WO2007037640A1 - Method for detecting modification of internal time in a computer system - Google Patents

Publication number
WO2007037640A1
WO2007037640A1 PCT/KR2006/003902 KR2006003902W WO2007037640A1 WO 2007037640 A1 WO2007037640 A1 WO 2007037640A1 KR 2006003902 W KR2006003902 W KR 2006003902W WO 2007037640 A1 WO2007037640 A1 WO 2007037640A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
computer system
timer
standard
internal
Prior art date
Application number
PCT/KR2006/003902
Other languages
English (en)
Inventor
Ho Woong Lee
Hee An Park
Hang Hoon Ko
Soon Keun Kim
Deok Young Jung
Original Assignee
Ahn Lab, Inc.
Priority date
Filing date
Publication date
Priority claimed from KR1020050090603A (KR100653545B1)
Application filed by Ahn Lab, Inc.
Publication of WO2007037640A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/04 Generating or distributing clock signals or signals derived directly therefrom
    • G06F1/14 Time supervision arrangements, e.g. real time clock

Definitions

  • The present invention relates to a method for detecting modification of internal time in a computer system. More particularly, it relates to a method for detecting that the internal time information of a computer system has been modified by an external program that modifies time.
  • Programs that make the programs running in a computer system run either faster or slower by modifying time-related information are generally called speed hacking or speed hack programs.
  • Speed hack programs fall into two groups: those that hook a time-related API (Application Programming Interface) and return abnormal values when the API is called, and those that manipulate the PIT (Programmable Interrupt Timer) to change the period of the timer that the actual system uses as its time-related information.
  • API Application Programming Interface
  • This kind of speed hack program is mainly used on a client system that interfaces with an online game server. More particularly, the speed hack program is used to beat other users who are playing the game at the same time by making the time of the game client go faster or slower. Further, speed hack programs cause the game client to transmit a large amount of data in a short period of time and thereby place a heavy load on the game server. As a result, the number of users of the online game decreases, which directly harms the sales of game businesses. Online game companies detect the use of speed hack programs by the following methods.
  • A first method for detecting modification of internal time in a computer system senses speed hack programs that work by hooking an API.
  • The method diagnoses whether speed hack programs are in use by checking for hooking, for example by checking whether the IAT (Import Address Table) addresses for the API have been modified or whether jump code has been inserted at the very beginning of each real API code.
  • IAT Import Address Table
  • A second method for detecting modification of internal time in a computer system, the most generally used way of detecting all speed hack programs, comprises collecting as many speed hack program samples as possible and diagnosing with the patterns of the programs on the basis of the collected samples, in a way similar to virus checking.
  • A third method for detecting modification of internal time in a computer system diagnoses the use of speed hack programs by comparing the amount of packets transmitted from the game server over a certain period of time.
  • This method may fail to perceive the speed hack program through misperception, except when the speed hack program changes time by a large amount so that the amount of packets arriving at the server is much different from the amount under normal conditions.
  • An objective of the present invention is to provide a method of detecting modification of internal time in a computer system by speed hack programs.
  • Another objective of the present invention is to provide a method of detecting modification of internal time in a computer system based solely on changes in time, so that no modification of internal time is detected when a program hooks a time-related API in a normal way.
  • A further objective of the present invention is to provide a method of detecting modification of internal time in a computer system wherein it does not take long when diagnosing all the areas where jump code may be inserted.
  • A still further objective of the present invention is to provide a method for detecting modification of internal time in a computer system in which a small change in time can be detected by using accurate TSC (Time Stamp Counter) information, and in which modification of internal time by any speed hack program can be detected by examining changes in real time regardless of the operational routines of the speed hack program.
  • TSC Time Stamp Counter
  • A method for detecting modification of internal time in a computer system comprises the steps of: detecting a standard time through a chip providing time information at the kernel level of the computer system;
  • A computer-readable recording medium having a program to embody a method according to the present invention, the method comprising the steps of: setting a timer having a first period at the kernel level of the computer system; storing TSC (Time Stamp Counter) variation data each time the timer is called at the first period and the calling signal of the timer is detected; deciding with the RTC (Real Time Clock), when the timer is called, whether a certain time has passed, and setting a standard time by calculating a mean value of the variations over a certain period of time;
  • A computer-readable recording medium having a program to embody a method according to the present invention, the method comprising the steps of: setting the RTC (Real Time Clock) as a standard time at the kernel level of the computer system; detecting an inner time of a program at the user level of the computer system from PIT
  • Fig. 1 is a general internal block diagram of a computer system according to one embodiment of the present invention.
  • Fig. 2 is a flow chart illustrating a method of calculating standard time according to one embodiment of the present invention.
  • Fig. 3 is a flow chart illustrating a method for detecting modification of internal time in a computer system according to one embodiment of the present invention.
  • Fig. 4 is a flow chart illustrating a method for detecting modification of internal time in a computer system based on a calculated standard time according to one embodiment of the present invention.
  • The best embodiment of the present invention is described in detail below with reference to the appended drawings.
  • Fig. 1 is a general internal block diagram of a computer system according to one embodiment of the present invention.
  • The computer system is divided into User Level 100 and Kernel Level 200.
  • Whether the internal time of the computer system has been modified is decided as follows: the time modification detecting module 140 retrieves the standard time calculated at the device driver 220, obtains the internal time by calling the time-related API of the operating program 120 running at user level, and compares the standard time with the internal time.
  • RTC Real Time Clock
  • BIOS Basic Input Output
  • Fig. 2 is a flow chart illustrating how standard time is calculated according to one embodiment of the present invention.
  • The TSC variation data is stored every 10 ms, the mean value of the TSC variation per 1 sec is stored, and that mean value of the TSC variation per 1 sec is set up as the standard time to be used (S240,
  • Fig. 3 is a flow chart illustrating a method for detecting modification of internal time in a computer system according to one embodiment of the present invention.
  • A timer of a second period that does not affect the performance of the operating program is set for periodically diagnosing time modification by the speed hack program
  • The second period is 200 ms, and the timer checks every 200 ms whether internal time in the computer system has been modified.
  • The time modification detecting module 140 detects internal time from the time-related API (Application
  • A variation in time is calculated by using the time-related API, and thereafter the TSC variation corresponding to that variation in time is calculated (S320).
  • Examples of the time-related API in an online game are GetTickCount(), timeGetTime(), QueryPerformanceCounter(), and the like. Where a speed hack program is concerned, the speed hack program hooks such an API, and thereby it is possible to use the API.
  • The time modification detecting module 140 retrieves the TSC variation data for the standard time described with reference to the flow chart in Fig. 2, and then compares it with the TSC variation data calculated in the prior step S320 to decide whether internal time in the computer system has been modified by the activity of the speed hack program (S330).
  • The time modification detecting module 140 calculates the difference between the TSC variation calculated in the prior step S320 and the TSC variation set up on the basis of the standard time, and stores the difference in the Detect Window, in which the differences between the two over the last few seconds are stored.
  • The Detect Window is a simple storage space in which the TSC variations of the last few seconds are stored; the oldest data is replaced with new data.
  • A number of TSC variations are stored in the Detect Window, and thereafter it is decided whether the number of the stored TSC variations in the Detect Window is in the critical range (S340).
  • N is set to a multiple of 5, more preferably 5 or 10, if the second period is 200 ms. Accordingly, if N is 5 or 10, the diagnosis period becomes 1 sec or 2 sec.
  • The present invention minimizes the rate of mistaken diagnosis caused by temporary problems in the computer system by adopting the concept of the Detect Window, which does not diagnose as soon as a TSC variation falls outside the critical range once but detects the case in which TSC variations fall outside the critical range consecutively.
  • Assume that a computer system has a 1 GHz CPU, that the timer used in the time modification detecting module has a period of 200 ms, and that the time-related API used in the game is GetTickCount().
  • TSC variations are placed in the critical range.
  • The critical range is defined to be 10% (more or less than 1.1 times)
  • The method of detecting modification of time remains the same even when time is made twice as slow.
  • A method for detecting modification of internal time when time is made twice as fast by changing the PIT (Programmable Interrupt Timer)
  • PIT Programmable Interrupt Timer
  • A method for detecting a speed hack program that works by changing the PIT period examines whether the speed hack program is in use by comparing the variation in standard time with the variation in real time, based on time information that is not affected by the PIT, for example the RTC (Real Time
  • Fig. 4 is a flow chart illustrating a method for detecting modification of internal time in a computer system, based on the calculated standard time, according to one embodiment of the present invention.
  • S400 kernel level 200 in computer system
  • The minimum unit of the standard time of the RTC is 1 sec.
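
The Detect Window procedure described above (standard time from step S240, periodic check S320 to S340), written out as an added example; it is not code from the patent or from Ahn Lab. The type and function names, the reading of the 10% critical range as a relative deviation from the measured TSC variation, and the constructed inputs (1 GHz CPU, 200 ms timer, a GetTickCount()-style millisecond delta) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define WINDOW_N      5   /* Detect Window size N: 5 checks x 200 ms = 1 s */
#define TOLERANCE_PCT 10  /* critical range from the text: 10% */

/* S240: mean of the TSC variations stored every 10 ms, scaled to 1 s. */
uint64_t standard_tsc_per_sec(const uint64_t *delta_10ms, size_t n) {
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += delta_10ms[i];
    return n ? (sum / n) * 100 : 0;
}

typedef struct {
    uint64_t std_per_sec;       /* standard time from the kernel side */
    int64_t  dev_pct[WINDOW_N]; /* Detect Window: recent deviations in % */
    size_t   next, filled;
} detector;

void detector_init(detector *d, uint64_t std_per_sec) {
    d->std_per_sec = std_per_sec;
    d->next = d->filled = 0;
}

/* One periodic check (S320 to S340). Returns 1 once N consecutive
 * samples lie outside the critical range, otherwise 0. */
int detector_tick(detector *d, uint64_t tsc_delta, uint32_t api_delta_ms) {
    if (tsc_delta == 0) return 0;            /* no usable measurement */
    /* S320: TSC variation implied by the time the API claims has passed. */
    int64_t implied = (int64_t)(d->std_per_sec / 1000 * api_delta_ms);
    /* S330: difference against the measured TSC variation, in percent
     * (truncated toward zero); the oldest window entry is overwritten. */
    d->dev_pct[d->next] = (implied - (int64_t)tsc_delta) * 100 / (int64_t)tsc_delta;
    d->next = (d->next + 1) % WINDOW_N;
    if (d->filled < WINDOW_N) d->filled++;
    /* S340: diagnose only when the whole window is out of range. */
    if (d->filled < WINDOW_N) return 0;
    for (size_t i = 0; i < WINDOW_N; i++)
        if (d->dev_pct[i] >= -TOLERANCE_PCT && d->dev_pct[i] <= TOLERANCE_PCT)
            return 0;
    return 1;
}

/* Constructed scenario: 1 GHz CPU, 200 ms timer; api_ms[] is the elapsed time
 * the API reports per check. Returns the index of the detecting check or -1. */
int first_detection(const uint32_t *api_ms, size_t n) {
    uint64_t cal[100];
    for (size_t i = 0; i < 100; i++) cal[i] = 10000000ULL; /* 10 ms at 1 GHz */
    detector d;
    detector_init(&d, standard_tsc_per_sec(cal, 100));
    for (size_t i = 0; i < n; i++)
        if (detector_tick(&d, 200000000ULL, api_ms[i])) return (int)i;
    return -1;
}
```

A single out-of-range sample, such as one delayed timer callback, never fills the window and so does not trigger a diagnosis; a sustained doubling or halving of the API-reported time triggers it on the fifth consecutive check.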

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method for detecting a modification of internal time in a computer system. The method of the invention comprises the steps of: detecting a standard time by means of a chip that provides time information at the kernel level of the computer system; detecting an internal time of a program at the user level of the computer system; comparing the detected standard time and the internal time; and deciding whether the computer system must be modified according to the result of the comparison.
PCT/KR2006/003902 2005-09-28 2006-09-28 Method for detecting modification of internal time in a computer system WO2007037640A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2005-0090603 2005-09-28
KR1020050090603A KR100653545B1 (ko) 2004-11-29 2005-09-28 Method for detecting modification of internal time in a computer system

Publications (1)

Publication Number Publication Date
WO2007037640A1 (fr) 2007-04-05

Family

ID=37900008

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/003902 WO2007037640A1 (fr) 2005-09-28 2006-09-28 Method for detecting modification of internal time in a computer system

Country Status (1)

Country Link
WO (1) WO2007037640A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020023103A1 (en) * 1998-04-21 2002-02-21 Rejean Gagne System and method for accessing and manipulating time-based data using meta-clip objects
US20020064096A1 (en) * 2000-08-03 2002-05-30 Yoshitaka Ukita Reproduction apparatus and reproduction method
KR100457405B1 (ko) * 2003-12-08 2004-11-16 INCA Internet Co., Ltd. Method for detecting use of a speed hack by determining whether a timer API is hooked

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2241953A1 (fr) * 2009-04-17 2010-10-20 Siemens Aktiengesellschaft Method and apparatus for the realization of a failsafe time function
JP2012524325A (ja) * 2009-04-17 2012-10-11 NHN Business Platform Corporation Method and apparatus for providing a computer security service using hooks, and computer-readable recording medium
US8615674B2 (en) 2009-04-17 2013-12-24 Siemens Aktiegesellschaft Method and apparatus for the realization of a failsafe time function

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06798985

Country of ref document: EP

Kind code of ref document: A1