Nothing Special   »   [go: up one dir, main page]

CN105808256B - It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection - Google Patents

It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection Download PDF

Info

Publication number
CN105808256B
CN105808256B CN201610128818.0A CN201610128818A CN105808256B CN 105808256 B CN105808256 B CN 105808256B CN 201610128818 A CN201610128818 A CN 201610128818A CN 105808256 B CN105808256 B CN 105808256B
Authority
CN
China
Prior art keywords
storehouse
function
address
createdeviceex
press
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610128818.0A
Other languages
Chinese (zh)
Other versions
CN105808256A (en
Inventor
周志刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Douyu Network Technology Co Ltd
Original Assignee
Wuhan Douyu Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Douyu Network Technology Co Ltd filed Critical Wuhan Douyu Network Technology Co Ltd
Priority to CN201610128818.0A priority Critical patent/CN105808256B/en
Publication of CN105808256A publication Critical patent/CN105808256A/en
Application granted granted Critical
Publication of CN105808256B publication Critical patent/CN105808256B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/30Creation or generation of source code
    • G06F8/31Programming languages or programming paradigms

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Executing Machine-Instructions (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a kind of method that legal storehouse return value of construction bypasses function call detection, including:Construction recursive call is toward the address of any continuous two assembly instructions sequence pop ebp, retn in the code segment of the d3d9.dll modules of multiple press-in process in storehouse, wherein the number of times of press-in address is more than or equal to the number of plies that storehouse detection is called;In toward storehouse repeatedly after press-in address above mentioned, the parameter that construction system function CreateDeviceEx needs simultaneously is pressed into storehouse, and toward after being pressed again by address above mentioned in storehouse, jumps to system function CreateDeviceEx.By constructing a recursive call toward any continuous two assembly instructions sequence pop ebp in the code segment of the d3d9.dll modules of multiple press-in process in storehouse, the address of retn, so as to the legal address of the number of plies is called in press-in more than storehouse detection in storehouse, so that can be by legitimate verification, so as to ensure live being normally carried out when game developer is checked the caller for calling CreateDeviceEx functions.

