CN116150021A - Program running track tracking method, program running track comparing method, program running track tracking device and computing equipment - Google Patents
Program running track tracking method, program running track comparing method, program running track tracking device and computing equipment Download PDFInfo
- Publication number
- CN116150021A CN116150021A CN202310184988.0A CN202310184988A CN116150021A CN 116150021 A CN116150021 A CN 116150021A CN 202310184988 A CN202310184988 A CN 202310184988A CN 116150021 A CN116150021 A CN 116150021A
- Authority
- CN
- China
- Prior art keywords
- address
- conditional jump
- instruction
- program
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 94
- 230000006870 function Effects 0.000 claims description 59
- 230000002159 abnormal effect Effects 0.000 claims description 27
- 230000015654 memory Effects 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 14
- 238000010606 normalization Methods 0.000 claims description 11
- 238000010586 diagram Methods 0.000 description 16
- 101100348848 Mus musculus Notch4 gene Proteins 0.000 description 14
- 230000005856 abnormality Effects 0.000 description 10
- 230000008569 process Effects 0.000 description 9
- 238000004891 communication Methods 0.000 description 8
- 230000008901 benefit Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 3
- 238000004364 calculation method Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 230000015556 catabolic process Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000013508 migration Methods 0.000 description 2
- 230000005012 migration Effects 0.000 description 2
- 230000007723 transport mechanism Effects 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- 101710092886 Integrator complex subunit 3 Proteins 0.000 description 1
- 102100025254 Neurogenic locus notch homolog protein 4 Human genes 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 239000000470 constituent Substances 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
- 238000012216 screening Methods 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 239000000758 substrate Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/53—Decompilation; Disassembly
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30003—Arrangements for executing specific machine instructions
- G06F9/3005—Arrangements for executing specific machine instructions to perform operations for flow control
- G06F9/30069—Instruction skipping instructions, e.g. SKIP
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30098—Register arrangements
- G06F9/30101—Special purpose registers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/32—Address formation of the next instruction, e.g. by incrementing the instruction counter
- G06F9/322—Address formation of the next instruction, e.g. by incrementing the instruction counter for non-sequential address
- G06F9/327—Address formation of the next instruction, e.g. by incrementing the instruction counter for non-sequential address for interrupts
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a tracking method, a comparison method, a device and computing equipment of a program running track, and relates to the field of computers. The tracking method of the program running track comprises the following steps: and acquiring all conditional jump instructions in the code segment to be tracked in the program. Then, for each conditional jump instruction, modifying the conditional jump instruction into a soft interrupt instruction to call a hook function, the hook function including obtaining an exception address at which an exception occurred and a value of a flag register at which the exception occurred, restoring the soft interrupt instruction into the conditional jump instruction and executing a next instruction, and modifying the conditional jump instruction into the soft interrupt instruction again. Finally, the program is run, and the addresses of the conditional jump instructions and the values of the flag registers when the conditional jump instructions are executed are obtained based on the values of the different addresses and the flag registers obtained by the hook function. The tracking method of the program running track can ensure the validity of data and can also promote the tracking efficiency.
Description
Technical Field
The present invention relates to the field of computers, and in particular, to a method, a device, and a computing apparatus for tracking a program running track.
Background
In the development process of computer program codes, sometimes, programs enter incorrect branches due to abnormality or parameter errors, and running breakdown or data errors occur. At this time, if the developer has all source codes of the program running, the problem can be located by reading the source codes and combining the debugging method. However, if the developer does not have complete project source code, for example, invokes a link library from a function implemented by the closed source system, or invokes a file (mainly a driver file) implemented by a specific development group or vendor in a specific category, the error can only be traced back in a reverse manner, and once the code amount of the project is large, tracing back the error source becomes a very troublesome and time-consuming problem.
Therefore, the invention provides a tracking method of the program running track to solve the technical problems.
Disclosure of Invention
Accordingly, the present invention provides a method, a device, and a computing device for tracking a program running track, so as to solve or at least alleviate the above problems.
According to one aspect of the present invention, there is provided a program running trace tracking method, including: acquiring all conditional jump instructions in a code segment to be tracked in a program; modifying the conditional jump instruction into a soft interrupt instruction to call a hook function aiming at each conditional jump instruction, wherein the hook function comprises the steps of acquiring an abnormal address of an abnormal occurrence and a value of a mark register of the abnormal occurrence, restoring the soft interrupt instruction into the conditional jump instruction and executing the next instruction, and modifying the conditional jump instruction into the soft interrupt instruction again; and running the program, and acquiring the address of each conditional jump instruction and the value of the flag register when executing each conditional jump instruction based on the different addresses and the values of the flag registers obtained by the hook function.
Optionally, in the method for tracking a program running track according to the present invention, acquiring all conditional jump instructions in a code segment to be tracked in a program includes: all conditional jump instructions in the code segment to be traced are obtained using the disassembly engine.
Optionally, in the tracking method of a program running track according to the present invention, the obtaining the address where each conditional jump instruction is located and the value of the flag register when each jump instruction is executed includes: normalizing the abnormal address obtained based on the hook function at each soft interrupt instruction, and determining the normalized address as the address of the conditional jump instruction corresponding to the soft interrupt instruction; the value of the flag register obtained at each soft interrupt instruction based on the hook function is determined as the value of the flag register at the time of executing the conditional jump instruction corresponding to the soft interrupt instruction.
Optionally, in the method for tracking a program running track according to the present invention, the code segment to be tracked is a code segment of a linked library linked in the program.
Optionally, in the tracking method of a program running track according to the present invention, normalizing the abnormal address obtained based on the hook function at each soft interrupt instruction includes: and taking the difference between the abnormal address obtained based on the hook function at each soft interrupt instruction and the base address of the link library, and taking the obtained difference as the normalized address.
Optionally, in the tracking method of a program running track according to the present invention, acquiring an abnormal address where an abnormality occurs includes: and acquiring an eip value when an exception occurs, and taking the eip value as an exception address.
