TW202129505A - Console application control management method and system - Google Patents

Info

Publication number
TW202129505A
Authority
TW
Taiwan
Prior art keywords
stroke
dynamic link
link library
console
specific function
Prior art date
Application number
TW109102023A
Other languages
Chinese (zh)
Other versions
TWI739284B (en)
Inventor
黃文昌
劉雨芊
Original Assignee
精品科技股份有限公司
Application filed by 精品科技股份有限公司
Priority to TW109102023A
Publication of TW202129505A
Application granted
Publication of TWI739284B

Landscapes

  • Stored Programmes (AREA)

Abstract

A console application control management method includes the following steps: injecting a dynamic link library to a first process; executing the dynamic link library injected to the first process to determine whether the first process belongs to one of a plurality of console applications; hooking a particular function of the first process, which is used to output a character content on a window, when the first process belongs to one of the plurality of console applications; recording the character content output on the window of the first process when the hooked particular function of the first process outputs the character content on the window of the first process.

Description

Control management method and system for console applications

The present invention relates to a control management method for computer programs, and in particular to a control management method for console applications and a control management system for console applications.

A console application is a computer program with a text-based interface. Because it does not require a complex graphical user interface, it can simplify workflows, and for the development, maintenance and management of computer-related products it is a very commonly used and powerful tool. For the same reason, console applications are also frequently used by hackers or data thieves to attack systems or steal data. How to provide a control management method for console applications is therefore a topic of great importance in the field of information security.

The present invention provides a control management method for console applications that can record the character content output in the window of a console application.

The present invention further provides a control management system for console applications that can record the character content output in the window of a console application.

The control management method for console applications provided by the present invention includes the following steps: injecting a dynamic-link library (DLL) into a first process; executing the DLL injected into the first process to determine whether the first process is one of a plurality of console applications and, when the first process is determined to be one of the console applications, hooking a specific function included in the first process, the specific function being used to output character content in the window of the first process; and, when the hooked specific function of the first process is called and outputs character content in the window of the first process, recording the character content output in the window of the first process.

In an embodiment of the present invention, the above control management method for console applications further includes the following steps: hooking a process-creation function included in the first process; when the first process executes the hooked process-creation function and creates a second process, injecting the DLL into the second process; executing the DLL injected into the second process to determine whether the second process is one of the console applications and, when the second process is determined to be a console application, hooking a specific function included in the second process, the specific function being used to output character content in the window of the second process; and, when the hooked specific function of the second process is called and outputs character content in the window of the second process, recording the character content output in the window of the second process.

In the control management method of an embodiment of the present invention, the specific function includes an application programming interface (API) function.

In the control management method of an embodiment of the present invention, the console application includes a command-line interface (CLI) program.

In the control management method of an embodiment of the present invention, the step of injecting the DLL into the first process includes remote thread injection, which includes the following steps: obtaining a handle of the first process; requesting an allocated memory address space within the memory address space of the first process; loading the DLL into the allocated memory address space; and creating a thread in the first process and loading the DLL through that thread.

In the control management method of an embodiment of the present invention, the step of hooking the specific function included in the first process includes converting the first instruction at the memory address corresponding to the specific function into a jump instruction, where the jump instruction points to the allocated memory address space into which the DLL was written.

The control management system for console applications provided by the present invention includes a computer, the computer including a processor and a storage unit, where the processor executes instructions stored in the storage unit to perform the following steps: injecting a DLL into a first process; executing the DLL injected into the first process to determine whether the first process is one of a plurality of console applications and, when the first process is determined to be one of the console applications, hooking a specific function included in the first process, the specific function being used to output character content in the window of the first process; and, when the hooked specific function of the first process is called and outputs character content in the window of the first process, recording the character content output in the window of the first process.

In the control management system of an embodiment of the present invention, the processor further performs the following steps: hooking a process-creation function included in the first process; when the first process executes the hooked process-creation function and creates a second process, injecting the DLL into the second process; executing the DLL injected into the second process to determine whether the second process is one of the console applications and, when the second process is determined to be a console application, hooking a specific function included in the second process, the specific function being used to output character content in the window of the second process; and, when the hooked specific function of the second process is called and outputs character content in the window of the second process, recording the character content output in the window of the second process.

In the control management system of an embodiment of the present invention, the step of injecting the DLL into the first process includes remote thread injection, which includes the following steps: obtaining a handle of the first process; requesting an allocated memory address space within the memory address space of the first process; loading the DLL into the allocated memory address space; and creating a thread in the first process and loading the DLL through that thread.

In the control management system of an embodiment of the present invention, the step of hooking the specific function included in the first process includes converting the first instruction at the memory address corresponding to the specific function into a jump instruction, where the jump instruction points to the allocated memory address space into which the DLL was written.

When a console application calls the above specific function to output character content in its window, the control management method and control management system provided by the present invention can record the character content output in the window of the console application. The history of the console application's calls to the specific function is thus preserved, potentially malicious content can be obtained from it, and control management of the console application is achieved.

To make the above and other objects, features and advantages of the present invention more readily understood, embodiments are described in detail below with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of a control management system for console applications according to an embodiment of the present invention. In one embodiment, the present invention provides a control management system for console applications that includes a computer 10, such as a personal computer, a tablet computer or a server, but not limited to these. The computer 10 includes a processor 11 and a storage unit 12; the processor 11 is electrically connected to the storage unit 12, and the storage unit 12 is, for example, a memory or a hard disk. The processor 11 executes instructions stored in the storage unit 12 to perform the control management method for console applications. Console applications may include command-line interface (CLI) programs such as COMMAND.COM, the command prompt (cmd.exe), Windows PowerShell and the Bash shell; console applications may also be environments such as CygWin and MSys.

FIG. 2 is a schematic flowchart of a control management method for console applications according to an embodiment of the present invention, which includes steps S101 to S105. Each step is explained further below.

Step S101: inject the DLL into the first process. For example, step S101 injects a pre-designed DLL into the first process by remote thread injection, for instance by calling the CreateRemoteThread function to create a thread in the first process and having that thread call the LoadLibrary function to load the DLL. Referring to FIG. 3, which is a schematic flowchart of step S101 according to an embodiment of the present invention, step S101 may in detail include the following steps: obtaining a handle of the first process (step S1011), the handle being used to locate the memory address space of the first process; requesting an allocated memory address space within the memory address space of the first process (step S1013), the size of the allocated memory address space being, for example, the size required by the DLL; loading the DLL into the allocated memory address space (step S1015); and creating a thread in the first process and loading the DLL through that thread (step S1017). In addition, in step S101 the first process may be a single process or a plurality of processes; for example, all existing processes may be regarded as the first process, and in step S101 the DLL is injected into all existing processes.

Referring again to FIG. 2, after the first process has loaded the DLL, step S103 is executed: execute the DLL injected into the first process to determine whether the first process is one of a plurality of console applications and, when the first process is determined to be one of the console applications, hook the specific function included in the first process, the specific function being used to output character content in the window of the first process. For example, functions such as GetConsoleWindow can be called to determine whether the first process is a console application. By hooking the specific functions only in console applications, system computing resources are used efficiently. In detail, the specific functions may include application programming interface functions, such as WriteConsole, ReadConsole, ReadConsoleInput and WriteConsoleInput among the Windows Console API functions; ReadFile and WriteFile among the File API functions; or fprintf, fgets, printf, wprintf, _getch, fputwc and _write among the C Runtime Library API functions. The hooking step includes converting the first instruction at the memory address corresponding to the specific function into a jump instruction, where the jump instruction points to the allocated memory address space into which the DLL was written. That is, when a hooked specific function is executed, the content in the DLL corresponding to that specific function is executed first.

Step S105: when the hooked specific function of the first process is called and outputs character content in the window of the first process, record the character content output in the window of the first process. For example, the hooked specific function is the WriteConsole function of the Windows Console API; when the first process calls WriteConsole, execution jumps to the content corresponding to WriteConsole in the DLL injected into the first process. For instance, the character content, or a string made up of multiple characters, that WriteConsole would output to the window is stored first and then the intended function of WriteConsole is performed; alternatively, the intended function of WriteConsole is performed first and the character content or string output to the window is stored afterwards. The character content may be recorded, for example, by storing it in full, but this is not a limitation; the character content may also be adjusted as required before being stored. In other embodiments, the character content may be sent out over the Internet, or stored in a file format on the storage unit 12 or on a storage medium such as an external hard disk.
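As an added example (not code from the patent or its assignee), the DLL-side part of step S105 in C: the replacement that the jump instruction lands on, which copies the character content WriteConsoleA was asked to output and then forwards to the original function (record-then-forward ordering). The hook installation itself (the jump patch of step S103) is not shown; real_WriteConsoleA is assumed to be set by that installer, and the fake original, the sample lines and the in-memory log are constructed stand-ins so the block also builds and runs off Windows.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins for the Win32 types used by WriteConsoleA (constructed for this
 * example so it compiles on non-Windows hosts). */
typedef int BOOL;
typedef void *HANDLE;
typedef unsigned long DWORD;
typedef const void *LPCVOID;
typedef void *LPVOID;
typedef DWORD *LPDWORD;
#define WINAPI
#define TRUE 1
#define FALSE 0
#endif

/* Signature of WriteConsoleA; the hook and the original share it. */
typedef BOOL (WINAPI *WriteConsoleA_fn)(HANDLE, LPCVOID, DWORD, LPDWORD, LPVOID);

/* Where the hook forwards to after recording. On Windows the hook installer
 * (step S103, not shown) would point this at the trampoline that runs the
 * displaced first instruction of the real WriteConsoleA. Assumption. */
static WriteConsoleA_fn real_WriteConsoleA = NULL;

/* In-memory stand-in for the storage unit 12 of the patent: captured
 * character content is appended here, one record per hooked call. */
#define LOG_CAPACITY 4096
static char g_log[LOG_CAPACITY];
static size_t g_log_len = 0;
static unsigned g_record_count = 0;

void set_real_WriteConsoleA(WriteConsoleA_fn fn) { real_WriteConsoleA = fn; }
void reset_capture_log(void) { g_log_len = 0; g_log[0] = '\0'; g_record_count = 0; }
const char *capture_log(void) { return g_log; }
unsigned capture_record_count(void) { return g_record_count; }

/* Append one captured write. Truncates instead of overflowing the buffer and
 * returns the number of bytes actually stored (0 once the log is full). */
size_t record_console_output(const char *data, size_t n) {
    size_t room = LOG_CAPACITY - 1 - g_log_len;
    if (n > room) n = room;
    memcpy(g_log + g_log_len, data, n);
    g_log_len += n;
    g_log[g_log_len] = '\0';
    g_record_count++;
    return n;
}

/* Replacement that the jump at the start of WriteConsoleA lands on: record the
 * character content, then perform WriteConsoleA's intended function by calling
 * the original. Forward-then-record (also allowed by the patent) just swaps
 * the two statements. */
BOOL WINAPI Hooked_WriteConsoleA(HANDLE hConsoleOutput, LPCVOID lpBuffer,
                                 DWORD nNumberOfCharsToWrite,
                                 LPDWORD lpNumberOfCharsWritten, LPVOID lpReserved) {
    if (lpBuffer != NULL && nNumberOfCharsToWrite > 0)
        record_console_output((const char *)lpBuffer, (size_t)nNumberOfCharsToWrite);
    if (real_WriteConsoleA == NULL) {
        /* No trampoline installed: fail the call rather than recurse or crash. */
        if (lpNumberOfCharsWritten) *lpNumberOfCharsWritten = 0;
        return FALSE;
    }
    return real_WriteConsoleA(hConsoleOutput, lpBuffer, nNumberOfCharsToWrite,
                              lpNumberOfCharsWritten, lpReserved);
}

/* Constructed stand-in for the unhooked WriteConsoleA: "draws" into a fake
 * window buffer so the caller can check the original behaviour still ran. */
static char g_window[256];
static BOOL WINAPI fake_original_WriteConsoleA(HANDLE h, LPCVOID buf, DWORD n,
                                               LPDWORD written, LPVOID reserved) {
    size_t len = strlen(g_window);
    (void)h; (void)reserved;
    if (n > sizeof g_window - 1 - len) n = (DWORD)(sizeof g_window - 1 - len);
    memcpy(g_window + len, buf, n);
    g_window[len + n] = '\0';
    if (written) *written = n;
    return TRUE;
}
const char *fake_window(void) { return g_window; }

/* Drive the hook the way a console application would: two writes through the
 * hooked entry point (constructed sample output). Returns 1 when the log and
 * the window both hold the full text, i.e. recording did not disturb output. */
int run_demo(void) {
    static const char *lines[] = { "C:\\> echo hello\r\n", "hello\r\n" };
    DWORD written = 0;
    size_t i;
    g_window[0] = '\0';
    reset_capture_log();
    set_real_WriteConsoleA(fake_original_WriteConsoleA);
    for (i = 0; i < 2; i++)
        if (!Hooked_WriteConsoleA(NULL, lines[i], (DWORD)strlen(lines[i]), &written, NULL))
            return 0;
    return strcmp(g_log, "C:\\> echo hello\r\nhello\r\n") == 0
        && strcmp(g_window, g_log) == 0 && g_record_count == 2;
}

int main(void) {
    printf("%s\nrecorded %u write(s):\n%s", run_demo() ? "ok" : "FAILED",
           capture_record_count(), capture_log());
    return 0;
}
```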

In this way, the history of the first process (a console application) calling the specific function is preserved, potentially malicious content in the first process can be obtained, and control management of the first process is achieved. If all existing processes are regarded as the first process, the protection is more complete.

FIG. 4 is a schematic flowchart of part of a control management method for console applications according to an embodiment of the present invention. In an embodiment of the present invention, the above control management method for console applications may further include the following steps S201 to S207. Each step is explained further below.

Step S201: hook the process-creation function included in the first process. Step S201 may be performed after step S101; for example, in step S103 the process-creation function included in the first process is hooked while the DLL injected into the first process is executed. The process-creation function may be hooked in the same way as the specific function described above, which is not repeated here. Process-creation functions are, for example, CreateProcess, CreateProcessAsUser and CreateProcessWithLogon.

Step S203: when the first process executes the hooked process-creation function and creates a second process, inject the DLL into the second process. For example, the DLL is injected into the second process once the creation of the second process is complete. The DLLs injected into the first process and the second process may be the same or different. Moreover, the way the DLL is injected into the second process may be the same as or different from step S101, and is not repeated here.

Step S205: execute the DLL injected into the second process to determine whether the second process is one of the console applications and, when the second process is determined to be a console application, hook the specific function included in the second process, the specific function being used to output character content in the window of the second process. The first process and the second process may be different types of console application; that is, executing the designed DLL can identify various types of console application. Step S205 may be the same as step S103 and is not repeated here.

Step S207: when the hooked specific function of the second process is called and outputs character content in the window of the second process, record the character content output in the window of the second process. Step S207 may be the same as step S105 and is not repeated here.

Through steps S201 to S207, the control management method of the present invention can further be applied to other processes (second processes) created by a process into which the DLL has been injected (the first process).

By analogy, when the second process creates a third process, the relationship between the second process and the third process can be treated as the relationship between the first process and the second process, and steps S201 to S207 are also performed between the second process and the third process with reference to the above. In this way, after the DLL has been injected in step S101, no further manual injection is required: the DLL is injected into any newly created process so that the control management method of the present invention is performed on it.

When a console application calls the above specific function to output character content in its window, the control management method and control management system provided by the present invention can record the character content output in the window of the console application. The history of the console application's calls to the specific function is thus preserved, potentially malicious content can be obtained from it, and control management of the console application is achieved.

Although the present invention has been disclosed by way of the above embodiments, they are not intended to limit it. A person of ordinary skill in the art to which the present invention belongs may make minor changes and refinements without departing from the spirit and scope of the present invention; the scope of protection of the present invention shall therefore be as defined by the appended claims.

10: computer; 11: processor; 12: storage unit; S101, S103, S105, S1011, S1013, S1015, S1017, S201, S203, S205, S207: steps

FIG. 1 is a schematic diagram of a control management system for console applications according to an embodiment of the present invention. FIG. 2 is a schematic flowchart of a control management method for console applications according to an embodiment of the present invention. FIG. 3 is a schematic flowchart of injecting a dynamic-link library according to an embodiment of the present invention. FIG. 4 is a schematic flowchart of part of a control management method for console applications according to an embodiment of the present invention.

S101, S103, S105: steps

Claims (10)

一種控制台程式的控制管理方法,應用於一電腦,該電腦包括一處理器以及一儲存單元,該處理器用於執行儲存於該儲存單元中的指令以執行該控制管理方法,該控制管理方法包括下列步驟: 注入動態連結函式庫至一第一行程; 執行注入至該第一行程的該動態連結函式庫以判斷該第一行程是否屬於多個控制台程式的其中之一,當判斷該第一行程屬於該些控制台程式的其中之一時,對該第一行程包括的特定函數進行鉤子編程,該第一行程包括的該特定函數用於在該第一行程的一視窗輸出一字元內容;以及 當調用被進行過鉤子編程的該第一行程包括的該特定函數而在該第一行程的該視窗輸出該字元內容時,記錄該第一行程的該視窗所輸出的該字元內容。A control and management method of a console program is applied to a computer. The computer includes a processor and a storage unit. The processor is used to execute instructions stored in the storage unit to execute the control management method. The control management method includes The following steps: Inject the dynamic link library to a first stroke; Execute the dynamic link library injected into the first process to determine whether the first process belongs to one of the multiple console programs. When it is determined that the first process belongs to one of the console programs, the Hook programming is performed on a specific function included in the first stroke, and the specific function included in the first stroke is used to output a character content in a window of the first stroke; and When the specific function included in the first stroke that has been hook-programmed is called and the character content is output in the window of the first stroke, the character content output by the window of the first stroke is recorded. 
如請求項1所述的控制台程式的控制管理方法,更包括下列步驟: 對該第一行程包括的一創建行程函數進行鉤子編程; 當該第一行程執行被進行過鉤子編程的該創建行程函數而創建一第二行程時,注入一動態連結函式庫至該第二行程; 執行注入至該第二行程的該動態連結函式庫以判斷該第二行程是否屬於該些控制台程式的其中之一,當判斷該第二行程屬於該些控制台程式的其中之一時,對該第二行程包括的特定函數進行鉤子編程,該第二行程包括的該特定函數用於在該第二行程的一視窗輸出一字元內容;以及 當調用被進行過鉤子編程的該第二行程包括的該特定函數而在該第二行程的該視窗輸出該字元內容時,記錄該第二行程的該視窗所輸出的該字元內容至該儲存單元。The control management method of the console program as described in claim 1, further includes the following steps: Perform hook programming on a creation stroke function included in the first stroke; When the first stroke executes the stroke creation function that has been hook-programmed to create a second stroke, inject a dynamic link library into the second stroke; Execute the dynamic link library injected into the second process to determine whether the second process belongs to one of the console programs. When it is determined that the second process belongs to one of the console programs, the Hook programming is performed on a specific function included in the second stroke, and the specific function included in the second stroke is used to output a character content in a window of the second stroke; and When the specific function included in the second process that has been hook-programmed is called and the content of the character is output in the window of the second process, the content of the character output by the window of the second process is recorded to the Storage unit. 如請求項1所述的控制台程式的控制管理方法,其中該些特定函數包括應用程式介面函數。The control and management method for a console program according to claim 1, wherein the specific functions include application program interface functions. 如請求項1所述的控制台程式的控制管理方法,其中該控制台程式包括一命令列介面程式。The control management method of a control panel program according to claim 1, wherein the control panel program includes a command line interface program. 
The console application control management method according to claim 1, wherein the step of injecting the dynamic link library into the first process comprises remote thread injection, and the remote thread injection comprises the following steps:
obtaining a handle of the first process;
requesting an allocated memory address space within the memory address space of the first process;
writing the dynamic link library into the allocated memory address space; and
creating a thread in the first process and loading the dynamic link library through the thread.

The console application control management method according to claim 1, wherein the step of hooking the specific function included in the first process comprises: converting the first instruction at the memory address corresponding to the specific function into a jump instruction, wherein the jump instruction points to an allocated memory address space into which the dynamic link library has been written.

A console application control management system, comprising:
a computer, comprising:
a processor; and
a storage unit;
wherein the processor executes instructions stored in the storage unit to perform the following steps:
injecting a dynamic link library into a first process;
executing the dynamic link library injected into the first process to determine whether the first process belongs to one of a plurality of console applications, and, when the first process is determined to belong to one of the console applications, hooking a specific function included in the first process, the specific function included in the first process being used to output a character content in a window of the first process; and
when the hooked specific function included in the first process is called and outputs the character content in the window of the first process, recording the character content output in the window of the first process to the storage unit.

The console application control management system according to claim 7, wherein the processor further performs the following steps:
hooking a process-creation function included in the first process;
when the first process executes the hooked process-creation function to create a second process, injecting a dynamic link library into the second process;
executing the dynamic link library injected into the second process to determine whether the second process belongs to one of the console applications, and, when the second process is determined to belong to one of the console applications, hooking a specific function included in the second process, the specific function included in the second process being used to output a character content in a window of the second process; and
when the hooked specific function included in the second process is called and outputs the character content in the window of the second process, recording the character content output in the window of the second process.

The console application control management system according to claim 7, wherein the step of injecting the dynamic link library into the first process comprises remote thread injection, and the remote thread injection comprises the following steps:
obtaining a handle of the first process;
requesting an allocated memory address space within the memory address space of the first process;
writing the dynamic link library into the allocated memory address space; and
creating a thread in the first process and loading the dynamic link library through the thread.

The console application control management system according to claim 7, wherein the step of hooking the specific function included in the first process comprises: converting the first instruction at the memory address corresponding to the specific function into a jump instruction, wherein the jump instruction points to an allocated memory address space into which the dynamic link library has been written.
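The two mechanisms the claims rely on, a DLL loaded into a process by a remote thread and a function whose first instruction is rewritten into a jump, are the same mechanisms a defender looks for when deciding whether a process has been instrumented this way, whether by a monitoring product or by something unwanted. The following Python is an added example written for this page; it is not code from the patent or its assignee. It goes slightly beyond the claim text by decoding three jump encodings that such a hook can use on x64 (jmp rel32, jmp [rip+disp32], and mov rax,imm64 / jmp rax). The Sysmon Event ID 8 field names are real, but every event value, the kernel32 address range, the function base address and all byte strings are constructed samples, and WriteConsoleW is only assumed here as one example of a function that outputs characters to a console window.

```python
"""Defender-side checks for the two mechanisms the claims above describe.

(1) Remote thread injection: a DLL loaded into another process by a thread
    created in that process, visible in telemetry as a CreateRemoteThread
    event whose start routine is a LoadLibrary* export.
(2) Inline hooking: the first instruction of an exported function replaced
    by a jump into code outside the function's own module.

Added example, not code from the patent or its assignee. The event records,
module range, addresses and byte strings below are constructed samples.
"""
import struct

# ---- (1) CreateRemoteThread telemetry -------------------------------------
# Field names follow Sysmon Event ID 8 (CreateRemoteThread); values are constructed.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Tools\agent.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL",
     "StartFunction": "LoadLibraryW"},            # thread entry is the loader itself
    {"EventID": 8, "SourceImage": r"C:\Program Files\Debugger\dbg.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "DbgUiRemoteBreakin"},      # debugger break-in: remote thread, not a loader
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # unrelated event type
]

LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def suspicious_remote_threads(events):
    """Return (source, target) pairs for remote threads started at a LoadLibrary*
    export: the observable side of 'create a thread in the first process and
    load the dynamic link library through the thread'."""
    return [(ev["SourceImage"], ev["TargetImage"])
            for ev in events
            if ev.get("EventID") == 8 and ev.get("StartFunction") in LOADER_EXPORTS]


# ---- (2) inline hook on a function prologue --------------------------------
MASK64 = (1 << 64) - 1


def decode_jump(code, base):
    """Decode the jump an inline hook typically writes at `base`, the virtual
    address of the function's first byte. Returns (kind, address) or None.

    E9 rel32            jmp near               -> absolute target
    FF 25 disp32        jmp [rip+disp32] (x64) -> address of the pointer slot
    48 B8 imm64 FF E0   mov rax,imm64; jmp rax -> absolute target
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp-rel32", (base + 5 + rel) & MASK64)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":
        disp = struct.unpack_from("<i", code, 2)[0]
        return ("jmp-indirect-slot", (base + 6 + disp) & MASK64)
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return ("jmp-abs", struct.unpack_from("<Q", code, 2)[0])
    return None


def classify_prologue(name, base, in_memory, on_disk, module_range):
    """Compare the live prologue of export `name` with its clean on-disk bytes
    and report whether a jump out of the owning module was patched in.
    For 'jmp-indirect-slot' the address is the pointer slot, not the final target."""
    if in_memory == on_disk:
        return {"function": name, "hooked": False}
    jump = decode_jump(in_memory, base)
    if jump is None:
        return {"function": name, "hooked": True, "kind": "patched-no-jump", "target": None}
    kind, target = jump
    start, end = module_range
    return {"function": name, "hooked": True, "kind": kind, "target": target,
            "target_in_module": start <= target < end}


# Constructed sample: a console-output export of kernel32.dll mapped at a
# made-up range, its clean 12-byte prologue, and two hooked variants.
KERNEL32_RANGE = (0x7FF812300000, 0x7FF812400000)
WRITECONSOLEW_BASE = 0x7FF812345000
CLEAN = bytes.fromhex("48895C2408 48896C2410 56 57")       # mov [rsp+8],rbx; mov [rsp+10h],rbp; push rsi; push rdi
HOOKED_ABS = bytes.fromhex("48B8 00003C5AE4010000 FFE0")  # mov rax,0x1E45A3C0000; jmp rax
HOOKED_REL = bytes.fromhex("E9 FBAFCBED") + CLEAN[5:]     # jmp 0x7FF800000000; rest of old prologue left behind


def scan_sample():
    """Run both checks over the constructed samples."""
    return {
        "remote_threads": suspicious_remote_threads(SAMPLE_EVENTS),
        "abs_hook": classify_prologue("WriteConsoleW", WRITECONSOLEW_BASE, HOOKED_ABS, CLEAN, KERNEL32_RANGE),
        "rel_hook": classify_prologue("WriteConsoleW", WRITECONSOLEW_BASE, HOOKED_REL, CLEAN, KERNEL32_RANGE),
        "clean": classify_prologue("WriteConsoleW", WRITECONSOLEW_BASE, CLEAN, CLEAN, KERNEL32_RANGE),
    }


if __name__ == "__main__":
    for key, value in scan_sample().items():
        print(key, value)
```

In a live scan the `in_memory` bytes come from reading the target process and `on_disk` from the mapped module file; compare only the first instruction or two, since later bytes may legitimately differ after relocation, and treat a jump whose target lies outside the owning module (the pattern the claim describes, a jump into a separately allocated region) as the finding to attribute. Security products and hot-patching frameworks use the same technique, so a hit identifies that a hook exists, not who placed it.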
TW109102023A 2020-01-20 2020-01-20 Console application control management method and system TWI739284B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109102023A TWI739284B (en) 2020-01-20 2020-01-20 Console application control management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW109102023A TWI739284B (en) 2020-01-20 2020-01-20 Console application control management method and system

Publications (2)

Publication Number Publication Date
TW202129505A true TW202129505A (en) 2021-08-01
TWI739284B TWI739284B (en) 2021-09-11

Family

ID=78282759

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109102023A TWI739284B (en) 2020-01-20 2020-01-20 Console application control management method and system

Country Status (1)

Country Link
TW (1) TWI739284B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7600222B2 (en) * 2002-01-04 2009-10-06 Microsoft Corporation Systems and methods for managing drivers in a computing system
CN1179269C (en) * 2002-08-09 2004-12-08 联想(北京)有限公司 Method for accurately obtaining computer screen change
US8255931B2 (en) * 2008-02-11 2012-08-28 Blue Coat Systems, Inc. Method for implementing ejection-safe API interception
CN105045605B (en) * 2015-08-28 2019-05-24 成都卫士通信息产业股份有限公司 A kind of method and system by DLL injection target process
CN107479874B (en) * 2017-07-11 2021-04-16 北京明朝万达科技股份有限公司 DLL injection method and system based on Windows platform

Also Published As

Publication number Publication date
TWI739284B (en) 2021-09-11

Similar Documents

Publication Publication Date Title
US9110682B2 (en) State machine control of a debugger
TWI617914B (en) Specialized boot path for speeding up resume from sleep state
US6738926B2 (en) Method and apparatus for recovering a multi-threaded process from a checkpoint
US8849753B2 (en) Automating asynchronous programming in single threaded systems
JP2013520744A (en) Method and apparatus for generating minimum boot image
CN108932406A (en) Virtualization software guard method and device
TW201011538A (en) Managing cache data and metadata
CN101446915B (en) Method and device for recording BIOS level logs
WO2017096917A1 (en) Method and apparatus for injecting hot patch
US20120331489A1 (en) Bypassing user mode redirection
JP2007172602A (en) Method and apparatus for persistently resolving event to event source
US8886962B2 (en) Systems and methods for disk encryption with two keys
CN110826099A (en) Safe storage method and system suitable for embedded real-time operating system
CN100514305C (en) System and method for implementing safety control of operation system
TWI739284B (en) Console application control management method and system
US20100199067A1 (en) Split Vector Loads and Stores with Stride Separated Words
US8788785B1 (en) Systems and methods for preventing heap-spray attacks
CN113220355A (en) Control management method and system for console program
US8972708B2 (en) Plurality of interface files usable for access to BIOS
US20120185875A1 (en) Interprocess communication using a single semaphore
CN110515751B (en) Method and system for loading and running VxWorks real-time protection process
US8321606B2 (en) Systems and methods for managing memory using multi-state buffer representations
JP7285907B2 (en) Internet of Things Device and Method for Detecting and Treating Malware Using Server Resources
US20230359591A1 (en) Offloading data processing into computational storage using journaling
JP6143038B1 (en) OS program and method for accessing file without depending on application