CN118228249A - Static injection hook method and device based on LuaJIT byte code format analysis - Google Patents
- Publication number: CN118228249A (application number CN202410333393.1A)
- Authority: CN (China)
- Prior art keywords: luajit, proto, file, structure information, static injection
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/42—Syntactic analysis
- G06F8/427—Parsing
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Stored Programmes (AREA)
Abstract
Description
Technical Field
The present invention belongs to the field of network security technology and in particular relates to a static injection hook method and device based on LuaJIT bytecode format parsing.
Background
Lua is a lightweight, compact scripting language written in standard C and released as open source. It is designed to be embedded in applications in order to give them flexible extension and customisation capabilities. Lua offers automatic memory management, full lexical scoping, closures, iterators, coroutines, proper tail calls, and very practical data handling through associative arrays. Its syntax is concise and easy to learn. Lua integrates with C and other common languages, reusing what those languages already do well while supplying what a language like C is poor at: high-level abstraction, dynamic structures and easy testing. Lua is highly portable and runs on Windows, Linux, Mac OS X, Android, iOS and other platforms. It is both a scripting language that can run as a standalone program and an embeddable language that can be hosted by other applications, and it is widely used in game development, standalone application scripts, web application scripts, extensions and database plug-ins.
LuaJIT is a high-performance implementation of Lua that uses just-in-time compilation to turn Lua code into machine code. It runs much faster than the reference Lua interpreter, so it is also widely used in real software development. LuaJIT's bytecode format is an intermediate representation: a low-level format that bridges Lua source and machine code. It is portable between builds of the same LuaJIT version and byte order (the dump header records the format version and the endianness, and the loader rejects a mismatch). Compared with the intermediate code of reference Lua, LuaJIT's is more compact and the meaning of each instruction is more abstract, so it is harder to understand, which is also why fewer open-source projects target LuaJIT bytecode than reference Lua bytecode.
Static injection hooking is a technique that modifies a target program's code or data before it runs, in order to monitor, control or extend the program. Because no runtime injection takes place, it avoids the abnormalities or crashes that runtime injection can cause and it is not exposed to the target's runtime anti-injection checks; the patched file does, however, remain visible to any integrity check (hash or signature) applied to it. The difficulty is that the target's code or data must be analysed and modified precisely so that its original functions and logic are not broken.
At present there is no detailed research on the LuaJIT bytecode level, either domestically or abroad. For security and performance reasons, Lua files are compiled to LuaJIT bytecode before loading in some scenarios, and without the plain-text source it is hard even to relocate or lightly adjust particular functions and instructions.
A static injection hook method based on LuaJIT bytecode format parsing exploits the structure of the LuaJIT bytecode format to statically hook a LuaJIT-compiled program. The core idea is to parse the bytecode format, locate the target program's key functions or variables, and insert custom bytecode before or after them so as to hook the target. The advantage is that a LuaJIT-compiled program can be hooked losslessly and statically, without affecting its normal operation and without extra runtime support.
Summary of the Invention
The purpose of the present invention is to address the deficiencies of the prior art by providing a static injection hook method and device based on LuaJIT bytecode format parsing.
This purpose is achieved by the following technical solution. A static injection hook method based on LuaJIT bytecode format parsing comprises the following steps:
(1) Prepare the target LuaJIT binary file F1 that is to be patched and the LuaJIT file F2 that is to be injected, then parse LuaJIT binary file F1 and extract its structure information S1, which consists of the header meta information followed by the set of proto structure information.
(2) Split the set of proto structure information into the structure information of each individual proto, i = 1, 2, …, n, according to the LuaJIT binary file format. Of these, the n-th (last) entry is the empty proto marker at the end of LuaJIT binary file F1, and the (n-1)-th entry is the structure information of the semantically outermost proto of LuaJIT binary file F1.
(3) Parse the target proto structure information that is to be patched according to the LuaJIT binary file format, obtaining its proto header meta information, its instruction table IT and its constant table CT.
(4) Patch the constant table CT by inserting the string require and the file-name string of LuaJIT file F2 at its end in addressing order (which is the head of the table in file order); then analyse the instruction table IT according to the actual requirement and find the FNEW instruction and GSET instruction corresponding to the function in LuaJIT binary file F1 that is to be hooked; then insert three hard-coded LuaJIT instructions, one after another, immediately after the GSET instruction, giving the patched LuaJIT binary file F1.
(5) Finally place the patched LuaJIT binary file F1 and LuaJIT file F2 in LuaJIT's load path, completing the static injection hook.
Further, LuaJIT file F2 may be either a text (source) file or a binary (bytecode) file.
Further, the hard-coded LuaJIT instructions are GGET, KSTR and CALL, or another instruction sequence with equivalent logic.
The present invention also includes a static injection hook device based on LuaJIT bytecode format parsing, comprising a memory and one or more processors. Executable code is stored in the memory, and when the one or more processors execute it they carry out the static injection hook method based on LuaJIT bytecode format parsing described above.
The present invention also includes a computer-readable storage medium on which a program is stored; when the program is executed by a processor it implements the static injection hook method based on LuaJIT bytecode format parsing described above.
The beneficial effects of the present invention are:
1) The injected LuaJIT file may be text or binary, and the hook code inside it may use either the Lua debug library's hook (the source writes debug.hook; the standard API is debug.sethook) or replacement of entries in the global table _G;
2) A LuaJIT-compiled program can be hooked losslessly and statically, without affecting its normal operation and without extra runtime support;
3) Only the files loaded by LuaJIT are patched; the LuaJIT engine itself is not modified, so the method works on every operating system and CPU that standard LuaJIT runs on.
Brief Description of the Drawings
FIG. 1 is a flow chart of a static injection hook method based on LuaJIT bytecode format parsing;
FIG. 2 shows the Lua source of the target LuaJIT binary file F1 that is to be patched;
FIG. 3 shows the Lua source of the LuaJIT file F2 that is to be injected;
FIG. 4 is a structural diagram of a static injection hook device based on LuaJIT bytecode format parsing.
Detailed Description
To make the purpose, technical solution and advantages of the present invention clearer, it is described in further detail below with reference to the drawings and embodiments. The specific embodiments described here serve only to explain the invention and are not all possible embodiments; all other embodiments that a person of ordinary skill in the art can obtain from them without inventive effort fall within the scope of protection of the invention.
Example 1
As shown in FIG. 1, the present invention provides a static injection hook method based on LuaJIT bytecode format parsing, comprising the following steps:
(1) Prepare the target LuaJIT binary file F1 that is to be patched and the LuaJIT file F2 that is to be injected. In the actual scenario, the Lua source of F1 shown in FIG. 2 is compiled to LuaJIT bytecode, whereas the Lua source of F2 shown in FIG. 3 may be supplied either as a text file or as LuaJIT bytecode. Then parse LuaJIT binary file F1 and extract its structure information S1, which consists of the header meta information followed by the set of proto structure information.
Specifically, the header meta information is a 5-byte block: the fixed signature 1B 4C 4A, then a 1-byte version and a 1-byte flag. This holds for stripped dumps such as those produced by luajit -b -s; in an unstripped dump the flags are followed by the chunk name, preceded by its uleb128 length, and the flag field is itself a uleb128 value that happens to fit in one byte. The version byte is 1 for LuaJIT 2.0 and 2 for LuaJIT 2.1, and dumps of the two versions are not interchangeable. The set of proto structure information is an array of protos.
LuaJIT file F2 may be text or binary; the hook code inside it may use the Lua debug library's hook (the source writes debug.hook; the standard API is debug.sethook) or replace entries in the global table _G.
(2) Split the set of proto structure information into the structure information of each proto, i = 1, 2, …, n, according to the LuaJIT binary file format. It is worth noting that the n-th (last) entry is the empty proto marker at the end of LuaJIT binary file F1, and the (n-1)-th entry is the structure information of the semantically outermost proto of F1.
The patch target is normally the (n-1)-th proto, the outermost one; when the target is some other proto, the value of i has to be located by analysis according to the requirement.
Specifically, the proto array (the set of proto structure information) in a LuaJIT bytecode file is packed tightly. When the source of F1 is compiled, the chunk as a whole becomes the outermost proto, and the protos are laid out nested function by function, each child before its parent. There is no field giving the number of protos; when LuaJIT loads the proto array it parses one proto at a time, and when it meets a proto whose header gives a size of 0 it has reached the end marker of binary file F1. For example, when F1 contains three proto structures in total, the first corresponds to the Add function, the second to the whole outer proto, and the third is the terminating empty proto marker.
(3) Parse the target proto structure information that is to be patched according to the LuaJIT binary file format, obtaining the proto header meta information, the proto instruction table IT and the proto constant table CT of that proto.
Specifically, every proto structure carries a proto header that describes the proto's layout. In the example, the header of the target proto in F1 is 8 bytes. The first byte, 0x58, is the proto's size; note that sizes in a LuaJIT bytecode file are variable-length uleb128 numbers, which makes reading and modifying the whole file harder. The second byte is the flag byte. The source reads its FLAG_HAS_JIT bit as meaning that the proto may be optimised by the just-in-time compiler once loaded into the LuaJIT VM, and its FLAG_HAS_CHILD bit as meaning that the proto has child protos, which precede it in the file. (In the LuaJIT sources the flag byte written to a dump carries PROTO_CHILD, PROTO_VARARG and PROTO_FFI; the 0x08 bit, PROTO_NOJIT, means JIT compilation is disabled for the proto and is not written to the dump, so the JIT reading above should be treated with caution.) The third, fourth and fifth bytes are unsigned chars giving the number of parameters, the number of registers the proto needs at run time (its frame size) and the number of upvalues. Three uleb128 variable-length numbers follow, giving complex_constant_count, numeric_constant_count and instruction_count (the GC-constant, number-constant and instruction counts; in an unstripped dump a debug-info size and line information follow them).
After step (3) it should be noted that, because the uleb128 numbers are variable in length, any modification can shift the whole file structure; so at this point only the value of complex_constant_count and its position in the bytecode file are recorded.
(4) Patch the constant table CT by inserting the string require and the file-name string of LuaJIT file F2; then analyse the instruction table IT according to the actual requirement, find the FNEW instruction and GSET instruction corresponding to the function in LuaJIT binary file F1 that is to be hooked, and insert three hard-coded LuaJIT instructions one after another immediately after the GSET instruction, giving the patched LuaJIT binary file F1.
The hard-coded LuaJIT instructions are GGET, KSTR and CALL; their purpose is to pull in LuaJIT file F2, so another instruction combination with equivalent logic may be used instead.
Step (4) comprises the following sub-steps:
(4.1) When the Add function in the Lua source is compiled to bytecode by LuaJIT it produces two instructions, FNEW and GSET, meaning: create the closure at run time, then bind the symbol Add in the global variable table _G. So after the proto header meta information of the target proto has been parsed, the positions of the FNEW and GSET instructions corresponding to the Lua function to be hooked are located in the proto instruction table IT and recorded. To avoid confusion, two orders are defined here: structure order and addressing order. Structure order is the spatial order in the LuaJIT bytecode file; addressing order is the order in which LuaJIT addresses entries at run time. For the constant table the two orders run in opposite directions (instructions, by contrast, execute in file order).
(4.2) Next the proto constant table CT is parsed. Constants come in many types, and the number carried in an instruction operand is the index of the constant counted from the back of CT, starting at 0. For example, the fifth instruction in IT, a GSET, is encoded as 35 00 03 00: 35 is the GSET opcode (in LuaJIT 2.0; 2.1 inserts two opcodes before it, so its number differs there), 00 is the A operand, and 03 00 is the little-endian D operand, the constant-table index, whose entry is the string Add. Each constant-table entry is a one-value type tag followed by the value itself: for a string the tag is 0x5+len(constant), written as a uleb128 variable-length number, followed by the string bytes.
(4.3) After the proto constant table CT has been parsed, patching can begin. Specifically, the string require and the file-name string of LuaJIT file F2 have to be inserted. To avoid displacing the existing entries, the insertion must respect LuaJIT's constant addressing order, i.e. it is made at the structure-order head of the constant table, so that every existing index counted from the back keeps its value. The two entries in hexadecimal are 0C 72 65 71 75 69 72 65 and 07 46 32 respectively.
(4.4) Then the instruction table is patched. The recorded positions of the FNEW and GSET instructions in the proto instruction table IT are retrieved (FNEW and GSET appear as a pair in the binary file), and after the GSET instruction the three instructions GGET, KSTR and CALL are inserted in sequence. The operand of the first, GGET, is the addressing-order index of the require string in the modified constant table CT; the second, KSTR, likewise carries the addressing-order index of the F2 string in the modified CT; the third, CALL, calls the function named require with F2 as its argument. The actual register indices must be chosen for the situation at hand; here the instruction is CALL 0 1 2, meaning register 0 holds the function, register 1 holds the argument, and no return value is kept (in LuaJIT's CALL A B C, B-1 is the number of results and C-1 the number of arguments). The registers used must not hold live values at the insertion point, and the proto's frame size must cover them. Note that the choice of instructions is not limited to these; GGET and KSTR here have equivalent alternatives.
(4.5) After both the proto instruction table IT and the proto constant table CT have been patched, the proto header meta information of the target proto (in the example, the header of the outermost proto) must be repaired: complex_constant_count becomes complex_constant_count+2 and instruction_count becomes instruction_count+3. The uleb128 size that precedes the proto header (0x58 in the example) must also grow by the number of bytes inserted, because the loader checks that each proto occupies exactly the number of bytes its size field announces; and if any of these values passes 127 it needs a second uleb128 byte, which shifts everything after it. This gives the patched LuaJIT binary file F1.
(5) After all patching is complete, place the patched LuaJIT binary file F1 and LuaJIT file F2 in LuaJIT's load path; the static injection hook is then complete.
The static injection hook method based on LuaJIT bytecode format parsing proposed by the present invention patches only the files that LuaJIT loads and makes no change to the LuaJIT engine itself, so it works on every operating system and CPU that standard LuaJIT runs on.
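The procedure of steps (1) to (5), as summarised under Summary of the Invention and detailed in Example 1 above, carried out end to end in Python as an added example; this is neither the patent's tool nor code from the LuaJIT project. It assumes a stripped LuaJIT 2.0 dump (version byte 1, as produced by luajit -b -s), whose opcode numbers match the GSET = 0x35 shown in step (4.2). The sample dump is constructed by hand from that layout for the two-line Lua chunk named in the code rather than produced by luajit; the function name Add and module name F2 follow the page; and only string and child-proto constants are parsed. Two choices go beyond the page: the inserted GGET/KSTR/CALL use the two registers just above the proto's old frame size and grow the frame by two (instead of the page's CALL 0 1 2, which requires registers 0 and 1 to be dead at that point), and the proto's uleb128 size field is re-encoded together with the two counts of step (4.5).

```python
# Added example (not the patent's tool): parse and patch a stripped LuaJIT 2.0 dump as in
# steps (1)-(5). Only string and child-proto constants are handled; the sample is hand-built.
ADDVV, KSTR, KSHORT, FNEW, GGET, GSET = 0x1E, 0x25, 0x27, 0x31, 0x34, 0x35  # LuaJIT 2.0.x opcode
CALLM, CALL, RET0, RET1 = 0x3D, 0x3E, 0x47, 0x48                            # numbers (2.1 shifts them)
BCDUMP_F_STRIP, BCDUMP_KGC_STR = 0x02, 5   # header flag bit; string constant tag = 5 + length

def uleb128_encode(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def uleb128_decode(data, pos):
    result, shift = 0, 0
    while data[pos] & 0x80:
        result, shift, pos = result | (data[pos] & 0x7F) << shift, shift + 7, pos + 1
    return result | data[pos] << shift, pos + 1

def ins(op, a, d=0, b=None, c=None):   # little-endian host layout: OP, A, D(lo), D(hi), or OP, A, C, B
    return bytes([op, a, c, b]) if b is not None else bytes([op, a, d & 0xFF, d >> 8])

def decode(word):                      # -> (op, A, B, C, D) with D = C | B << 8
    return word[0], word[1], word[3], word[2], word[2] | (word[3] << 8)

def kstr_entry(s):                     # "require" -> 0C 72 65 71 75 69 72 65, "F2" -> 07 46 32
    return uleb128_encode(BCDUMP_KGC_STR + len(s.encode())) + s.encode()

def kgc_string(proto, operand):        # operand D counts from the END of the constant table (0 = last)
    entry = proto["kgc"][len(proto["kgc"]) - 1 - operand]
    tag, p = uleb128_decode(entry, 0)
    return entry[p:].decode() if tag >= BCDUMP_KGC_STR else None   # None: a child proto

def parse_proto(data, pos):
    length, pos = uleb128_decode(data, pos)          # the proto size field (0x58 on the page)
    if length == 0:
        return None, pos                              # terminating empty proto
    end = pos + length
    flags, numparams, framesize, numuv = data[pos:pos + 4]
    numkgc, pos = uleb128_decode(data, pos + 4)
    numkn, pos = uleb128_decode(data, pos)
    numbc, pos = uleb128_decode(data, pos)            # excludes the FUNC* header the loader adds back
    bc, pos = [data[pos + 4 * i:pos + 4 * i + 4] for i in range(numbc)], pos + 4 * numbc
    uv, pos = data[pos:pos + 2 * numuv], pos + 2 * numuv   # upvalue refs sit between code and constants
    kgc = []
    for _ in range(numkgc):
        tag, nxt = uleb128_decode(data, pos)
        if 0 < tag < BCDUMP_KGC_STR:                  # table/int64/complex constants: not handled here
            raise NotImplementedError("constant tag %d" % tag)
        kgc.append(data[pos:nxt + max(tag - BCDUMP_KGC_STR, 0)])   # string bytes follow the 5+len tag
        pos += len(kgc[-1])
    return dict(flags=flags, numparams=numparams, framesize=framesize, numuv=numuv, numkn=numkn,
                bc=bc, uv=uv, kgc=kgc, tail=data[pos:end]), end   # tail: number constants, kept verbatim

def serialize_proto(p):
    body = bytes([p["flags"], p["numparams"], p["framesize"], p["numuv"]])
    body += uleb128_encode(len(p["kgc"])) + uleb128_encode(p["numkn"]) + uleb128_encode(len(p["bc"]))
    body += b"".join(p["bc"]) + p["uv"] + b"".join(p["kgc"]) + p["tail"]
    return uleb128_encode(len(body)) + body          # size re-encoded: the loader checks it exactly

def parse_dump(data):
    flags, pos = uleb128_decode(data, 4)
    assert data[:3] == b"\x1bLJ" and data[3] == 1 and flags & BCDUMP_F_STRIP, "need luajit -b -s output, version 1"
    protos, (proto, pos) = [], parse_proto(data, pos)
    while proto:
        protos.append(proto)
        proto, pos = parse_proto(data, pos)
    return dict(version=1, flags=flags, protos=protos)   # protos[-1] is the outermost chunk

def serialize_dump(dump):
    head = b"\x1bLJ" + bytes([dump["version"]]) + uleb128_encode(dump["flags"])
    return head + b"".join(serialize_proto(p) for p in dump["protos"]) + b"\x00"

def patch_require(dump, func_name, module):
    """Step (4): right after `FNEW; GSET "<func_name>"` in the outermost proto, call require(module)."""
    main = dump["protos"][-1]
    gset_at = next((i for i, w in enumerate(main["bc"]) if i and decode(w)[0] == GSET and
                    decode(main["bc"][i - 1])[0] == FNEW and kgc_string(main, decode(w)[4]) == func_name), None)
    if gset_at is None:
        raise LookupError("no FNEW/GSET pair binds global %r" % func_name)
    base = main["framesize"]             # slots at/above the old frame size are never live, so grow
    main["framesize"] += 2               # the frame by two instead of reasoning about register liveness
    main["kgc"][0:0] = [kstr_entry("require"), kstr_entry(module)]   # file-order head (step 4.3)
    req_idx, mod_idx = len(main["kgc"]) - 1, len(main["kgc"]) - 2    # back-counted indices
    main["bc"][gset_at + 1:gset_at + 1] = [
        ins(GGET, base, req_idx),        # R[base]   = _G["require"]
        ins(KSTR, base + 1, mod_idx),    # R[base+1] = module
        ins(CALL, base, b=1, c=2),       # R[base](R[base+1]); B=1: no results, C=2: one argument
    ]                                    # counts and size field are recomputed by serialize_proto
    return gset_at, base

def sample_dump():
    """Hand-built 2.0 dump for:  function Add(a, b) return a + b end   print(Add(1, 2))"""
    add = dict(flags=0x00, numparams=2, framesize=3, numuv=0, numkn=0, uv=b"", tail=b"",
               bc=[ins(ADDVV, 2, b=0, c=1), ins(RET1, 2, 2)], kgc=[])
    main = dict(flags=0x03, numparams=0, framesize=4, numuv=0, numkn=0, uv=b"", tail=b"",  # CHILD|VARARG
                bc=[ins(FNEW, 0, 0), ins(GSET, 0, 1), ins(GGET, 0, 2), ins(GGET, 1, 1), ins(KSHORT, 2, 1),
                    ins(KSHORT, 3, 2), ins(CALL, 1, b=0, c=3), ins(CALLM, 0, b=1, c=0), ins(RET0, 0, 1)],
                kgc=[kstr_entry("print"), kstr_entry("Add"), b"\x00"])  # file order; operand 0 = child
    return serialize_dump(dict(version=1, flags=BCDUMP_F_STRIP, protos=[add, main]))
```

parse_dump, patch_require and serialize_dump correspond to steps (1) to (3), step (4) and the file written out for step (5). After `patch_require(parse_dump(sample_dump()), "Add", "F2")` the outermost proto's constant table reads require, F2, print, Add, child proto in file order, so the existing GSET operand 1 still names Add while the new GGET and KSTR carry 4 and 3, and the dump grows by 8 + 3 + 12 bytes with the size field re-encoded. Loading the result with a real LuaJIT 2.0 build is the check this offline example cannot perform.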
Example 2
This example concerns a static injection hook device based on LuaJIT bytecode format parsing, comprising a memory and one or more processors. Executable code is stored in the memory, and when the one or more processors execute it they carry out the static injection hook method based on LuaJIT bytecode format parsing of Example 1 above. The device embodiment can be applied on any equipment with data-processing capability, for example a computer.
As shown in FIG. 4, at the hardware level the device (called a "knowledge distillation device" in the source text, evidently a leftover from another document) comprises a processor, an internal bus, a network interface, memory and non-volatile storage, and may of course include whatever other hardware the service requires. The processor reads the corresponding computer program from non-volatile storage into memory and runs it to implement the method shown in FIG. 1. Besides a software implementation, the present invention does not exclude other implementations such as logic devices or a combination of hardware and software; that is, the entity executing the processing flow below is not limited to the individual logic units but may also be hardware or a logic device.
For an improvement to a technology, it can be clearly distinguished whether it is a hardware improvement (for example, an improvement to the circuit structure of diodes, transistors, switches, etc.) or a software improvement (an improvement to the method flow). However, with the development of technology, many of today's improvements to method flows can already be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be implemented with a hardware entity module. For example, a programmable logic device (PLD) (such as a field programmable gate array (FPGA)) is an integrated circuit whose logic function is determined by the user's programming of the device. Designers "integrate" a digital system on a PLD by programming it themselves, without having to ask a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, nowadays, instead of manually fabricating integrated circuit chips, this kind of programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used when developing and writing programs; the source code to be compiled must likewise be written in a specific programming language, called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language), etc.; the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that it is only necessary to program the method flow in one of the above hardware description languages with a little logic programming and program it into an integrated circuit to easily obtain a hardware circuit that implements the logical method flow.
The controller can be implemented in any appropriate manner; for example, the controller can take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, a logic gate, a switch, an application-specific integrated circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art also know that, in addition to implementing the controller purely as computer-readable program code, the method steps can be logically programmed so that the controller implements the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Therefore, such a controller can be considered a hardware component, and the devices included in it for implementing various functions can also be regarded as structures within the hardware component. Or even, the devices for implementing various functions can be regarded as both software modules implementing the method and structures within the hardware component.
The systems, devices, modules or units described in the above embodiments may be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
It should also be noted that the terms "include", "comprise" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, commodity or device. In the absence of further restrictions, an element defined by the phrase "comprises a ..." does not exclude the existence of other identical elements in the process, method, commodity or device that includes the element.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as methods, systems or computer program products. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types. The present invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
Example 3
An embodiment of the present invention further provides a computer-readable storage medium on which a program is stored. When the program is executed by a processor, it implements the static injection hook method based on LuaJIT bytecode format parsing of Embodiment 1 above.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (5)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410333393.1A CN118228249A (en) | 2024-03-22 | 2024-03-22 | Static injection hook method and device based on LuaJIT byte code format analysis |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410333393.1A CN118228249A (en) | 2024-03-22 | 2024-03-22 | Static injection hook method and device based on LuaJIT byte code format analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118228249A true CN118228249A (en) | 2024-06-21 |
Family
ID=91504269
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410333393.1A Pending CN118228249A (en) | 2024-03-22 | 2024-03-22 | Static injection hook method and device based on LuaJIT byte code format analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118228249A (en) |
- 2024-03-22 CN CN202410333393.1A patent/CN118228249A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11249758B2 (en) | | Conditional branch frame barrier |
US11314490B2 (en) | | Special calling sequence for caller-sensitive methods |
KR100712767B1 (en) | | A method for compiling instructions of a computer system and a computer readable medium for reducing the cost of checking dynamic class initialization in compiled code |
US7281237B2 (en) | | Run-time verification of annotated software code |
US10417024B2 (en) | | Generating verification metadata and verifying a runtime type based on verification metadata |
US10789047B2 (en) | | Returning a runtime type loaded from an archive in a module system |
US20250199785A1 (en) | | Compilation methods, compilers, and wasm virtual machines |
CN100395703C (en) | | Method of generating interpretable code for storage in a device with limited memory |
US20180018163A1 (en) | | Overriding a migrated method in an updated type |
CN100585561C (en) | | The Method of Tailoring Relocatable ELF Files in Embedded System |
EP3887959B1 (en) | | Indexing and searching a time-travel trace for arbitrary length/arbitrary alignment values |
CN112099880A (en) | | Scenario-driven application reduction method and system |
RU2347269C2 (en) | | System and method of declarative definition and use of subclasses in marking |
CN116627429A (en) | | Assembly code generation method and device, electronic equipment and storage medium |
US8020156B2 (en) | | Bulk loading system and method |
CN106354624A (en) | | Automatic testing method and device |
US10733095B2 (en) | | Performing garbage collection on an object array using array chunk references |
CN101002174A (en) | | Method for loading software with an intermediate object oriented language in a portable device |
CN112765676B (en) | | Intelligent contract executing method, intelligent contract executing device and node equipment |
CN107451050B (en) | | Function acquisition method and device and server |
US8042103B2 (en) | | Pre-translated files used in a virtual machine |
US8661425B1 (en) | | Method, apparatus, and computer-readable medium for storing data associated with a firmware program |
CN114625403B (en) | | Application hot repair method, device, equipment and storage medium |
CN118228249A (en) | | Static injection hook method and device based on LuaJIT byte code format analysis |
CN116089280A (en) | | Debugging method and device for intelligent contract |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||