According to still another aspect of the present invention, there is provided a program running trace comparing method, including: by utilizing the tracking method of the program running track, when the program runs in the first operating system, the first address of each conditional jump instruction in the code section to be tracked in the program and the value of a first mark register when executing each conditional jump instruction are obtained; the method for tracking the program running track is utilized to acquire a second address where each conditional jump instruction in the code section to be tracked in the program is located and a value of a second flag register when each conditional jump instruction is executed when the program runs in a second operating system; comparing the value of the first flag register with the value of the second flag register when executing each conditional jump instruction based on each first address and each second address; when the first address is the same as the second address and the value of the first flag register corresponding to the first address is different from the value of the second flag register corresponding to the second address, the position of the first address is judged to be the position where the difference occurs in the program running track.
According to still another aspect of the present invention, there is provided a tracking apparatus for a program running trace, comprising: the first acquisition module is suitable for acquiring all conditional jump instructions in a code segment to be tracked in a program; the instruction modifying module is suitable for modifying the conditional jump instruction into a soft interrupt instruction to call a hook function aiming at each conditional jump instruction, wherein the hook function comprises the steps of acquiring an abnormal address of an abnormal occurrence and a value of a mark register of the abnormal occurrence, restoring the soft interrupt instruction into the conditional jump instruction and executing the next instruction, and modifying the conditional jump instruction into the soft interrupt instruction again; and the program running module is suitable for running the program and acquiring the address of each conditional jump instruction and the value of the flag register when executing each conditional jump instruction based on the values of each abnormal address and each flag register obtained by the hook function.
According to still another aspect of the present invention, there is provided a program running trace comparing apparatus including: the second acquisition module is suitable for acquiring a first address of each conditional jump instruction in the code section to be tracked in the program and a value of a first flag register when executing each conditional jump instruction when the program runs in the first operating system by using the tracking method of the program running track, and is also suitable for acquiring a second address of each conditional jump instruction in the code section to be tracked in the program and a value of a second flag register when executing each conditional jump instruction when the program runs in the second operating system by using the tracking method of the program running track; the comparison module is suitable for comparing the value of the first mark register and the value of the second mark register when executing each conditional jump instruction based on each first address and each second address; and the judging module is suitable for judging that the first address position is the position where the difference occurs in the program running track when the first address is the same as the second address and the value of the first mark register corresponding to the first address is different from the value of the second mark register corresponding to the second address.
According to yet another aspect of the present invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by at least one processor, the program instructions comprising instructions for performing any of the methods above.
According to yet another aspect of the present invention, there is provided a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform any one of the methods above.
According to the method for tracking the running track of the program, only the running track of the conditional jump instruction in the code section to be tracked in the program is tracked. The instructions such as calculation, comparison, data transmission and the like in the program are sequentially executed according to the sequence, no unexpected path branches are generated, no conditional jump instruction, no function call instruction, no function return instruction and the like are generated, the target address is fixed, no unexpected path branches are generated, and therefore the method for tracking the running track of the program by recording the running track of the conditional jump instruction can ensure the effectiveness of data and improve the tracking efficiency.
In addition, the normalization processing is carried out when the addresses of the conditional jump instructions are obtained, so that the addresses of the conditional jump instructions with the same offset in the code segments to be tracked on different operating systems are the same, and the positions with different running tracks can be positioned quickly and conveniently only by comparing the sign register values corresponding to the same addresses.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which set forth the various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to fall within the scope of the claimed subject matter. The above, as well as additional objects, features, and advantages of the present disclosure will become more apparent from the following detailed description when read in conjunction with the accompanying drawings. Like reference numerals generally refer to like parts or elements throughout the present disclosure.
FIG. 1 illustrates a schematic diagram of executing instructions when running a program according to one embodiment of the invention;
FIG. 2 illustrates a block diagram of a computing device 200, according to one embodiment of the invention;
FIG. 3 illustrates a flowchart of a method 300 of tracking a program trajectory, according to one embodiment of the invention;
FIG. 4 is a schematic diagram showing the constituent structure of a conditional jump instruction according to one embodiment of the invention;
FIG. 5 illustrates a diagram of modifying a conditional jump instruction in a code segment to be traced into a soft interrupt instruction according to one embodiment of the invention;
FIG. 6 is a schematic diagram illustrating logic performed after invoking a hook function when executing a soft interrupt instruction in accordance with one embodiment of the invention;
FIG. 7 illustrates a schematic diagram of a link library loaded by a program according to one embodiment of the present invention;
FIG. 8 illustrates a schematic diagram of a piece of run code taken from the link library ad220ui. Dll, according to one embodiment of the present invention;
FIG. 9 illustrates a schematic diagram of a piece of run code taken from a linked library in accordance with yet another embodiment of the present invention;
FIG. 10 illustrates a flow chart of a comparison method 1000 of program trajectories according to one embodiment of the invention;
FIG. 11 illustrates a block diagram of a tracking device 1100 of a program trace according to an embodiment of the present invention;
fig. 12 shows a block diagram of a comparison apparatus 1200 of program running trajectories according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Currently, major computer software ecologies are intensively developed in windows operating systems, which can be implemented by a window migration technique when it is desired to use these windows software on other operating systems. The wire realizes the simulation of the related behavior by simulating the api of the windows. However, in a window, most of the windows source program and the link library called by the windows source program exist as input are available for reference without source codes, so in order to ensure the correctness of the program running to the greatest extent, the running track of the program under the current operating system is generally required to be consistent with that under the windows. If the running tracks are inconsistent, the implementation of a certain api in the wire is usually caused by the difference between the implementation of the api and the windows, and in this case, a branch point where the program is different needs to be found, where the finding can be performed based on a reverse approach.
The same application program can normally run on windows, but cannot run under the linux through a wire compatible layer as an example. Specifically, the debugging tool can be assembled to begin to check in reverse order from the position where the difference finally appears, such as breakdown, window non-output and other obvious problems, the point is broken to observe whether the program passes through the position, and finally the position where the difference appears first is obtained. Based on the above, the invention provides a tracking method of the program running track.
The computer executes the instructions sequentially when running the program, so that after executing the general instructions of the computing class, the computer will necessarily execute the next instruction of the instructions. That is, when the computer executes instructions such as calculation, comparison, data transmission, etc. under any circumstances, no unexpected path branches (such as the left diagram in fig. 1) will be generated, so that executing the instructions sequentially will not cause inconsistent running paths of the program on different operating systems. The unconditional jump instruction jmp, the function call instruction, the function return instruction ret, and the like have fixed target addresses, and thus do not cause any difference in paths. For the conditional jump instruction, when the jump condition (i.e. the condition code) is satisfied, the jump is performed to the designated position, when the jump condition is not satisfied, the next instruction is sequentially executed (as shown in the right diagram in fig. 1), obviously, when the same jump statement is executed on different operating systems, different branches may be entered due to different condition codes, so that the running paths of the program are inconsistent, and therefore, the conditional jump instruction is a root instruction that causes the running paths of the program on different operating systems to be inconsistent.
Based on the above, the method for tracking the program running track provided by the invention only tracks the running path of the conditional jump instruction in the program. The path of the conditional jump instruction in one program generally has two branches, and when the jump condition is satisfied, the target offset address is jumped to, and when the jump condition is not satisfied, the next instruction of the conditional jump instruction is executed. The judgment whether the condition is satisfied is generally based on the value of a flag register (i.e. the eflags value, eflags is a flag register under the x86 architecture, and is used for recording the result flag of the operations such as comparison and summation, and is generally used as the judgment basis of the condition jump). Such as je and jz instructions, which determine whether to jump based on the ZF flag bit in the eflags register. That is, the conditional jump instruction determines the address of the instruction to be executed next according to the current eflags value, in other words, the running path of the conditional jump instruction is determined by the current eflags value. Therefore, the invention adopts a mode of recording the address of each conditional jump instruction in the program and the eflags value when executing each conditional jump instruction to track the running path of the conditional jump instruction in the program. The tracking method of the program running track can ensure the validity of data and can also promote the tracking efficiency.
Fig. 2 illustrates a block diagram of the physical components (i.e., hardware) of a computing device 200. In a basic configuration, computing device 200 includes at least one processing unit 202 and system memory 204. According to one aspect, the processing unit 202 may be implemented as a processor, depending on the configuration and type of computing device. The system memory 204 includes, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read only memory), flash memory, or any combination of such memories. According to one aspect, the system memory 204 includes an operating system 205 and a program module 206, the program module 206 includes a program running trace tracing apparatus 1100 and a program running trace comparing apparatus 1200, the program running trace tracing apparatus 1100 is configured to execute the program running trace tracing method 300 of the present invention, and the program running trace comparing apparatus 1200 is configured to execute the program running trace comparing method 1000 of the present invention.
According to one aspect, operating system 205 is suitable for controlling the operation of computing device 200, for example. Further, examples are practiced in connection with a graphics library, other operating systems, or any other application program and are not limited to any particular application or system. This basic configuration is illustrated in fig. 2 by those components within dashed line 208. According to one aspect, computing device 200 has additional features or functionality. For example, according to one aspect, computing device 200 includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in fig. 2 by removable storage device 209 and non-removable storage device 210.
As set forth hereinabove, according to one aspect, program modules are stored in the system memory 204. According to one aspect, program modules may include one or more applications, the invention is not limited in the type of application, for example, the application may include: email and contacts applications, word processing applications, spreadsheet applications, database applications, slide show applications, drawing or computer-aided application, web browser applications, etc.
According to one aspect, the examples may be practiced in a circuit comprising discrete electronic components, a packaged or integrated electronic chip containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic components or a microprocessor. For example, examples may be practiced via a system on a chip (SOC) in which each or many of the components shown in fig. 2 may be integrated on a single integrated circuit. According to one aspect, such SOC devices may include one or more processing units, graphics units, communication units, system virtualization units, and various application functions, all of which are integrated (or "burned") onto a chip substrate as a single integrated circuit. When operating via an SOC, the functionality described herein may be operated via dedicated logic integrated with other components of computing device 200 on a single integrated circuit (chip). Embodiments of the invention may also be practiced using other techniques capable of performing logical operations (e.g., AND, OR, AND NOT), including but NOT limited to mechanical, optical, fluidic, AND quantum techniques. In addition, embodiments of the invention may be practiced within a general purpose computer or in any other circuit or system.
According to one aspect, the computing device 200 may also have one or more input devices 212, such as a keyboard, mouse, pen, voice input device, touch input device, and the like. Output device(s) 214 such as a display, speakers, printer, etc. may also be included. The foregoing devices are examples and other devices may also be used. Computing device 200 may include one or more communication connections 216 that allow communication with other computing devices 218. Examples of suitable communication connections 216 include, but are not limited to: RF transmitter, receiver and/or transceiver circuitry; universal Serial Bus (USB), parallel and/or serial ports.
The term computer readable media as used herein includes computer storage media. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information (e.g., computer readable instructions, data structures, or program modules). System memory 204, removable storage 209, and non-removable storage 210 are all examples of computer storage media (i.e., memory storage). Computer storage media may include Random Access Memory (RAM), read Only Memory (ROM), electrically erasable read only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture that can be used to store information and that can be accessed by computer device 200. According to one aspect, any such computer storage media may be part of computing device 200. Computer storage media does not include a carrier wave or other propagated data signal.
According to one aspect, communication media is embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal (e.g., carrier wave or other transport mechanism) and includes any information delivery media. According to one aspect, the term "modulated data signal" describes a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio Frequency (RF), infrared, and other wireless media.
Fig. 3 illustrates a flowchart of a method 300 of tracking a program trajectory, the method 300 being suitable for execution in a computing device (e.g., the computing device 200 shown in fig. 2), according to one embodiment of the invention. As shown in fig. 3, the method 300 begins at 310.
At 310, all conditional jump instructions in the code segment to be traced in the program are obtained. Here, the program in the present embodiment refers to an executable program, so that the code segment to be traced refers to a code segment composed of binary machine code. Specifically, in some embodiments, the code segment to be traced may be a code segment of a linked library linked in the program. For example, when a developer suspects that a problem exists in a dynamic link library linked in a program, a code segment of the dynamic link library may be regarded as a code segment to be traced. Of course, if the developer also has doubt about another dynamic library linked in the program, this dynamic linked library can also be used as a code segment to be traced. That is, the code segment to be tracked is the code segment of interest to the user, and in a specific embodiment, the code segment to be tracked can be set by the user according to the actual needs. By first screening the executable file, locking some potentially problematic dynamic link libraries or address ranges, and then using them as code segments to be tracked, the tracking range can be reduced, and the amount of data to be processed can be reduced.
According to one embodiment of the invention, a disassembly engine may be utilized to obtain all conditional jump instructions in a code segment to be traced. Specifically, the address range of the code segment to be traced (the address range of any code segment in the program is fixed) is scanned, and the positions of all conditional jump instructions therein are found by the disassembly engine.
Here, a conditional jump instruction is described, which is composed of two parts, namely, a conditional jump instruction code (7X) indicating a judgment type and an offset address (addr), as shown in fig. 4. Wherein, in the 32-bit x86 architecture, the conditional jump instruction code includes 0x70-0x7f. That is, in the 32-bit x86 architecture, the conditional jump instruction is an instruction with 0x70-0x7f as the instruction code. Thus, in a 32-bit x86 architecture, fetching conditional jump instructions in a code segment to be traced is by a disassembly engine fetching instructions in the code segment to be traced that are instruction codes of 0x70-0x7f.
Taking a conditional jump instruction in a code segment to be traced in a 32-bit x86 architecture as an example, an example is given below. The code segment to be traced is a code segment of a dynamic link library linked in the program, and after the dynamic link library is loaded into the program, the address range of the code segment is 0x1000-0x2000, the address range of 0x1000-0x2000 is firstly scanned, then each instruction taking 0x70-0x7f as instruction code is searched by a disassembly engine, and the searched instruction is the conditional jump instruction in the dynamic link library.
Subsequently, proceeding to 320, for each conditional jump instruction, the conditional jump instruction is modified to a soft interrupt instruction to invoke a hook function. The soft interrupt instruction may be 0xCC (i.e., int 3 instruction), i.e., each conditional jump instruction in the code segment to be traced is modified to 0xCC. For example, fig. 5 illustrates, to the left, several instructions in a code segment to be traced, jz ox1050 is a conditional jump instruction, and jz ox1050 is modified to int 3.
Obviously, after modifying the conditional jump instruction into the soft interrupt instruction int 3, when the program is executed to the position where the conditional jump instruction is located, the instruction int 3 is essentially executed, and then the instruction int 3 is captured by the code of the debugger portion. According to one embodiment of the invention, a pre-set hook function is invoked when code of the debugger portion is captured. That is, when the program executes to the int 3 instruction, then the hook function is called.
The hook function may include fetching the exception address where the exception occurred and the value of the flag register where the exception occurred, restoring the soft interrupt instruction to a conditional jump instruction and executing the next instruction, and modifying the conditional jump instruction to a soft interrupt instruction again. That is, when the hook function is called, the abnormal address where the abnormality occurs and the value of the mark register where the abnormality occurs are obtained, then the soft interrupt instruction is restored to the conditional jump instruction replaced by the soft interrupt instruction, an instruction is executed downwards, and finally the jump instruction is modified to the soft interrupt instruction.
The eip is a register used to record the current program location, that is, the instruction to be executed currently is stored at the eip address. Thus, according to one embodiment of the present invention, an exception address at which an exception occurs may be obtained by obtaining the eip value at the time of the exception. Specifically, the eip value at the time of occurrence of an exception is acquired, and the acquired eip value is taken as an exception address. Here, since an Exception of the exception_break point (0 x 80000003) is triggered when the program runs to 0xCC, the eip value at the time of Exception generation can be obtained from the parameters transferred by the Exception. In addition, when an exception occurs in the execution of 0xCC (i.e., an INT3 instruction), the value of the instruction pointer (eip) is decremented by one, and the eip points to the next byte of 0xCC when the 0xCC is just executed, so that the eip points to 0xCC again after the decrement, that is, the eip value when the exception occurs is the address where 0xCC is located. Therefore, the eip value at the time of occurrence of an exception is the address at which the exception occurred, i.e., the eip value is the address of the exception.
In addition, the hook function has been pointed out that the soft interrupt instruction is modified to be replaced by the soft interrupt instruction, so that when each conditional jump instruction is replaced by the soft interrupt instruction, each replaced conditional jump instruction is also stored. Wherein, according to one embodiment of the invention, when each conditional jump instruction is modified into a soft interrupt instruction, the conditional jump instruction at the modification position can be stored in global data.
For better understanding of the hook function, the logic performed after invoking the hook function when executing the int 3 instruction is described below with respect to the example given in fig. 5 above (i.e., modifying jz ox1050 to int 3). Specifically, firstly, an abnormal address where an abnormality occurs and a value of a mark register where the abnormality occurs are acquired, that is, an eip value and an eflags value when the abnormality occurs are acquired. Next, the original instruction is restored. Specifically, a conditional jump instruction corresponding to the soft interrupt instruction is obtained from the global data, and the soft interrupt instruction herein is modified to the obtained conditional jump instruction, i.e., int 3 (as shown at 610 in fig. 6) is modified to jz ox1050 (as shown at 620 in fig. 6). Then, a single step down executes an instruction, as 620 and 630 in FIG. 6. Finally, the last conditional jump instruction is modified to be a soft interrupt instruction, i.e., jz ox1050 (shown as 630 in fig. 6) is modified to be int 3 (shown as 640 in fig. 6) again.
The procedure of modifying the conditional jump instruction again to a soft interrupt instruction when executing the hook function is described herein, which is performed so that the hook function can still be invoked by executing the int 3 instruction when the program is again running to that location.
Thus, each conditional jump instruction in the code segment to be traced is modified into a soft interrupt instruction, and then 330, the program is run, and the address where each conditional jump instruction is located and the value of the flag register when executing each conditional jump instruction are obtained based on the value of each exception address and each flag register obtained by the hook function.
Because each conditional jump instruction in the code segment to be traced is replaced by a soft interrupt instruction, when the program is run, the soft interrupt instruction triggers an exception every time the program is executed, and a hook function is called to acquire the exception address of the exception and the value of the flag register when the exception occurs, so that after the program executes a complete flow, the program can acquire the exception address of each exception and the value of the flag register when each exception occurs in the code segment to be traced through the hook function.
The invention modifies each conditional jump instruction in code segment to be traced into soft interrupt instruction, so that address of abnormal triggered by executing each soft interrupt instruction is address of conditional jump instruction replaced by soft interrupt instruction, value of flag register when executing each soft interrupt instruction is value of flag register when executing conditional jump instruction replaced by soft interrupt instruction. Thus, according to one embodiment of the present invention, an exception address obtained based on a hook function at each soft-interrupt instruction may be determined as an address where a conditional jump instruction corresponding to the soft-interrupt instruction is located, and a value of a flag register obtained based on a hook function at each soft-interrupt instruction may be determined as a value of a flag register at the time of executing the conditional jump instruction corresponding to the soft-interrupt instruction.
In addition, the base addresses of the same code segment (for example, the code segment of the dynamic link library) loaded on different operating systems (for example, windows system and linux system) are not necessarily the same, and when the base addresses of the same code segment are not the same on different operating systems, the addresses of the same instruction in the code segment on different operating systems are not necessarily the same. Obviously, this can be cumbersome when analyzing whether the paths of travel of the same instruction in the same code segment on different operating systems are consistent. Therefore, in order to more conveniently analyze whether the running paths of the same instruction in the same code segment on different operating systems are consistent, normalization processing can be performed when the addresses of the instructions are acquired, so that the addresses of the instructions with the same offset in the same code segment on different operating systems are the same.
Therefore, according to still another embodiment of the present invention, when the address where each conditional jump instruction is located is acquired, the abnormal address obtained based on the hook function at each soft interrupt instruction is normalized, and the normalized address is determined as the address where the conditional jump instruction corresponding to the soft interrupt instruction is located. Wherein the normalization processing may be to make a difference between an abnormal address obtained based on the hook function at each soft interrupt instruction and a preset value. In some embodiments, the preset value may be a base address of the code segment to be traced. In this way, the normalization processing is performed on the abnormal address obtained based on the hook function at each soft interrupt instruction, that is, the abnormal address obtained based on the hook function at each soft interrupt instruction is differenced from the base address of the code segment to be traced, and the obtained difference is used as the address after normalization processing. Obviously, when the code segment to be traced is a link library, the step is to make the difference between the abnormal address obtained based on the hook function at each soft interrupt instruction and the base address of the link library, and take the obtained difference (i.e. the address after normalization processing) as the address of the conditional jump instruction corresponding to the soft interrupt instruction. Here, the normalization process of the present embodiment may be understood as normalizing the base address of the code segment to be traced to a predetermined value, for example, normalizing the base address of the code segment to be traced to 0 when the predetermined value is the base address of the code segment to be traced.
As for the base address, an example is given herein. FIG. 7 is a block diagram of a plurality of linked libraries loaded by a program. As can be seen from FIG. 7, the code segment of the link library ad220ui.dll is based on the segment 900000-975000. Thus, the base address of the link library ad220ui. Dll is 900000.
In addition, in order to better understand this step, an example of capturing a running code from the above-mentioned link library ad220ui. It can be seen that the intercepted code segment includes the conditional jump instruction jz, so when tracking the running track of the ad220ui.dll based on the method, the conditional jump instruction jz is modified to be int3, so when running to the point, the hook function is called to acquire the abnormal address where the abnormality occurs. Obviously, when the conditional jump instruction jz is modified to int3, the instruction stored at address 944838 is then int3, and the exception address thus obtained is 944838. After the exception address 944838 is obtained, it is normalized by taking 944838 and 900000 (the base address of the link library ad220ui. Dll is 900000 already indicated), and taking the obtained difference 44838 as the address where the conditional jump instruction jz is located. Since the normalization processing is performed when the address where the conditional jump instruction is located is obtained in this embodiment, even if the base address of the link library ad220ui.dll in other operating systems is not 900000, the address where the conditional jump instruction jz is finally obtained will still be 44838 (assuming that the base address of the link library ad220ui.dll in other operating systems is 800000, the obtained abnormal address is 844838, and obviously, after the normalization processing is performed— 844838 and 800000 are worse, the obtained difference is 44838).
Thus, the address of each conditional jump instruction in the code segment to be tracked and the value of the flag register when each conditional jump instruction is executed are obtained. In some embodiments, the address where each conditional jump instruction is located in the code segment to be tracked and the value of the flag register when each conditional jump instruction is executed may be presented in a list. An example is given below. Referring to fig. 9, the left side is a code segment in a link library of interest to the user, and the right side is a disassembly corresponding to the code segment, wherein the base address of the link library has been normalized to 0. As can be seen from fig. 9, there are two conditional jump instructions in the code segment, 91144a and 911466 respectively, and after the code segment is tracked based on the above method, the output information is:
eip value: 91144A eflags values: xxxxx
eip value: 911466eflags values: xxxxx
The eip value is the address where the conditional jump instruction is located, and the eflags value is the value of the flag register when the conditional jump instruction is executed.
By acquiring the eip value and the eflags value of the program in the condition jump mode of the 0xCC, a large amount of invalid data can be prevented from being generated, the running track of the program is obtained with the minimum data amount, and the difficulty of positioning the problem is reduced.
Based on the tracking method of the program running track in the embodiment, the invention also provides a comparison method of the program running track. Referring now to FIG. 10, which illustrates a flowchart of a method 1000 of comparing program trajectories according to one embodiment of the invention, the method 1000 is suitable for execution in a computing device (e.g., the computing device shown in FIG. 2), and the method 1000 begins at 1010.
In 1010, the tracking method of the program running track provided in the above embodiment is used to obtain, when the program runs in the first operating system, the first address where each conditional jump instruction in the code section to be tracked in the program is located and the value of the first flag register when each conditional jump instruction is executed. Next, in 1020, the tracking method of the program running track provided in the foregoing embodiment is used to obtain, when the program runs in the second operating system, the second address where each conditional jump instruction in the code section to be tracked in the program is located and the value of the second flag register when each conditional jump instruction is executed.
The first operating system may be a Linux operating system, and the second operating system may be a Windows operating system, which is only an example, and the present invention is not limited to what the first operating system and the second operating system are specifically. In addition, for specific details regarding the first operating system and the second operating system to obtain the address where each conditional jump instruction in the code segment to be traced is located and the value of the flag register when each conditional jump instruction is executed, reference is made to the description of the above embodiments, and details are not repeated herein.
Subsequently, the process proceeds to 1030, and the value of the first flag register and the value of the second flag register at the time of executing each conditional jump instruction are compared based on the obtained first addresses and second addresses. The above embodiment has pointed out that, when the address of each conditional jump instruction is obtained, the exception address obtained based on the hook function at each soft interrupt instruction is differenced from the base address of the code segment to be traced, and then the obtained difference is used as the address of the conditional jump instruction corresponding to the soft interrupt instruction. Thus, for the same conditional jump instruction, the address at which it is obtained on the first operating system and the address at which it is obtained on the second operating system are the same. In this way, when comparing the value of the first flag register and the value of the second flag register when executing each conditional jump instruction, the first address and the second address (which are the same conditional jump instruction) may be acquired first, and then for each pair of the first address and the second address that are equal, the value of the first flag register when executing the conditional jump instruction stored in the first address (i.e., the value of the flag register when executing the conditional jump instruction on the first operating system) is compared with the value of the second flag register when executing the conditional jump instruction stored in the second address (i.e., the value of the flag register when executing the conditional jump instruction on the second operating system).
When the first address is the same as the second address and the value of the first flag register corresponding to the first address is different from the value of the second flag register corresponding to the second address, the process proceeds to 1040, and the first address position is determined to be the position where the difference occurs in the program running track. Specifically, for the same first address and second address, if the value of the first flag register at the time of executing the conditional jump instruction stored in the first address (i.e., the value of the first flag register corresponding to the first address) is different from the value of the second flag register at the time of executing the conditional jump instruction stored in the second address (i.e., the value of the second flag register corresponding to the second address), it is determined that the conditional jump instruction (i.e., the conditional jump instruction stored at the first address and the second address, in which the same conditional jump instruction is stored at the first address and the second address) is different in the running tracks of the first operating system and the second operating system, the first address location (or the second address) is the location where the difference in the running tracks of the program occurs, and if the value of the first flag register is the same as the value of the second flag register, it is determined that the running tracks of the conditional jump instruction at the first operating system and the second operating system are the same.
To better understand this step, the following description will take the code segment shown in fig. 9 as an example, and compare the running tracks of the code segment on the windows operating system and the Linux operating system (assuming that this code segment runs on the Linux operating system through the wire migration technology). When the code segment runs on a Window operating system, the first address where jnz is located is 91144A, the value of a first flag register when jnz is executed is a1, the first address where jz is located is 911466, and the value of the first flag register when jz is executed is a2; when the code segment runs on the Linux operating system, the obtained second address of jnz is 91144a, the value of the second flag register when jnz is executed is b1, the second address of jz is 911466, and the value of the second flag register when jz is executed is b2.
It can be seen that first address 91144a is the same as second address 91144a, first address 911466 is the same as second address 911466, and a1 is compared with b1 and a2 is compared with b2. If a1 is the same as b1 and a2 is the same as b2, the running track of the jnz and jz conditional jump instructions in the Window operating system is the same as the running track of the Linux operating system, namely the running track of the code segment in the Window operating system is the same as the running track of the Linux operating system. If a1 is different from b1 (i.e. the zf value in a1 is different from the zf value in b 1), the running track of the conditional jump instruction jnz in the Window operating system and the Linux operating system is different, the code on the conditional jump instruction jnz is analyzed. By analyzing the returned value of zf from the function GetJobW, the function implementation in the wire in the linux is determined to have access to windows, and then the function GetJobW is analyzed. If a2 is different from b2, it indicates that the running tracks of the conditional jump instruction jz in the Window operating system and the Linux operating system are different, the code on the conditional jump instruction jz is analyzed, and the specific analysis process is similar to the analysis process when a1 and b1 are different, and is not described herein.
The invention also provides a device for tracking the program running track. Fig. 11 shows a block diagram of a program running trace tracking apparatus 1100 according to an embodiment of the present invention. As shown in fig. 11, the tracking device for a program running track includes a first acquisition module 1110, an instruction modification module 1120, and a program running module 1130.
The first obtaining module 1110 is adapted to obtain all conditional jump instructions in the code segment to be traced in the program.
The instruction modifying module 1120 is adapted to modify the conditional jump instruction into a soft interrupt instruction for each conditional jump instruction to call a hook function, wherein the hook function includes obtaining an abnormal address of an occurrence of an abnormality and a value of a mark register of the occurrence of the abnormality, restoring the soft interrupt instruction into the conditional jump instruction and executing a next instruction, and modifying the conditional jump instruction into the soft interrupt instruction again.
The program running module 1130 is adapted to run a program and obtain an address where each conditional jump instruction is located and a value of a flag register when executing each conditional jump instruction based on each of the abnormal addresses and the values of the flag registers obtained by the hook function.
The specific details of the tracking device 1100 for the program running track according to the present invention are disclosed in the descriptions based on fig. 1 to 9, and are not described herein again.
The invention also provides a device for comparing the program running tracks. Fig. 12 shows a block diagram of a comparison apparatus 1200 of program running trajectories according to an embodiment of the present invention. As shown in fig. 12, the comparison device of the program running track includes a second acquisition module 1210, a comparison module 1220 and a determination module 1230.
The second obtaining module 1210 is adapted to obtain, by using the method for tracing a program running track provided in the foregoing embodiment, a first address where each conditional jump instruction in a code section to be traced in the program is located and a value of a first flag register when each conditional jump instruction is executed when the program runs in the first operating system, and is further adapted to obtain, by using the method for tracing a program running track provided in the foregoing embodiment, a second address where each conditional jump instruction in the code section to be traced in the program is located and a value of a second flag register when each conditional jump instruction is executed when the program runs in the second operating system.
The comparing module 1220 is adapted to compare the value of the first flag register with the value of the second flag register when executing each conditional jump instruction based on each first address and each second address.
The determining module 1230 is adapted to determine that the first address location is a location where a difference occurs in the program running track when the first address is the same as the second address and the value of the first flag register corresponding to the first address is different from the value of the second flag register corresponding to the second address.
The details of the comparison device 1200 of the program running track according to the present invention are disclosed in detail in the descriptions based on fig. 1 to 10, and are not described herein.
According to the method for tracking the running track of the program, only the running track of the conditional jump instruction in the code section to be tracked in the program is tracked, so that a great amount of time is prevented from being consumed in the process of single-step and tracking by using an assembly debugging tool. The instructions such as calculation, comparison, data transmission and the like in the program are sequentially executed according to the sequence, no unexpected path branches are generated, no conditional jump instruction, no function call instruction, no function return instruction and the like are generated, the target address is fixed, no unexpected path branches are generated, and therefore the method for tracking the running track of the program by recording the running track of the conditional jump instruction can ensure the effectiveness of data and improve the tracking efficiency.
In addition, the normalization processing is carried out when the addresses of the conditional jump instructions are obtained, so that the addresses of the conditional jump instructions with the same offset in the code segments to be tracked on different operating systems are the same, and the positions with different running tracks can be positioned quickly and conveniently only by comparing the sign register values corresponding to the same addresses.
In addition, in the positioning of the even problem, the invention has the advantages that the difference point of the running track of the program on different operating systems can be obtained by running the program for a plurality of times, and the method is more efficient than the traditional single-step follow-up or log adding method.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions of the methods and apparatus of the present invention, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U-drives, floppy diskettes, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the tracking method of the program running trace or the comparing method of the program running trace of the present invention according to the instructions in the program code stored in the memory.
By way of example, and not limitation, readable media comprise readable storage media and communication media. The readable storage medium stores information such as computer readable instructions, data structures, program modules, or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with examples of the invention. The required structure for a construction of such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
It should be appreciated that in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into a plurality of sub-modules.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Furthermore, some of the embodiments are described herein as methods or combinations of method elements that may be implemented by a processor of a computer system or by other means of performing the functions. Thus, a processor with the necessary instructions for implementing the described method or method element forms a means for implementing the method or method element. Furthermore, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is for carrying out the functions performed by the elements for carrying out the objects of the invention.
As used herein, unless otherwise specified the use of the ordinal terms "first," "second," "third," etc., to describe a general object merely denote different instances of like objects, and are not intended to imply that the objects so described must have a given order, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of the above description, will appreciate that other embodiments are contemplated within the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is defined by the appended claims.
Claims (11)
1. A tracking method of a program running track comprises the following steps:
acquiring all conditional jump instructions in a code segment to be tracked in the program;
modifying the conditional jump instruction into a soft interrupt instruction for each conditional jump instruction to call a hook function, the hook function comprising obtaining an exception address of an exception occurrence and a value of a flag register of the exception occurrence, restoring the soft interrupt instruction into the conditional jump instruction and executing a next instruction, and modifying the conditional jump instruction into the soft interrupt instruction again;
And running the program, and acquiring the address of each conditional jump instruction and the value of the flag register when executing each conditional jump instruction based on the values of each abnormal address and each flag register obtained by the hook function.
2. The method of claim 1, wherein obtaining all conditional jump instructions in the code segment to be traced in the program comprises:
and acquiring all conditional jump instructions in the code segment to be tracked by using a disassembly engine.
3. The method of claim 1 or 2, wherein obtaining the address at which each conditional jump instruction is located and the value of the flag register at the time each jump instruction is executed, comprises:
normalizing the abnormal address obtained based on the hook function at each soft interrupt instruction, and determining the normalized address as the address of the conditional jump instruction corresponding to the soft interrupt instruction;
and determining the value of the flag register obtained at each soft interrupt instruction based on the hook function as the value of the flag register when the conditional jump instruction corresponding to the soft interrupt instruction is executed.
4. A method as claimed in claim 3, wherein the code segment to be traced is a code segment of a linked library linked in the program.
5. The method of claim 4, wherein normalizing the exception address obtained at each soft interrupt instruction based on the hook function comprises:
and taking the difference between the abnormal address obtained based on the hook function at each soft interrupt instruction and the base address of the link library, and taking the obtained difference as the address after normalization processing.
6. The method of any of claims 1-5, wherein obtaining an exception address at which an exception occurred comprises:
and acquiring an eip value when an exception occurs, and taking the eip value as the exception address.
7. A program running track comparison method comprises the following steps:
the method according to any one of claims 1-6, wherein the values of a first address where each conditional jump instruction in a code section to be traced in the program is located and a first flag register when each conditional jump instruction is executed are obtained when the program runs in a first operating system;
the method according to any one of claims 1-6, wherein the values of a second address where each conditional jump instruction in the code section to be traced in the program is located and a second flag register when each conditional jump instruction is executed are obtained when the program runs in a second operating system;
Comparing the value of the first flag register with the value of the second flag register when executing each conditional jump instruction based on each of the first address and each of the second address;
when the first address is the same as the second address and the value of the first flag register corresponding to the first address is different from the value of the second flag register corresponding to the second address, determining that the first address position is the position where the difference occurs in the program running track.
8. A program running trace tracking apparatus, comprising:
the first acquisition module is suitable for acquiring all conditional jump instructions in a code segment to be tracked in the program;
an instruction modifying module adapted to modify, for each conditional jump instruction, the conditional jump instruction into a soft interrupt instruction to call a hook function, the hook function including obtaining an exception address at which an exception occurred and a value of a flag register at which an exception occurred, restoring the soft interrupt instruction into the conditional jump instruction and executing a next instruction, and modifying the conditional jump instruction again into the soft interrupt instruction;
and the program running module is suitable for running the program and acquiring the address of each conditional jump instruction and the value of the flag register when executing each conditional jump instruction based on each abnormal address and the value of each flag register obtained by the hook function.
9. A program running trajectory comparison device, comprising:
a second obtaining module, adapted to obtain, by using the method of any one of claims 1 to 6, a first address where each conditional jump instruction in the code section to be traced in the program is located and a value of a first flag register when each conditional jump instruction is executed when the program runs in the first operating system, and further adapted to obtain, by using the method of any one of claims 1 to 6, a second address where each conditional jump instruction in the code section to be traced in the program is located and a value of a second flag register when each conditional jump instruction is executed when the program runs in the second operating system;
a comparison module adapted to compare the value of the first flag register with the value of the second flag register when executing each conditional jump instruction based on each of the first address and each of the second address;
and the judging module is suitable for judging that the first address position is a position where a difference occurs in the program running track when the first address is the same as the second address and the value of the first mark register corresponding to the first address is different from the value of the second mark register corresponding to the second address.
10. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-7.
11. A readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310184988.0A CN116150021A (en) | 2023-02-24 | 2023-02-24 | Program running track tracking method, program running track comparing method, program running track tracking device and computing equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310184988.0A CN116150021A (en) | 2023-02-24 | 2023-02-24 | Program running track tracking method, program running track comparing method, program running track tracking device and computing equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116150021A true CN116150021A (en) | 2023-05-23 |
Family
ID=86356193
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310184988.0A Pending CN116150021A (en) | 2023-02-24 | 2023-02-24 | Program running track tracking method, program running track comparing method, program running track tracking device and computing equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116150021A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117389842A (en) * | 2023-12-12 | 2024-01-12 | 北京紫光芯能科技有限公司 | Program flow monitoring system and method |
-
2023
- 2023-02-24 CN CN202310184988.0A patent/CN116150021A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117389842A (en) * | 2023-12-12 | 2024-01-12 | 北京紫光芯能科技有限公司 | Program flow monitoring system and method |
| CN117389842B (en) * | 2023-12-12 | 2024-03-19 | 北京紫光芯能科技有限公司 | Program flow monitoring system and method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113672515B (en) | WASM intelligent contract vulnerability detection method based on symbol execution | |
| US20080270842A1 (en) | Computer operating system handling of severe hardware errors | |
| CN112286828B (en) | Testing method and system for intelligent contracts of block chains | |
| CN111045927A (en) | Performance test evaluation method and device, computer equipment and readable storage medium | |
| KR101979329B1 (en) | Method and apparatus for tracking security vulnerable input data of executable binaries thereof | |
| EP3752945B1 (en) | Automatic generation of patches for security violations | |
| CN116150021A (en) | Program running track tracking method, program running track comparing method, program running track tracking device and computing equipment | |
| CN111897711B (en) | Positioning method and device for bug in code, electronic equipment and readable storage medium | |
| US11868465B2 (en) | Binary image stack cookie protection | |
| CN118094567A (en) | Binary code static analysis method based on x86-64 instruction set | |
| CN118152298A (en) | Memory access detection method and device, electronic equipment and computer storage medium | |
| US20110265050A1 (en) | Representing binary code as a circuit | |
| Tripathi et al. | Exniffer: Learning to prioritize crashes by assessing the exploitability from memory dump | |
| CN114741700B (en) | Public component library vulnerability availability analysis method and device based on symbolized stain analysis | |
| CN116992453A (en) | Method and system for automatically positioning vulnerability root cause based on Hash stack | |
| Ren et al. | A dynamic taint analysis framework based on entity equipment | |
| CN115374017A (en) | Method for capturing site during simulation running of executable file and computing equipment | |
| CN115185638A (en) | Method for acquiring call stack during simulation running of application program and computing equipment | |
| CN116340081A (en) | RISCV memory access violation detection method and device based on hardware virtualization | |
| Hoffmann et al. | Experiences with software-based soft-error mitigation using AN codes | |
| CN115470151B (en) | Application operation analysis method, computing device and storage medium | |
| CN117472711A (en) | Tracking method, computing device and storage medium for image data processing flow | |
| CN117008972B (en) | Instruction analysis method, device, computing equipment and storage medium | |
| CN114707143B (en) | Method and device for monitoring memory data damage attack | |
| KR102421394B1 (en) | Apparatus and method for detecting malicious code using tracing based on hardware and software |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |