CN105955762A - Method and device for injecting dynamic link library file and electronic equipment - Google Patents
Method and device for injecting dynamic link library file and electronic equipment Download PDFInfo
- Publication number
- CN105955762A CN105955762A CN201610244973.9A CN201610244973A CN105955762A CN 105955762 A CN105955762 A CN 105955762A CN 201610244973 A CN201610244973 A CN 201610244973A CN 105955762 A CN105955762 A CN 105955762A
- Authority
- CN
- China
- Prior art keywords
- dynamic link
- link library
- library file
- module
- universal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 193
- 230000008676 import Effects 0.000 claims abstract description 172
- 230000006870 function Effects 0.000 claims abstract description 158
- 230000008569 process Effects 0.000 claims abstract description 134
- 238000011068 loading method Methods 0.000 claims abstract description 89
- 238000012367 process mapping Methods 0.000 claims description 18
- 238000013507 mapping Methods 0.000 claims description 14
- 238000004458 analytical method Methods 0.000 claims description 7
- 230000004048 modification Effects 0.000 claims description 7
- 238000012986 modification Methods 0.000 claims description 7
- 238000004364 calculation method Methods 0.000 claims description 5
- 238000000605 extraction Methods 0.000 claims description 4
- 238000002347 injection Methods 0.000 abstract description 15
- 239000007924 injection Substances 0.000 abstract description 15
- 238000005516 engineering process Methods 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 8
- 238000012545 processing Methods 0.000 description 6
- 241000700605 Viruses Species 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 239000000243 solution Substances 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000010295 mobile communication Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000008439 repair process Effects 0.000 description 2
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000009545 invasion Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the invention discloses a method and a device for injecting a dynamic link library file and electronic equipment, relates to a file injection technology, and can improve the success rate of dynamic link library file injection. The method comprises the following steps: according to the received dynamic link library file loading request distribution process, calling a loading module to call back a function; analyzing a load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function; reading a general import table corresponding to the general import table address, and extracting dynamic link library files which are not stored in the general import table from dynamic link library files contained in the dynamic link library file loading request; writing the extracted dynamic link library file into the universal import table to generate an updated universal table, and writing the updated universal table into the memory space of the process; and loading the dynamic link library file in the updated general table in the memory space. The method is suitable for injecting the security dynamic link library file which is easy to intercept.
Description
Technical Field
The present invention relates to file injection technologies, and in particular, to a method and an apparatus for injecting a dynamic link library file, and an electronic device.
Background
With the continuous development of computer communication and internet technology, the applications of electronic devices are becoming more and more common, for example, smart mobile phones, personal digital assistants, palm computers, and notebook computers are becoming more and more widely used, and Application programs (APP) installed in electronic devices are becoming more and more, and in Windows operating systems, since a large number of Application programs are not a complete executable (PE) file, they can be divided into one or more relatively independent Dynamic Link Library (DLL) files, which may also be referred to as DLL modules, placed in a Windows operating system in the form of import tables and filled with addresses of export functions of the DLL files in the import tables, when executing one or more Application functions (loads) of an Application program, corresponding processes can enumerate each DLL in the import table by calling the import table, and calling a windows LoadLibrary function or a windows CreateRemoteThread function to finish the self-loading (injection) or remote injection of the DLL file.
However, as the application functions provided by the application programs are increasing, some malicious application programs can perform malicious interception or prevent loading of the application functions of the normal application programs of the user through viruses or trojans bound in the malicious application programs, so that inconvenience and potential hidden dangers are brought to an operating system or the user. For example, since the prior art completes the injection of the DLL file by calling a windows LoadLibrary function or a windows createremotetrathreadable function, when the application program injects a DLL file set by the malicious application program, such as a security DLL file, a file repair DLL file, a virus kill DLL file, etc., into the application program by a self-loading method (calling a windows LoadLibrary function) or a remote injection method (calling a windows createremotetrathreadable function), the application program is processed by a preset hooking function, and the DLL file of the application program cannot be injected by returning rejection, so that the application function of the application program to the DLL file is disabled. The electronic equipment is not only enabled to lose or close the function of defending the virus invasion, which causes the safety of the electronic equipment of the user to be reduced, brings potential safety hazard to the use of the electronic equipment, but also causes the material and wealth loss of the user. At present, an effective DLL file injection method does not exist, and the condition that the DLL file cannot be loaded due to interception of a malicious application program can be effectively avoided. Therefore, a method for injecting a DLL file is needed, which can take corresponding measures to ensure that loading of the DLL file of a normal application program is not intercepted by a malicious application program, so as to enhance the security of an operating system of an electronic device. The technical scheme of the method for injecting the DLL file is as follows:
disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for injecting a dynamic link library file, and an electronic device, which can ensure loading of a dynamic link library file of an application program, and improve a success rate of injecting a dynamic link library file, so as to solve the problem that an existing method for injecting a dynamic link library file is easily intercepted and cannot load a dynamic link library file.
In a first aspect, an embodiment of the present invention provides a method for injecting a dynamic link library file, including:
allocating a process according to a received dynamic link library file loading request, and calling a load module callback function recorded with the process;
analyzing the load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function;
reading a universal import table corresponding to the universal import table address, and extracting dynamic link library files which are not stored in the universal import table from dynamic link library files contained in the dynamic link library file loading request;
writing the extracted dynamic link library file into the universal import table to generate an updated universal table, and writing the updated universal table into the memory space of the process;
and loading the dynamic link library file in the updated general table in the memory space.
With reference to the first aspect, in a first implementation manner of the first aspect, the obtaining a generic import table address according to the second parameter and the third parameter includes:
acquiring a process handle in the parameter of the callback function of the loading module;
acquiring a process mapping address in the parameter of the callback function of the loading module;
extracting a mapping base address of the process in the process mapping address;
and acquiring a universal import table address according to the process handle and the mapping base address of the process.
With reference to the first aspect, in a second implementation manner of the first aspect, after the extracting a dynamic link library file that is not stored in the generic import table, before writing the extracted dynamic link library file into the generic import table, the method further includes:
recording the number of the extracted dynamic link library files;
calculating the product of the number of the extracted dynamic link library files and the storage space according to the storage space occupied by one node in the general import table to obtain a space to be applied;
and calling a memory allocation kernel function, and applying for the updated general table on the memory space of the process to obtain an updated general table space containing the space to be applied and the general import table space.
With reference to the second implementation manner of the first aspect, in a third implementation manner of the first aspect, the writing the extracted dynamic link library file into the general import table to generate an updated general table, where the writing into the memory space of the process includes:
in the space to be applied of the updated general table, sequentially filling data corresponding to the extracted dynamic link library file to a formal conversion program node with a structure described as image input;
and in the universal import table space of the updated universal table, sequentially filling data corresponding to the dynamic link library file in the universal import table to a shape-to-reality conversion program node with a structure described as image input to obtain the updated universal table.
With reference to the first aspect, in a fourth implementation manner of the first aspect, before the allocating a process according to the received dynamic link library file loading request, the method further includes:
and calling an image modification setting kernel function to register the load module callback function.
With reference to the first aspect and any one of the first to fourth implementation manners of the first aspect, in a fifth implementation manner of the first aspect, after the dynamic link library file in the updated general table is loaded in the memory space, the method further includes:
replacing the general import table with the updated general table and replacing the general import table address with the updated general table address;
and when the process exits the operation, calling a preset process to create an exit callback function, calling the general import table to replace the updated general table, and replacing the updated general table address with the general import table address.
With reference to the fifth implementation manner of the first aspect, in a sixth implementation manner of the first aspect, the creating process is called to notify the setting kernel function to inject the process to create the exit callback function.
In a second aspect, an embodiment of the present invention provides an apparatus for injecting a dynamic link library file, including: a callback function calling module, a parameter analyzing module, a file extracting module, an updating module and a file loading module, wherein,
the call-back function calling module is used for allocating a process according to the received dynamic link library file loading request and calling the load module call-back function recorded with the process;
the parameter analysis module is used for analyzing the load module callback function and acquiring a universal import table address according to the parameter of the load module callback function;
the file extraction module is used for reading a universal import table corresponding to the universal import table address and extracting dynamic link library files which are not stored in the universal import table from the dynamic link library files contained in the dynamic link library file loading request;
the updating module is used for writing the extracted dynamic link library file into the universal import table, generating an updated universal table and writing the updated universal table into the memory space of the process;
and the file loading module is used for loading the dynamic link library file in the updated general table in the memory space.
With reference to the second aspect, in a first implementation manner of the second aspect, the parameter parsing module includes: a function analysis unit, a process handle acquisition unit, a process mapping address acquisition unit, a base address extraction unit and an import table address acquisition unit, wherein,
the function analysis unit is used for analyzing the callback function of the loading module;
the process handle acquiring unit is used for acquiring the process handle in the parameter of the callback function of the loading module;
the process mapping address acquisition unit is used for acquiring a process mapping address in the parameters of the callback function of the loading module;
a base address extracting unit, configured to extract a mapping base address of the process from the process mapping address;
and the import table address acquisition unit is used for acquiring a universal import table address according to the process handle and the mapping base address of the process.
With reference to the second aspect, in a second implementation manner of the second aspect, the apparatus further includes: a recording module and a memory application module, wherein,
the recording module is used for recording the number of the extracted dynamic link library files;
the memory calculation module is used for calculating the product of the number of the extracted dynamic link library files and the storage space according to the storage space occupied by one node in the general import table to obtain a space to be applied;
and the memory application module is used for calling a memory allocation kernel function, and applying for the updated general table space containing the space to be applied and the general import table space in the memory space of the process.
With reference to the second implementation manner of the second aspect, in a third implementation manner of the second aspect, the update module includes: a first filling unit and a second filling unit, wherein,
a first filling unit, configured to sequentially fill data corresponding to the extracted dynamic link library file in the space to be applied of the updated common table to a thunk node having a structure described for image input;
and the second filling unit is used for sequentially filling data corresponding to the dynamic link library file in the universal import table into the universal import table space of the updated universal table to form-to-real conversion program nodes with the structure of image input description to obtain an updated universal table.
With reference to the second aspect, in a fourth embodiment of the second aspect, the apparatus further comprises:
and the registration module is used for calling the image modification setting kernel function to register the callback function of the loading module.
With reference to the second aspect or any one of the first to fourth embodiments of the second aspect, in a fifth embodiment of the second aspect, the apparatus further includes: a replacement module and an exit processing module, wherein,
a replacing module, configured to replace the general import table with the updated general table and replace the general import table address with the updated general table address;
and the exit processing module is used for calling a preset process to create an exit callback function when the process exits the operation, calling the general import table to replace the updated general table, and replacing the address of the updated general table by using the address of the general import table.
With reference to the fifth implementation manner of the second aspect, in a sixth implementation manner of the second aspect, the creating process notification setting kernel function is invoked to inject the process creating exit callback function.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, and is used for executing any one of the methods for injecting the dynamic link library file.
According to the method, the device and the electronic equipment for injecting the dynamic link library file, provided by the embodiment of the invention, the process is distributed according to the received dynamic link library file loading request, and the loading module callback function recorded with the process is called; analyzing the load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function; reading a universal import table corresponding to the universal import table address, and extracting dynamic link library files which are not stored in the universal import table from dynamic link library files contained in the dynamic link library file loading request; writing the extracted dynamic link library file into the universal import table to generate an updated universal table, and writing the updated universal table into the memory space of the process; and loading the dynamic link library file in the updated general table in the memory space. The dynamic link library file loading of the application program can be guaranteed, the injection success rate of the dynamic link library file is improved, and the problems that the existing method for injecting the dynamic link library file is easy to intercept and cannot load the dynamic link library file are solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart illustrating a method for injecting a dynamic link library file according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a structure of a generic import table;
FIG. 3 is a diagram illustrating an update import table structure;
FIG. 4 is a flowchart illustrating a second method for injecting a dynamic link library file according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for injecting a dynamic link library file according to a third embodiment of the present invention;
FIG. 6 is a flowchart illustrating a fourth method for injecting a dynamic link library file according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an apparatus for injecting a dynamic link library file according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
Fig. 1 is a schematic flow chart of a method for injecting a dynamic link library file according to an embodiment of the present invention, as shown in fig. 1, the method of this embodiment may include:
step 101, allocating a process according to a received dynamic link library file loading request, and calling a load module callback function recorded with the process;
in this embodiment, a new DLL file injection and loading method implemented in the windows kernel layer is provided to solve the problem that an application program hooks a windows LoadLibrary function and a windows createremotetrathreadfunction, aiming at the technical problem that DLL file injection is completed by calling the windows LoadLibrary function or the windows createremotetrathreadlike function to load a DLL file and is easily intercepted by some application programs.
In this embodiment, the operating system receives a dynamic link library file loading request, where the dynamic link library file loading request includes information of one or more DLLs to be loaded, and the operating system allocates a process according to the dynamic link library file loading request.
102, analyzing the load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function;
in this embodiment, in the callback function of the load module, the second parameter (second parameter) is used to record a process handle, the third parameter (third parameter) is used to record a process image address (ImageInfo), and the address of the generic import table is obtained according to the second parameter and the third parameter. Wherein,
the process map address is a structure address, stores a mapping base address (ImageBase) of the process, and obtains arbitrary data in the PE file format using the mapping base address (ImageBase) of the process and the process handle, for example, a general import table address (impotdescr). Information such as the name of the DLL file, an export function, and the number of DLL files is stored in the general import table corresponding to the general import table address (inportdesc) which is the top address to all DLL files in the general import table.
In this embodiment, the DLL file that the application program does not want to intercept or attack is stored in the general import table, so that even after the DLL file is injected and loaded by calling the windows LoadLibrary function or the windows createremotetrathreadread function, the application program can avoid the loading of the important DLL file from being intercepted by hooking the windows LoadLibrary function or the windows createremotetrathreadread function.
As an alternative embodiment, the obtaining the address of the generic import table according to the second parameter and the third parameter includes:
acquiring a process handle in a second parameter of the callback function of the loading module;
acquiring a process mapping address in a third parameter of the load module callback function;
extracting a mapping base address of the process in the process mapping address;
and acquiring a universal import table address according to the process handle and the mapping base address of the process.
103, reading a general import table corresponding to the general import table address, and extracting dynamic link library files which are not stored in the general import table from dynamic link library files contained in the dynamic link library file loading request;
in this embodiment, if the electronic device needs to run a specific DLL file in the application program, for example, a security protection DLL file, a file repair DLL file, a virus killing DLL file, or another DLL file that is vulnerable to the application program, the loading module callback function obtains a dynamic link library file that is not stored in the general import table by comparing the DLL file included in the dynamic link library file loading request with the dynamic link library file in the general import table by including the corresponding DLL file in the initiated dynamic link library file loading request.
In this embodiment, the universal import table includes one or more Thunk nodes, which are nodes of a DLL file, and each Thunk node corresponds to a DLL file.
FIG. 2 is a diagram illustrating a structure of a generic import table. Referring to fig. 2, a plurality of thunks are included, and are respectively marked as follows according to the sequence from the top to the bottom of the generic import table: thunk1, Thunk2, Thunk3, …, Thunkn.
In this embodiment, the size of a chunk node is an IMAGE _ IMPORT _ DESCRIPTOR structure size, and the size of the general IMPORT table in the memory space can be obtained by multiplying the number of chunk nodes included in the general IMPORT table by the size of the chunk node.
Step 104, writing the extracted dynamic link library file into the universal import table, generating an updated universal table, and writing the updated universal table into the memory space of the process;
in this embodiment, as an optional embodiment, writing the extracted dynamic link library file into the general import table to generate an updated general table, where writing into the memory space of the process includes:
a11, in the space to be applied for updating the general table, sequentially filling the data corresponding to the extracted dynamic link library file to Thunk with a structure of IMAGE input description (IMAGE _ IMPORT _ describe);
in this embodiment, the data corresponding to the dynamic link library file includes: the file name of the dynamic link library, the export function, the base address of the file of the dynamic link library and the like. And then filling data of each extracted dynamic link library file into the corresponding empty Thunk node.
A12, in the general IMPORT table space of the updated general table, sequentially filling the data corresponding to the dynamic link library file in the general IMPORT table to the Thunk with the structure of IMAGE _ IMPORT _ describe to obtain the updated general table.
Fig. 3 is a schematic diagram of an update import table structure. Referring to fig. 3, on the basis of fig. 2, Thunk corresponding to the extracted dynamic link library file, for example, MyDLLThunk, is also included.
And 105, loading the dynamic link library file in the updated general table in the memory space.
In the method for injecting a dynamic link library file according to the embodiment, a process is allocated according to a received dynamic link library file loading request, and a loading module callback function recorded with the process is called; analyzing the load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function; reading a universal import table corresponding to the universal import table address, and extracting dynamic link library files which are not stored in the universal import table from dynamic link library files contained in the dynamic link library file loading request; writing the extracted dynamic link library file into the universal import table to generate an updated universal table, and writing the updated universal table into the memory space of the process; and loading the dynamic link library file in the updated general table in the memory space. Therefore, the new dynamic link library injection method is provided, the loading of the DLL file is realized by using the callback function of the loading module in the kernel layer without calling the windows LoadLibrary function or the windows CreateRemoteThread function, the loading of the dynamic link library is favorably not intercepted by the preset application program, the loading of the DLL file of the normal application program is favorably ensured, the safety of the operating system is favorably maintained, the safety of the operating system of the electronic equipment is enhanced, and the technical problem of lower safety of the operating system of the existing electronic equipment can be solved.
Example two
Fig. 4 is a schematic flowchart of a method for injecting a dynamic link library file according to a second embodiment of the present invention, and as shown in fig. 4, the method according to this embodiment may include:
step 401, calling an image modification setting kernel function to register the load module callback function.
In this embodiment, as an optional embodiment, the kernel function set for image modification is a pssetloadimagenotifyroroutine kernel function.
In the embodiment, the call-back function of the loading module is called before the process loads the DLL file, the call-back function of the loading module is used for modifying the general import table of the process, and when the process is started, the information node of the newly added DLL file is written into the general import table, so that the injection and the loading of the specific DLL file are realized.
Step 402, allocating a process according to a received dynamic link library file loading request, and calling a load module callback function recorded with the process;
step 403, analyzing the load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function;
step 404, reading a general import table corresponding to the general import table address, and extracting a dynamic link library file not stored in the general import table from a dynamic link library file included in the dynamic link library file loading request;
step 405, writing the extracted dynamic link library file into the universal import table, generating an updated universal table, and writing the updated universal table into the memory space of the process;
step 406, loading the dynamic link library file in the updated general table in the memory space.
In this embodiment, the processes of step 402 to step 406 are similar to those of step 101 to step 105 of the first embodiment of the method described above, and are not described again here.
In this embodiment, a PsSetLoadImageNotifyRoutine kernel function is called to register the load module callback function, so that a registration process of the load module callback function is defined.
EXAMPLE III
Fig. 5 is a schematic flow chart of a method for injecting a dynamic link library file according to a third embodiment of the present invention, as shown in fig. 5, the method according to the present embodiment may include:
step 501, allocating a process according to a received dynamic link library file loading request, and calling a load module callback function recorded with the process;
step 502, analyzing the load module callback function, and acquiring a general import table address according to the parameters of the load module callback function;
step 503, reading the general import table corresponding to the general import table address, and extracting dynamic link library files not stored in the general import table from the dynamic link library files included in the dynamic link library file loading request;
in this embodiment, the processes of step 501 to step 503 are similar to those of step 101 to step 103 of the first embodiment of the method described above, and are not described again here.
Step 504, recording the number of the extracted dynamic link library files;
step 505, calculating the product of the number of the extracted dynamic link library files and the storage space according to the storage space occupied by a Thunk node in the general import table to obtain a space to be applied;
step 506, calling a memory allocation kernel function, and applying for the updated general table space including the space to be applied and the general import table space for the updated general table in the memory space of the process;
in this embodiment, the memory allocation kernel function is a ZwAllocateVirtualMemory kernel function, and the storage space occupied by each Thunk node is the size of an IMAGE _ IMPORT _ DESCRIPTOR structure. The original space occupied by the universal import table is added with the newly-added space to be applied, the size of the memory space required by the updated universal table after the extracted dynamic link library file is injected can be obtained, and the applied updated universal table space is the sum of the space to be applied and the universal import table space.
In this embodiment, as an optional embodiment, the extracted dynamic link library file is written into the top of the general import table, and an updated general table is generated. Of course, in practical applications, the extracted dynamic link library file may also be written into other positions of the general import table.
Step 507, writing the extracted dynamic link library file into the universal import table, generating an updated universal table, and writing the updated universal table into the memory space of the process;
and step 508, loading the dynamic link library file in the updated general table in the memory space.
In this embodiment, the processes of step 507 to step 508 are similar to those of step 104 to step 105 of the first embodiment of the method, and are not described again here.
In the embodiment, the number of the extracted dynamic link library files is recorded; calculating the product of the number of the extracted dynamic link library files and the storage space according to the storage space occupied by one node in the general import table to obtain a space to be applied; calling a ZwAllocateVirtualMemory kernel function, wherein the memory space of the process is used for updating the universal table application and containing the updated universal table space of the application space and the universal import table space, and the effect of updating the universal import table can be achieved.
Example four
Fig. 6 is a flowchart illustrating a fourth method for injecting a dynamic link library file according to an embodiment of the present invention, as shown in fig. 6, the method according to the embodiment may include:
601, allocating a process according to a received dynamic link library file loading request, and calling a load module callback function recorded with the process;
step 602, parsing the load module callback function, and acquiring a generic import table address according to the parameters of the load module callback function;
step 603, reading a general import table corresponding to the general import table address, and extracting dynamic link library files which are not stored in the general import table from dynamic link library files contained in the dynamic link library file loading request;
step 604, writing the extracted dynamic link library file into the universal import table, generating an updated universal table, and writing the updated universal table into the memory space of the process;
step 605, loading the dynamic link library file in the updated general table in the memory space;
in this embodiment, the processes of step 601 to step 605 are similar to those of step 101 to step 105 of the first embodiment of the method described above, and are not described again here
Step 606, replacing the general import table with the updated general table and replacing the general import table address with the updated general table address;
in this embodiment, the new ImportDesc for updating the import table is used to replace the old ImportDesc for the common import table, and the total number of the dynamic link library files is increased by 1, so that the injection of adding one MyDLL (dynamic link library file) can be realized.
And 607, when the process exits the operation, calling a preset process to create an exit callback function, calling the general import table to replace the updated general table, and replacing the updated general table address with the general import table address.
In this embodiment, since the dynamic link library file injection is implemented without an existing API function (windows load library function or windows createremotetethreadable function), and is implemented by autonomously loading a module callback function, the operating system does not know that one or more dynamic link library files (modules) are added to a process, and thus the application program is required to unload the dynamic link library file (module) by itself when the process exits.
In this embodiment, as an optional embodiment, the process creates an exit callback function as a CreateProcessCallback function.
In this embodiment, when a process is created or exited, a createprocess callback function is called to delete a newly added dynamic link library file in an update import table, and an ImportDesc address of an update general table is replaced by an ImportDesc address of a general import table, so that the total number of the dynamic link library files is reduced by 1, and thus the unloading of the dynamic link library files is realized.
As an alternative embodiment, the call creation process notifies the setup kernel function to inject the process creation exit callback function. As an optional embodiment, the creating process notification sets the kernel function to be a pssetcreateprocessnotifyroroutine kernel function.
In this embodiment, the general import table is replaced with the updated general table and the general import table address is replaced with the updated general table address; and when the process exits the operation, calling a preset process to create an exit callback function, calling the general import table to replace the updated general table, and replacing the updated general table address with the general import table address. The unloading effect of the dynamic link library file can be realized.
EXAMPLE five
Fig. 7 is a schematic structural diagram of a device for injecting a dynamic link library file according to a fifth embodiment of the present invention, and as shown in fig. 7, the device according to the present embodiment may include: a callback function calling module 71, a parameter parsing module 72, a file extracting module 73, an updating module 74, and a file loading module 75, wherein,
the callback function calling module 71 is used for allocating a process according to the received dynamic link library file loading request and calling a loading module callback function recorded with the process;
in this embodiment, the operating system receives a dynamic link library file loading request, where the dynamic link library file loading request includes information of one or more DLLs to be loaded, and the operating system allocates a process according to the dynamic link library file loading request.
A parameter analyzing module 72, configured to analyze the load module callback function, and obtain a generic import table address according to a parameter of the load module callback function;
in this embodiment, in the load module callback function, the second parameter is used to record a process handle, and the third parameter is used to record a process image address (ImageInfo). Wherein,
the process mapping address is a structure address, the ImageBase of the process is stored, and the ImportDesc can be obtained by using the ImageBase of the process and the process handle. Information such as the name of the DLL file, the export function, and the number of DLL files is stored in the general import table corresponding to inportdesc, which is the head address pointing to all DLL files in the general import table.
In this embodiment, as an optional embodiment, the parameter analyzing module 72 includes: a function parsing unit, a process handle obtaining unit, a process map address obtaining unit, a base address extracting unit, and an import table address obtaining unit (not shown in the figure), wherein,
the function analysis unit is used for analyzing the callback function of the loading module;
the process handle acquiring unit is used for acquiring the process handle in the parameter of the callback function of the loading module;
the process mapping address acquisition unit is used for acquiring a process mapping address in the parameters of the callback function of the loading module;
a base address extracting unit, configured to extract a mapping base address of the process from the process mapping address;
and the import table address acquisition unit is used for acquiring a universal import table address according to the process handle and the mapping base address of the process.
A file extracting module 73, configured to read a general import table corresponding to the address of the general import table, and extract a dynamic link library file that is not stored in the general import table from a dynamic link library file included in the dynamic link library file loading request;
in this embodiment, the load module callback function obtains a dynamic link library file not stored in the general import table by comparing the DLL file included in the dynamic link library file load request with the dynamic link library file in the general import table.
In this embodiment, the general import table includes one or more Thunk nodes, which are nodes of a DLL file, and each Thunk node corresponds to a DLL file.
An updating module 74, configured to write the extracted dynamic link library file into the general import table, generate an updated general table, and write the updated general table into the memory space of the process;
in this embodiment, as an optional embodiment, the updating module 74 includes: a first filling unit and a second filling unit (not shown), wherein,
a first filling unit, configured to sequentially fill data corresponding to the extracted dynamic link library file in the space to be applied of the updated common table to a thunk node having a structure described for image input;
and the second filling unit is used for sequentially filling data corresponding to the dynamic link library file in the universal import table into the universal import table space of the updated universal table to form-to-real conversion program nodes with the structure of image input description to obtain an updated universal table.
In this embodiment, the data corresponding to the dynamic link library file includes: the file name of the dynamic link library, the export function, the base address of the file of the dynamic link library and the like.
And a file loading module 75, configured to load the dynamic link library file in the updated general table in the memory space.
In this embodiment, as an optional embodiment, the apparatus further includes:
and a registering module 76, configured to call the image modification setting kernel function to register the loading module callback function.
In this embodiment, as an optional embodiment, the kernel function set for image modification is a pssetloadimagenotifyroroutine kernel function.
As another alternative embodiment, the apparatus further comprises: a recording module 77, a memory calculation module 78, and a memory application module 79, wherein,
a recording module 77, configured to record the number of extracted dynamic link library files;
the memory calculation module 78 is configured to calculate a product of the number of the extracted dynamic link library files and the storage space according to the storage space occupied by one node in the general import table, so as to obtain a space to be applied;
and the memory application module 79 is used for calling a memory allocation kernel function, and applying for the updated general table space containing the space to be applied and the general import table space in the memory space of the process.
In this embodiment, the memory allocation kernel function is a ZwAllocateVirtualMemory kernel function, the storage space occupied by each node is the size of an IMAGE _ IMPORT _ DESCRIPTOR structure, and the applied update general table space is the sum of the space to be applied and the general IMPORT table space.
As a further alternative, the apparatus further comprises: a replacement block 70 and an exit processing block 80, wherein,
a replacing module 70, configured to replace the general import table with the updated general table and replace the general import table address with the updated general table address;
and the exit processing module 80 is configured to, when the process exits from operation, call a preset process to create an exit callback function, call the general import table to replace the updated general table, and replace the updated general table address with the general import table address.
In this embodiment, as an optional embodiment, the creating process is called to notify the setting kernel function to inject the process creating exit callback function. The process creation notification sets the kernel function to be a PsSetCreateProcessNotifyRoute kernel function, and the process creation exit callback function is a CreateProcessCallback function.
The apparatus of this embodiment may be used to implement the technical solutions of the method embodiments shown in fig. 1 to fig. 6, and the implementation principles and technical effects are similar, which are not described herein again.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof.
In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
The embodiment of the invention also provides electronic equipment, and the electronic equipment comprises the device in any one of the embodiments.
Fig. 8 is a schematic structural diagram of an embodiment of an electronic device of the present invention, which can implement the processes of the embodiments shown in fig. 1 to 7 of the present invention, and as shown in fig. 8, the electronic device may include: a housing 81, a processor 82, a memory 83, a circuit board 84 and a power circuit 85, wherein the circuit board 84 is arranged inside a space enclosed by the housing 81, and the processor 82 and the memory 83 are arranged on the circuit board 84; a power supply circuit 85 for supplying power to each circuit or device of the electronic apparatus; the memory 83 is used for storing executable program codes; the processor 82 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 83, and is configured to perform the method for injecting a dynamic link library file according to any of the foregoing embodiments.
For the specific execution process of the above steps by the processor 82 and the steps further executed by the processor 82 by running the executable program code, reference may be made to the description of the embodiments shown in fig. 1 to 6 of the present invention, which is not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) a mobile communication device: such devices are characterized by mobile communications capabilities and are primarily targeted at providing voice, data communications. Such terminals include: smart phones (e.g., iphones), multimedia phones, functional phones, and low-end phones, among others.
(2) Ultra mobile personal computer device: the equipment belongs to the category of personal computers, has calculation and processing functions and generally has the characteristic of mobile internet access. Such terminals include: PDA, MID, and UMPC devices, etc., such as ipads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device comprises: audio, video players (e.g., ipods), handheld game consoles, electronic books, and smart toys and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic equipment with data interaction function.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
The above description of the embodiments will make clear to those skilled in the art that the present invention can be implemented
The invention can be implemented by means of software plus a necessary general-purpose hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A method of injecting a dynamically linked library file, comprising:
allocating a process according to a received dynamic link library file loading request, and calling a load module callback function recorded with the process;
analyzing the load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function;
reading a universal import table corresponding to the universal import table address, and extracting dynamic link library files which are not stored in the universal import table from dynamic link library files contained in the dynamic link library file loading request;
writing the extracted dynamic link library file into the universal import table to generate an updated universal table, and writing the updated universal table into the memory space of the process;
and loading the dynamic link library file in the updated general table in the memory space.
2. The method of claim 1, wherein the obtaining a generic import table address according to the parameters of the load module callback function comprises:
acquiring a process handle in the parameter of the callback function of the loading module;
acquiring a process mapping address in the parameter of the callback function of the loading module;
extracting a mapping base address of the process in the process mapping address;
and acquiring a universal import table address according to the process handle and the mapping base address of the process.
3. The method of injecting a dynamic link library file as claimed in claim 1, wherein after said extracting a dynamic link library file not stored in said generic import table, said method further comprises, before writing the extracted dynamic link library file into said generic import table:
recording the number of the extracted dynamic link library files;
calculating the product of the number of the extracted dynamic link library files and the storage space according to the storage space occupied by one node in the general import table to obtain a space to be applied;
and calling a memory allocation kernel function, and applying for the updated general table on the memory space of the process to obtain an updated general table space containing the space to be applied and the general import table space.
4. The method according to claim 3, wherein writing the extracted dynamic link library file into the generic import table to generate an updated generic table, and writing the updated generic table into the memory space of the process comprises:
in the space to be applied of the updated general table, sequentially filling data corresponding to the extracted dynamic link library file to a formal conversion program node with a structure described as image input;
and in the universal import table space of the updated universal table, sequentially filling data corresponding to the dynamic link library file in the universal import table to a shape-to-reality conversion program node with a structure described as image input to obtain the updated universal table.
5. The method of injecting a dynamic link library file as claimed in claim 1, wherein before said allocating a process upon a received dynamic link library file loading request, said method further comprises:
and calling an image modification setting kernel function to register the load module callback function.
6. The method for injecting a dynamic link library file according to any one of claims 1 to 5, wherein after loading the dynamic link library file in the updated general table in the memory space, the method further comprises:
replacing the general import table with the updated general table and replacing the general import table address with the updated general table address;
and when the process exits the operation, calling a preset process to create an exit callback function, calling the general import table to replace the updated general table, and replacing the updated general table address with the general import table address.
7. The method of injecting a dynamic link library file of claim 6, wherein the call creation process notifies the setup kernel function to inject the process creation exit callback function.
8. An apparatus for injecting a dynamically linked library file, comprising: a callback function calling module, a parameter analyzing module, a file extracting module, an updating module and a file loading module, wherein,
the call-back function calling module is used for allocating a process according to the received dynamic link library file loading request and calling the load module call-back function recorded with the process;
the parameter analysis module is used for analyzing the load module callback function and acquiring a universal import table address according to the parameter of the load module callback function;
the file extraction module is used for reading a universal import table corresponding to the universal import table address and extracting dynamic link library files which are not stored in the universal import table from the dynamic link library files contained in the dynamic link library file loading request;
the updating module is used for writing the extracted dynamic link library file into the universal import table, generating an updated universal table and writing the updated universal table into the memory space of the process;
and the file loading module is used for loading the dynamic link library file in the updated general table in the memory space.
9. The apparatus for injecting a dynamically linked library file as claimed in claim 8, wherein said parameter parsing module comprises: a function analysis unit, a process handle acquisition unit, a process mapping address acquisition unit, a base address extraction unit and an import table address acquisition unit, wherein,
the function analysis unit is used for analyzing the callback function of the loading module;
the process handle acquiring unit is used for acquiring the process handle in the parameter of the callback function of the loading module;
the process mapping address acquisition unit is used for acquiring a process mapping address in the parameters of the callback function of the loading module;
a base address extracting unit, configured to extract a mapping base address of the process from the process mapping address;
and the import table address acquisition unit is used for acquiring a universal import table address according to the process handle and the mapping base address of the process.
10. An apparatus for injecting a dynamically linked library file as defined in claim 8, wherein the apparatus further comprises: a recording module and a memory application module, wherein,
the recording module is used for recording the number of the extracted dynamic link library files;
the memory calculation module is used for calculating the product of the number of the extracted dynamic link library files and the storage space according to the storage space occupied by one node in the general import table to obtain a space to be applied;
and the memory application module is used for calling a memory allocation kernel function, and applying for the updated general table space containing the space to be applied and the general import table space in the memory space of the process.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610244973.9A CN105955762A (en) | 2016-04-19 | 2016-04-19 | Method and device for injecting dynamic link library file and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610244973.9A CN105955762A (en) | 2016-04-19 | 2016-04-19 | Method and device for injecting dynamic link library file and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105955762A true CN105955762A (en) | 2016-09-21 |
Family
ID=56918071
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610244973.9A Pending CN105955762A (en) | 2016-04-19 | 2016-04-19 | Method and device for injecting dynamic link library file and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105955762A (en) |
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106557424A (en) * | 2016-11-18 | 2017-04-05 | 腾讯科技(深圳)有限公司 | Internal storage testing method, measured terminal, test client and system |
| CN106682494A (en) * | 2016-11-16 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Information access method, device and equipment |
| CN107688747A (en) * | 2017-09-01 | 2018-02-13 | 武汉倚天剑科技有限公司 | A kind of configurable and integrated Hook system and method under Windows environment |
| CN108279905A (en) * | 2018-01-04 | 2018-07-13 | 武汉斗鱼网络科技有限公司 | The method and device of library file is introduced in a kind of component |
| CN108491237A (en) * | 2018-03-29 | 2018-09-04 | 山东华软金盾软件股份有限公司 | A kind of hidden Dll file method for implanting |
| CN109471671A (en) * | 2017-09-06 | 2019-03-15 | 武汉斗鱼网络科技有限公司 | A kind of program cold start-up method and system |
| CN109597662A (en) * | 2018-11-08 | 2019-04-09 | 百度在线网络技术(北京)有限公司 | The call method, device and electronic equipment in non-public library in mobile terminal |
| CN109710671A (en) * | 2018-12-14 | 2019-05-03 | 国云科技股份有限公司 | Realize the method and its database firewall system of the drainage of database manipulation data |
| CN109766141A (en) * | 2018-12-26 | 2019-05-17 | 北京思源互联科技有限公司 | A kind of data dynamic updating method and its device based on dynamic link library |
| CN110275722A (en) * | 2019-06-21 | 2019-09-24 | 北京百度网讯科技有限公司 | Method, apparatus, equipment and storage medium for upgrade application |
| CN110417931A (en) * | 2019-07-05 | 2019-11-05 | 腾讯科技(深圳)有限公司 | Domain name mapping records acquisition methods, device, computer equipment and storage medium |
| CN110928547A (en) * | 2019-10-16 | 2020-03-27 | 平安普惠企业管理有限公司 | Public file extraction method, device, terminal and storage medium |
| CN111078323A (en) * | 2019-10-12 | 2020-04-28 | 平安科技(深圳)有限公司 | Coroutine-based data processing method and device, computer equipment and storage medium |
| CN111104178A (en) * | 2018-10-26 | 2020-05-05 | 武汉斗鱼网络科技有限公司 | Dynamic library loading method, terminal device and storage medium |
| CN112948024A (en) * | 2021-04-15 | 2021-06-11 | 网易(杭州)网络有限公司 | Loading method and device of dynamic link library, storage medium and electronic equipment |
| CN114070820A (en) * | 2021-11-11 | 2022-02-18 | 南京指掌易信息科技有限公司 | Domain name redirection method, device, medium and electronic equipment |
| CN114610405A (en) * | 2022-03-03 | 2022-06-10 | 深圳盛显科技有限公司 | Multi-application screen capture and network code output method, device, medium and product |
| CN116662270A (en) * | 2022-09-09 | 2023-08-29 | 荣耀终端有限公司 | File analysis method and related device |
| CN117763538A (en) * | 2023-12-22 | 2024-03-26 | 摩尔线程智能科技(北京)有限责任公司 | Injection method, device and computer readable medium for dynamic link library |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103218428A (en) * | 2013-04-09 | 2013-07-24 | 深圳市九洲电器有限公司 | Dynamic link method and system |
| CN103530118A (en) * | 2013-09-30 | 2014-01-22 | 广州华多网络科技有限公司 | Method and device for loading user-defined DLL into target progress |
| CN104679561A (en) * | 2015-02-15 | 2015-06-03 | 福建天晴数码有限公司 | Dynamic link library file loading method and dynamic link library file loading system |
-
2016
- 2016-04-19 CN CN201610244973.9A patent/CN105955762A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103218428A (en) * | 2013-04-09 | 2013-07-24 | 深圳市九洲电器有限公司 | Dynamic link method and system |
| CN103530118A (en) * | 2013-09-30 | 2014-01-22 | 广州华多网络科技有限公司 | Method and device for loading user-defined DLL into target progress |
| CN104679561A (en) * | 2015-02-15 | 2015-06-03 | 福建天晴数码有限公司 | Dynamic link library file loading method and dynamic link library file loading system |
Non-Patent Citations (1)
| Title |
|---|
| COSMOSLIFE: ""驱动中给进程注入DLL,模拟GlobaHook,不完整,某些情况下报错"", 《HTTPS://BLOG.CSDN.NET/COSMOSLIFE/ARTICLE/DETAILS/50560658》 * |
Cited By (28)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106682494A (en) * | 2016-11-16 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Information access method, device and equipment |
| CN106557424B (en) * | 2016-11-18 | 2019-12-10 | 腾讯科技(深圳)有限公司 | Memory test method, tested terminal, test client and system |
| CN106557424A (en) * | 2016-11-18 | 2017-04-05 | 腾讯科技(深圳)有限公司 | Internal storage testing method, measured terminal, test client and system |
| CN107688747A (en) * | 2017-09-01 | 2018-02-13 | 武汉倚天剑科技有限公司 | A kind of configurable and integrated Hook system and method under Windows environment |
| CN109471671A (en) * | 2017-09-06 | 2019-03-15 | 武汉斗鱼网络科技有限公司 | A kind of program cold start-up method and system |
| CN108279905A (en) * | 2018-01-04 | 2018-07-13 | 武汉斗鱼网络科技有限公司 | The method and device of library file is introduced in a kind of component |
| CN108491237A (en) * | 2018-03-29 | 2018-09-04 | 山东华软金盾软件股份有限公司 | A kind of hidden Dll file method for implanting |
| CN108491237B (en) * | 2018-03-29 | 2020-11-27 | 山东华软金盾软件股份有限公司 | Hidden Dll file injection method |
| CN111104178A (en) * | 2018-10-26 | 2020-05-05 | 武汉斗鱼网络科技有限公司 | Dynamic library loading method, terminal device and storage medium |
| CN109597662A (en) * | 2018-11-08 | 2019-04-09 | 百度在线网络技术(北京)有限公司 | The call method, device and electronic equipment in non-public library in mobile terminal |
| CN109597662B (en) * | 2018-11-08 | 2021-07-27 | 百度在线网络技术(北京)有限公司 | Method and device for calling non-public library in mobile terminal and electronic equipment |
| CN109710671A (en) * | 2018-12-14 | 2019-05-03 | 国云科技股份有限公司 | Realize the method and its database firewall system of the drainage of database manipulation data |
| CN109766141A (en) * | 2018-12-26 | 2019-05-17 | 北京思源互联科技有限公司 | A kind of data dynamic updating method and its device based on dynamic link library |
| CN110275722A (en) * | 2019-06-21 | 2019-09-24 | 北京百度网讯科技有限公司 | Method, apparatus, equipment and storage medium for upgrade application |
| CN110275722B (en) * | 2019-06-21 | 2023-08-08 | 北京百度网讯科技有限公司 | Method, apparatus, device and storage medium for upgrading application |
| CN110417931A (en) * | 2019-07-05 | 2019-11-05 | 腾讯科技(深圳)有限公司 | Domain name mapping records acquisition methods, device, computer equipment and storage medium |
| CN110417931B (en) * | 2019-07-05 | 2022-05-17 | 腾讯科技(深圳)有限公司 | Domain name resolution record acquisition method and device, computer equipment and storage medium |
| CN111078323A (en) * | 2019-10-12 | 2020-04-28 | 平安科技(深圳)有限公司 | Coroutine-based data processing method and device, computer equipment and storage medium |
| CN110928547A (en) * | 2019-10-16 | 2020-03-27 | 平安普惠企业管理有限公司 | Public file extraction method, device, terminal and storage medium |
| CN112948024A (en) * | 2021-04-15 | 2021-06-11 | 网易(杭州)网络有限公司 | Loading method and device of dynamic link library, storage medium and electronic equipment |
| CN114070820B (en) * | 2021-11-11 | 2023-09-01 | 南京指掌易信息科技有限公司 | Domain name redirection method, device, medium and electronic equipment |
| CN114070820A (en) * | 2021-11-11 | 2022-02-18 | 南京指掌易信息科技有限公司 | Domain name redirection method, device, medium and electronic equipment |
| CN114610405A (en) * | 2022-03-03 | 2022-06-10 | 深圳盛显科技有限公司 | Multi-application screen capture and network code output method, device, medium and product |
| CN114610405B (en) * | 2022-03-03 | 2024-03-29 | 深圳盛显科技有限公司 | Multi-application screen capturing and network code output method, equipment, medium and product |
| CN116662270A (en) * | 2022-09-09 | 2023-08-29 | 荣耀终端有限公司 | File analysis method and related device |
| CN116662270B (en) * | 2022-09-09 | 2024-05-10 | 荣耀终端有限公司 | File analysis method and related device |
| CN117763538A (en) * | 2023-12-22 | 2024-03-26 | 摩尔线程智能科技(北京)有限责任公司 | Injection method, device and computer readable medium for dynamic link library |
| CN117763538B (en) * | 2023-12-22 | 2024-09-27 | 摩尔线程智能科技(北京)有限责任公司 | Injection method, device and computer readable medium for dynamic link library |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105955762A (en) | Method and device for injecting dynamic link library file and electronic equipment | |
| US9652617B1 (en) | Analyzing security of applications | |
| CN109726067B (en) | Process monitoring method and client device | |
| CN107797820B (en) | Method and device for generating patch | |
| CN103970563B (en) | The method of dynamic load Android class | |
| CN108614976A (en) | Authority configuring method, device and storage medium | |
| CN106250244B (en) | Method and device for releasing mutual exclusion lock and electronic equipment | |
| CN105893847B (en) | A kind of method, apparatus and electronic equipment for protecting security protection application file | |
| US20190095181A1 (en) | Easy-To-Use Type Of Compile-Time Dependency Injection Method And Device In The Java Platform | |
| US10102154B2 (en) | Protected memory area | |
| CN109960597B (en) | Dynamic registration method and related device of application layer interface | |
| CN106203092B (en) | Method and device for intercepting shutdown of malicious program and electronic equipment | |
| CN104731622B (en) | The loading method of a kind of application program, device and mobile terminal | |
| CN111767056B (en) | Source code compiling method, executable file running method and terminal equipment | |
| CN111475162A (en) | Page generation method, device, server and storage medium | |
| CN106127031A (en) | Method and device for protecting process and electronic equipment | |
| CN106940714A (en) | A kind of data processing method, device and electronic equipment | |
| CN104268472A (en) | Method and device for restoring address of function modified by third party dynamic link library | |
| CN110652728A (en) | Game resource management method and device, electronic equipment and storage medium | |
| CN103514004A (en) | Method and device for managing system environment under Windows system | |
| CN106682494B (en) | Information access method, device and equipment | |
| CN106708556B (en) | Data display method and device | |
| CN105956475A (en) | DLL file interception processing method and device and electronic equipment | |
| CN113835748B (en) | Packaging method, system and readable medium for application program based on HTML5 | |
| CN108875372B (en) | Code detection method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20190104 Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160921 |
|
| RJ01 | Rejection of invention patent application after publication |