CN105808256B - Method and system for constructing legitimate stack return values to bypass function call detection - Google Patents
Method and system for constructing legitimate stack return values to bypass function call detection
- Publication number
- CN105808256B (application CN201610128818.0A)
- Authority
- CN
- China
- Prior art keywords
- stack
- function
- address
- createdeviceex
- push
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/30—Creation or generation of source code
- G06F8/31—Programming languages or programming paradigms
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Executing Machine-Instructions (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method for constructing legitimate stack return values to bypass function call detection, comprising: constructing a recursive call that repeatedly pushes onto the stack the address of any consecutive two-instruction assembly sequence pop ebp, retn found in the code segment of the process's d3d9.dll module, where the number of pushes is greater than or equal to the number of stack levels the detection walks; after the address has been pushed repeatedly, constructing the parameters needed by the system function CreateDeviceEx and pushing them onto the stack, pushing the address once more, and jumping to the system function CreateDeviceEx. Because the recursive call pushes more legitimate addresses onto the stack than the number of levels the stack detection walks, the call passes the legitimacy check when the game developer inspects the caller of the CreateDeviceEx function, so that live streaming proceeds normally.
Description
Technical field
The invention belongs to the technical field of computer development, and more particularly relates to a method and system for constructing legitimate stack return values to bypass function call detection.
Background technology
At present, live-streaming software that previews live content obtains the display content by injecting a dynamic link library into the game process. The injected library hooks the Present function of d3d9.dll in that process to obtain the graphics card's display content. To obtain the address of the Present function it first needs the IDirect3DDevice9Ex pointer, from which the function address is read; that pointer is obtained by calling the CreateDeviceEx function. However, because many cheat programs ("plug-ins") call this function to implement their cheat features, game developers check the caller of the function: if the call did not come from the game itself, it is judged to be a cheat and is punished. Detecting who called a given function relies on the function call mechanism of Intel x86: during a function call, the extended base pointer register (EBP) and the extended stack pointer register (ESP) hold the bottom address and top address of the current stack frame, and the return address of the call is stored at the frame's base address. By repeatedly following the saved EBP values to read each frame's return address, the whole call chain that led to the function can be recovered, and legitimate call addresses can be distinguished from illegitimate ones.
The content of the invention
In view of the above defects or improvement needs of the prior art, the invention provides a method for bypassing stack detection: a carefully constructed section of assembly code repeatedly pushes legitimate addresses onto the stack to hide the real call.
To achieve the above object, according to one aspect of the invention, there is provided a method for constructing legitimate stack return values to bypass function call detection, comprising: constructing a recursive call that repeatedly pushes onto the stack the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module, where the number of pushes is greater than or equal to the number of stack levels the detection walks; after the address has been pushed repeatedly, constructing the parameters needed by the system function CreateDeviceEx and pushing them onto the stack, pushing the address once more, and jumping to the system function CreateDeviceEx.
In one embodiment of the invention, the address to be pushed onto the stack is obtained as follows: the code segment of the process's d3d9.dll module is searched for an instruction whose consecutive byte values are 0x5D, 0xC3, and its address is taken; 0x5D, 0xC3 is the hexadecimal encoding of the assembly instruction sequence pop ebp, retn.
In one embodiment of the invention, the method for constructing legitimate stack return values to bypass function call detection is specifically:

    Initialize i = n;
    void func(void)
    {
        push onto the stack the address of any consecutive two-instruction sequence pop ebp, retn in the code segment of the process's d3d9.dll module;
        decrement i by one;
        if i >= 0
            jump to func();
        otherwise
            construct the parameters needed by the system function CreateDeviceEx and push them onto the stack, push the above address onto the stack once more, and jump to the system function CreateDeviceEx;
    }

where n is the number of stack levels the detection walks.
In one embodiment of the invention, the method for constructing legitimate stack return values to bypass function call detection is specifically:

    Initialize i = 0;
    void func(void)
    {
        push onto the stack the address of any consecutive two-instruction sequence pop ebp, retn in the code segment of the process's d3d9.dll module;
        increment i by one;
        if i <= n
            jump to func();
        otherwise
            construct the parameters needed by the system function CreateDeviceEx and push them onto the stack, push the above address onto the stack once more, and jump to the system function CreateDeviceEx;
    }

where n is the number of stack levels the detection walks.
In one embodiment of the invention, the recursive call pushes the address onto the stack at least 5 times.
According to another aspect of the invention, there is also provided a system for constructing legitimate stack return values to bypass function call detection, comprising a recursion module and a recursion-exit module, wherein:
the recursion module constructs a recursive call that repeatedly pushes onto the stack the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module, where the number of pushes is greater than or equal to the number of stack levels the detection walks;
the recursion-exit module, after the recursion module has pushed the address repeatedly, constructs the parameters needed by the system function CreateDeviceEx and pushes them onto the stack, pushes the address once more, and jumps to the system function CreateDeviceEx.
In one embodiment of the invention, the address to be pushed onto the stack is obtained as follows: the code segment of the process's d3d9.dll module is searched for an instruction whose consecutive byte values are 0x5D, 0xC3, and its address is taken; 0x5D, 0xC3 is the hexadecimal encoding of the assembly instruction sequence pop ebp, retn.
In one embodiment of the invention, the specific implementation of the system is:

    Initialize i = n;
    void func(void)
    {
        push onto the stack the address of any consecutive two-instruction sequence pop ebp, retn in the code segment of the process's d3d9.dll module;
        decrement i by one;
        if i >= 0
            jump to func();
        otherwise
            construct the parameters needed by the system function CreateDeviceEx and push them onto the stack, push the above address onto the stack once more, and jump to the system function CreateDeviceEx;
    }

where n is the number of stack levels the detection walks.
In one embodiment of the invention, the specific implementation of the system is:

    Initialize i = 0;
    void func(void)
    {
        push onto the stack the address of any consecutive two-instruction sequence pop ebp, retn in the code segment of the process's d3d9.dll module;
        increment i by one;
        if i <= n
            jump to func();
        otherwise
            construct the parameters needed by the system function CreateDeviceEx and push them onto the stack, push the above address onto the stack once more, and jump to the system function CreateDeviceEx;
    }

where n is the number of stack levels the detection walks.
In one embodiment of the invention, the recursive call pushes the address onto the stack at least 5 times.
In general, compared with the prior art, the technical scheme contemplated by the invention constructs a recursive call that repeatedly pushes onto the stack the address of any consecutive two-instruction sequence pop ebp, retn in the code segment of the process's d3d9.dll module, so that more legitimate addresses are pushed than the number of stack levels the detection walks. The call therefore passes the legitimacy check when the game developer inspects the caller of the CreateDeviceEx function, and live streaming proceeds normally.
Brief description of the drawings
Fig. 1 is a schematic diagram of the method of the invention for constructing legitimate stack return values to bypass function call detection;
Fig. 2 is a structural diagram of the system of the invention for constructing legitimate stack return values to bypass function call detection.
Specific embodiment
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are intended only to illustrate the invention and not to limit it. In addition, the technical features involved in the embodiments described below may be combined with one another as long as they do not conflict.
As shown in Fig. 1, the invention provides a method for constructing legitimate stack return values to bypass function call detection, comprising: constructing a recursive call that repeatedly pushes onto the stack the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module, where the number of pushes is greater than or equal to the number of stack levels the detection walks; after the address has been pushed repeatedly, constructing the parameters needed by the system function CreateDeviceEx and pushing them onto the stack, pushing the address once more, and jumping to the system function CreateDeviceEx.
In an embodiment of the invention, the specific implementation of the technical solution is:
Step one: find the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module.
The hexadecimal encoding of the assembly instruction sequence pop ebp, retn is 0x5D, 0xC3, so it is only necessary to search the code segment of the d3d9.dll module for an instruction whose consecutive byte values are 0x5D, 0xC3 and take its address.
Of the two assembly instructions pop ebp, retn: pop ebp pops the value on top of the stack into register EBP, and retn is the return instruction, which pops the return address from the stack. Together these two instructions return from a section of code to the instruction following the call that invoked it. If the two instructions were written directly into a function designed by the developer, a stack backtrace would reach that call site and the system would judge the call illegitimate. If instead the address of the two instructions is taken from the legitimate module d3d9.dll, the real call address is hidden and the call is not judged illegitimate. In the d3d9.dll module these two instructions are easy to obtain from the end of a function, so the invention finds, in the code segment of the d3d9.dll dynamic link library, the address of two consecutive instructions (pop ebp; retn), the search being done by comparing the hexadecimal values of the assembly instructions. Executing this section of assembly code returns to the upper-level function call, so using this address bypasses the stack detection.
Because searching the code segment of the process's d3d9.dll module for the address of the instruction sequence pop ebp, retn takes some time, the address is generally found once before the system function CreateDeviceEx is called, so that it can subsequently be pushed onto the stack directly. The search could instead be repeated each time the address needs to be pushed, but the added search time would reduce system efficiency.
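As an added example (not part of the patent and not code from the applicant), the following C program shows the defender's side of the background section and of step one: an EBP-chain walker over a constructed stack that, besides checking that each return address lies inside a known module, flags a return address that points straight at a pop ebp; retn pair (bytes 0x5D 0xC3) or that is not preceded by a call instruction. The module bytes, addresses and frame layout are constructed for the example; only the two commonest call encodings are decoded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample code segment standing in for a module such as d3d9.dll.
 * The bytes are hand-made for this example; they are not real d3d9.dll code. */
#define MOD_BASE  0x10000000u
#define MOD_SIZE  16u
#define GADGET_VA (MOD_BASE + 0x0Au)           /* where the pop ebp; retn pair sits */

static const uint8_t g_code[MOD_SIZE] = {
    0xE8, 0x0B, 0x00, 0x00, 0x00,   /* +0x00 call +0x10  (E8 rel32)                */
    0x8B, 0xF0,                     /* +0x05 mov esi, eax   <- return site A        */
    0xFF, 0xD0,                     /* +0x07 call eax    (FF /2, register form)    */
    0x90,                           /* +0x09 nop            <- return site B        */
    0x5D, 0xC3,                     /* +0x0A pop ebp ; retn (epilogue gadget)       */
    0xCC, 0xCC, 0xCC, 0xCC,         /* +0x0C padding                                */
};

enum verdict { V_OK = 0, V_OUTSIDE_MODULE, V_GADGET, V_NOT_CALL_PRECEDED };

static bool in_module(uint32_t va) { return va >= MOD_BASE && va < MOD_BASE + MOD_SIZE; }

/* True if the bytes at va are exactly 0x5D 0xC3 (pop ebp; retn). A return address that
 * lands directly on an epilogue was pushed by hand: no call instruction returns there. */
bool is_pop_ebp_retn(uint32_t va) {
    if (!in_module(va) || !in_module(va + 1)) return false;
    uint32_t off = va - MOD_BASE;
    return g_code[off] == 0x5D && g_code[off + 1] == 0xC3;
}

/* True if the instruction ending at ret_va is a call. Only the two commonest encodings
 * are recognised here: E8 rel32 (5 bytes) and the 2-byte FF /2 register form; a real
 * checker would decode the remaining FF /2 addressing forms as well. */
bool is_call_preceded(uint32_t ret_va) {
    if (!in_module(ret_va)) return false;
    uint32_t off = ret_va - MOD_BASE;
    if (off >= 5 && g_code[off - 5] == 0xE8) return true;
    if (off >= 2 && g_code[off - 2] == 0xFF && ((g_code[off - 1] >> 3) & 7) == 2) return true;
    return false;
}

enum verdict classify_return_address(uint32_t ret_va) {
    if (!in_module(ret_va))        return V_OUTSIDE_MODULE;
    if (is_pop_ebp_retn(ret_va))   return V_GADGET;
    if (!is_call_preceded(ret_va)) return V_NOT_CALL_PRECEDED;
    return V_OK;
}

/* Walk a simulated EBP chain. The stack is an array of 32-bit slots; the frame at index
 * ebp holds the saved EBP (index of the caller's frame, 0 = end of chain) in stack[ebp]
 * and the return address in stack[ebp + 1], mirroring the x86 frame layout described in
 * the background section. At most max_depth frames are examined; per-frame verdicts go
 * to out[]. Returns the number of frames whose return address was flagged. */
size_t walk_and_check(const uint32_t *stack, size_t slots, uint32_t ebp,
                      size_t max_depth, enum verdict *out, size_t *frames_seen) {
    size_t flagged = 0, depth = 0;
    while (ebp != 0 && depth < max_depth && (size_t)ebp + 1 < slots) {
        enum verdict v = classify_return_address(stack[ebp + 1]);
        out[depth++] = v;
        if (v != V_OK) flagged++;
        ebp = stack[ebp];
    }
    *frames_seen = depth;
    return flagged;
}

/* Build a chain of n two-slot frames starting at slot 2, every frame returning to ret_va,
 * and return the flagged-frame count for a walker limited to max_depth frames. */
size_t flagged_frames_for(uint32_t ret_va, size_t n, size_t max_depth) {
    uint32_t stack[32] = {0};
    enum verdict out[16];
    size_t seen;
    if (max_depth > 16) max_depth = 16;                    /* out[] capacity */
    for (size_t i = 0; i < n && i < 15; i++) {
        uint32_t frame = (uint32_t)(2 + 2 * i);
        stack[frame]     = (i + 1 < n) ? frame + 2 : 0;   /* saved EBP -> caller's frame */
        stack[frame + 1] = ret_va;                         /* return address              */
    }
    return walk_and_check(stack, 32, 2, max_depth, out, &seen);
}
```

A chain whose every return address is the epilogue pair is flagged at every level, regardless of how many levels the walker is configured to examine, which is why the depth-limited check in the background section is not enough on its own.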
Step two: construct a function that calls the system function CreateDeviceEx.
This function constructs the parameters of the system function CreateDeviceEx, then pushes the memory address found in step one onto the stack, and jumps to the system function CreateDeviceEx.
Its pseudocode is as follows:

    {
        construct the parameters needed by the system function CreateDeviceEx and push them onto the stack
        push the memory address found in step one onto the stack
        jump to the system function CreateDeviceEx
    }
For example, a naked assembly function nakedCallCreateDeviceEx can be constructed whose purpose is to construct the parameters of the system function CreateDeviceEx, push the memory address found in step one onto the stack, and jump to the system function CreateDeviceEx.
Step three: construct a recursive call that builds legitimate addresses on the stack and calls the function of step two.
This function recursively pushes the address obtained in step one onto the stack, and the exit of the recursion is a call to the function of step two. In this way many legitimate call addresses are constructed on the stack. The number of recursions depends on the number of levels the game's detection walks: if it walks n levels, it suffices to construct n+1 or more levels of legitimate call addresses.
The pseudocode, implemented in assembly code, is as follows:

    Initialize i = n
    void func(void)
    {
        push the memory address found in step one onto the stack
        decrement i by one
        if i >= 0
            jump to func()   (this realizes the recursive call)
        otherwise
            jump to the function of step two
    }
Another implementation is also possible, in which the specific implementation of the system is:

    Initialize i = 0;
    void func(void)
    {
        push onto the stack the address of any consecutive two-instruction sequence pop ebp, retn in the code segment of the process's d3d9.dll module;
        increment i by one;
        if i <= n
            jump to func();
        otherwise
            construct the parameters needed by the system function CreateDeviceEx and push them onto the stack, push the above address onto the stack once more, and jump to the system function CreateDeviceEx;
    }
For example, an assembly code function nakedCallCreateDeviceExPrev can be constructed that sets up a loop calling itself repeatedly, which produces a very long call chain; the exit of the loop is a call to the function mentioned in step two. Stack detection generally examines only 5 levels of calls, whereas the above method produces, through a loop, a call chain of arbitrary length in which every level's return address is a legitimate address.
As shown in Fig. 2, the invention also provides a system for constructing legitimate stack return values to bypass function call detection, comprising a recursion module and a recursion-exit module, wherein:
the recursion module constructs a recursive call that repeatedly pushes onto the stack the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module, where the number of pushes is greater than or equal to the number of stack levels the detection walks;
the recursion-exit module, after the recursion module has pushed the address repeatedly, constructs the parameters needed by the system function CreateDeviceEx and pushes them onto the stack, pushes the address once more, and jumps to the system function CreateDeviceEx.
It will be readily understood by those skilled in the art that the foregoing describes only preferred embodiments of the invention and is not intended to limit it; any modifications, equivalent substitutions and improvements made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
Claims (4)
1. A method for constructing legitimate stack return values to bypass function call detection, characterized by comprising: constructing a recursive call that repeatedly pushes onto the stack the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module, where the number of pushes is greater than or equal to the number of stack levels the detection walks; after the address has been pushed repeatedly, constructing the parameters needed by the system function CreateDeviceEx and pushing them onto the stack, pushing the address once more, and jumping to the system function CreateDeviceEx; the specific implementation steps being:
(1) finding the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module, wherein the hexadecimal encoding of the sequence pop ebp, retn is 0x5D, 0xC3, that is, the code segment of the d3d9.dll module is searched for an instruction whose consecutive byte values are 0x5D, 0xC3 and its address is taken; pop ebp pops the value on the stack into register EBP, and retn is the return instruction, which pops the return address from the stack;
(2) constructing a function that calls the system function CreateDeviceEx, the function constructing the parameters of the system function CreateDeviceEx, then pushing the memory address found in step (1) onto the stack, and jumping to the system function CreateDeviceEx;
(3) constructing a recursive call function, the recursive call function recursively pushing the address obtained in step (1) onto the stack, the exit of the recursion being a call to the function of step (2), wherein the function of step (2) is the function that calls the system function CreateDeviceEx.
2. The method for constructing legitimate stack return values to bypass function call detection according to claim 1, wherein the recursive call pushes the address onto the stack at least 5 times.
3. A system for constructing legitimate stack return values to bypass function call detection, characterized by comprising a first module, a second module and a third module;
the first module finds the address of any consecutive two-instruction assembly sequence pop ebp, retn in the code segment of the process's d3d9.dll module, wherein the hexadecimal encoding of the sequence pop ebp, retn is 0x5D, 0xC3, that is, the code segment of the d3d9.dll module is searched for an instruction whose consecutive byte values are 0x5D, 0xC3 and its address is taken; pop ebp pops the value on the stack into register EBP, and retn is the return instruction, which pops the return address from the stack;
the second module constructs a function that calls the system function CreateDeviceEx, the function constructing the parameters of the system function CreateDeviceEx, then pushing the memory address found by the first module onto the stack, and jumping to the system function CreateDeviceEx;
the third module constructs a recursive call function, the recursive call function recursively pushing the address obtained by the first module onto the stack, the exit of the recursion being a call to the function of the second module, wherein the function of the second module is the function that calls the system function CreateDeviceEx.
4. The system for constructing legitimate stack return values to bypass function call detection according to claim 3, wherein the recursive call pushes the address onto the stack at least 5 times.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610128818.0A CN105808256B (en) | 2016-03-08 | 2016-03-08 | Method and system for constructing legitimate stack return values to bypass function call detection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610128818.0A CN105808256B (en) | 2016-03-08 | 2016-03-08 | Method and system for constructing legitimate stack return values to bypass function call detection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105808256A CN105808256A (en) | 2016-07-27 |
CN105808256B true CN105808256B (en) | 2017-06-23 |
Family
ID=56466818
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610128818.0A Active CN105808256B (en) | 2016-03-08 | 2016-03-08 | Method and system for constructing legitimate stack return values to bypass function call detection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105808256B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106295325B (en) * | 2016-08-12 | 2020-02-07 | 武汉斗鱼网络科技有限公司 | Hook method and system for acquiring content of display card |
CN106295326B (en) * | 2016-08-12 | 2020-02-07 | 武汉斗鱼网络科技有限公司 | Inline hook method and system for acquiring content of display card |
CN107545182B (en) * | 2017-09-06 | 2019-11-15 | 武汉斗鱼网络科技有限公司 | Method and system for bypassing function call chain detection in an iOS application |
CN110245464B (en) * | 2018-10-10 | 2021-08-27 | 爱信诺征信有限公司 | Method and device for protecting file |
CN113010855B (en) * | 2019-12-18 | 2022-05-10 | 武汉斗鱼鱼乐网络科技有限公司 | Method, device and medium for acquiring data and computer equipment |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8984256B2 (en) * | 2006-02-03 | 2015-03-17 | Russell Fish | Thread optimized multiprocessor architecture |
CN101692206A (en) * | 2009-08-28 | 2010-04-07 | 腾讯科技(深圳)有限公司 | Method for adding dynamic parameters to static callback function and related realization |
CN102651060B (en) * | 2012-03-31 | 2015-05-06 | 北京奇虎科技有限公司 | Method and system for detecting vulnerability |
CN104298534B (en) * | 2014-10-23 | 2017-10-24 | 广州华多网络科技有限公司 | Programmed method and device based on Lua language |
Timeline
- 2016-03-08: CN application CN201610128818.0A, patent CN105808256B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN105808256A (en) | 2016-07-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |