repeated here.
Step S220, detecting whether the calling object is the second specified function when executing the first specified function.
If the calling object is not the second specified function, which means that the calling object is the first specified function, the flow proceeds to step S230 to execute the second specified function, in order to prevent an infinite loop. Otherwise, if the calling object is the second specified function, the flow proceeds to step S240 to execute the target function, again in order to avoid an infinite loop.
Step S230, jumping to the second designated function according to the second jump instruction in the first designated function.
It can be appreciated that the hook is implemented by switching the objective function that would otherwise need to be executed to execute the second specified function.
Step S240, according to a third jump instruction in the first specified function, jumping to a first preset field of the first specified function, and executing an instruction in the first preset field of the first specified function.
Embodiment III:
Optionally, before step S210, the method further includes: acquiring an original function to be processed;
acquiring the code of a second preset field in the original function, processing it into an overlay instruction, and writing the overlay instruction into a first preset field of a first designated function. The code of the second preset field of the original function is then replaced with the first jump instruction to obtain the target function. It will be appreciated that the original function includes the code of the second preset field and the original function machine instructions following the second preset field. The length of the second preset field may be the length of one jump instruction. The code of the second preset field is processed into an overlay instruction and written into the first preset field of the first specified function. Executing the code of the second preset field and executing the overlay instruction in the first preset field have the same effect; the code of the second preset field needs to be processed into the overlay instruction because of format issues and the like.
Optionally, the method further comprises: acquiring the stack space capacity; when the stack space capacity is lower than the preset capacity, stack expansion is triggered to ensure that subsequent functions or instructions execute smoothly. For example, the newstack() function first calculates the size of the old stack from its bottom address and top address, and then calculates the size of the new stack, which may be twice that of the old stack, to realize stack expansion. The new stack after expansion ensures that subsequent functions or instructions can execute, so that congestion on the stack is avoided.
Embodiment four:
The present embodiment provides a method for hooking a target function. The original function includes two parts, namely the code of a first preset field and the original function machine instructions. The code of the first preset field is overwritten by a first jump instruction; that is, as shown in fig. 4, the target function includes the first jump instruction and the original function machine instructions. The code of the first preset field is processed into an overlay instruction and then stored at the head of the first designated function, and the first designated function sequentially comprises the overlay instruction, a fourth jump instruction, a NOP, a judging instruction, a second jump instruction and a third jump instruction in the third preset field. The second specified function includes the hook function machine instructions. The third preset field is a field subsequent to the first preset field. The target function, the first specified function, and the second specified function in fig. 4 may be written in the Go language. The method for hooking the target function comprises the following steps:
The target function starts executing from address A. When the target function is executed, execution jumps to the first designated function according to the first jump instruction in the target function; as shown in fig. 4, it jumps to address E of the second designated function, where address E holds a NOP, which can be understood as a no-operation instruction. The first designated function is then executed in sequence. When the first designated function is executed, execution jumps to the second designated function according to the second jump instruction in the first designated function, that is, to position C of the second designated function, and the target function is hooked through the second designated function, that is, the hook function machine instructions are executed. The function interfaces of the target function, the first specified function and the second specified function are the same. The three function interfaces may be ABI interfaces; because the interfaces are the same, the prior-art problem that the hook cannot be used is avoided.
After the overlay instruction in the first preset field at D is executed, the fourth jump instruction stored in the third preset field is executed, jumping to the position of the original function machine instructions (B, as shown in fig. 4), and the original function machine instructions are executed.
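The preparation step of embodiment three and the control flow of embodiments two and four, modelled as an added Go example (not code from the patent). Symbolic instructions stand in for machine code, the numeric addresses and the hook's jump back to E are constructed, and the way the judging instruction recognises the hook as the caller (a jump issued from the hook's address range) is an assumption of this model; nothing here patches real memory or touches the Go runtime.

```go
package main

import (
	"errors"
	"fmt"
)

type Op int

const (
	Bad        Op = iota // zero value: unmapped slot
	Work                 // ordinary instruction
	Jmp                  // unconditional jump to Arg
	Nop                  // no-operation instruction
	SkipIfHook           // judging instruction: skip the next slot if the caller is the hook
	Ret                  // return to the caller of the target function
)

type Ins struct {
	Op   Op
	Arg  int
	Note string
}

// Letters follow the description of fig. 4; the numeric addresses are constructed.
const (
	A = 0  // target function entry (the code that gets overwritten)
	B = 1  // original function machine instructions
	D = 10 // first designated function: overlay instruction slot
	E = 12 // first designated function: NOP entry point
	C = 20 // second designated function (hook)
)

var ErrLoop = errors.New("step limit reached: trampoline and hook keep jumping to each other")

// NewImage lays out the unhooked original function, the trampoline function and the hook.
func NewImage() []Ins {
	m := make([]Ins, 32)
	m[A] = Ins{Work, 0, "prologue"}
	m[B] = Ins{Work, 0, "original body"}
	m[B+1] = Ins{Op: Ret}
	m[D] = Ins{Op: Nop} // filled by Install
	m[D+1] = Ins{Jmp, B, "fourth jump"}
	m[E] = Ins{Op: Nop}
	m[E+1] = Ins{Op: SkipIfHook}
	m[E+2] = Ins{Jmp, C, "second jump"}
	m[E+3] = Ins{Jmp, D, "third jump"}
	m[C] = Ins{Work, 0, "hook body"}
	m[C+1] = Ins{Jmp, E, "hook jump"}
	return m
}

// Install relocates the entry code as the overlay instruction, then writes the first jump.
func Install(m []Ins) {
	m[D] = Ins{Work, 0, "overlay:" + m[A].Note}
	m[A] = Ins{Jmp, E, "first jump"}
}

// Run starts at A and returns the notes of every Work and Jmp instruction executed.
func Run(m []Ins, maxSteps int) ([]string, error) {
	var trace []string
	pc, fromHook := A, false
	for step := 0; step < maxSteps; step++ {
		in := m[pc]
		switch in.Op {
		case Work:
			trace = append(trace, in.Note)
			pc++
		case Nop:
			pc++
		case Jmp:
			trace = append(trace, in.Note)
			// Model assumption: the caller is the hook when the jump is issued from C or above.
			fromHook = pc >= C
			pc = in.Arg
		case SkipIfHook:
			pc++ // default: fall through to the second jump
			if fromHook {
				pc++ // caller is the hook: land on the third jump instead
			}
		case Ret:
			return trace, nil
		default:
			return trace, fmt.Errorf("unmapped instruction at address %d", pc)
		}
	}
	return trace, ErrLoop
}

func main() {
	good, broken := NewImage(), NewImage()
	broken[E+1] = Ins{Op: Nop} // remove the judging instruction to show the loop it prevents
	Install(good)
	Install(broken)
	fmt.Println(Run(good, 100))
	fmt.Println(Run(broken, 100))
}
```

With the judging instruction in place the hooked run ends with the same two effects as the unhooked one (relocated prologue, then original body); with it replaced by a NOP the run never reaches D and stops at the step limit.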
Fifth embodiment:
In order to implement the above method embodiments, the present application further provides a device for hooking a target function. As shown in fig. 5, the device 100 for hooking a target function includes: a first jump module 110 and a second jump module 120;
a first jump module 110 for jumping to a first designated function when executing the objective function;
and a second jump module 120, configured to jump to a second designated function after executing the first designated function, so as to perform hook on the objective function through the second designated function, where the three function interfaces of the objective function, the first designated function, and the second designated function are the same.
Optionally, the second jump module 120 includes: a first detection module and a first jump submodule;
the first detection module is used for detecting whether the calling object is the second specified function when the first specified function is executed;
and the first jump submodule is used for jumping to the second designated function according to the second jump instruction in the first designated function if the calling object is not the second designated function.
Optionally, the apparatus 100 for hooking a target function further comprises: a second detection module and a second jump submodule;
the second detection module is used for detecting whether the calling object is the second specified function when the first specified function is executed;
and the second jump submodule is used for jumping to a first preset field of the first specified function according to a third jump instruction in the first specified function if the calling object is the second specified function, and executing the instruction in the first preset field of the first specified function.
Optionally, the device 100 for a hook objective function further includes a first acquisition module, a second acquisition module and a replacing module;
the first acquisition module is configured to acquire an original function to be processed;
the second acquisition module is configured to acquire the code of a second preset field in the original function, process that code into an overlay instruction, and write the overlay instruction into a first preset field of the first designated function;
and the replacing module is configured to replace the code of the second preset field of the original function with the first jump instruction to obtain the target function.
Optionally, the target function includes, in sequence, a code of a first preset field, a first jump instruction and an original function machine instruction.
Optionally, a fourth jump instruction is stored in a third preset field of the first designated function, where the third preset field is the field following the first preset field, and the device 100 for a hook objective function further includes an overlay module;
and the overlay module is configured to, after the overlay instruction in the first preset field is executed, execute the fourth jump instruction stored in the third preset field, jump to the position of the original function machine instruction, and execute the original function machine instruction.
Optionally, the device 100 for a hook objective function further includes a capacity acquisition module and a capacity expansion module;
the capacity acquisition module is configured to acquire the space capacity of the stack;
and the capacity expansion module is configured to trigger expansion of the stack when the space capacity of the stack is lower than the preset capacity.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working processes of the modules/units/sub-units/components in the above-described apparatus may refer to corresponding processes in the foregoing method embodiments, which are not described herein again.
In the several embodiments provided by the present application, the coupling, direct coupling or communication connection between the modules shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be electrical, mechanical or in other forms.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
Embodiment six:
Fig. 6 shows a block diagram of an electronic device for performing the hook objective function method according to an embodiment of the present application. Referring to fig. 6, the electronic device 200 provided by an embodiment of the present application may include a processor 231, a communication module 232, a memory 233 and a bus. The bus may be an ISA bus, a PCI bus, an EISA bus, a CAN bus, or the like. The buses may be divided into address buses, data buses, control buses, etc. Wherein:
The memory 233 is used for storing programs. In particular, the memory 233 may be used to store software programs as well as various data. The memory 233 may mainly include a program storage area and a data storage area, where the program storage area may store a program required for at least one function, and the program may include program code comprising computer operation instructions. In addition to storing programs, the memory 233 may store messages and the like that the communication module 232 needs to transmit. The memory 233 may include a high-speed RAM and may further include a non-volatile memory, such as at least one Solid State Disk (SSD).
The processor 231 is used for executing programs stored in the memory 233. The program, when executed by the processor, implements the steps of the page display method of each of the above embodiments.
The embodiment of the application also provides a computer readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements each process of the page display method of the above embodiments and can achieve the same technical effects, which are not described again here to avoid repetition. The computer readable storage medium is, for example, a Read-Only Memory (ROM), a Random Access Memory (RAM), an SSD, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a flash memory, or the like.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the method of the above embodiments may be implemented by means of software plus a necessary general purpose hardware platform, or of course by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, SSD, flash) comprising several instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method of the embodiments of the present application.
Embodiment seven:
Fig. 7 shows a storage unit for storing or carrying program code implementing the hook objective function method according to an embodiment of the present application. Referring to fig. 7, a block diagram of a computer readable storage medium according to an embodiment of the present application is shown. The computer readable storage medium 400 has stored therein program code which can be invoked by a processor to perform the methods described in the method embodiments above.
The computer readable storage medium 400 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. Optionally, the computer readable storage medium 400 comprises a non-volatile computer readable medium (non-transitory computer-readable storage medium). The computer readable storage medium 400 has storage space for program code 410 that performs any of the method steps described above. The program code can be read from or written to one or more computer program products. Program code 410 may, for example, be compressed in a suitable form.
The application also provides a computer program product comprising a computer program which, when executed by a processor, carries out the above steps.
In summary, the application discloses a method, a device, an electronic device and a medium for a hook objective function, wherein when the target function is executed, the method jumps to a first designated function according to a first jump instruction in the target function; when the first designated function is executed, the method jumps to a second designated function according to a second jump instruction in the first designated function, so that a hook is performed on the target function through the second designated function, wherein the interfaces of the target function, the first designated function and the second designated function are identical, and data in the target function are protected by means of the hook.
While the application has been described with reference to several particular embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the application. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the application without departing from its scope. Therefore, it is intended that the application not be limited to the particular embodiment disclosed, but that the application will include all embodiments falling within the scope of the appended claims.

Claims (8)

1. A method of hook objective function, the method comprising:
when the target function is executed, jumping to a first designated function according to a first jump instruction in the target function, wherein the target function sequentially comprises the first jump instruction and an original function machine instruction;
detecting whether a calling object is a second designated function or not when the first designated function is executed;
if the calling object is not the second designated function, jumping to the second designated function according to a second jump instruction in the first designated function so as to carry out hook on the target function through the second designated function, wherein three function interfaces of the target function, the first designated function and the second designated function are the same; and
if the calling object is the second designated function, then:
according to a third jump instruction in the first designated function, jumping to a first preset field of the first designated function, and executing an instruction in the first preset field, wherein the instruction in the first preset field is an instruction covered by the first jump instruction in the original function; and
after executing the instruction in the first preset field, executing a fourth jump instruction to jump to the original function machine instruction, and executing the original function machine instruction.
2. The method of claim 1, wherein the step of jumping to a first designated function when executing the target function, further comprises:
acquiring an original function to be processed;
acquiring an instruction of a second preset field in the original function, processing the instruction of the second preset field in the original function into an overlay instruction, and writing the overlay instruction into a first preset field of a first designated function, wherein the second preset field starts from an entry address of the original function;
and replacing an instruction of a second preset field of the original function with a first jump instruction to obtain the target function, wherein the first jump instruction starts from an entry address of the target function.
3. The method of claim 1, wherein the first jump instruction starts at an entry address of the target function.
4. The method of claim 2, wherein the fourth jump instruction is stored in a third preset field of the first designated function, the third preset field being located after the first preset field, the first preset field beginning at an entry address of the first designated function.
5. The method of claim 1, wherein the step of jumping to a first designated function when executing the target function, further comprises:
acquiring stack space capacity;
and triggering stack capacity expansion when the stack space capacity is lower than the preset capacity.
6. An apparatus for hook objective functions, the apparatus comprising:
the first jump module is used for jumping to a first designated function according to a first jump instruction in the target function when the target function is executed, and the target function sequentially comprises the first jump instruction and an original function machine instruction;
means for detecting whether a calling object is a second designated function while executing the first designated function;
the first jump submodule is used for jumping to the second designated function according to a second jump instruction in the first designated function if the calling object is not the second designated function so as to carry out hook on the target function through the second designated function, wherein the three function interfaces of the target function, the first designated function and the second designated function are the same;
a second jump submodule, configured to, if the calling object is the second designated function:
according to a third jump instruction in the first designated function, jumping to a first preset field of the first designated function, and executing an instruction in the first preset field, wherein the instruction in the first preset field is an instruction covered by the first jump instruction in the original function; and
after executing the instruction in the first preset field, executing a fourth jump instruction to jump to the original function machine instruction, and executing the original function machine instruction.
7. An electronic device, comprising:
one or more processors;
a memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to perform the method of any of claims 1-5.
8. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a program code, which is callable by a processor for executing the method according to any one of claims 1 to 5.
CN202211732560.7A 2022-12-30 2022-12-30 Method, device, electronic equipment and medium for hook objective function Active CN115952491B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211732560.7A CN115952491B (en) 2022-12-30 2022-12-30 Method, device, electronic equipment and medium for hook objective function

Publications (2)

Publication Number Publication Date
CN115952491A CN115952491A (en) 2023-04-11
CN115952491B true CN115952491B (en) 2023-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant