CN111666586A - Shared library file simulation method and device, computer equipment and storage medium - Google Patents
Shared library file simulation method and device, computer equipment and storage medium
Publication number: CN111666586A (application CN202010367839.4A)
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
CPC classifications: G06F21/6218 (protecting access to a system of files or objects via a platform, e.g. using keys or access control rules); G06F21/74 (protecting specific internal or peripheral components to assure secure computing, operating in dual or compartmented mode, i.e. at least one secure mode)
Abstract
The invention discloses a shared library file simulation method and device, computer equipment and a storage medium. The method includes: mapping the shared library file to be simulated into the virtual memory of a simulated execution framework; isolating that virtual memory from system memory; mapping accesses to virtual files onto system files; modifying the function address of the function to be intercepted; registering preset function variable names and preset function names so that the Hook function in the simulated execution framework can return the function to be intercepted according to those names; returning the function to be intercepted in the shared library file through the Hook function and outputting the value it returns through the simulated execution framework, so as to analyze the shared library file. The technical scheme of the invention can dynamically simulate and analyze shared library files, reducing the difficulty of analyzing them.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a shared library file simulation method and device, computer equipment and a storage medium.
Background
With the development of mobile platforms, the vast majority of commercial Android apps are now processed with hardening (reinforcement) techniques to varying degrees before being released to application markets.
Because Java-layer code is easily restored to full source, most vendors write their key algorithms in C/C++ and ship them in shared library files. Mobile security vendors such as Bangcle, ijiami, Tencent Legu and 360 respond to this by not only packing the shared library file but also applying OLLVM obfuscation to harden it further.
However, obfuscation inserts a large number of bogus blocks into the application: the program logic becomes extremely complex, and the disassembly and control-flow graph become very hard to understand. Hardening is just as easily adopted by malicious applications, which hinders the analysis of such applications.
Summary of the invention
Embodiments of the present invention provide a shared library file simulation method and device, computer equipment and a storage medium, so as to solve the problem that shared library files are difficult to analyze.
A shared library file simulation method includes:
mapping, through a simulated execution framework, the shared library file to be simulated into the virtual memory of the simulated execution framework;
isolating the virtual memory from system memory through the virtual memory mechanism of the simulated execution framework;
mapping accesses to virtual files onto system files through the virtual file system of the simulated execution framework;
modifying the function address of the function to be intercepted according to a preset function address, where the function to be intercepted is a function in a shared-library-format file;
registering a preset function variable name and a preset function name, so that the Hook function in the simulated execution framework can return the function to be intercepted according to the preset function variable name and the preset function name;
obtaining the dependencies of the shared library file to be simulated through the objdump command, returning the function to be intercepted in the shared library file through the Hook function, and outputting the value returned by the function to be intercepted through the simulated execution framework, so as to analyze the shared library file to be simulated.
A shared library file simulation device includes:
a file mapping module, configured to map, through a simulated execution framework, the shared library file to be simulated into the virtual memory of the simulated execution framework;
a memory isolation module, configured to isolate the virtual memory from system memory through the virtual memory mechanism of the simulated execution framework;
an access mapping module, configured to map accesses to virtual files onto system files through the virtual file system of the simulated execution framework;
an address modification module, configured to modify the function address of the function to be intercepted according to a preset function address, where the function to be intercepted is a function in a shared-library-format file;
a function registration module, configured to register a preset function variable name and a preset function name, so that the Hook function in the simulated execution framework can return the function to be intercepted according to the preset function variable name and the preset function name;
a data output module, configured to obtain the dependencies of the shared library file to be simulated through the objdump command, return the function to be intercepted in the shared library file through the Hook function, and output the value returned by the function to be intercepted through the simulated execution framework, so as to analyze the shared library file to be simulated.
A computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the steps of the above shared library file simulation method are implemented.
A computer-readable storage medium stores a computer program; when the computer program is executed by a processor, the steps of the above shared library file simulation method are implemented.
In the above shared library file simulation method and device, computer equipment and storage medium, the shared library file to be simulated is mapped into the virtual memory of the simulated execution framework; the virtual memory is isolated from system memory through the framework's virtual memory mechanism; accesses to virtual files are mapped onto system files through the framework's virtual file system; the function address of the function to be intercepted is modified according to a preset function address; a preset function variable name and a preset function name are registered so that the Hook function in the framework can return the function to be intercepted according to them; the dependencies of the shared library file are obtained through a preset command, the function to be intercepted is returned through the Hook function, and the returned value is output through the simulated execution framework, so as to analyze the shared library file. This makes it possible to simulate and analyze shared library files dynamically, reducing the difficulty of analyzing them.
Description of drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application environment of the shared library file simulation method in an embodiment of the invention;
FIG. 2 is a flowchart of the shared library file simulation method in an embodiment of the invention;
FIG. 3 is a flowchart of the shared library file simulation method in an embodiment of the invention;
FIG. 4 is a flowchart of step S10 of the shared library file simulation method in an embodiment of the invention;
FIG. 5 is a flowchart of step S30 of the shared library file simulation method in an embodiment of the invention;
FIG. 6 is a flowchart of step S40 of the shared library file simulation method in an embodiment of the invention;
FIG. 7 is a schematic diagram of the shared library file simulation device in an embodiment of the invention;
FIG. 8 is a schematic diagram of the computer device in an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the invention.
The shared library file simulation method provided by this application can be applied in the application environment shown in FIG. 1, which includes a server and a client connected through a network; the network may be wired or wireless. The client includes, but is not limited to, personal computers, notebook computers, smartphones, tablets and portable wearable devices; the server may be implemented as a standalone server or as a server cluster composed of multiple servers. The server maps the shared library file to be simulated into the virtual memory of the simulated execution framework; isolates the virtual memory from system memory through the framework's virtual memory mechanism; maps accesses to virtual files onto system files through the framework's virtual file system; modifies the function address of the function to be intercepted according to a preset function address; registers a preset function variable name and a preset function name so that the Hook function in the framework can return the function to be intercepted according to them; obtains the dependencies of the shared library file through a preset command, returns the function to be intercepted through the Hook function, and outputs the returned value through the simulated execution framework, so as to analyze the shared library file. This makes it possible to simulate and analyze shared library files dynamically, reducing the difficulty of analyzing them.
In one embodiment, as shown in FIG. 2, a shared library file simulation method is provided. Taking its application to the server in FIG. 1 as an example, the method includes steps S10 to S60, described in detail as follows:
S10: Through the simulated execution framework, map the shared library file to be simulated into the virtual memory of the simulated execution framework.
Here, a shared library file is an ELF file. The simulated execution framework is Unicorn, a cross-platform emulation framework that can execute native programs for the ARM, ARM64, M68K, MIPS, SPARC, x86 and other instruction sets on any host platform. The ELF file to be simulated is the object that the simulated execution framework emulates. The ELF format is used for executables, object code, shared libraries and core dump files.
Through the simulated execution framework, the ELF file to be simulated is mapped into the framework's virtual memory. Specifically, mapping the ELF file includes parsing it, relocating it and resolving its symbols. Parsing the ELF file means converting it, through the pyelftools library, into a .so file in binary shared-library format; pyelftools is a Python library for parsing and analyzing the ELF file to be simulated. Relocating the ELF file means making the link address and the run address agree before the simulated execution framework executes the file, where the link address is the address assigned to a function when the code in the ELF file was linked, and the run address is the address at which the ELF file is loaded into memory. Symbol resolution of the ELF file means resolving the initialization functions and variables in the file. Specifically, when the ELF file is mapped, it is automatically parsed and relocated through the pyelftools library.
It should be noted that for symbol resolution, the ELF file to be simulated is parsed through the pyelftools library to obtain the base address of its initialization array and the structure pointer address, and the address of the initialization array is determined from these two. Note also that when the ELF file is emulated, the functions in the initialization array need to be called, and when the content of the initialization array is detected to be 0, the initialization array address is relocated.
S20: Isolate the virtual memory from system memory through the virtual memory mechanism of the simulated execution framework.
Here, the virtual memory mechanism is the mechanism by which system memory is mapped through the APIs of the simulated execution framework; these APIs include uc_mem_map, uc_mem_read and uc_mem_write. The virtual memory is isolated from system memory through this mechanism. Specifically, system memory is mapped into the virtual memory of the simulated execution framework through the framework's API. It should be noted that before system memory is mapped with uc_mem_map, the base address of system memory is obtained, the base address of the virtual memory is changed to match it, and the size of the memory block in virtual memory is changed to an integer multiple of the system memory base address. Through the address alignment function of the simulated execution framework, the base address of the virtual memory is aligned with the base address of system memory and the size of the memory block in virtual memory is calculated, yielding the virtual aligned address and the virtual memory size, which are returned to the simulated execution framework.
S30: Map accesses to virtual files onto system files through the virtual file system of the simulated execution framework.
Here, the virtual file system is a system that simulates system files, and the system files are the file system created by the user. Mapping accesses to virtual files onto system files means that the system files can be accessed by accessing the virtual files in the simulated execution framework. Specifically, the system files are mapped through the virtual system file interface of the virtual file system, and the preset interface-calling functions are intercepted or controlled through the Hook function of the simulated execution framework: when a preset interface-calling function on a virtual file of the virtual file system is detected, the Hook function intercepts it so that the function reads the file from the system files instead. The Hook function of the simulated execution framework is a preset function capable of calling back or intercepting functions; preferably it is the syscall_handler.set_handler function. The preset interface-calling functions are user-defined functions that access system files through an interface; they include, but are not limited to, read, open, close, writev, fstat64, openat and fstatat64.
It should be noted that when a virtual file is accessed, the system file information is obtained first; it includes the directory hierarchy of the files in system memory and the data corresponding to each directory level. According to the directory hierarchy, the corresponding data is stored in a preset virtual file directory, i.e. a user-created file directory for storing system file information. Further, the preset interface-calling function is parsed by the Hook function of the simulated execution framework and its call path is changed to the preset virtual file directory, so that the system file information is obtained from that directory and accesses to virtual files are mapped onto system memory.
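As an added example (not the patent's code), here is a minimal virtual file system of the kind S30 describes: guest paths are redirected into a host "virtual file directory", a syscall hook dispatches open/openat/read/fstat64/close to it, and any path that would escape that directory is refused. The syscall numbers (ARM EABI) and the handler return conventions are assumptions of this example; the vfs root and its one library file are constructed in a temporary directory so the code runs offline.

```python
# Added example, not the patent's code: a read-only virtual file system that
# serves a sandboxed emulator's file syscalls from a host directory.
import os
import tempfile
from typing import Dict, Optional, Tuple

# ARM EABI syscall numbers (assumed for illustration; the hook supplies them).
SYSCALLS: Dict[int, str] = {3: "read", 5: "open", 6: "close", 197: "fstat64", 322: "openat"}
ENOENT, EBADF, EACCES, ENOSYS = 2, 9, 13, 38


class VirtualFs:
    """Maps guest file accesses onto files under vfs_root and never outside it."""

    def __init__(self, vfs_root: str):
        self.root = os.path.realpath(vfs_root)
        self.fds = {}          # guest fd -> host file object
        self.next_fd = 3       # 0-2 are the guest's stdio

    def resolve(self, guest_path: str) -> Optional[str]:
        """Translate an absolute guest path to a host path inside vfs_root.

        Returns None when the path would leave the root (e.g. through '..'),
        which the loader must refuse rather than pass to the host.
        """
        host = os.path.realpath(os.path.join(self.root, guest_path.lstrip("/")))
        if host != self.root and not host.startswith(self.root + os.sep):
            return None
        return host

    def handle_syscall(self, nr: int, *args):
        """Entry point a syscall hook calls with the guest's number and arguments."""
        name = SYSCALLS.get(nr)
        if name is None:
            return -ENOSYS          # unknown syscalls are refused, not forwarded to the host
        return getattr(self, "sys_" + name)(*args)

    # Each handler returns what the guest should see: an fd / 0, or -errno.
    def sys_open(self, guest_path: str, flags: int = 0) -> int:
        if flags & (os.O_WRONLY | os.O_RDWR):
            return -EACCES          # the vfs is read-only: the emulated library cannot alter host files
        host = self.resolve(guest_path)
        if host is None or not os.path.isfile(host):
            return -ENOENT
        fd = self.next_fd
        self.next_fd += 1
        self.fds[fd] = open(host, "rb")
        return fd

    def sys_openat(self, dirfd: int, guest_path: str, flags: int = 0) -> int:
        # Only the absolute-path (AT_FDCWD) form is supported here.
        return self.sys_open(guest_path, flags)

    def sys_read(self, fd: int, count: int) -> Tuple[int, bytes]:
        f = self.fds.get(fd)
        if f is None:
            return -EBADF, b""
        data = f.read(count)     # the hook would copy `data` into guest memory
        return len(data), data

    def sys_fstat64(self, fd: int) -> Tuple[int, Optional[int]]:
        f = self.fds.get(fd)
        if f is None:
            return -EBADF, None
        return 0, os.fstat(f.fileno()).st_size

    def sys_close(self, fd: int) -> int:
        f = self.fds.pop(fd, None)
        if f is None:
            return -EBADF
        f.close()
        return 0


def build_demo_root() -> str:
    """Create a throwaway vfs root holding a constructed /system/lib/libdemo.so."""
    root = tempfile.mkdtemp(prefix="vfs_")
    lib_dir = os.path.join(root, "system", "lib")
    os.makedirs(lib_dir)
    with open(os.path.join(lib_dir, "libdemo.so"), "wb") as f:
        f.write(b"\x7fELF" + b"\x01\x01\x01\x00" + b"\x00" * 8)   # fake ELF ident, 16 bytes
    return root
```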
S40: Modify the address of the function to be intercepted according to a preset function address, where the function to be intercepted is a function in a shared-library-format file.
Here, the preset function address is a user-defined function address, and the function to be intercepted is the object on which the Hook function of the simulated execution framework acts. It should be noted that the function to be intercepted may be a preset interface-calling function or an initialization function invoked while mapping the ELF file to be simulated. The address of the function to be intercepted is modified according to the preset function address: specifically, the address of the function to be intercepted is obtained and then changed to the preset function address.
S50: Register a preset function variable name and a preset function name, so that the Hook function of the simulated execution framework can return the function to be intercepted according to the preset function variable name and the preset function name.
Here, the preset function variable name is the name of a variable in a user-defined function statement, and the preset function name is a user-defined function name. Both are set through a Python metaclass. Specifically, the preset function variable names and preset function names are stored in a database; when the variable name or function name detected by the Hook function of the simulated execution framework is one of the preset names in the database, the value of the function corresponding to the detected variable name or function name is returned.
For example, the preset function variable names jvm_name, jvm_method and jvm_fields and the preset function names find_method, find_method_by_id and find_field are defined through JavaClassDef. When the Hook function of the simulated execution framework detects the variable name jvm_method and the function name find_method, the method in find_method is returned through the Hook function.
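As an added example (not the patent's code, nor that of any emulation framework), here is a Python metaclass in the style the patent attributes to JavaClassDef: declaring a class with it registers the class's jvm_name, the methods marked with @jvm_method and its jvm_fields, so that a JNI hook can answer find_method, find_method_by_id and find_field lookups by name. The registry layout, the decorator and the sequential method ids are assumptions of this example, and the JavaString class at the end is a constructed sample.

```python
# Added example, not the patent's code: a JavaClassDef-style metaclass that
# registers Java class definitions for an emulator's JNI hooks.
from typing import Callable, Dict, Optional


class JvmRegistry:
    """Tables the emulator's JNI hooks consult when the guest calls into Java."""
    classes: Dict[str, type] = {}
    methods_by_id: Dict[int, Callable] = {}
    next_id = 1


def jvm_method(name: str, signature: str) -> Callable:
    """Mark a Python method as the implementation of a JNI-visible Java method."""
    def decorate(fn: Callable) -> Callable:
        fn.jvm_name = name
        fn.jvm_signature = signature
        return fn
    return decorate


class JavaClassDef(type):
    """Metaclass: every class declaring a jvm_name is registered on creation."""

    def __new__(mcs, name, bases, namespace):
        cls = super().__new__(mcs, name, bases, namespace)
        jvm_name = namespace.get("jvm_name")
        if jvm_name is None:            # helper classes without a jvm_name are not registered
            return cls
        cls.jvm_methods = {}            # (java name, JNI signature) -> Python callable
        for attr in namespace.values():
            if callable(attr) and hasattr(attr, "jvm_name"):
                attr.jvm_id = JvmRegistry.next_id   # the id handed to the guest as jmethodID
                JvmRegistry.next_id += 1
                cls.jvm_methods[(attr.jvm_name, attr.jvm_signature)] = attr
                JvmRegistry.methods_by_id[attr.jvm_id] = attr
        cls.jvm_fields = dict(namespace.get("jvm_fields", {}))   # field name -> JNI type
        JvmRegistry.classes[jvm_name] = cls
        return cls


def find_class(jvm_name: str) -> Optional[type]:
    return JvmRegistry.classes.get(jvm_name)


def find_method(jvm_name: str, name: str, signature: str) -> Optional[Callable]:
    """What a GetMethodID hook answers; None means the guest asked for an unregistered method."""
    cls = find_class(jvm_name)
    return None if cls is None else cls.jvm_methods.get((name, signature))


def find_method_by_id(method_id: int) -> Optional[Callable]:
    return JvmRegistry.methods_by_id.get(method_id)


def find_field(jvm_name: str, field: str) -> Optional[str]:
    cls = find_class(jvm_name)
    return None if cls is None else cls.jvm_fields.get(field)


def call_method(method_id: int, obj, *args):
    """What a CallXxxMethod hook does with the jmethodID the guest passed in."""
    fn = find_method_by_id(method_id)
    if fn is None:
        raise LookupError(f"no registered Java method with id {method_id}")
    return fn(obj, *args)


class JavaString(metaclass=JavaClassDef):
    """Constructed sample standing in for java/lang/String."""
    jvm_name = "java/lang/String"
    jvm_fields = {"value": "[C"}

    def __init__(self, value: str):
        self.value = value

    @jvm_method("length", "()I")
    def length(self):
        return len(self.value)

    @jvm_method("getBytes", "()[B")
    def get_bytes(self):
        return self.value.encode("utf-8")
```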
S60: Obtain the dependencies of the shared library file to be simulated through the objdump command, return the function to be intercepted in the shared library file through the Hook function, and output the value returned by the function to be intercepted through the simulated execution framework, so as to analyze the shared library file.
Here, objdump is the object-file analysis tool in Linux used to analyze ELF-format binaries. The dependencies of the ELF file to be simulated are the binary shared-library-format files that the ELF binary depends on at run time in Linux; for example, a .so dependency of the ELF file to be simulated is libc.so. Specifically, the ELF file to be simulated is first parsed with the arm-linux-gnueabi-objdump command; the -x option then yields all headers of the ELF file, which are filtered with grep to obtain the .so dependencies of the file. Finally, the dependencies are loaded to obtain the .so file of the ELF file to be simulated. Further, the function to be intercepted in the ELF file is returned through the Hook function, the data obtained by the function to be intercepted is collected, and that data is output. The output may be Logger-formatted output, meaning that the data obtained by the intercepted function is written out as a log through the Hook function of the simulated execution framework, so as to analyze the shared-library-format file of the ELF file to be simulated.
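As an added example (not the patent's code), the following parses the output of `arm-linux-gnueabi-objdump -x` for the NEEDED entries of the dynamic section, which is what the grep filter in S60 extracts, then walks the dependency graph and orders the libraries so each is loaded after the ones it needs. The objdump text is a constructed excerpt, so the parser keys on the "Dynamic Section:" heading and the NEEDED tag rather than on column positions, which vary between binutils versions.

```python
# Added example, not the patent's code: collecting NEEDED dependencies from
# objdump -x output and ordering them for loading into the emulator.
import re
import subprocess
from typing import Callable, Dict, List

NEEDED_RE = re.compile(r"^\s*NEEDED\s+(\S+)\s*$", re.MULTILINE)


def parse_needed(objdump_text: str) -> List[str]:
    """Return the NEEDED names listed in objdump -x output, in order."""
    _before, heading, dynamic = objdump_text.partition("Dynamic Section:")
    if not heading:
        return []                      # no dynamic section: statically linked or not ELF
    return NEEDED_RE.findall(dynamic)


def run_objdump(path: str, tool: str = "arm-linux-gnueabi-objdump") -> str:
    """Invoke the cross objdump the patent names (not executed in this example)."""
    return subprocess.check_output([tool, "-x", path], text=True)


def collect_dependencies(root: str, objdump_text_for: Callable[[str], str]) -> Dict[str, List[str]]:
    """Follow NEEDED edges from root; objdump_text_for(name) supplies the text per library.

    A library the virtual file system cannot supply yields "" and thus no edges,
    so missing dependencies surface as leaves rather than aborting the walk.
    """
    deps: Dict[str, List[str]] = {}
    pending = [root]
    while pending:
        lib = pending.pop()
        if lib in deps:
            continue
        deps[lib] = parse_needed(objdump_text_for(lib))
        pending.extend(deps[lib])
    return deps


def load_order(root: str, deps: Dict[str, List[str]]) -> List[str]:
    """Dependencies before dependents, root last, each library once (cycles tolerated)."""
    order: List[str] = []
    seen = set()

    def visit(lib: str) -> None:
        if lib in seen:
            return
        seen.add(lib)
        for d in deps.get(lib, []):
            visit(d)
        order.append(lib)

    visit(root)
    return order


# Constructed sample of objdump -x output for a target library and one dependency.
SAMPLE_OBJDUMP: Dict[str, str] = {
    "libtarget.so": """\
libtarget.so:     file format elf32-littlearm
architecture: arm, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00000000

Dynamic Section:
  NEEDED               libc.so
  NEEDED               libm.so
  NEEDED               liblog.so
  SONAME               libtarget.so
  INIT_ARRAY           0x00012f40
  INIT_ARRAYSZ         0x00000008
""",
    "libm.so": """\
libm.so:     file format elf32-littlearm

Dynamic Section:
  NEEDED               libc.so
  SONAME               libm.so
""",
}
```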
In this embodiment, the ELF file to be simulated is mapped into the virtual memory of the simulated execution framework; the virtual memory is isolated from system memory through the framework's virtual memory mechanism; accesses to virtual files are mapped onto system files through the framework's virtual file system; the function address of the function to be intercepted is modified according to a preset function address; a preset function variable name and a preset function name are registered; the dependencies of the ELF file are obtained through the objdump command, the function to be intercepted in the ELF file is returned through the Hook function, and Logger-formatted output is produced through the simulated execution framework, so as to analyze the ELF file. This improves the efficiency and accuracy of ELF file analysis and simplifies the analysis of obfuscated ELF files.
In one embodiment, as shown in FIG. 3, before step S60, that is, before obtaining the dependencies of the shared library file to be simulated with the preset command and returning the function to be intercepted in the shared library file to be simulated by the Hook function, the method includes:
S601: Access a register of the simulation execution framework and detect whether an unconditional execution instruction is present, where the register holds the number of the function to be intercepted.
Here, the unconditional execution instruction is an instruction of the ARM instruction set. The number of the function to be intercepted is a user-defined constant placed in a register of the simulation execution framework and used to record the function to be intercepted. Specifically, the registers of the simulation execution framework are accessed; when the Hook function intercepts the function to be intercepted that accesses the register, the byte data in the register is inspected, and when the detected bytes are \xE8\xBF, an unconditional execution instruction is present. The unconditional execution instruction is the IT AL instruction.
Further, if, after inspecting the bytes in the register, the bytes \xE8\xBF are not detected, no unconditional execution instruction is present; it is then determined that the Hook function failed to intercept the function to be intercepted, and the function to be intercepted is intercepted again.
S602: If an unconditional execution instruction is present, read the value in the register.
When an unconditional execution instruction is detected, the data in the register is read. If the value read is empty, it is determined that the Hook function failed to intercept the function to be intercepted, and the function to be intercepted is intercepted again; if the value read is not empty, it is determined that the Hook function intercepted the function to be intercepted successfully. The number of the function to be intercepted is determined from the value in the register, and the corresponding function to be intercepted is determined from that number.
S603: Extract the corresponding target function-to-be-intercepted number from the function-to-be-intercepted numbers according to the value in the register.
Here, the function-to-be-intercepted number is the constant corresponding to the value in the register, and the target function-to-be-intercepted number is the constant corresponding to the function to be intercepted. Specifically, when an unconditional execution instruction is detected, the data in the register is read; when the value read is not empty, the function-to-be-intercepted number is determined from the value read from the register, and the corresponding target function-to-be-intercepted number is then extracted from it.
S604: Determine the function to be intercepted according to the target function-to-be-intercepted number.
Specifically, when the data read from the register is not empty and the function-to-be-intercepted number has been determined from the value read, the corresponding target function-to-be-intercepted number is extracted from the function-to-be-intercepted numbers, and the corresponding function to be intercepted is then determined from that target number.
In this embodiment, a register of the simulation execution framework is accessed and it is detected whether an unconditional execution instruction is present, the register holding the number of the function to be intercepted; when an unconditional execution instruction is present, the value in the register is read; the corresponding target function-to-be-intercepted number is extracted from the function-to-be-intercepted numbers according to the value in the register; and the function to be intercepted is determined according to that target number. By checking the result of the Hook function's interception of the function to be intercepted, the efficiency of analyzing the elf file to be simulated can be further improved.
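The S601 to S604 hand-off check, written out as an added example that is not the patent's code. A constructed Thumb code buffer and a register dictionary stand in for the emulator's memory and register file; the hook decodes the halfword at the hooked address and accepts it only if it is IT AL (Thumb encoding 0xBFE8, stored little-endian as the bytes E8 BF named in the text), then reads the function number from a register and resolves it against a preset number table. The function-number table, the register name r0 and the retry limit are assumptions for the example; the decoding of the IT instruction is the general rule, so conditional IT forms such as IT EQ are correctly rejected as well.

```python
"""Hook hand-off check of S601-S604 (added example, not the patent's code).

A constructed Thumb code buffer and register dictionary stand in for the
emulator's memory and register file. The hook first decodes the halfword at the
hooked address and accepts it only if it is the marker IT AL (Thumb encoding
0xBFE8, stored little-endian as the bytes E8 BF given in the text), then reads
the function number from a register and resolves it to the intercepted function.
"""

# Constructed table (assumption): function number -> function to be intercepted
FUNCTION_NUMBERS = {1: "open", 2: "read", 3: "close"}
MAX_RETRIES = 3            # assumption: how often the interception is retried
NUMBER_REG = "r0"          # assumption: register holding the function number


class HookHandoffError(Exception):
    """Raised when the hand-off between emulated code and hook is not sound."""


def decode_it(halfword: int):
    """Decode a 16-bit Thumb IT instruction (1011 1111 firstcond mask).
    Returns (firstcond, mask) or None; 0xBF00-0xBF0F (mask 0) are hints
    such as NOP, not IT."""
    if halfword >> 8 != 0xBF or (halfword & 0x0F) == 0:
        return None
    return (halfword >> 4) & 0xF, halfword & 0xF


def has_unconditional_marker(memory: bytes, pc: int) -> bool:
    """S601: is the instruction at pc 'IT AL' (firstcond AL=0b1110, mask 0b1000)?"""
    it = decode_it(int.from_bytes(memory[pc:pc + 2], "little"))
    return it == (0xE, 0x8)


def resolve_intercepted_function(memory: bytes, regs: dict, pc: int) -> str:
    """S601-S604 in one step; raises HookHandoffError whenever the interception
    must be retried (no marker, empty register, unknown number)."""
    if not has_unconditional_marker(memory, pc):
        raise HookHandoffError("no IT AL marker at hooked address")
    value = regs.get(NUMBER_REG, 0)
    if not value:                       # S602: empty register -> failed hand-off
        raise HookHandoffError("function number register is empty")
    if value not in FUNCTION_NUMBERS:   # S603: number not in the preset table
        raise HookHandoffError(f"unknown function number {value}")
    return FUNCTION_NUMBERS[value]      # S604: number -> function


def intercept_with_retry(memory: bytes, snapshots, pc: int):
    """Retry loop of S601/S602: `snapshots` are the register files seen on
    successive interception attempts (constructed). Returns (attempt, name)."""
    last = None
    for attempt, regs in enumerate(snapshots[:MAX_RETRIES], start=1):
        try:
            return attempt, resolve_intercepted_function(memory, regs, pc)
        except HookHandoffError as err:
            last = err
    raise HookHandoffError(f"gave up after {MAX_RETRIES} attempts: {last}")


# Constructed Thumb code: nop; nop; it al; bx lr  (little-endian halfwords)
CODE = b"\x00\xBF\x00\xBF\xE8\xBF\x70\x47"
MARKER_PC = 4

if __name__ == "__main__":
    # First attempt sees an empty r0 and is retried; the second succeeds.
    print(intercept_with_retry(CODE, [{"r0": 0}, {"r0": 3}], MARKER_PC))
```

The check decodes the instruction rather than comparing raw bytes, so a plain NOP (0xBF00, a hint) or a conditional IT block is never mistaken for the marker; only the exact IT AL form, with a single-instruction mask, counts as the hand-off point.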
In one embodiment, as shown in FIG. 4, in step S10, mapping the shared library file to be simulated into the virtual memory of the simulation execution framework by means of the simulation execution framework includes:
S11: Parse the shared library file to be simulated with the Pyelftools library to obtain the base address and the structure pointer address of the initialization array in the shared library file to be simulated.
Here, the initialization array is the array used by the simulation execution framework when loading the elf file to be simulated, and it contains the initialization functions; in the simulation execution framework, the initialization array is init_array. The elf file to be simulated is parsed with the Pyelftools library to obtain the base address and the structure pointer address of the initialization array in the elf file to be simulated. Specifically, the .so format of the elf file to be simulated is parsed with Pyelftools to obtain the so file, which is parsed further to obtain its segments; the segments are traversed with the iter_segments function, the size and offset of the initialization array are obtained from the DT_INIT_ARRAYSZ and DT_INIT_ARRAY tags, and the base address of the initialization array is determined. Further, the structure pointer address is obtained by computing from the offset of the initialization array, the virtual address in the segment header of the so file, and the offset in that segment header.
S12: Determine the initialization array address according to the base address and the structure pointer address.
The base address of the initialization array and the structure pointer address are combined to obtain the address of the initialization array; the combination of the base address and the structure pointer address is an addition.
S13: Map the initialization functions in the initialization array into the virtual memory of the simulation execution framework according to the initialization array address.
Here, the initialization functions are the functions that must be loaded when the shared library file to be simulated runs. Specifically, after the initialization array address is determined by adding the base address and the structure pointer address, the location of the initialization array is found from the initialization array address pointer, the initialization functions are obtained from the initialization array, and the initialization functions are mapped into the virtual memory of the simulation execution framework, thereby mapping the shared library file to be simulated into the virtual memory of the simulation execution framework.
In this embodiment, the elf file to be simulated is parsed with the Pyelftools library to obtain the base address and the structure pointer address of the initialization array in the elf file to be simulated; the address of the initialization array is determined from the base address and the structure pointer address; and the initialization functions in the initialization array are mapped into the virtual memory of the simulation execution framework according to the initialization array address. The initialization array init_array in the .so format of the elf file to be simulated can thus be obtained, together with the initialization functions it contains, and when the elf file to be simulated is subsequently simulated, the simulation can be completed through these initialization functions.
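The two ELF steps the text describes, listing the .so dependencies (the objdump/grep step above) and locating init_array from the DT_INIT_ARRAY and DT_INIT_ARRAYSZ tags and rebasing its entries (steps S11 to S13), as one added example that is not the patent's code and does not use Pyelftools. It is a pure-Python ELF32 parser run over a tiny ARM shared object constructed in memory; the load base 0x40000000, the library names and the function addresses in the sample are assumptions.

```python
"""Pure-Python stand-in (added example, not the patent's code) for two steps of
the text: listing a shared object's DT_NEEDED dependencies (the objdump/grep
step) and locating init_array from DT_INIT_ARRAY / DT_INIT_ARRAYSZ (the
Pyelftools iter_segments step), then rebasing the initialization functions to
the address at which the emulator mapped the file.
"""
import struct

# ELF constants from the ELF specification
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_INIT_ARRAY, DT_INIT_ARRAYSZ = 0, 1, 5, 25, 27
EM_ARM = 40


def build_sample_so() -> bytes:
    """Construct a tiny little-endian ARM ELF32 shared object in memory:
    Ehdr, PT_LOAD + PT_DYNAMIC headers, .dynstr, init_array, .dynamic."""
    load_vaddr = 0x10000                      # p_vaddr of the single PT_LOAD
    strtab_off = 52 + 2 * 32                  # after Ehdr (52) and two Phdr (32 each)
    strtab = b"\0libc.so\0libm.so\0".ljust(24, b"\0")
    init_off = strtab_off + len(strtab)
    init_array = struct.pack("<II", load_vaddr + 0x1000, load_vaddr + 0x1040)
    dyn_off = init_off + len(init_array)
    dyn = b"".join(struct.pack("<iI", tag, val) for tag, val in [
        (DT_NEEDED, 1), (DT_NEEDED, 9),               # offsets into strtab
        (DT_STRTAB, load_vaddr + strtab_off),
        (DT_INIT_ARRAY, load_vaddr + init_off), (DT_INIT_ARRAYSZ, len(init_array)),
        (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       3, EM_ARM, 1, 0, 52, 0, 0, 52, 32, 2, 40, 0, 0)  # ET_DYN
    phdrs = struct.pack("<8I", PT_LOAD, 0, load_vaddr, load_vaddr, total, total, 5, 0x1000)
    phdrs += struct.pack("<8I", PT_DYNAMIC, dyn_off, load_vaddr + dyn_off,
                         load_vaddr + dyn_off, len(dyn), len(dyn), 6, 4)
    return ehdr + phdrs + strtab + init_array + dyn


def parse_elf32(data: bytes):
    """Return (needed_libs, init_array_vaddr, init_func_vaddrs, first_load_vaddr)."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    e_phoff, = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None or not loads:
        raise ValueError("missing PT_LOAD or PT_DYNAMIC segment")

    def vaddr_to_off(vaddr: int) -> int:
        # The segment-header vaddr/offset arithmetic that turns the DT_INIT_ARRAY
        # virtual address into a position in the file
        for p_vaddr, p_offset, p_filesz in loads:
            if p_vaddr <= vaddr < p_vaddr + p_filesz:
                return vaddr - p_vaddr + p_offset
        raise ValueError(f"vaddr {vaddr:#x} not covered by any PT_LOAD")

    needed, strtab, init_arr, init_sz = [], None, None, 0
    dyn_off, dyn_sz = dynamic
    for pos in range(dyn_off, dyn_off + dyn_sz, 8):
        tag, val = struct.unpack_from("<iI", data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab = val
        elif tag == DT_INIT_ARRAY:
            init_arr = val
        elif tag == DT_INIT_ARRAYSZ:
            init_sz = val
    if strtab is None:
        raise ValueError("no DT_STRTAB in the dynamic section")
    strtab_off = vaddr_to_off(strtab)
    libs = [data[strtab_off + i:data.index(b"\0", strtab_off + i)].decode() for i in needed]
    funcs = []
    if init_arr is not None and init_sz % 4 == 0:
        funcs = list(struct.unpack_from(f"<{init_sz // 4}I", data, vaddr_to_off(init_arr)))
    return libs, init_arr, funcs, loads[0][0]


def runtime_init_functions(data: bytes, load_base: int):
    """Rebase init_array entries to the emulator mapping (load_base is assumed)."""
    _, _, funcs, first_vaddr = parse_elf32(data)
    load_bias = load_base - first_vaddr     # the same rule ld.so uses for l_addr
    return [load_bias + f for f in funcs]


if __name__ == "__main__":
    so = build_sample_so()
    libs, init_arr, funcs, _ = parse_elf32(so)
    print("NEEDED:", libs, "init_array at", hex(init_arr), [hex(f) for f in funcs])
    print("mapped at 0x40000000:", [hex(a) for a in runtime_init_functions(so, 0x40000000)])
```

The parser reads program headers only, never section headers, which matters for the obfuscated files the text targets: section headers are optional in a loadable object and are frequently stripped or corrupted, while PT_DYNAMIC and PT_LOAD must be intact for the library to load at all. The DT_INIT_ARRAYSZ multiple-of-pointer-size check and the PT_LOAD coverage check are the two places a malformed file would otherwise drive the loader into reading outside the image.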
In one embodiment, as shown in FIG. 5, in step S30, mapping accesses to virtual files to system files by means of the virtual file system in the simulation execution framework includes:
S31: Allocate interface calling functions according to a preset allocation method to obtain the preset interface calling functions.
The preset allocation method refers to allocating interface calling functions according to their different functions. For example, according to the function of each interface calling function, the interface calling functions are allocated as the read, open, close, writev, fstat64, openat and fstatat64 functions.
S32: According to a preset virtual file directory, replace the calling path of the preset interface calling function with the path of the preset virtual file directory by means of the Hook function.
Specifically, when a virtual file is accessed, the system file information is first obtained, where the system file information includes the directory hierarchy information of the files in system memory and the data corresponding to that directory hierarchy information. According to the directory hierarchy information, the corresponding data is stored in the preset virtual file directory, which is a user-defined file directory created to hold system file information. Further, the preset interface calling function is parsed by the Hook function in the simulation execution framework, and its calling path is changed so that the call is made from the preset virtual file directory.
It should be noted that, because the calling path of the preset interface function has been changed to call from the preset virtual file directory, when the preset interface function is detected accessing a virtual file, the access to the virtual file is, according to the changed calling path, mapped directly to an access within the preset virtual file directory, thereby mapping the access to the virtual file to the system file.
In this embodiment, interface calling functions are allocated according to a preset allocation method to obtain the preset interface calling functions; according to a preset virtual file directory, the calling path of the preset interface calling function is replaced with the path of the preset virtual file directory by means of the Hook function. Real data can thus be obtained from the system, which prevents the simulation of the elf file to be simulated from aborting because of wrong data and improves the reliability of the simulation.
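The path replacement of S31/S32 as an added example, not the patent's code. A guest path requested through emulated open/read/close handlers is rewritten onto a preset virtual file directory (the `rootfs` argument, an assumption), and the one check a practitioner would want on top of the text is included: a guest-supplied path, whether through `..` segments or a symlink planted inside the directory, must not resolve outside it, otherwise the emulated library would be reading the analyst's host files rather than the copied system file information. The fake /proc/self/maps content is constructed.

```python
"""Virtual-file redirection of S31/S32 (added example, not the patent's code).

A guest path requested through the emulated open/read/close handlers is
rewritten to a preset virtual file directory (the "rootfs" argument, an
assumption). The guard keeps a guest-supplied path, including '..' segments or a
symlink planted in the rootfs, from resolving outside that directory, so the
emulated program only ever sees the copied system file information.
"""
import os
import tempfile

# S31: the interface calling functions listed in the text, keyed by the name a
# syscall dispatcher would use; only open/read/close are implemented below.
INTERFACE_FUNCTIONS = ("read", "open", "close", "writev", "fstat64", "openat", "fstatat64")


class VirtualFileSystem:
    def __init__(self, rootfs: str):
        self.rootfs = os.path.realpath(rootfs)

    def translate(self, guest_path: str) -> str:
        """S32: map an absolute guest path onto the preset virtual file directory.
        Raises PermissionError if the resolved host path leaves the rootfs."""
        rel = os.path.normpath("/" + guest_path.lstrip("/")).lstrip("/")
        host = os.path.realpath(os.path.join(self.rootfs, rel))
        if os.path.commonpath([self.rootfs, host]) != self.rootfs:
            raise PermissionError(f"{guest_path!r} escapes the virtual file directory")
        return host

    # Emulated handlers: the guest calls open()/read()/close(); the host file
    # under rootfs is what actually gets opened.
    def open(self, guest_path: str, mode: str = "r"):
        return open(self.translate(guest_path), mode)

    def read(self, fh, n: int):
        return fh.read(n)

    def close(self, fh):
        fh.close()

    def dispatch(self, name: str, *args):
        """Route a hooked interface call to its handler by name."""
        if name not in INTERFACE_FUNCTIONS:
            raise ValueError(f"{name} is not a redirected interface function")
        handler = getattr(self, name, None)
        if handler is None:
            raise NotImplementedError(f"{name} is not implemented in this example")
        return handler(*args)


def demo() -> dict:
    """Build a constructed rootfs, exercise the redirect and both escape guards."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = os.path.join(tmp, "rootfs")
        os.makedirs(os.path.join(rootfs, "proc", "self"))
        # Constructed stand-in for the system file information copied into the
        # virtual file directory (a fake /proc/self/maps line).
        with open(os.path.join(rootfs, "proc", "self", "maps"), "w") as f:
            f.write("40000000-40001000 r-xp 00000000 00:00 0 /data/libsample.so\n")
        os.symlink(tmp, os.path.join(rootfs, "escape"))   # points outside rootfs
        vfs = VirtualFileSystem(rootfs)
        fh = vfs.dispatch("open", "/proc/self/maps")
        content = vfs.dispatch("read", fh, 4096)
        vfs.dispatch("close", fh)
        dotdot_stays_inside = vfs.translate("/../../proc/self/maps").startswith(vfs.rootfs)
        try:
            vfs.translate("/escape/secret")
            symlink_blocked = False
        except PermissionError:
            symlink_blocked = True
        return {"content": content, "dotdot_stays_inside": dotdot_stays_inside,
                "symlink_blocked": symlink_blocked}


if __name__ == "__main__":
    print(demo())
```

The `..` case is handled by normalising the guest path as an absolute path before joining, and the symlink case by comparing `realpath` results, which is the check that plain string prefix tests miss. The remaining functions in the list (writev, fstat64, openat, fstatat64) would call the same `translate` step on their path argument.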
In one embodiment, as shown in FIG. 6, in step S40, modifying the function address of the function to be intercepted according to the preset function address includes:
S41: Obtain the address of the function to be intercepted from a preset function address table.
Here, the preset function address table is an address table custom-created by a user through an address-table creation function. For example, the Jni Function Table address table is created by the write_function_table function. The address of the function to be intercepted is then obtained from the preset function address table. The function to be intercepted may be a preset interface calling function, and its address may be the address of that preset interface calling function.
S42: Modify the address of the function to be intercepted according to the preset function address.
Specifically, the address of the function to be intercepted is modified according to the preset function address, so that the function to be intercepted executes the corresponding module according to the preset function address.
It should be noted that, after the address of the function to be intercepted has been modified, once the function to be intercepted is intercepted or controlled by the Hook function in the simulation execution framework, the function to be intercepted executes the module corresponding to the preset function address.
For example, the Jni Function Table address table is created by the write_function_table function and contains function A. Function A corresponds to module C, and the preset function address is D. The correspondence of function A is changed from module C to module D; after function A is taken under control by the Hook function in the simulation execution framework, function A executes module D first.
In this embodiment, the address of the function to be intercepted is obtained from the preset function address table and modified according to the preset function address. When simulating the elf file, the corresponding module data can be found from a user-defined function address according to the user's needs, which improves the practicality of the shared library file simulation method.
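The address-table step of S41/S42 and the function A example, as an added example that is not the patent's own write_function_table. A JNI-style table of 32-bit function pointers is laid out in a bytearray standing in for emulator memory; each slot initially points at a distinct trampoline address (8-byte spacing is an assumption) so that a hook can tell which entry was called, and one entry is then redirected to a preset address, which is the text's change from module C to module D. The JNI entry names are real JNI function names; the addresses are constructed.

```python
"""Preset function address table of S41/S42 (added example, not the patent's
own write_function_table). A JNI-style table of 32-bit function pointers is laid
out in a bytearray that stands in for emulator memory. Each slot first points at
a distinct trampoline address (assumed spacing of 8 bytes) so the hook can tell
which entry was called; one slot is then redirected to a preset address, which
is the text's "function A: module C -> module D".
"""
import struct

PTR_SIZE = 4   # 32-bit ARM pointers


def write_function_table(mem: bytearray, table_addr: int, names, trampoline_base: int):
    """Lay out one pointer per name at table_addr; returns {name: slot_address}.
    The bounds check keeps the table inside the mapped region."""
    if table_addr + PTR_SIZE * len(names) > len(mem):
        raise ValueError("function table does not fit in the mapped region")
    slots = {}
    for i, name in enumerate(names):
        slot = table_addr + PTR_SIZE * i
        struct.pack_into("<I", mem, slot, trampoline_base + 8 * i)
        slots[name] = slot
    return slots


def get_function_address(mem, slots, name):
    """S41: read where a named table entry currently points."""
    return struct.unpack_from("<I", mem, slots[name])[0]


def set_function_address(mem, slots, name, preset_addr):
    """S42: redirect the entry to the preset address; returns the old target."""
    old = get_function_address(mem, slots, name)
    struct.pack_into("<I", mem, slots[name], preset_addr)
    return old


def entries_pointing_at(mem, slots, target_addr):
    """Reverse lookup a hook uses: which entries point at target_addr?"""
    return sorted(n for n in slots if get_function_address(mem, slots, n) == target_addr)


def demo() -> dict:
    mem = bytearray(0x1000)                 # constructed 4 KiB emulator region
    names = ["GetVersion", "FindClass", "GetStringUTFChars"]   # real JNI names
    slots = write_function_table(mem, 0x100, names, trampoline_base=0x2000)
    before = get_function_address(mem, slots, "FindClass")        # module C
    old = set_function_address(mem, slots, "FindClass", 0x3000)   # preset address D
    after = get_function_address(mem, slots, "FindClass")
    return {"before": before, "old": old, "after": after,
            "who_points_at_D": entries_pointing_at(mem, slots, 0x3000),
            "untouched": get_function_address(mem, slots, "GetVersion")}


if __name__ == "__main__":
    print({k: (hex(v) if isinstance(v, int) else v) for k, v in demo().items()})
```

Keeping the slots distinct is what lets the hook on the trampoline page identify the entry that was invoked; if every slot pointed at the same stub, the hook would have to recover the caller's intent from the stack instead.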
It should be understood that the sequence numbers of the steps in the above embodiments do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
In one embodiment, a shared library file simulation apparatus is provided, corresponding one-to-one to the shared library file simulation method of the above embodiments. As shown in FIG. 7, the shared library file simulation apparatus includes a file mapping module 10, a memory isolation module 20, an access mapping module 30, an address modification module 40, a function registration module 50 and a data output module 60. The functional modules are described in detail as follows:
The file mapping module 10 is configured to map the shared library file to be simulated into the virtual memory of the simulation execution framework by means of the simulation execution framework;
The memory isolation module 20 is configured to isolate the virtual memory from system memory through the virtual memory mechanism of the simulation execution framework;
The access mapping module 30 is configured to map accesses to virtual files to system files through the virtual file system in the simulation execution framework;
The address modification module 40 is configured to modify the function address of the function to be intercepted according to a preset function address, where the function to be intercepted is a function in the shared library format file;
The function registration module 50 is configured to register a preset function variable name and a preset function name, so that the Hook function in the simulation execution framework can return the function to be intercepted according to the preset function variable name and the preset function name;
The data output module 60 is configured to obtain the dependencies of the shared library file to be simulated with the Objdump command, return the function to be intercepted in the shared library file to be simulated by the Hook function, and output the value returned by the function to be intercepted through the simulation execution framework, so as to analyze the shared library file to be simulated.
Further, the shared library file simulation apparatus also includes:
An instruction detection module 601, configured to access a register of the simulation execution framework and detect whether an unconditional execution instruction is present, where the register holds the number of the function to be intercepted;
A value reading module 602, configured to read the value in the register when an unconditional execution instruction is present;
A function numbering module 603, configured to extract the corresponding target function-to-be-intercepted number from the function-to-be-intercepted numbers according to the value in the register;
A function determination module 604, configured to determine the function to be intercepted according to the target function-to-be-intercepted number.
Further, the file mapping module 10 includes:
A file parsing submodule 11, configured to parse the shared library file to be simulated with the Pyelftools library to obtain the base address and the structure pointer address of the initialization array in the shared library file to be simulated;
An address determination submodule 12, configured to determine the initialization array address according to the base address and the structure pointer address;
A function mapping submodule 13, configured to map the initialization functions in the initialization array into the virtual memory of the simulation execution framework according to the initialization array address.
Further, the access mapping module 30 includes:
A function allocation submodule 31, configured to allocate interface calling functions according to a preset allocation method to obtain the preset interface calling functions;
A path replacement submodule 32, configured to replace, according to a preset virtual file directory, the calling path of the preset interface calling function with the path of the preset virtual file directory by means of the Hook function.
Further, the address modification module 40 includes:
An address acquisition submodule 41, configured to obtain the address of the function to be intercepted from a preset function address table;
An address modification submodule 42, configured to modify the address of the function to be intercepted according to the preset function address.
For the specific definition of the shared library file simulation apparatus, refer to the definition of the shared library file simulation method above, which is not repeated here. Each module in the above shared library file simulation apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware form in, or be independent of, the processor of a computer device, or may be stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server whose internal structure may be as shown in FIG. 8. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used to communicate with external terminals over a network connection. When executed by the processor, the computer program implements a shared library file simulation method.
In one embodiment, a computer device is provided, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, the steps of the shared library file simulation method of the above embodiments, for example steps S10 to S60, are implemented. Alternatively, when the processor executes the computer program, the functions of the modules/units of the shared library file simulation apparatus of the above embodiments, for example the functions of modules 10 to 60, are implemented. To avoid repetition, details are not repeated here.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored; when executed by a processor, the computer program implements the shared library file simulation method of the above method embodiments, or implements the functions of the modules/units of the shared library file simulation apparatus of the above apparatus embodiments. To avoid repetition, details are not repeated here.
Those of ordinary skill in the art will understand that all or part of the processes of the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware; the computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the above method embodiments. Any reference to memory, storage, database or other media used in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
Those skilled in the art will clearly understand that, for convenience and brevity of description, the division of the above functional units and modules is given only as an example; in practice, the above functions may be assigned to different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the functions described above.
The above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and all of them shall fall within the protection scope of the present invention.
Claims (10)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010367839.4A CN111666586B (en) | 2020-04-30 | 2020-04-30 | Shared library file simulation method, device, computer equipment and storage medium |
| PCT/CN2020/135727 WO2021218172A1 (en) | 2020-04-30 | 2020-12-11 | Shared library file simulation method and apparatus, computer device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010367839.4A CN111666586B (en) | 2020-04-30 | 2020-04-30 | Shared library file simulation method, device, computer equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111666586A true CN111666586A (en) | 2020-09-15 |
| CN111666586B CN111666586B (en) | 2024-12-27 |
Family
ID=72383141
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010367839.4A Active CN111666586B (en) | 2020-04-30 | 2020-04-30 | Shared library file simulation method, device, computer equipment and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN111666586B (en) |
| WO (1) | WO2021218172A1 (en) |
- 2020-04-30 CN CN202010367839.4A patent/CN111666586B/en active Active
- 2020-12-11 WO PCT/CN2020/135727 patent/WO2021218172A1/en not_active Ceased
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050010911A1 (en) * | 2003-07-12 | 2005-01-13 | Samsung Electronics Co., Ltd. | Shared library system and method of building the system |
| US7971255B1 (en) * | 2004-07-15 | 2011-06-28 | The Trustees Of Columbia University In The City Of New York | Detecting and preventing malcode execution |
| CN109753322A (en) * | 2017-08-29 | 2019-05-14 | 武汉斗鱼网络科技有限公司 | To the acceleration method and device of application program on a kind of ios platform |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021218172A1 (en) * | 2020-04-30 | 2021-11-04 | 平安科技(深圳)有限公司 | Shared library file simulation method and apparatus, computer device and storage medium |
| CN113254342A (en) * | 2021-06-04 | 2021-08-13 | 北京理工大学 | Traceable simulation method and system based on dynamic binary instrumentation |
| CN115471971A (en) * | 2021-06-10 | 2022-12-13 | 中国石油化工股份有限公司 | Basin simulation phase data processing method and device and computer readable storage medium |
| CN115471971B (en) * | 2021-06-10 | 2024-05-07 | 中国石油化工股份有限公司 | Basin simulation stage data processing method and device and computer readable storage medium |
| CN115686656A (en) * | 2021-07-29 | 2023-02-03 | 武汉斗鱼网络科技有限公司 | So file hook method, device and medium based on loading program library |
| CN114780503A (en) * | 2022-03-30 | 2022-07-22 | 苏州浪潮智能科技有限公司 | Information sharing processing method, device, equipment and storage medium |
| CN114707450A (en) * | 2022-04-22 | 2022-07-05 | 山东云海国创云计算装备产业创新中心有限公司 | SystemC-based virtual model generation method, system, medium, and device |
| CN116089516A (en) * | 2023-02-17 | 2023-05-09 | 杭州安恒信息技术股份有限公司 | Application environment simulation method, device, equipment and storage medium |
| CN116089019A (en) * | 2023-03-07 | 2023-05-09 | 苏州宏存芯捷科技有限公司 | Hexagon architecture-oriented fine-grained CPU simulator |
| CN116089019B (en) * | 2023-03-07 | 2023-06-06 | 苏州宏存芯捷科技有限公司 | Hexagon architecture-oriented fine-grained CPU simulator |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111666586B (en) | 2024-12-27 |
| WO2021218172A1 (en) | 2021-11-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111666586A (en) | | Shared library file simulation method and device, computer equipment and storage medium |
| CN111353146B (en) | | Method, device, equipment and storage medium for detecting sensitive permission of application program |
| CN105009139B (en) | | Generic unpacking of apps for malware detection |
| US20090007081A1 (en) | | System and Method of Generating Applications for Mobile Devices |
| CN113569246B (en) | | Vulnerability detection method, vulnerability detection device, computer equipment and storage medium |
| WO2005022388A1 (en) | | Techniques for cross-platform core dumping during dynamic binary translation |
| CN109271789B (en) | | Malicious process detection method and device, electronic equipment and storage medium |
| CN113391874A (en) | | Virtual machine detection countermeasure method and device, electronic equipment and storage medium |
| Yuhala et al. | | Montsalvat: Intel SGX shielding for GraalVM native images |
| US11989291B2 (en) | | System, method, and apparatus for software verification |
| CN113918950A (en) | | Sandbox construction method based on simulation execution |
| CN118051421A (en) | | IO delay fault injection method, device, electronic device and storage medium |
| US11886589B2 (en) | | Process wrapping method for evading anti-analysis of native codes, recording medium and device for performing the method |
| CN114860202A (en) | | Project operation method, device, server and storage medium |
| CN104992112A (en) | | Method and device used for detecting sensitive information leakage of Android |
| CN111737090A (en) | | Log simulation method, apparatus, computer equipment and storage medium |
| CN113792299B (en) | | Method for protecting Linux system based on ftrace technology |
| CN117251187A (en) | | Kernel updates, task processing methods, computing devices and computer storage media |
| WO2023065861A1 (en) | | Application migration assessment |
| CN113900893B (en) | | Log acquisition method and related equipment thereof |
| CN110633210B (en) | | File execution method and device, storage medium and electronic equipment |
| CN112560035B (en) | | Application detection method, device, equipment and storage medium |
| Lim et al. | | Protecting Android Applications with Multiple DEX Files Against Static Reverse Engineering Attacks. |
| CN113204477B (en) | | Application testing method and device, electronic equipment and storage medium |
| CN115048082A (en) | | Micro front-end system construction method and device, server and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |