CN104679561A - Dynamic link library file loading method and dynamic link library file loading system - Google Patents


Info

Publication number: CN104679561A (granted as CN104679561B)
Authority: CN (China)
Application number: CN201510081941.7A
Priority date / filing date: 2015-02-15
Publication dates: 2015-06-03 (CN104679561A), 2018-07-06 (CN104679561B)
Original language: Chinese (zh)
Inventors: 刘德建, 方振华, 何巍巍, 翁祖岚
Assignee (original and current): Fujian TQ Digital Co Ltd
Legal status: granted, active
Prior art keywords: dynamic link library, library file, loading

Abstract

The invention relates to the field of dynamic link libraries, and in particular to a method and system for loading a dynamic link library file. The method comprises the steps: S100, reading a dynamic link library file and loading it into a preset first memory region; S200, checking whether the dynamic link library file conforms to the PE format; if it does, performing step S300, otherwise ending the procedure and reporting that the dynamic link library file is invalid; S300, extracting the PE header from the dynamic link library file according to the PE format and loading the PE header into a preset second memory region. By loading a PE-format dynamic link library file into the first memory region and its PE header into the second memory region, the method carries out PE loading.

Description

Method and system for loading a dynamic link library file
Technical field
The present invention relates to the field of dynamic link libraries, and in particular to a method and system for loading a dynamic link library file.
Background technology
There are many methods for hiding a dynamic link library file. One is unlinking from the module list: the dynamic link library file disappears from the module linked list, but tools such as XT, which work at the driver level, can still find traces of it, so the concealment is poor. XT here is XueTr, a widely used operating-system management tool with functions such as viewing processes, threads, kernel modules, process windows, process memory and hotkey information, killing processes and threads, and unloading modules.
(1) There are two main remote-thread injection methods. The first copies pre-prepared code directly into the target process's address space and then starts the injected code. Once such a remote thread succeeds, the code exists only in the target process's memory with no corresponding file on disk, so it is well concealed. Its drawback is that every direct-addressing instruction in the injected code must be patched, and doing this by hand in assembly is tedious;
(2) The other, more common method injects a DLL file into the target process, implemented either through a message hook or through code. Its advantage is that the DLL carries a relocation table, so there is no need to worry about patching direct-addressing instructions: the DLL relocates itself. Its disadvantage is that a process management tool can see the file name and path of the loaded DLL. This is not ideal, because a user only has to look at the module list to spot a suspicious module and obtain the full path of the DLL, which exposes the DLL file.
Summary of the invention
The technical problem to be solved by the invention is to provide a method and system for the seamless loading of a dynamic link library file.
To solve the above technical problem, the technical solution adopted by the invention is:
A method for loading a dynamic link library file, comprising the following steps:
S100: read a dynamic link library file and load it into a preset first memory region;
S200: check whether the dynamic link library file conforms to the PE format; if it does, perform step S300; otherwise end the procedure and report that the dynamic link library file is invalid;
S300: extract the PE header from the dynamic link library file according to the PE format and load the PE header into a preset second memory region.
Another technical solution adopted by the invention is:
A system for loading a dynamic link library file, comprising a reading unit, a first loading unit, a checking unit, an extraction unit and a second loading unit;
the reading unit is used to read a dynamic link library file;
the first loading unit is used to load the dynamic link library file into a preset first memory region;
the checking unit is used to check whether the dynamic link library file conforms to the PE format;
the extraction unit is used to extract the PE header from the dynamic link library file according to the PE format;
the second loading unit is used to load the PE header into a preset second memory region.
The beneficial effects of the invention are:
1. With the loading method provided by the invention, the dynamic link library file is loaded more covertly. Rather than tampering with the PEB (the Process Environment Block, a structure that holds a process's information) to unlink the module to be hidden from the LDR module list, the dynamic link library file is loaded directly into memory and leaves no trace, so neither the OD nor the XT tool can find any trace of it;
2. On both 32-bit and 64-bit systems, the dynamic link library file is loaded more stably by this loading method;
3. Games sometimes need to hide a dynamic link library file in the R3 application layer (Intel CPUs divide privilege into four levels, RING0, RING1, RING2 and RING3; Windows uses only RING0, reserved for the operating system, and RING3, available to both the operating system and the application layer) to prevent anyone from obtaining a handle to the dynamic link library file and performing illegal operations on it. This loading method allows the dynamic link library file to be loaded while preventing cheat plug-ins from dynamically obtaining its base address.
Description of the drawings
Fig. 1 is a flow chart of the method for loading a dynamic link library file according to the specific embodiment of the invention;
Fig. 2 is a schematic structural diagram of the system for loading a dynamic link library file according to the specific embodiment of the invention;
Fig. 3 is a PE file structure diagram of the specific embodiment of the invention;
Fig. 4 is a comparison diagram of the PE file structure on disk and in memory for the specific embodiment of the invention;
Reference numerals:
10, reading unit; 20, first loading unit; 30, checking unit; 40, extraction unit; 50, second loading unit.
Embodiments
To explain the technical content, objects and effects of the invention in detail, the embodiments are described below with reference to the accompanying drawings.
The key design of the invention is: load a dynamic link library file that conforms to the PE format into a first memory region, then load the PE header of the dynamic link library into a second memory region, thereby carrying out PE loading.
Referring to Fig. 1, the flow chart of the method for loading a dynamic link library file according to the specific embodiment of the invention, the method is as follows:
A method for loading a dynamic link library file, comprising the following steps:
S100: read a dynamic link library file and load it into a preset first memory region;
S200: check whether the dynamic link library file conforms to the PE format; if it does, perform step S300; otherwise end the procedure and report that the dynamic link library file is invalid;
S300: extract the PE header from the dynamic link library file according to the PE format and load the PE header into a preset second memory region.
From the above description, the beneficial effects of the invention are the three set out in the Summary: the dynamic link library file is loaded more covertly, since it is loaded directly into memory without tampering with the LDR list in the PEB and leaves no trace for the OD or XT tools to find; loading is more stable on 32-bit and 64-bit systems; and the dynamic link library file can be hidden in the R3 application layer so that cheat plug-ins cannot dynamically obtain its base address.
Further, the method also comprises step S400: update the base address information in the PE header and load the section information of the dynamic link library file into the preset second memory region; adjust the relocation table; load the base addresses of the dynamic link libraries the file requires and adjust the import table; and, according to the section header flags, mark the pages of sections flagged as discardable.
Further, step S300 specifically is: load the PE header into the preset second memory region according to PE alignment. (The PE loader maps the PE file into memory with each section aligned to 1000, changing the offset address of each section. The image of a PE file on disk is basically the same as in memory, but it is not an exact copy: the Windows loader decides which parts need to be loaded and which do not, and because the disk alignment differs from the memory alignment, the placement of the parts of the PE file loaded in memory differs from their placement in the file on disk.) Loading according to PE alignment is the normal processing flow; it is needed for the code to load correctly and be executable.
Further, the method specifically comprises:
Step 1: read a target DLL file into memory;
Step 2: load the target DLL file from memory, specifically comprising:
Step 21: detect whether the target DLL file is in normal PE format;
Step 22: if the target DLL file is a PE-format file, its PE header lies at a certain offset in the PE file; allocate a memory block with the MEM_COMMIT flag for the PE header of the DLL;
Step 23: copy the PE header into the allocated memory block;
Step 24: update the ImageBase information in the PE header;
Step 25: copy the section information from the target DLL file into the newly allocated memory;
Step 26: adjust the relocation table;
Step 27: load the base addresses of the DLLs required by the DLL and adjust the import table;
Step 28: according to the section header flags, mark the pages of sections flagged as discardable and release them.
Referring to Fig. 2, the schematic structural diagram of the system for loading a dynamic link library file according to the specific embodiment of the invention, the system is as follows:
A system for loading a dynamic link library file, comprising a reading unit 10, a first loading unit 20, a checking unit 30, an extraction unit 40 and a second loading unit 50;
the reading unit 10 is used to read a dynamic link library file;
the first loading unit 20 is used to load the dynamic link library file into a preset first memory region;
the checking unit 30 is used to check whether the dynamic link library file conforms to the PE format;
the extraction unit 40 is used to extract the PE header from the dynamic link library file according to the PE format;
the second loading unit 50 is used to load the PE header into a preset second memory region.
From the above description, the beneficial effects of the invention are the three set out in the Summary: the dynamic link library file is loaded more covertly, since it is loaded directly into memory without tampering with the LDR list in the PEB and leaves no trace for the OD or XT tools to find; loading is more stable on 32-bit and 64-bit systems; and the dynamic link library file can be hidden in the R3 application layer so that cheat plug-ins cannot dynamically obtain its base address.
As shown in Figs. 3 and 4, embodiment one of the invention is:
1. Read a target DLL file into memory: LPVOID lpMem = ReadFileToMem(szDllFile);
2. Load the DLL directly from memory: MemoryLoadLibrary(lpMem);
(1) Check whether the target DLL is in normal PE format;
(2) The DLL is a PE-format file, and its PE header lies at a certain offset in the PE file; allocate a memory block with the MEM_COMMIT flag for the PE header of the DLL;
(3) Copy the PE header into the allocated memory block;
Specifically: read the PE header of the PE file, comprising the DOS header, the PE header and the section headers, into the newly allocated memory block;
(4) Update the ImageBase information in the PE header;
Specifically: the Windows loader checks whether the load address defined by ImageBase in the PE header is available; if it is occupied by another module, another block of address space is allocated. If the address at which the file is loaded is not the address defined by ImageBase, ImageBase is updated accordingly.
(5) Copy the section information from the DLL file into the newly allocated memory;
Specifically: according to the information in the section headers, map each section of the file into the allocated space, and set the attributes of the mapped pages according to the data each section defines.
(6) Adjust the relocation table;
Specifically: direct-addressing instructions require the relocation table to be fixed up, otherwise addressing fails. The relocation work done by the program loader consists of adding the program's load address at every place in the program that needs relocating.
(7) Load the base addresses of the required DLLs and adjust the import table;
Specifically: load the DLLs required by the import table of the PE file into the process space, then replace the entries in the IAT with the addresses of the functions actually being called.
(8) According to the section header flags, mark the pages of sections flagged as discardable and release them.
In summary, the invention provides a method and system for loading a dynamic link library file. With the loading method provided by the invention, the dynamic link library file is loaded more covertly: rather than tampering with the PEB (the Process Environment Block, a structure that holds a process's information) to unlink the module to be hidden from the LDR list, the dynamic link library file is loaded directly into memory and leaves no trace, so neither the OD nor the XT tool can find any trace of it. On 32-bit and 64-bit systems the dynamic link library file is loaded more stably by this loading method. Games sometimes need to hide a dynamic link library file in the R3 application layer (Intel CPUs divide privilege into four levels, RING0, RING1, RING2 and RING3; Windows uses only RING0, reserved for the operating system, and RING3, available to both the operating system and the application layer) to prevent anyone from obtaining a handle to the dynamic link library file and performing illegal operations on it; this loading method allows the dynamic link library file to be loaded while preventing cheat plug-ins from dynamically obtaining its base address.
The above are only embodiments of the invention and do not thereby limit the scope of the claims of the invention; any equivalent transformation made using the content of the description and drawings of the invention, or any direct or indirect use in a related technical field, is likewise included within the scope of patent protection of the invention.
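Steps 21 to 28 above and items (1) to (8) of embodiment one both rest on the same header walk: verify that the buffer is a PE file, locate the PE header at the offset the DOS header gives, then read the section table to learn how the disk layout maps onto the memory layout (Fig. 4). The following Python is an added example, not code from the patent or its applicant: it performs that walk defensively, bounds-checking every offset before trusting it (the "otherwise end and report an error" branch of step S200), reports each section's file offset and size against its RVA and section-aligned size, and exposes the IMAGE_SCN_MEM_DISCARDABLE flag used in step 28. The sample PE32+ image is constructed inline from headers and filler bytes; the function names are this example's own.

```python
"""Validate PE headers and derive the disk-vs-memory section layout."""
import struct

# Section characteristics flags (values from the PE/COFF specification).
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def parse_pe(data):
    """Validate the headers of a PE image held in a byte buffer and return the fields a
    loader needs; every offset is bounds-checked, so corrupt input raises ValueError."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)  # IMAGE_FILE_HEADER
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    # 96 is the section count limit enforced by the Windows loader.
    if opt_size < 64 or nsections > 96 or opt + opt_size + 40 * nsections > len(data):
        raise ValueError("optional header or section table truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # PE32 keeps a 4-byte ImageBase at +28, PE32+ an 8-byte one at +24; the
    # alignment and size fields read below sit at the same offsets in both.
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if magic == 0x20B
                  else struct.unpack_from("<I", data, opt + 28)[0])
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    if file_align == 0 or sect_align < file_align:
        raise ValueError("bad alignment values")
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)  # IMAGE_SECTION_HEADER
        mapped = align_up(vsize or raw_size, sect_align)  # size once mapped in memory
        if raw_ptr + raw_size > len(data) or va + mapped > size_of_image:
            raise ValueError("section %r lies outside the file or the image" % name)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "mapped_size": mapped,           # memory view
                         "raw_ptr": raw_ptr, "raw_size": raw_size,  # disk view
                         "discardable": bool(chars & IMAGE_SCN_MEM_DISCARDABLE),
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return {"machine": machine, "is_64": magic == 0x20B, "image_base": image_base,
            "section_alignment": sect_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def check_pe(data):
    """Step S200 as a yes/no gate: (True, None) or (False, reason)."""
    try:
        parse_pe(data)
        return True, None
    except ValueError as exc:
        return False, str(exc)


def rva_to_file_offset(pe, rva):
    """Translate a memory-view RVA to its disk-view file offset, or None when the
    RVA falls in alignment padding that exists only once the image is mapped."""
    if rva < pe["size_of_headers"]:
        return rva  # headers are copied 1:1 to the start of the image
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["mapped_size"]:
            delta = rva - s["va"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None


def build_sample_pe():
    """Constructed minimal PE32+ DLL image (headers plus two filler sections, no real
    code) so the example runs offline; not a file from the patent."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)  # x64, 2 sections, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x180000000)      # preferred ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes

    def sec(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    text = sec(b".text", 0x340, 0x1000, 0x400, 0x400, 0x60000020)   # code, read+execute
    reloc = sec(b".reloc", 0x20, 0x2000, 0x200, 0x800, 0x42000040)  # read, discardable
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + reloc).ljust(0x400, b"\0")
    return headers + b"\xC3" * 0x400 + b"\0" * 0x200  # filler raw data for both sections


if __name__ == "__main__":  # print the Fig. 4 style disk-vs-memory comparison
    for s in parse_pe(build_sample_pe())["sections"]:
        print("%-7s disk %#x+%#x -> memory %#x+%#x%s" % (s["name"], s["raw_ptr"],
              s["raw_size"], s["va"], s["mapped_size"], " (discardable)" if s["discardable"] else ""))
```

Run stand-alone, the script prints where each constructed section sits on disk and where it lands once mapped. The same header walk and the rva_to_file_offset translation are what an analyst uses to map an address seen in a memory dump back to bytes in the file on disk, which is also how a manually mapped image (one loaded as described in this patent, with no entry in the PEB module list) can be compared against a file once it has been located in memory.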

Claims (4)

1. A method for loading a dynamic link library file, characterized in that it comprises the following steps:
S100: read a dynamic link library file and load it into a preset first memory region;
S200: check whether the dynamic link library file conforms to the PE format; if it does, perform step S300; otherwise end the procedure and report that the dynamic link library file is invalid;
S300: extract the PE header from the dynamic link library file according to the PE format and load the PE header into a preset second memory region.
2. The method for loading a dynamic link library file according to claim 1, characterized in that it also comprises step S400: update the base address information in the PE header and load the section information of the dynamic link library file into the preset second memory region; adjust the relocation table; load the base addresses of the dynamic link libraries the file requires and adjust the import table; and, according to the section header flags, mark the pages of sections flagged as discardable.
3. The method for loading a dynamic link library file according to claim 1, characterized in that the method specifically comprises:
Step 1: read a target DLL file into memory;
Step 2: load the target DLL file from memory, specifically comprising:
Step 21: detect whether the target DLL file is in normal PE format;
Step 22: if the target DLL file is a PE-format file, its PE header lies at a certain offset in the PE file; allocate a memory block with the MEM_COMMIT flag for the PE header of the DLL;
Step 23: copy the PE header into the allocated memory block;
Step 24: update the ImageBase information in the PE header;
Step 25: copy the section information from the target DLL file into the newly allocated memory;
Step 26: adjust the relocation table;
Step 27: load the base addresses of the DLLs required by the DLL and adjust the import table;
Step 28: according to the section header flags, mark the pages of sections flagged as discardable and release them.
4. A system for loading a dynamic link library file, characterized in that it comprises a reading unit, a first loading unit, a checking unit, an extraction unit and a second loading unit;
the reading unit is used to read a dynamic link library file;
the first loading unit is used to load the dynamic link library file into a preset first memory region;
the checking unit is used to check whether the dynamic link library file conforms to the PE format;
the extraction unit is used to extract the PE header from the dynamic link library file according to the PE format;
the second loading unit is used to load the PE header into a preset second memory region.

Priority Applications (1)

Application Number   Priority Date  Filing Date  Title
CN201510081941.7A    2015-02-15     2015-02-15   A kind of method and system of dynamic link library file loading (granted as CN104679561B, active)

Publications (2)

Publication Number  Publication Date
CN104679561A        2015-06-03
CN104679561B        2018-07-06

Family

ID=53314658

Country Status (1)

Country  Link
CN (1)   CN104679561B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1762957A1 (en) * 2005-09-13 2007-03-14 Cloudmark, Inc Signature for executable code
CN1945589A (en) * 2006-10-16 2007-04-11 珠海金山软件股份有限公司 Method for protecting dynamic chanining bank interface under windows platform
US7210141B1 (en) * 1998-07-21 2007-04-24 Touchtunes Music Corporation System for remote loading of objects or files in order to update software
CN101309149A (en) * 2008-06-30 2008-11-19 华为技术有限公司 Address processing method and apparatus
US20090133126A1 (en) * 2007-11-20 2009-05-21 Jang Moon Su Apparatus and method for detecting dll inserted by malicious code
CN101470619A (en) * 2007-12-29 2009-07-01 安凯(广州)软件技术有限公司 Application program dynamic loading method based on microkernel operating system
CN101908119A (en) * 2010-08-12 2010-12-08 浙江中控软件技术有限公司 Method and device for processing dynamic link library (DLL) file
CN102999354A (en) * 2012-11-15 2013-03-27 北京奇虎科技有限公司 File loading method and file loading device

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105843640A (en) * 2016-03-21 2016-08-10 武汉斗鱼网络科技有限公司 Dynamic link library injection method and apparatus
CN105843640B (en) * 2016-03-21 2017-11-14 武汉斗鱼网络科技有限公司 The method for implanting and device of a kind of dynamic link library
CN105955762A (en) * 2016-04-19 2016-09-21 北京金山安全软件有限公司 Method and device for injecting dynamic link library file and electronic equipment
CN106339247A (en) * 2016-09-13 2017-01-18 武汉斗鱼网络科技有限公司 Loading system and loading method for DLL (Dynamic Link Library) file
CN106599730A (en) * 2016-12-20 2017-04-26 武汉斗鱼网络科技有限公司 File detection method, apparatus and system
CN106599730B (en) * 2016-12-20 2019-08-02 武汉斗鱼网络科技有限公司 File test method, device and system
CN109656571A (en) * 2018-09-27 2019-04-19 深圳壹账通智能科技有限公司 Loading method, device, terminal and computer readable storage medium
CN115543586A (en) * 2022-11-28 2022-12-30 成都安易迅科技有限公司 Method, device and equipment for starting application layer system process and readable storage medium
CN115543586B (en) * 2022-11-28 2023-03-17 成都安易迅科技有限公司 Method, device and equipment for starting application layer system process and readable storage medium

Also Published As

Publication number Publication date
CN104679561B (en) 2018-07-06

Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
GR01  Patent grant