CN105955762A - Method and device for injecting dynamic link library file and electronic equipment - Google Patents
Method and device for injecting dynamic link library file and electronic equipment Download PDFInfo
- Publication number
- CN105955762A CN105955762A CN201610244973.9A CN201610244973A CN105955762A CN 105955762 A CN105955762 A CN 105955762A CN 201610244973 A CN201610244973 A CN 201610244973A CN 105955762 A CN105955762 A CN 105955762A
- Authority
- CN
- China
- Prior art keywords
- dynamic link
- link library
- library file
- general
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the invention discloses a method and a device for injecting a dynamic link library file and electronic equipment, relates to a file injection technology, and can improve the success rate of dynamic link library file injection. The method comprises the following steps: according to the received dynamic link library file loading request distribution process, calling a loading module to call back a function; analyzing a load module callback function, and acquiring a universal import table address according to the parameters of the load module callback function; reading a general import table corresponding to the general import table address, and extracting dynamic link library files which are not stored in the general import table from dynamic link library files contained in the dynamic link library file loading request; writing the extracted dynamic link library file into the universal import table to generate an updated universal table, and writing the updated universal table into the memory space of the process; and loading the dynamic link library file in the updated general table in the memory space. The method is suitable for injecting the security dynamic link library file which is easy to intercept.
Description
Technical field
The present invention relates to file injection technique, particularly relate to a kind of inject the method for dynamic link library file, dress
Put and electronic equipment.
Background technology
Along with compunication and the development of Internet technology, the application of electronic equipment is more and more universal,
Such as, intelligent mobile phone, personal digital assistant, palm PC, notebook computer have obtained more and more wider
General application, the application program (APP, Application) installed in electronic equipment also gets more and more,
In Windows operating system, complete perform (PE, Portable owing to extensive application program is not one
Executable) file, can be divided into one or more relatively independent dynamic link library (DLL,
Dynamic Link Library) file, wherein, dll file can be referred to as again DLL module, to import table
Mode be positioned in Windows operating system, and in importing table, fill the derivation function of this dll file
Address, when perform application program one or more application functions (loading) time, corresponding process is permissible
By calling importing table, by enumerating each dll file in importing table, call windows LoadLibrary
Function or windows CreateRemoteThread function complete the bootstrap loading (injection) of dll file or remote
Journey is injected.
But being on the increase of application function provided along with application program, some malicious application are by binding
Virus in malicious application or wooden horse, can the application function of application program normal to user be carried out
Malicious intercepted or stop it to load, thus give operating system or user makes troubles and potential hidden danger.Example
As, owing to prior art is by calling windows LoadLibrary function or windows
CreateRemoteThread function completes the injection of dll file, thus, malicious application is by hooking
(Hook) windows LoadLibrary function or windows CreateRemoteThread function, thus
At application program by self-loading method (calling windows LoadLibrary function) or long-range method for implanting
The such as safety that (calling windows CreateRemoteThread function) injects malicious application setting is anti-
When protecting dll file, the file reparation dll file such as dll file, checking and killing virus dll file, by advance
The function that hooks arranged processes, and is refused by return, thus causes the dll file of application program cannot
Be injected into, dll file to be injected into power relatively low so that application program to should dll file should be diligent
Can lose efficacy.Not only make electronic equipment lose or close the function of defence poisoning intrusion, cause user's electronics to set
Standby safety declines, and brings potential safety hazard to the use of electronic equipment, also can cause material and the wealth of user
Rich loss.At present, also there is no a kind of effective dll file method for implanting, it is possible to be prevented effectively from due to malice
The interception of application program and cause the situation that dll file cannot load.DLL is injected it is then desired to a kind of
The method of file, can take appropriate measures, and ensures that the dll file of normal application loads and is not disliked
Meaning application program intercepts, to strengthen the safety of electronic device system.Inject the method for dll file
Technical scheme is as follows:
Summary of the invention
In view of this, embodiment of the present invention offer is a kind of injects the method for dynamic link library file, device and electricity
Subset, it is possible to ensure that the dynamic link library file of application program loads, promote the note of Dynamic link library library file
Enter success rate, be easily intercepted solving the method for existing injection dynamic link library file, it is impossible to load dynamically
The problem of chained library file.
First aspect, the embodiment of the present invention provides a kind of method injecting dynamic link library file, including:
According to the dynamic link library file load request distribution process received, calling record has adding of described process
Carry module call back function;
Resolving described load-on module call back function, the parameter acquiring according to described load-on module call back function is general
Import table address;
Read the general importing table that described general importing table address is corresponding, load from described dynamic link library file
In the dynamic link library file that request comprises, extract the dynamic link library being not stored in described general importing table
File;
The dynamic link library file extracted being write described general importing table, generates and update general purpose table, write is extremely
The memory headroom of described process;
The dynamic link library file in described renewal general purpose table is loaded in described memory headroom.
In conjunction with first aspect, in the first embodiment of first aspect, described according to described second parameter
And the 3rd parameter acquiring general importing table address includes:
Obtain the process handle in the parameter of described load-on module call back function;
Obtain the process image address in the parameter of described load-on module call back function;
Extract the mapping base address of described process in described process image address;
According to the mapping base address of described process handle and described process, obtain general importing table address.
In conjunction with first aspect, in the second embodiment of first aspect, it is not stored in institute in described extraction
After stating the dynamic link library file in general importing table, by described logical for the dynamic link library file write extracted
Before importing table, described method also includes:
The dynamic link library file number that record extracts;
The memory space taken according to a node in described general importing table, calculates the dynamic link of described extraction
Library text number of packages and the product of described memory space, obtain space to be applied for;
Call Memory Allocation kernel function, the memory headroom of described process is described renewal general purpose table application
The renewal general purpose table space of space to be applied for described in comprising and general importing table space.
In conjunction with the second embodiment of first aspect, in the third embodiment of first aspect, described
The dynamic link library file extracted being write described general importing table, generates and update general purpose table, write is to described
The memory headroom of process includes:
In space to be applied for described in described renewal general purpose table, by the dynamic link library file pair of described extraction
The data answered sequentially are filled to the thunk node that structure is reflection input description;
In the described general importing table space of described renewal general purpose table, by dynamic chain in described general importing table
Connect data corresponding to library file sequentially to fill to the thunk node that structure is reflection input description,
Obtain updating general purpose table.
In conjunction with first aspect, in the 4th kind of embodiment of first aspect, described dynamic according to receive
Before chained library file load request distribution process, described method also includes:
Call image amendment and the kernel function described load-on module call back function of registration is set.
In conjunction with first aspect, first aspect the first to the 4th kind of any embodiment, in first aspect
In 5th kind of embodiment, described memory headroom loads the dynamic link library text in described renewal general purpose table
After part, described method also includes:
Described renewal general purpose table is utilized to replace described general importing table and utilize described renewal general purpose table address to replace
Described general importing table address;
When described process is out of service, calls the process creation pre-set and exit call back function, call institute
State general importing table and replace described renewal general purpose table, utilize described general importing table address to replace described renewal and lead to
Use table address.
In conjunction with the 5th kind of embodiment of first aspect, in the 6th kind of embodiment of first aspect, call
Establishment process notice arranges the kernel function described process creation of injection and exits call back function.
Second aspect, the embodiment of the present invention provides a kind of device injecting dynamic link library file, including: return
Letter of transfer number calling module, Parameter analysis of electrochemical module, file extraction module, more new module and file load module,
Wherein,
Call back function calling module, for distributing process according to the dynamic link library file load request received,
Call record and have the load-on module call back function of described process;
Parameter analysis of electrochemical module, is used for resolving described load-on module call back function, adjusts back according to described load-on module
The parameter acquiring general importing table address of function;
File extraction module, for reading the general importing table that described general importing table address is corresponding, from described
In the dynamic link library file that dynamic link library file load request comprises, extract and be not stored in described general lead
Enter the dynamic link library file in table;
More new module, writes described general importing table for the dynamic link library file that will extract, generates and update
General purpose table, the memory headroom of write to described process;
File load module, for loading the dynamic link in described renewal general purpose table in described memory headroom
Library file.
In conjunction with second aspect, in the first embodiment of second aspect, described Parameter analysis of electrochemical module includes:
Function resolution unit, process handle acquiring unit, process image address acquisition unit, base address extraction unit
And importing table address acquiring unit, wherein,
Function resolution unit, is used for resolving described load-on module call back function;
Process handle acquiring unit, the process handle in the parameter obtaining described load-on module call back function;
Process image address acquisition unit, the process in the parameter obtaining described load-on module call back function
Image address;
Base address extraction unit, for extracting the mapping base address of the described process in described process image address;
Import table address acquiring unit, for the mapping base address according to described process handle and described process,
Obtain general importing table address.
In conjunction with second aspect, in the second embodiment of second aspect, described device also includes: record
Module and internal memory application module, wherein,
Logging modle, for recording the dynamic link library file number of extraction;
Internal memory computing module, for the memory space taken according to a node in described general importing table, calculates
The dynamic link library file number of described extraction and the product of described memory space, obtain space to be applied for;
Internal memory application module, is used for calling Memory Allocation kernel function, on the memory headroom of described process is
Described renewal general purpose table application comprise described in the renewal general purpose table of space to be applied for and general importing table space empty
Between.
In conjunction with the second embodiment of second aspect, in the third embodiment of second aspect, described
More new module includes: the first filling unit and the second filling unit, wherein,
First fills unit, in space to be applied for described in described renewal general purpose table, by described extraction
Data corresponding to dynamic link library file sequentially fill to structure be the thunk that reflection input describes
On node;
Second fills unit, in the described general importing table space of described renewal general purpose table, by described
The data that in general importing table, dynamic link library file is corresponding are sequentially filled to the shape that structure is reflection input description
Real-turn is changed in program node, obtains updating general purpose table.
In conjunction with second aspect, in the 4th kind of embodiment of second aspect, described device also includes:
Registering modules, is used for calling image amendment and arranges the kernel function described load-on module call back function of registration.
In conjunction with second aspect, second aspect the first to the 4th kind of any embodiment, in second aspect
In 5th kind of embodiment, described device also includes: replacement module and exit processing module, wherein,
Replacement module, is used for utilizing described renewal general purpose table replace described general importing table and utilize described renewal
Described general importing table address is replaced in general purpose table address;
Exit processing module, for when described process is out of service, calls the process creation pre-set and move back
Go out call back function, call described general importing table and replace described renewal general purpose table, utilize described general importing table
Described renewal general purpose table address is replaced in address.
In conjunction with the 5th kind of embodiment of second aspect, in the 6th kind of embodiment of second aspect, call
Establishment process notice arranges the kernel function described process creation of injection and exits call back function.
The third aspect, the embodiment of the present invention provides a kind of electronic equipment, and described electronic equipment includes: housing,
Processor, memorizer, circuit board and power circuit, wherein, circuit board is placed in the space that housing surrounds
Portion, processor and memorizer are arranged on circuit boards;Power circuit, for for each of above-mentioned electronic equipment
Circuit or device are powered;Memorizer is used for storing executable program code;Processor is by reading in memorizer
The executable program code of storage runs the program corresponding with executable program code, is used for performing aforementioned
The method injecting dynamic link library file described in one.
The a kind of of embodiment of the present invention offer injects the method for dynamic link library file, device and electronic equipment,
By according to the dynamic link library file load request distribution process received, calling record has adding of described process
Carry module call back function;Resolve described load-on module call back function, according to described load-on module call back function
Parameter acquiring general importing table address;Read the general importing table that described general importing table address is corresponding, from institute
Stating in the dynamic link library file that dynamic link library file load request comprises, extraction is not stored in described general
Import the dynamic link library file in table;The dynamic link library file extracted is write described general importing table,
Generate and update general purpose table, the memory headroom of write to described process;Described in described memory headroom loads more
Dynamic link library file in new general purpose table.Can ensure that the dynamic link library file of application program loads, carry
Rise Dynamic link library library file is injected into power, easy to solve the method for existing injection dynamic link library file
Intercepted, it is impossible to the problem loading dynamic link library file.
Accompanying drawing explanation
In order to be illustrated more clearly that the embodiment of the present invention or technical scheme of the prior art, below will be to enforcement
In example or description of the prior art, the required accompanying drawing used is briefly described, it should be apparent that, describe below
In accompanying drawing be only some embodiments of the present invention, for those of ordinary skill in the art, do not paying
On the premise of going out creative work, it is also possible to obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the method flow schematic diagram that embodiments of the invention one inject dynamic link library file;
Fig. 2 is general importing list structure schematic diagram;
Fig. 3 imports list structure schematic diagram for updating;
Fig. 4 is the method flow schematic diagram that the embodiment of the present invention two injects dynamic link library file;
Fig. 5 is the method flow schematic diagram that the embodiment of the present invention three injects dynamic link library file;
Fig. 6 is the method flow schematic diagram that the embodiment of the present invention four injects dynamic link library file;
Fig. 7 is the apparatus structure schematic diagram that the embodiment of the present invention five injects dynamic link library file;
Fig. 8 is the structural representation of one embodiment of electronic equipment of the present invention.
Detailed description of the invention
Below in conjunction with the accompanying drawings the embodiment of the present invention is described in detail.
It will be appreciated that described embodiment be only the present invention a part of embodiment rather than whole realities
Execute example.Based on the embodiment in the present invention, those of ordinary skill in the art are not before making creative work
Put all other embodiments obtained, broadly fall into the scope of protection of the invention.
Embodiment one
Fig. 1 is the method flow schematic diagram that embodiments of the invention one inject dynamic link library file, such as Fig. 1
Shown in, the method for the present embodiment may include that
Step 101, according to the dynamic link library file load request distribution process received, calling record has described
The load-on module call back function of process;
In the present embodiment, for existing by calling windows LoadLibrary function or windows
CreateRemoteThread function completes dll file injection and realizes dll file loading, easily should by some
By the technical problem of program intercepts, it is provided that a kind of new dll file injection realized at windows inner nuclear layer
And loading method, hook windows LoadLibrary function and windows solving application program
The problem of CreateRemoteThread function.
In the present embodiment, operating system receives dynamic link library file load request, at described dynamic link library
In file load request, including one or more dll file information to be loaded, operating system is according to dynamic
State chained library file load request distribution process.
Step 102, resolves described load-on module call back function, according to the parameter of described load-on module call back function
Obtain general importing table address;
In the present embodiment, in load-on module call back function, second parameter (the second parameter) is used for record
Process handle, the 3rd parameter (the 3rd parameter) is for record the process image address (ImageInfo), foundation
Second parameter and the 3rd parameter acquiring general importing table address.Wherein,
Process image address is a structure address, preserves the mapping base address (ImageBase) of process, profit
With mapping base address (ImageBase) and the process handle of process, so that it may obtain appointing of PE file format
Meaning data, for example, it is possible to obtain general importing table address (ImportDesc).At general importing table address
(ImportDesc) in corresponding general importing table, storage have dll file title, derive function and
The information such as dll file number, general importing table address (ImportDesc) is directed in general importing table all
The first address of dll file.
In the present embodiment, being arranged in general importing table, storage application program is reluctant to carry out to intercept or attack
Dll file, thus, even if by calling windows LoadLibrary function or windows
CreateRemoteThread function completes dll file and injects and after loading, and application program is described by hooking
Windows LoadLibrary function or windows CreateRemoteThread function, it is also possible to avoid weight
The dll file wanted loads intercepted.
As an alternative embodiment, include according to the second parameter and the 3rd parameter acquiring general importing table address:
Obtain the process handle in the second parameter of described load-on module call back function;
Obtain the process image address in the 3rd parameter of described load-on module call back function;
Extract the mapping base address of described process in described process image address;
According to the mapping base address of described process handle and described process, obtain general importing table address.
Step 103, reads the general importing table that described general importing table address is corresponding, from described dynamic link library
In the dynamic link library file that file load request comprises, it is dynamic that extraction is not stored in described general importing table
State chained library file;
In the present embodiment, if electronic equipment needs to run the specific dll file in application program, such as,
Security protection dll file, file are repaired dll file, checking and killing virus dll file etc. and are easily employed program
During the dll file attacked, by comprising corresponding DLL in the dynamic link library file load request initiated
File, load-on module call back function is by the dll file comprised in comparison dynamic link library file load request
And the dynamic link library file in general importing table, obtain being not stored in described general importing table is dynamic
Chained library file.
In the present embodiment, general importing table includes one or more thunk (Thunk) node,
It is the node of a dll file, the corresponding dll file of each Thunk node.
Fig. 2 is general importing list structure schematic diagram.See Fig. 2, including multiple Thunk, according to leading from general
Enter the order of table top to bottom, be designated as respectively: Thunk1, Thunk2, Thunk3 ..., Thunkn.
In the present embodiment, the structure size of a Thunk node is an IMAGE_IMPORT_DESCRIPT
OR structure size, is multiplied by the Thunk nodes that general importing table comprises, and can obtain including general importing table
Deposit the size in space.
Step 104, writes described general importing table by the dynamic link library file extracted, generates and update general purpose table,
The memory headroom of write extremely described process;
In the present embodiment, as an alternative embodiment, by described general for the dynamic link library file write extracted
Importing table, generate and update general purpose table, the memory headroom of write to described process includes:
A11, in the space to be applied for of described renewal general purpose table, by the dynamic link library file pair of described extraction
It is that reflection input describes (IMAGE_IMPORT_DESCRIPTOR) that the data answered sequentially are filled to structure
Thunk on;
In the present embodiment, the data that dynamic link library file is corresponding include: dynamic link library file title, lead
Go out the information such as function and dynamic link library file base address.I.e. at general importing table top, build corresponding institute
State the empty Thunk node of the dynamic link library file number of extraction, then, by the dynamic link library of each extraction
In the empty Thunk node that the filling data of file are the most corresponding.
A12, in the general importing table space of described renewal general purpose table, by dynamic chain in described general importing table
Connect data corresponding to library file sequentially fill to structure be IMAGE_IMPORT_DESCRIPTOR's
On Thunk, obtain updating general purpose table.
Fig. 3 imports list structure schematic diagram for updating.See Fig. 3, on the basis of Fig. 2, also include extraction
Thunk corresponding to dynamic link library file, such as, MyDLLThunk.
Step 105, loads the dynamic link library file in described renewal general purpose table in described memory headroom.
The present embodiment injects the method for dynamic link library file, by adding according to the dynamic link library file received
Carrying request distribution process, calling record has the load-on module call back function of described process;Resolve described loading mould
Block call back function, according to the parameter acquiring general importing table address of described load-on module call back function;Read institute
State the general importing table that general importing table address is corresponding, comprise from described dynamic link library file load request
In dynamic link library file, extract the dynamic link library file being not stored in described general importing table;To carry
The dynamic link library file taken writes described general importing table, generates and updates general purpose table, write to described process
Memory headroom;The dynamic link library file in described renewal general purpose table is loaded in described memory headroom.This
Sample, proposes new dynamic link library method for implanting, it is not necessary to call windows LoadLibrary function or
Windows CreateRemoteThread function completes dll file injection and realizes dll file loading, but
Load-on module call back function is utilized to realize the injection of dynamic link library file, beneficially dynamic link at inner nuclear layer
The application program that the loading in storehouse is not pre-arranged intercepts, and helps and ensures that the dll file of normal application adds
Carry, beneficially attended operation security of system, strengthen the safety of electronic device system such that it is able to/solve
The technical problem that certainly safety of existing electronic device system is relatively low.
Embodiment two
Fig. 4 is the method flow schematic diagram that the embodiment of the present invention two injects dynamic link library file, such as Fig. 4 institute
Showing, the method for the present embodiment may include that
Step 401, calls image amendment and arranges the kernel function described load-on module call back function of registration.
In the present embodiment, as an alternative embodiment, image amendment arranges kernel function and is
PsSetLoadImageNotifyRoutine kernel function.
In the present embodiment, calling load-on module call back function before process loads dll file, load-on module returns
Letter of transfer number is for revising the general importing table of process, when process initiation, the information of newly-increased dll file is saved
Point writes general importing table, thus realizes injection and the loading of specific dll file.
Step 402, according to the dynamic link library file load request distribution process received, calling record has described
The load-on module call back function of process;
Step 403, resolves described load-on module call back function, according to the parameter of described load-on module call back function
Obtain general importing table address;
Step 404, reads the general importing table that described general importing table address is corresponding, from described dynamic link library
In the dynamic link library file that file load request comprises, it is dynamic that extraction is not stored in described general importing table
State chained library file;
Step 405, writes described general importing table by the dynamic link library file extracted, generates and update general purpose table,
The memory headroom of write extremely described process;
Step 406, loads the dynamic link library file in described renewal general purpose table in described memory headroom.
In the present embodiment, the process of step 402 to step 406 respectively with the step of said method embodiment one
101 to step 105 is similar to, and here is omitted.
In the present embodiment, call PsSetLoadImageNotifyRoutine kernel function and register described loading mould
Block call back function, specify that the registration process of load-on module call back function.
Embodiment three
Fig. 5 is the method flow schematic diagram that the embodiment of the present invention three injects dynamic link library file, such as Fig. 5 institute
Showing, the method for the present embodiment may include that
Step 501, according to the dynamic link library file load request distribution process received, calling record has described
The load-on module call back function of process;
Step 502, resolves described load-on module call back function, according to the parameter of described load-on module call back function
Obtain general importing table address;
Step 503, reads the general importing table that described general importing table address is corresponding, from described dynamic link library
In the dynamic link library file that file load request comprises, it is dynamic that extraction is not stored in described general importing table
State chained library file;
In the present embodiment, the process of step 501 to step 503 respectively with the step of said method embodiment one
101 to step 103 is similar to, and here is omitted.
Step 504, the dynamic link library file number that record extracts;
Step 505, the memory space taken according to a Thunk node in described general importing table, calculate described
The dynamic link library file number extracted and the product of described memory space, obtain space to be applied for;
Step 506, calls Memory Allocation kernel function, is that described renewal is led on the memory headroom of described process
With table application comprise described in space to be applied for and the renewal general purpose table space of general importing table space;
In the present embodiment, Memory Allocation kernel function is ZwAllocateVirtualMemory kernel function, often
The memory space that one Thunk node takies is IMAGE_IMPORT_DESCRIPTOR structure size.Will
Original space that general importing table takies, plus the space to be applied for newly increased, can obtain updating general purpose table and exist
Memory headroom size required after injecting the dynamic link library file extracted, the renewal general purpose table space of application is
Space to be applied for and the sum of general importing table space.
In the present embodiment, as an alternative embodiment, by described general for the dynamic link library file write extracted
Import the top of table, generate and update general purpose table.Certainly, in actual application, it is also possible to the dynamic chain that will extract
Connect library file and write other positions of described general importing table.
Step 507, writes described general importing table by the dynamic link library file extracted, generates and update general purpose table,
The memory headroom of write extremely described process;
Step 508, loads the dynamic link library file in described renewal general purpose table in described memory headroom.
In the present embodiment, the process of step 507 to step 508 respectively with the step of said method embodiment one
104 to step 105 is similar to, and here is omitted.
The present embodiment, the dynamic link library file number extracted by record;According in described general importing table one
The memory space that node takies, calculates the dynamic link library file number of described extraction and taking advantage of of described memory space
Long-pending, obtain space to be applied for;Call ZwAllocateVirtualMemory kernel function, in described process
On memory headroom for described renewal general purpose table application comprise described in space to be applied for and general importing table space
Update general purpose table space, can reach to update the effect of general importing table.
Embodiment four
Fig. 6 is the schematic flow sheet that the embodiment of the present invention four injects the method for dynamic link library file, such as Fig. 6
Shown in, the method for the present embodiment may include that
Step 601, according to the dynamic link library file load request distribution process received, calling record has described
The load-on module call back function of process;
Step 602, resolves described load-on module call back function, according to the parameter of described load-on module call back function
Obtain general importing table address;
Step 603, reads the general importing table that described general importing table address is corresponding, from described dynamic link library
In the dynamic link library file that file load request comprises, it is dynamic that extraction is not stored in described general importing table
State chained library file;
Step 604, writes described general importing table by the dynamic link library file extracted, generates and update general purpose table,
The memory headroom of write extremely described process;
Step 605, loads the dynamic link library file in described renewal general purpose table in described memory headroom;
In the present embodiment, the process of step 601 to step 605 respectively with the step of said method embodiment one
101 to step 105 is similar to, and here is omitted
Step 606, utilizes described renewal general purpose table replace described general importing table and utilize described renewal general purpose table
Described general importing table address is replaced in address;
In the present embodiment, the new ImportDesc updating importing table is utilized to replace old general importing table
ImportDesc, can realize increasing by a MyDLL (dynamic link by dynamic link library file sum increase by 1
Library file) injection.
Step 607, when described process is out of service, calls the process creation pre-set and exits call back function,
Call described general importing table and replace described renewal general purpose table, utilize described general importing table address to replace described
Update general purpose table address.
In the present embodiment, it is without existing api function (windows owing to dynamic link library file injects
LoadLibrary function or windows CreateRemoteThread function) realize, it is autonomous by adding
Carry module call back function and realize the injection of dynamic link library file, thus, operating system to be unaware of process many
One or more dynamic link library files (modules), therefore when process exits, in addition it is also necessary to application program is voluntarily
Unload this dynamic link library file (module).
In the present embodiment, as an alternative embodiment, process creation exits call back function and is
CreateProcessCallback function.
In the present embodiment, at process creation or when exiting, by calling CreateProcessCallback function,
Delete and update the dynamic link library file newly increased in importing table, and utilize the ImportDesc of general importing table
The ImportDesc address updating general purpose table is replaced in address, by dynamic link library file sum minimizing 1, thus
Realize the unloading of dynamic link library file.
As an alternative embodiment, call establishment process and notify that arranging the kernel function described process creation of injection moves back
Go out call back function.Wherein, as an alternative embodiment, establishment process notice arranges kernel function and is
PsSetCreateProcessNotifyRoutine kernel function.
The present embodiment, by utilizing described renewal general purpose table replace described general importing table and utilize described renewal
Described general importing table address is replaced in general purpose table address;When described process is out of service, calls and pre-set
Process creation exit call back function, call described general importing table replace described renewal general purpose table, utilize institute
State general importing table address and replace described renewal general purpose table address.The unloading of dynamic link library file can be realized
Effect.
Embodiment five
Fig. 7 is the apparatus structure schematic diagram that embodiments of the invention five inject dynamic link library file, such as Fig. 7
Shown in, the device of the present embodiment may include that call back function calling module 71, Parameter analysis of electrochemical module 72, literary composition
Part extraction module 73, more new module 74 and file load module 75, wherein,
Call back function calling module 71, for distributing process according to the dynamic link library file load request received,
Call record and have the load-on module call back function of described process;
In the present embodiment, operating system receives dynamic link library file load request, at described dynamic link library
In file load request, including one or more dll file information to be loaded, operating system is according to dynamic
State chained library file load request distribution process.
Parameter analysis of electrochemical module 72, is used for resolving described load-on module call back function, returns according to described load-on module
The parameter acquiring general importing table address of letter of transfer number;
In the present embodiment, in load-on module call back function, the second parameter be used for record the process handle, the 3rd
Parameter is used for record the process image address (ImageInfo).Wherein,
Process image address is a structure address, preserves the ImageBase of process, utilizes process
ImageBase and process handle, can obtain ImportDesc.In the general importing that ImportDesc is corresponding
In table, storage has the title of dll file, derives the information such as function and dll file number, ImportDesc
It is directed to the first address of all dll files in general importing table.
In the present embodiment, as an alternative embodiment, Parameter analysis of electrochemical module 72 includes: function resolution unit,
Process handle acquiring unit, process image address acquisition unit, base address extraction unit and importing table address
Acquiring unit (not shown), wherein,
Function resolution unit, is used for resolving described load-on module call back function;
Process handle acquiring unit, the process handle in the parameter obtaining described load-on module call back function;
Process image address acquisition unit, the process in the parameter obtaining described load-on module call back function
Image address;
Base address extraction unit, for extracting the mapping base address of the described process in described process image address;
Import table address acquiring unit, for the mapping base address according to described process handle and described process,
Obtain general importing table address.
File extraction module 73, for reading the general importing table that described general importing table address is corresponding, from institute
Stating in the dynamic link library file that dynamic link library file load request comprises, extraction is not stored in described general
Import the dynamic link library file in table;
In the present embodiment, load-on module call back function comprises by comparison dynamic link library file load request
Dll file and general importing table in dynamic link library file, obtain being not stored in described general importing
Dynamic link library file in table.
In the present embodiment, general importing table includes one or more Thunk node, is a dll file
Node, the corresponding dll file of each Thunk node.
More new module 74, writes described general importing table for the dynamic link library file that will extract, generates more
New general purpose table, the memory headroom of write to described process;
In the present embodiment, as an alternative embodiment, more new module 74 includes: first fills unit and the
Two filling unit (not shown)s, wherein,
First fills unit, in space to be applied for described in described renewal general purpose table, by described extraction
Data corresponding to dynamic link library file sequentially fill to structure be the thunk that reflection input describes
On node;
Second fills unit, in the described general importing table space of described renewal general purpose table, by described
The data that in general importing table, dynamic link library file is corresponding are sequentially filled to the shape that structure is reflection input description
Real-turn is changed in program node, obtains updating general purpose table.
In the present embodiment, the data that dynamic link library file is corresponding include: dynamic link library file title, lead
Go out the information such as function and dynamic link library file base address.
File load module 75, for loading the dynamic chain in described renewal general purpose table in described memory headroom
Connect library file.
In the present embodiment, as an alternative embodiment, this device also includes:
Registering modules 76, is used for calling image amendment and arranges the kernel function described load-on module call back function of registration.
In the present embodiment, as an alternative embodiment, image amendment arranges kernel function and is
PsSetLoadImageNotifyRoutine kernel function.
As another alternative embodiment, this device also includes: logging modle 77, internal memory computing module 78 and
Internal memory application module 79, wherein,
Logging modle 77, for recording the dynamic link library file number of extraction;
Internal memory computing module 78, for the memory space taken according to a node in described general importing table, meter
Calculate the dynamic link library file number of described extraction and the product of described memory space, obtain space to be applied for;
Internal memory application module 79, is used for calling Memory Allocation kernel function, on the memory headroom of described process
For described renewal general purpose table application comprise described in space to be applied for and the renewal general purpose table of general importing table space
Space.
In the present embodiment, Memory Allocation kernel function is ZwAllocateVirtualMemory kernel function, often
The memory space that one node takies is IMAGE_IMPORT_DESCRIPTOR structure size, and application is more
New general purpose table space is space to be applied for and the sum of general importing table space.
As yet another alternative embodiment, this device also includes: replacement module 70 and exit processing module 80,
Wherein,
Replacement module 70, is used for utilizing described renewal general purpose table to replace described in described general importing table utilization more
Described general importing table address is replaced in new general purpose table address;
Exit processing module 80, for when described process is out of service, call the process creation pre-set
Exit call back function, call described general importing table and replace described renewal general purpose table, utilize described general importing
Table address replaces described renewal general purpose table address.
In the present embodiment, as an alternative embodiment, call establishment process and notify that arranging kernel function injects institute
State process creation and exit call back function.Wherein, establishment process notice arranges kernel function and is
PsSetCreateProcessNotifyRoutine kernel function, process creation exits call back function and is
CreateProcessCallback function.
The device of the present embodiment, may be used for performing the technical scheme of embodiment of the method shown in Fig. 1 to Fig. 6,
It is similar with technique effect that it realizes principle, and here is omitted.
It should be noted that in this article, the relational terms of such as first and second or the like be used merely to by
One entity or operation separate with another entity or operating space, and not necessarily require or imply these
Relation or the order of any this reality is there is between entity or operation.And, term " includes ", " bag
Contain " or its any other variant be intended to comprising of nonexcludability, so that include a series of key element
Process, method, article or equipment not only include those key elements, but also include being not expressly set out
Other key elements, or also include the key element intrinsic for this process, method, article or equipment.?
In the case of there is no more restriction, statement " including ... " key element limited, it is not excluded that at bag
Include and the process of described key element, method, article or equipment there is also other identical element.
Each embodiment in this specification all uses relevant mode to describe, phase homophase between each embodiment
As part see mutually, what each embodiment stressed is the difference with other embodiments.
For device embodiment, owing to it is substantially similar to embodiment of the method, so describe
Fairly simple, relevant part sees the part of embodiment of the method and illustrates.
Represent in flow charts or the logic described otherwise above at this and/or step, for example, it is possible to recognized
For being the sequencing list of executable instruction for realizing logic function, may be embodied in any computer
In computer-readable recording medium, (such as computer based system, include place for instruction execution system, device or equipment
The reason system of device or other can be from instruction execution system, device or equipment instruction fetch the system performing instruction)
Use, or combine these instruction execution systems, device or equipment and use.For the purpose of this specification, " calculate
Machine computer-readable recording medium " can be any can to comprise, store, communicate, propagate or transmission procedure performs for instruction
System, device or equipment or combine these instruction execution systems, device or equipment and the device that uses.Calculate
The more specifically example (non-exhaustive list) of machine computer-readable recording medium includes following: have one or more wiring
Electrical connection section (electronic installation), portable computer diskette box (magnetic device), random access memory (RAM),
Read only memory (ROM), erasable edits read only memory (EPROM or flash memory), light
Fine device, and portable optic disk read only memory (CDROM).It addition, computer-readable medium is even
Can be paper or other the suitable media that can print described program thereon, because can be such as by paper
Or other media carry out optical scanning, then carry out editing, interpret or carrying out with other suitable methods if desired
Process and electronically obtain described program, be then stored in computer storage.
Should be appreciated that each several part of the present invention can realize by hardware, software, firmware or combinations thereof.
In the above-described embodiment, multiple steps or method can be with storing in memory and by suitably referring to
Software that execution system performs or firmware is made to realize.Such as, if realized with hardware and real at another
As executing in mode, can realize by any one in following technology well known in the art or their combination:
There is the discrete logic of logic gates for data signal realizes logic function, have suitably
The special IC of combination logic gate circuit, programmable gate array (PGA), field programmable gate array
(FPGA) etc..
The embodiment of the present invention also provides for a kind of electronic equipment, and described electronic equipment comprises aforementioned any embodiment institute
The device stated.
Fig. 8 is the structural representation of one embodiment of electronic equipment of the present invention, it is possible to achieve Fig. 1-7 of the present invention
The flow process of illustrated embodiment, as shown in Figure 8, above-mentioned electronic equipment may include that housing 81, processor 82,
Memorizer 83, circuit board 84 and power circuit 85, wherein, circuit board 84 is placed in what housing 81 surrounded
Interior volume, processor 82 and memorizer 83 are arranged on circuit board 84;Power circuit 85, for for
Each circuit or the device of stating electronic equipment are powered;Memorizer 83 is used for storing executable program code;Process
Device 82 runs and executable program code pair by reading the executable program code of storage in memorizer 83
The program answered, for performing the method injecting dynamic link library file described in aforementioned any embodiment.
Processor 82 to concrete process and the processor 82 of performing of above-mentioned steps by running executable program
The step that code performs further, may refer to the description of Fig. 1-6 illustrated embodiment of the present invention, at this no longer
Repeat.
This electronic equipment exists in a variety of forms, includes but not limited to:
(1) mobile communication equipment: the feature of this kind equipment is to possess mobile communication function, and with provide speech,
Data communication is main target.This Terminal Type includes: smart mobile phone (such as iPhone), multimedia handset,
Functional mobile phone, and low-end mobile phone etc..
(2) super mobile personal computer equipment: this kind equipment belongs to the category of personal computer, has calculating and place
Reason function, the most also possesses mobile Internet access characteristic.This Terminal Type includes: PDA, MID and UMPC set
Standby etc., such as iPad.
(3) portable entertainment device: this kind equipment can show and play content of multimedia.This kind equipment includes:
Audio frequency, video player (such as iPod), handheld device, e-book, and intelligent toy and portable
In-vehicle navigation apparatus.
(4) server: provide calculate service equipment, the composition of server include processor, hard disk, internal memory,
System bus etc., server is similar with general computer architecture, but owing to needing to provide highly reliable clothes
Business, therefore at aspects such as disposal ability, stability, reliability, safety, extensibility, manageabilitys
Require higher.
(5) other have the electronic equipment of data interaction function.
Those skilled in the art are appreciated that and realize the whole or portion that above-described embodiment method is carried
The program that can be by step by step completes to instruct relevant hardware, and described program can be stored in a kind of meter
In calculation machine readable storage medium storing program for executing, this program upon execution, including one or a combination set of the step of embodiment of the method.
For convenience of description, describing apparatus above is to be divided into various units/modules to be respectively described with function.When
So, can be the function of each unit/module in same or multiple softwares and/or hardware when implementing the present invention
Realize.
As seen through the above description of the embodiments, those skilled in the art is it can be understood that arrive this
Invention can add the mode of required general hardware platform by software and realize.Based on such understanding,
The part that prior art is contributed by technical scheme the most in other words can be with software product
Form embodies, and this computer software product can be stored in storage medium, such as ROM/RAM, magnetic
Dish, CD etc., including some instructions with so that a computer equipment (can be personal computer, take
Business device, or the network equipment etc.) perform described in some part of each embodiment of the present invention or embodiment
Method.
The above, the only detailed description of the invention of the present invention, but protection scope of the present invention is not limited to
This, any those familiar with the art, in the technical scope that the invention discloses, can readily occur in
Change or replacement, all should contain within protection scope of the present invention.Therefore, protection scope of the present invention
Should be as the criterion with scope of the claims.
Claims (10)
1. the method injecting dynamic link library file, it is characterised in that including:
According to the dynamic link library file load request distribution process received, calling record has adding of described process
Carry module call back function;
Resolving described load-on module call back function, the parameter acquiring according to described load-on module call back function is general
Import table address;
Read the general importing table that described general importing table address is corresponding, load from described dynamic link library file
In the dynamic link library file that request comprises, extract the dynamic link library being not stored in described general importing table
File;
The dynamic link library file extracted being write described general importing table, generates and update general purpose table, write is extremely
The memory headroom of described process;
The dynamic link library file in described renewal general purpose table is loaded in described memory headroom.
The method of injection dynamic link library file the most according to claim 1, it is characterised in that described
Include according to the parameter acquiring general importing table address of described load-on module call back function:
Obtain the process handle in the parameter of described load-on module call back function;
Obtain the process image address in the parameter of described load-on module call back function;
Extract the mapping base address of described process in described process image address;
According to the mapping base address of described process handle and described process, obtain general importing table address.
The method of injection dynamic link library file the most according to claim 1, it is characterised in that in institute
State after extracting the dynamic link library file being not stored in described general importing table, the dynamic link that will extract
Before library file writes described general importing table, described method also includes:
The dynamic link library file number that record extracts;
The memory space taken according to a node in described general importing table, calculates the dynamic link of described extraction
Library text number of packages and the product of described memory space, obtain space to be applied for;
Call Memory Allocation kernel function, the memory headroom of described process is described renewal general purpose table application
The renewal general purpose table space of space to be applied for described in comprising and general importing table space.
The method of injection dynamic link library file the most according to claim 3, it is characterised in that described
The dynamic link library file extracted being write described general importing table, generates and update general purpose table, write is to described
The memory headroom of process includes:
In space to be applied for described in described renewal general purpose table, by the dynamic link library file pair of described extraction
The data answered sequentially are filled to the thunk node that structure is reflection input description;
In the described general importing table space of described renewal general purpose table, by dynamic chain in described general importing table
Connect data corresponding to library file sequentially to fill to the thunk node that structure is reflection input description,
Obtain updating general purpose table.
The method of injection dynamic link library file the most according to claim 1, it is characterised in that in institute
Before stating according to the dynamic link library file load request distribution process received, described method also includes:
Call image amendment and the kernel function described load-on module call back function of registration is set.
6. according to the method injecting dynamic link library file described in any one of claim 1 to 5, its feature
It is, after described memory headroom loads the dynamic link library file in described renewal general purpose table, described
Method also includes:
Described renewal general purpose table is utilized to replace described general importing table and utilize described renewal general purpose table address to replace
Described general importing table address;
When described process is out of service, calls the process creation pre-set and exit call back function, call institute
State general importing table and replace described renewal general purpose table, utilize described general importing table address to replace described renewal and lead to
Use table address.
The method of injection dynamic link library file the most according to claim 6, it is characterised in that call
Establishment process notice arranges the kernel function described process creation of injection and exits call back function.
8. the device injecting dynamic link library file, it is characterised in that including: call back function calls mould
Block, Parameter analysis of electrochemical module, file extraction module, more new module and file load module, wherein,
Call back function calling module, for distributing process according to the dynamic link library file load request received,
Call record and have the load-on module call back function of described process;
Parameter analysis of electrochemical module, is used for resolving described load-on module call back function, adjusts back according to described load-on module
The parameter acquiring general importing table address of function;
File extraction module, for reading the general importing table that described general importing table address is corresponding, from described
In the dynamic link library file that dynamic link library file load request comprises, extract and be not stored in described general lead
Enter the dynamic link library file in table;
More new module, writes described general importing table for the dynamic link library file that will extract, generates and update
General purpose table, the memory headroom of write to described process;
File load module, for loading the dynamic link in described renewal general purpose table in described memory headroom
Library file.
The device of injection dynamic link library file the most according to claim 8, it is characterised in that described
Parameter analysis of electrochemical module includes: function resolution unit, process handle acquiring unit, process image address acquisition list
Unit, base address extraction unit and importing table address acquiring unit, wherein,
Function resolution unit, is used for resolving described load-on module call back function;
Process handle acquiring unit, the process handle in the parameter obtaining described load-on module call back function;
Process image address acquisition unit, the process in the parameter obtaining described load-on module call back function
Image address;
Base address extraction unit, for extracting the mapping base address of the described process in described process image address;
Import table address acquiring unit, for the mapping base address according to described process handle and described process,
Obtain general importing table address.
The device of injection dynamic link library file the most according to claim 8, it is characterised in that institute
State device also to include: logging modle and internal memory application module, wherein,
Logging modle, for recording the dynamic link library file number of extraction;
Internal memory computing module, for the memory space taken according to a node in described general importing table, calculates
The dynamic link library file number of described extraction and the product of described memory space, obtain space to be applied for;
Internal memory application module, is used for calling Memory Allocation kernel function, on the memory headroom of described process is
Described renewal general purpose table application comprise described in the renewal general purpose table of space to be applied for and general importing table space empty
Between.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610244973.9A CN105955762A (en) | 2016-04-19 | 2016-04-19 | Method and device for injecting dynamic link library file and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610244973.9A CN105955762A (en) | 2016-04-19 | 2016-04-19 | Method and device for injecting dynamic link library file and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105955762A true CN105955762A (en) | 2016-09-21 |
Family
ID=56918071
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610244973.9A Pending CN105955762A (en) | 2016-04-19 | 2016-04-19 | Method and device for injecting dynamic link library file and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105955762A (en) |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106557424A (en) * | 2016-11-18 | 2017-04-05 | 腾讯科技(深圳)有限公司 | Internal storage testing method, measured terminal, test client and system |
CN106682494A (en) * | 2016-11-16 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Information access method, device and equipment |
CN107688747A (en) * | 2017-09-01 | 2018-02-13 | 武汉倚天剑科技有限公司 | A kind of configurable and integrated Hook system and method under Windows environment |
CN108279905A (en) * | 2018-01-04 | 2018-07-13 | 武汉斗鱼网络科技有限公司 | The method and device of library file is introduced in a kind of component |
CN108491237A (en) * | 2018-03-29 | 2018-09-04 | 山东华软金盾软件股份有限公司 | A kind of hidden Dll file method for implanting |
CN109471671A (en) * | 2017-09-06 | 2019-03-15 | 武汉斗鱼网络科技有限公司 | A kind of program cold start-up method and system |
CN109597662A (en) * | 2018-11-08 | 2019-04-09 | 百度在线网络技术(北京)有限公司 | The call method, device and electronic equipment in non-public library in mobile terminal |
CN109710671A (en) * | 2018-12-14 | 2019-05-03 | 国云科技股份有限公司 | Realize the method and its database firewall system of the drainage of database manipulation data |
CN109766141A (en) * | 2018-12-26 | 2019-05-17 | 北京思源互联科技有限公司 | A kind of data dynamic updating method and its device based on dynamic link library |
CN110275722A (en) * | 2019-06-21 | 2019-09-24 | 北京百度网讯科技有限公司 | Method, apparatus, equipment and storage medium for upgrade application |
CN110417931A (en) * | 2019-07-05 | 2019-11-05 | 腾讯科技(深圳)有限公司 | Domain name mapping records acquisition methods, device, computer equipment and storage medium |
CN110928547A (en) * | 2019-10-16 | 2020-03-27 | 平安普惠企业管理有限公司 | Public file extraction method, device, terminal and storage medium |
CN111078323A (en) * | 2019-10-12 | 2020-04-28 | 平安科技(深圳)有限公司 | Coroutine-based data processing method and device, computer equipment and storage medium |
CN111104178A (en) * | 2018-10-26 | 2020-05-05 | 武汉斗鱼网络科技有限公司 | Dynamic library loading method, terminal device and storage medium |
CN112948024A (en) * | 2021-04-15 | 2021-06-11 | 网易(杭州)网络有限公司 | Loading method and device of dynamic link library, storage medium and electronic equipment |
CN114070820A (en) * | 2021-11-11 | 2022-02-18 | 南京指掌易信息科技有限公司 | Domain name redirection method, device, medium and electronic equipment |
CN114610405A (en) * | 2022-03-03 | 2022-06-10 | 深圳盛显科技有限公司 | Multi-application screen capture and network code output method, device, medium and product |
CN116662270A (en) * | 2022-09-09 | 2023-08-29 | 荣耀终端有限公司 | File analysis method and related device |
CN117763538A (en) * | 2023-12-22 | 2024-03-26 | 摩尔线程智能科技(北京)有限责任公司 | Injection method, device and computer readable medium for dynamic link library |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103218428A (en) * | 2013-04-09 | 2013-07-24 | 深圳市九洲电器有限公司 | Dynamic link method and system |
CN103530118A (en) * | 2013-09-30 | 2014-01-22 | 广州华多网络科技有限公司 | Method and device for loading user-defined DLL into target progress |
CN104679561A (en) * | 2015-02-15 | 2015-06-03 | 福建天晴数码有限公司 | Dynamic link library file loading method and dynamic link library file loading system |
-
2016
- 2016-04-19 CN CN201610244973.9A patent/CN105955762A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103218428A (en) * | 2013-04-09 | 2013-07-24 | 深圳市九洲电器有限公司 | Dynamic link method and system |
CN103530118A (en) * | 2013-09-30 | 2014-01-22 | 广州华多网络科技有限公司 | Method and device for loading user-defined DLL into target progress |
CN104679561A (en) * | 2015-02-15 | 2015-06-03 | 福建天晴数码有限公司 | Dynamic link library file loading method and dynamic link library file loading system |
Non-Patent Citations (1)
Title |
---|
COSMOSLIFE: ""驱动中给进程注入DLL,模拟GlobaHook,不完整,某些情况下报错"", 《HTTPS://BLOG.CSDN.NET/COSMOSLIFE/ARTICLE/DETAILS/50560658》 * |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106682494A (en) * | 2016-11-16 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Information access method, device and equipment |
CN106557424B (en) * | 2016-11-18 | 2019-12-10 | 腾讯科技(深圳)有限公司 | Memory test method, tested terminal, test client and system |
CN106557424A (en) * | 2016-11-18 | 2017-04-05 | 腾讯科技(深圳)有限公司 | Internal storage testing method, measured terminal, test client and system |
CN107688747A (en) * | 2017-09-01 | 2018-02-13 | 武汉倚天剑科技有限公司 | A kind of configurable and integrated Hook system and method under Windows environment |
CN109471671A (en) * | 2017-09-06 | 2019-03-15 | 武汉斗鱼网络科技有限公司 | A kind of program cold start-up method and system |
CN108279905A (en) * | 2018-01-04 | 2018-07-13 | 武汉斗鱼网络科技有限公司 | The method and device of library file is introduced in a kind of component |
CN108491237A (en) * | 2018-03-29 | 2018-09-04 | 山东华软金盾软件股份有限公司 | A kind of hidden Dll file method for implanting |
CN108491237B (en) * | 2018-03-29 | 2020-11-27 | 山东华软金盾软件股份有限公司 | Hidden Dll file injection method |
CN111104178A (en) * | 2018-10-26 | 2020-05-05 | 武汉斗鱼网络科技有限公司 | Dynamic library loading method, terminal device and storage medium |
CN109597662A (en) * | 2018-11-08 | 2019-04-09 | 百度在线网络技术(北京)有限公司 | The call method, device and electronic equipment in non-public library in mobile terminal |
CN109597662B (en) * | 2018-11-08 | 2021-07-27 | 百度在线网络技术(北京)有限公司 | Method and device for calling non-public library in mobile terminal and electronic equipment |
CN109710671A (en) * | 2018-12-14 | 2019-05-03 | 国云科技股份有限公司 | Realize the method and its database firewall system of the drainage of database manipulation data |
CN109766141A (en) * | 2018-12-26 | 2019-05-17 | 北京思源互联科技有限公司 | A kind of data dynamic updating method and its device based on dynamic link library |
CN110275722A (en) * | 2019-06-21 | 2019-09-24 | 北京百度网讯科技有限公司 | Method, apparatus, equipment and storage medium for upgrade application |
CN110275722B (en) * | 2019-06-21 | 2023-08-08 | 北京百度网讯科技有限公司 | Method, apparatus, device and storage medium for upgrading application |
CN110417931A (en) * | 2019-07-05 | 2019-11-05 | 腾讯科技(深圳)有限公司 | Domain name mapping records acquisition methods, device, computer equipment and storage medium |
CN110417931B (en) * | 2019-07-05 | 2022-05-17 | 腾讯科技(深圳)有限公司 | Domain name resolution record acquisition method and device, computer equipment and storage medium |
CN111078323A (en) * | 2019-10-12 | 2020-04-28 | 平安科技(深圳)有限公司 | Coroutine-based data processing method and device, computer equipment and storage medium |
CN110928547A (en) * | 2019-10-16 | 2020-03-27 | 平安普惠企业管理有限公司 | Public file extraction method, device, terminal and storage medium |
CN112948024A (en) * | 2021-04-15 | 2021-06-11 | 网易(杭州)网络有限公司 | Loading method and device of dynamic link library, storage medium and electronic equipment |
CN114070820A (en) * | 2021-11-11 | 2022-02-18 | 南京指掌易信息科技有限公司 | Domain name redirection method, device, medium and electronic equipment |
CN114070820B (en) * | 2021-11-11 | 2023-09-01 | 南京指掌易信息科技有限公司 | Domain name redirection method, device, medium and electronic equipment |
CN114610405A (en) * | 2022-03-03 | 2022-06-10 | 深圳盛显科技有限公司 | Multi-application screen capture and network code output method, device, medium and product |
CN114610405B (en) * | 2022-03-03 | 2024-03-29 | 深圳盛显科技有限公司 | Multi-application screen capturing and network code output method, equipment, medium and product |
CN116662270A (en) * | 2022-09-09 | 2023-08-29 | 荣耀终端有限公司 | File analysis method and related device |
CN116662270B (en) * | 2022-09-09 | 2024-05-10 | 荣耀终端有限公司 | File analysis method and related device |
CN117763538A (en) * | 2023-12-22 | 2024-03-26 | 摩尔线程智能科技(北京)有限责任公司 | Injection method, device and computer readable medium for dynamic link library |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105955762A (en) | Method and device for injecting dynamic link library file and electronic equipment | |
CN107643940A (en) | Container creation method, relevant device and computer-readable storage medium | |
CN105912362A (en) | Method and device for loading plug-in and electronic equipment | |
CN104809390A (en) | Safe operation method and device of system | |
CN109376078A (en) | Test method, terminal device and the medium of mobile application | |
CN108614976A (en) | Authority configuring method, device and storage medium | |
CN106201468A (en) | Screen capture processing method and device and electronic equipment | |
CN106886568B (en) | One kind divides table method, apparatus and electronic equipment | |
CN104268472B (en) | Reduction is by the method and apparatus of third party's dynamic base Modification growth function address | |
CN103975336A (en) | Encoding labels in values to capture information flows | |
CN105893847A (en) | Method and device for protecting safety protection application program file and electronic equipment | |
CN110704833A (en) | Data permission configuration method, device, electronic device and storage medium | |
CN106326735A (en) | Anti-injection method and apparatus | |
CN109446754A (en) | The guard method of algorithm, device, equipment and storage medium in intelligent contract | |
Bandara et al. | Patterns for blockchain migration | |
CN107506494A (en) | Document handling method, mobile terminal and computer-readable recording medium | |
CN103514004A (en) | Method and device for managing system environment under Windows system | |
CN106682504B (en) | A kind of method, apparatus for preventing file from maliciously being edited and electronic equipment | |
CN104408178A (en) | Device and method for WEB control loading | |
CN106022120A (en) | File monitoring processing method and device and electronic equipment | |
CN105893846A (en) | Method and device for protecting target application program and electronic equipment | |
CN108038378A (en) | High in the clouds detection function is by the method for malicious modification, terminal device and storage medium | |
CN107861751A (en) | The amending method and device of configuration file | |
CN107133163A (en) | A kind of method and apparatus for verifying description class API | |
CN111385661B (en) | Method, device, terminal and storage medium for voice control of full screen playing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20190104 Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
|
TA01 | Transfer of patent application right | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160921 |
|
RJ01 | Rejection of invention patent application after publication |