Description

It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection
Technical field
The invention belongs to computer development technical field, bypassed more particularly, to one kind legal storehouse return value of construction The method and system of function call detection.
Background technology
At present, live software when live can preview to live content, it is all logical to obtain live display content One dynamic link library of injection is crossed in game process, the d3d9.dll's that the dynamic link library of injection can be in hook processes Present functions obtain the display content of video card, in order to get the address of Present functions, then need first to get The pointer of IDirect3DDevice9Ex, obtains function address from the pointer, and the pointer then can be by calling CreateDeviceEx functions are obtained.But because current a lot " plug-in " can call the function to realize some " plug-in " work( Can, so cause the development of games chamber of commerce to be exchanged checked with the caller of the function, if not calling then for game itself Can judge that " plug-in " is calling, so as to be punished.For how to detect that who have invoked certain function, then can utilize The function call mechanism of intel x86, extension base pointer register (extended base can be used in function call Pointer, EBP) and storehouse stack top register (Extended Stack Pointer, ESP) preserve the stack bottom of current stack Address and stack top address.And the return address for calling this function is deposited in stack bottom address.Thus, posted by continuous backtracking EBP Storage obtains the return address of function call, it is possible to the whole call chain for calling this function is got, such that it is able to area Whether separate is legal call address.
The content of the invention
For the disadvantages described above or Improvement requirement of prior art, the invention provides a kind of method for bypassing storehouse detection, This invention by one section of assembly code of construction meticulously, by constantly being covered really toward legal address is pressed into storehouse Call.
To achieve the above object, according to one aspect of the present invention, there is provided the legal storehouse return value of one kind construction is bypassed The method of function call detection, including:Code of the construction recursive call toward the d3d9.dll modules of multiple press-in process in storehouse The address of any continuous two assembly instructions sequence pop ebp, retn in section, wherein the number of times of press-in address is more than or equal to The number of plies that storehouse detection is called;After being repeatedly pressed into address above mentioned in toward storehouse, construction system function CreateDeviceEx is needed The parameter wanted simultaneously is pressed into storehouse, and toward after being pressed again by address above mentioned in storehouse, jumps to system function CreateDeviceEx.
In one embodiment of the invention, the acquisition modes toward the address of press-in in storehouse are:In process It is 0x5D that continuous value is searched in the code segment of d3d9.dll modules, and the address of the instruction of 0xC3, wherein 0x5D, 0xC3 are compilations 16 systems corresponding to command sequence pop ebp, retn.
In one embodiment of the invention, the method that the legal storehouse return value of construction bypasses function call detection, Specially:
Initialization i=n;
Void func(void)
{
By any continuous two assembly instructions sequence pop ebp, retn in the code segment of the d3d9.dll modules of process Address press-in storehouse;
The value of i is subtracted one;
If:i>=0
Jump to func ();
Otherwise
The parameter press-in storehouse that construction system function CreateDeviceEx needs, and it is above-mentioned toward being pressed again by storehouse Behind location, system function CreateDeviceEx is jumped to;
}
Wherein, n is the number of plies that storehouse detection is called.
In one embodiment of the invention, the legal storehouse return value of construction bypasses the method tool of function call detection Body is:
Initialization i=0;
Void func(void)
{
By any continuous two assembly instructions sequence pop ebp, retn in the code segment of the d3d9.dll modules of process Address press-in storehouse;
The value of i is subtracted one;
If:i<=n
Jump to func ();
Otherwise
The parameter press-in storehouse that construction system function CreateDeviceEx needs, and it is above-mentioned toward being pressed again by storehouse Behind location, system function CreateDeviceEx is jumped to;
}
Wherein, n is the number of plies that storehouse detection is called.
In one embodiment of the invention, the recursive call is more than or equal to 5 toward the number of times of press-in address in storehouse.
It is another aspect of this invention to provide that additionally providing a kind of legal storehouse return value of construction bypasses function call detection System, including recurrence module, recurrence jump out module, wherein:
The recurrence module, for constructing recursive call toward the code of the d3d9.dll modules of multiple press-in process in storehouse The address of any continuous two assembly instructions sequence pop ebp, retn in section, wherein the number of times of press-in address is more than or equal to The number of plies that storehouse detection is called;
The recurrence jumps out module, in the recurrence module toward in storehouse repeatedly after press-in address above mentioned, construction system The parameter that system function CreateDeviceEx needs simultaneously is pressed into storehouse, and toward after being pressed again by address above mentioned in storehouse, jumps to System function CreateDeviceEx.
In one embodiment of the invention, the acquisition modes toward the address of press-in in storehouse are:In process It is 0x5D that continuous value is searched in the code segment of d3d9.dll modules, and the address of the instruction of 0xC3, wherein 0x5D, 0xC3 are compilations 16 systems corresponding to command sequence pop ebp, retn.
In one embodiment of the invention, the specific implementation of the system is:
Initialization i=n;
Void func(void)
{
By any continuous two assembly instructions sequence pop ebp, retn in the code segment of the d3d9.dll modules of process Address press-in storehouse;
The value of i is subtracted one;
If:i>=0
Jump to func ();
Otherwise
The parameter press-in storehouse that construction system function CreateDeviceEx needs, and it is above-mentioned toward being pressed again by storehouse Behind location, system function CreateDeviceEx is jumped to;
}
Wherein, n is the number of plies that storehouse detection is called.
In one embodiment of the invention, the specific implementation of the system is:
Initialization i=0;
Void func(void)
{
By any continuous two assembly instructions sequence pop ebp, retn in the code segment of the d3d9.dll modules of process Address press-in storehouse;
The value of i is subtracted one;
If:i<=n
Jump to func ();
Otherwise
The parameter press-in storehouse that construction system function CreateDeviceEx needs, and it is above-mentioned toward being pressed again by storehouse Behind location, system function CreateDeviceEx is jumped to;
}
Wherein, n is the number of plies that storehouse detection is called.
In one embodiment of the invention, the recursive call is more than or equal to 5 toward the number of times of press-in address in storehouse.
In general, by the contemplated above technical scheme of the present invention compared with prior art, passed by constructing one Return any continuous two assembly instruction sequences called and be repeatedly pressed into toward storehouse in the code segment of the d3d9.dll modules of process The address of pop ebp, retn, so as to the legal address of the number of plies is called in press-in more than storehouse detection in storehouse, so as in game Developer can be by legitimate verification, so as to ensure straight when checking the caller for calling CreateDeviceEx functions That broadcasts is normally carried out.
Brief description of the drawings
Fig. 1 is the method schematic diagram that the present invention legal storehouse return value of construction bypasses function call detection;
Fig. 2 is the system construction drawing that the present invention legal storehouse return value of construction bypasses function call detection.
Specific embodiment
In order to make the purpose , technical scheme and advantage of the present invention be clearer, it is right below in conjunction with drawings and Examples The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and It is not used in the restriction present invention.As long as additionally, technical characteristic involved in invention described below each implementation method Not constituting conflict each other can just be mutually combined.
As shown in figure 1, constructing the method that legal storehouse return value bypasses function call detection, bag the invention provides a kind of Include:Construction recursive call is collected toward any continuous two in the code segment of the d3d9.dll modules of multiple press-in process in storehouse The address of command sequence pop ebp, retn, wherein the number of times of press-in address is more than or equal to the number of plies that storehouse detection is called; After being repeatedly pressed into address above mentioned toward storehouse, the parameter that construction system function CreateDeviceEx needs simultaneously is pressed into storehouse, and After being pressed again by address above mentioned toward storehouse, system function CreateDeviceEx is jumped to.
In embodiments of the present invention, the specific implementation of technical solution of the present invention is:
Step one:Any continuous two assembly instruction sequences pop in the code segment of the d3d9.dll modules of lookup process The address of ebp, retn.
Assembly instruction sequence pop ebp, retn corresponding 16 is searched in the code segment of the d3d9.dll modules of process to enter System is exactly 0x5D, 0xC3 so it is 0x5D, the finger of 0xC3 to only need to search continuous value in the code segment of d3d9.dll modules The address of order.
For above-mentioned two assembly instructions sequence pop ebp, retn, wherein pop ebp are for by the value bullet in storehouse Go out in register EBP;Retn is return instruction, for ejecting return address from storehouse.2 assembly instructions just can be real Now returned at next IA of the instruction for calling the code from one section of code.If 2 assembly codes are directly write Developer design function in then in Stack Backtraces when just can backtracking to this point of invocation, will be so judged as by system Illegally call.If 2 addresses of assembly code get from the legal modules of d3d9.dll, serve and hide true The effect of real call address, so as to will not be judged as illegally calling.And in d3d9.dll modules, this 2 instructions are easy to Can just be got from the ending of function, so the present invention is exactly to be found from the code segment of d3d9.dll dynamic link libraries and have Continuous 2 instructions are (pop ebp;Retn) (finding method is compared by contrasting 16 hex values of assembly instruction) Address.Performing this paragraph assembly code can just return to upper strata function call, therefore can just bypass heap by using this address Stack have detected.
Due to the address of assembly instruction sequence pop ebp, retn in the code segment of the d3d9.dll modules of lookup process Certain hour is needed, so the address was first generally found before calling system CreateDeviceEx functions, so that The address directly subsequently can be pressed into storehouse.Can certainly again be done when needs are pressed into the address in storehouse every time Search, but running efficiency of system can be reduced because the lookup time is increased.
Step 2:The function of construction calling system CreateDeviceEx
The function is used to construct the parameter of system CreateDeviceEx functions, is then looked for toward press-in step one in storehouse The memory address for arriving, and jump to system function CreateDeviceEx.
False code is as follows:
{
The parameter press-in storehouse that construction system function CreateDeviceEx needs
The memory address press-in storehouse that step one is found
Jump to system function CreateDeviceEx
}
A Compilation function nakedCallCreateDeviceEx can be for example constructed, its function that can be realized is:Structure The parameter of system CreateDeviceEx functions is made, the memory address for then being found toward press-in step one in storehouse, and redirect To system function CreateDeviceEx.
Step 3:Construct recursive call toward stack structure legal address and the function of invocation step two
Function effect is to construct be pressed into the address that obtains in step one in recursive call dealing storehouse, and recursive outlet is then It is the function of invocation step two.Thus toward constructing many legal call address in storehouse.Recurrence number of times needs to find game The detection number of plies, such as be n-layer, then as long as the legal call address of construction then be more than or equal to n+1 layers.
False code is realized as follows using assembly code:
Initialization i=n
Void func(void)
{
The memory address press-in storehouse that step one is found
The value of i is subtracted one
If:i>=0
Jump to func () (realizing recursive call)
Otherwise
Jump to the function of step 2
}
Can certainly be another implementation, be:
The specific implementation of the system is:
Initialization i=0;
Void func(void)
{
By any continuous two assembly instructions sequence pop ebp, retn in the code segment of the d3d9.dll modules of process Address press-in storehouse;
The value of i is subtracted one;
If:i<=n
Jump to func ();
Otherwise
The parameter press-in storehouse that construction system function CreateDeviceEx needs, and it is above-mentioned toward being pressed again by storehouse Behind location, system function CreateDeviceEx is jumped to;
}
A paragraph assembly code function nakedCallCreateDeviceExPrev, the function of the function can for example be constructed It is that a circulation is set, constantly calls this function, can so produce call chain very long, the outlet of circulation is then invocation step The function mentioned in two.All only can detect that 5 layers are called because storehouse detection is general, and the above method can be produced by a circulation The call chain of raw random layer, and every layer of the return address called all is legal address.
As shown in Fig. 2 the system that legal storehouse return value bypasses function call detection is constructed present invention also offers a kind of, Module is jumped out including recurrence module, recurrence, wherein:
The recurrence module, for constructing recursive call toward the code of the d3d9.dll modules of multiple press-in process in storehouse The address of any continuous two assembly instructions sequence pop ebp, retn in section, wherein the number of times of press-in address is more than or equal to The number of plies that storehouse detection is called;
The recurrence jumps out module, in the recurrence module toward in storehouse repeatedly after press-in address above mentioned, construction system The parameter that system function CreateDeviceEx needs simultaneously is pressed into storehouse, and toward after being pressed again by address above mentioned in storehouse, jumps to System function CreateDeviceEx.
As it will be easily appreciated by one skilled in the art that the foregoing is only presently preferred embodiments of the present invention, it is not used to The limitation present invention, all any modification, equivalent and improvement made within the spirit and principles in the present invention etc., all should include Within protection scope of the present invention.

Claims (4)

1. it is a kind of to construct the method that legal storehouse return value bypasses function call detection, it is characterised in that including:Construction recurrence is adjusted With toward any continuous two assembly instruction sequences pop in storehouse repeatedly in the code segment of the d3d9.dll modules of press-in process The address of ebp, retn, wherein the number of times of press-in address is more than or equal to the number of plies that storehouse detection is called;In toward storehouse repeatedly After press-in address above mentioned, the parameter that construction system function CreateDeviceEx needs simultaneously is pressed into storehouse, and toward in storehouse again After press-in address above mentioned, system function CreateDeviceEx is jumped to;It implements step:
(1) any continuous two assembly instructions sequence pop ebp, retn in the code segment of the d3d9.dll modules of lookup process Address, wherein, assembly instruction sequence pop ebp, retn is searched in the code segment of the d3d9.dll modules of process corresponding 16 systems are exactly that continuous value is searched in 0x5D, 0xC3, the i.e. code segment of d3d9.dll modules is 0x5D, the ground of the instruction of 0xC3 Location, pop ebp are for the value in storehouse to be ejected into register EBP;Retn is return instruction, for being ejected from storehouse Return address;
(2) function of construction calling system function CreateDeviceEx, the function is used to construct system function The parameter of CreateDeviceEx, the memory address for then being found toward press-in step (1) in storehouse, and jump to system function CreateDeviceEx;
(3) recursive call function is constructed, the recursive call function is used to construct in recursive call dealing storehouse and is pressed into step (1) The address for obtaining, recursive outlet is then the function of invocation step (2), wherein, the function of the step (2) is calling system letter The function of number CreateDeviceEx.
2. the method that legal storehouse return value bypasses function call detection, the recursive call are constructed as claimed in claim 1 The number of times that address is pressed into toward storehouse is more than or equal to 5.
3. it is a kind of to construct the system that legal storehouse return value bypasses function call detection, it is characterised in that including:First module, Second module and the 3rd module;
First module, for the code segment of the d3d9.dll modules of lookup process in any continuous two assembly instruction sequences The address of row pop ebp, retn, wherein, assembly instruction sequence pop is searched in the code segment of the d3d9.dll modules of process Corresponding 16 system of ebp, retn is exactly that continuous value is searched in 0x5D, 0xC3, the i.e. code segment of d3d9.dll modules is 0x5D, The address of the instruction of 0xC3, popebp is for the value in storehouse to be ejected into register EBP;Retn is return instruction, is used In ejecting return address from storehouse;
Second module, the function for constructing calling system function CreateDeviceEx, function is used to construct system The parameter of function CreateDeviceEx, then toward being pressed into the memory address that first module is found in storehouse, and redirects To system function CreateDeviceEx;
3rd module, for constructing recursive call function, the recursive call function is used to construct recursive call dealing storehouse The address obtained in middle press-in first module, recursive outlet is then to call the function in second module, wherein, institute It is the function of calling system function CreateDeviceEx to state the function in the second module.
4. the system that legal storehouse return value bypasses function call detection, the recursive call are constructed as claimed in claim 3 The number of times that address is pressed into toward storehouse is more than or equal to 5.
CN201610128818.0A 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection Active CN105808256B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610128818.0A CN105808256B (en) 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610128818.0A CN105808256B (en) 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection

Publications (2)

Publication Number Publication Date
CN105808256A CN105808256A (en) 2016-07-27
CN105808256B true CN105808256B (en) 2017-06-23

Family

ID=56466818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610128818.0A Active CN105808256B (en) 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection

Country Status (1)

Country Link
CN (1) CN105808256B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106295325B (en) * 2016-08-12 2020-02-07 武汉斗鱼网络科技有限公司 Hook method and system for acquiring content of display card
CN106295326B (en) * 2016-08-12 2020-02-07 武汉斗鱼网络科技有限公司 Inline hook method and system for acquiring content of display card
CN107545182B (en) * 2017-09-06 2019-11-15 武汉斗鱼网络科技有限公司 Around the method and system of function call chain detection in a kind of IOS application
CN110245464B (en) * 2018-10-10 2021-08-27 爱信诺征信有限公司 Method and device for protecting file
CN113010855B (en) * 2019-12-18 2022-05-10 武汉斗鱼鱼乐网络科技有限公司 Method, device and medium for acquiring data and computer equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8984256B2 (en) * 2006-02-03 2015-03-17 Russell Fish Thread optimized multiprocessor architecture
CN101692206A (en) * 2009-08-28 2010-04-07 腾讯科技(深圳)有限公司 Method for adding dynamic parameters to static callback function and related realization
CN102651060B (en) * 2012-03-31 2015-05-06 北京奇虎科技有限公司 Method and system for detecting vulnerability
CN104298534B (en) * 2014-10-23 2017-10-24 广州华多网络科技有限公司 Programmed method and device based on Lua language

Also Published As

Publication number Publication date
CN105808256A (en) 2016-07-27

Similar Documents

Publication Publication Date Title
CN105808256B (en) It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection
CN102722672B (en) A kind of method and device detecting running environment authenticity
CN103679032B (en) Method and device for preventing malicious software
CN105138903B (en) A kind of ROP attack detection method based on RET instruction and JMP instructions
CN110251937A (en) Game object control method and device
CN104834837A (en) Binary code anti-obfuscation method based on semanteme
CN107193942A (en) The rapid generation of all connected subgraphs in a kind of digraph
CN112328732A (en) Sensitive word detection method and device and sensitive word tree construction method and device
CN106060778A (en) Target location determination method and device
CN110209493A (en) EMS memory management process, device, electronic equipment and storage medium
CN110691072A (en) Distributed port scanning method, device, medium and electronic equipment
CN102968275A (en) Unlocking method and system of mobile terminal
CN103530561A (en) Method and device for preventing attacks of Trojan horse programs based on social engineering
CN106815179A (en) A kind of text similarity determines method and device
CN115291859A (en) Match control method, match method and electronic equipment
CN104978488B (en) The behavior analysis method and device of game role
CN109472135A (en) A kind of method, apparatus and storage medium of detection procedure injection
CN103024928A (en) Terminal wireless connection method and wireless terminal
CN112363516A (en) Virtual wall generation method and device, robot and storage medium
CN107450907A (en) Compatibility method, mobile terminal and the device with store function of fingerprint module
CN105760293B (en) The method and system of muti-language support test
CN113127868A (en) Script identification method, device, equipment and storage medium
CN104572482B (en) The storage method and device of a kind of process variable
CN111698256A (en) Method and device for detecting illegal link
US20190213323A1 (en) Systems and methods for detecting and mitigating code injection attacks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant