CN104881610A - Method for defending hijacking attacks of virtual function tables - Google Patents
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The present invention provides a defense method against virtual function table (vtable) hijacking attacks, comprising: constructing a valid vtable set and a valid virtual function set; determining the objects in the executable program that need protection and the virtual functions in those objects, and analysing the program to obtain the read addresses of the virtual function data and the call addresses of the virtual functions; during execution of the program, instrumenting a backup callback at the read address of the virtual function data and a verification callback at the call address of the virtual function; backing up the vtable pointer and the vtable it points to; and verifying against the backed-up vtable pointer and vtable, with the virtual function executed or not according to the result. The invention is based on binary rewriting and can be deployed without source code; it effectively protects important objects in the program from vtable hijacking attacks; and the overhead it introduces is within an acceptable range.
Description
Technical field
The present invention belongs to the technical field of application programs, and in particular relates to a defense method against virtual function table hijacking attacks.
Background art
Memory corruption bugs are widespread in programs written in low-level languages such as C/C++; stack overflows, heap overflows and use-after-free bugs all belong to this class. By exploiting such bugs an attacker can control data and code in the application's memory, alter program behaviour, and even hijack the program's control flow.
The prior art includes the following approaches:
VTGuard: VTGuard is a vtable protection technique deployed in the IE browser. Its basic idea is to insert a secret cookie into every vtable and, when a virtual function is called, to check whether the cookie in the current table matches the expected cookie; if it does not, the call is blocked. This scheme effectively reduces vtable reuse attacks, but is ineffective against vtable corruption and vtable injection attacks.
SafeDispatch: SafeDispatch is a compiler-based defense against vtable hijacking. It first analyses the class relationships of the whole program to infer the set of valid vtables and the set of valid virtual functions; then, when a virtual function is called, it performs a security check of whether the current virtual function and vtable are in the valid sets, and blocks the call if they are not. The virtual function check adds 7% overhead; the vtable check adds 30% overhead, and it is ineffective against vtable corruption attacks.
DieHard: DieHard provides a custom memory allocator that randomizes and isolates allocations. This technique is effective against vtable hijacking attacks to some degree, but not deterministically.
However, the above schemes all share the following shortcomings. Effectiveness: none of VTGuard, SafeDispatch and DieHard can guarantee protection against all types of vtable hijacking attack. Binary compatibility: VTGuard, SafeDispatch and DieHard are not binary-compatible, that is, they require source code, and in practice obtaining the source code of the program to be protected is extremely difficult. Overhead: the overhead introduced by SafeDispatch (7% and 30%) makes it hard to apply in practice.
Summary of the invention
To solve the above problems, the present invention provides a defense method against vtable hijacking attacks. The invention is based on binary rewriting and can be deployed without source code; it effectively protects important objects in the program from vtable hijacking attacks; and the overhead it introduces is within an acceptable range.
The defense method against vtable hijacking attacks of the present invention comprises:
Step 1. Construct a valid vtable set and a valid virtual function set. The valid vtable set stores vtable pointers, each of which points to a vtable; the valid virtual function set stores vtables, each of which stores virtual function pointers, each of which points to a virtual function.
Step 2. Determine the objects in the executable program that may be subject to vtable hijacking and need protection, and the virtual functions in those objects; analyse the program to obtain the read addresses of the virtual function data and the call addresses of the virtual functions. Here the virtual function data comprises the vtable pointer and the vtable; different virtual function data of the same object share one read address, and the vtable pointer and the vtable within the virtual function data share one read address.
Step 3. While the executable program runs, use dynamic binary instrumentation to insert a backup callback at the read address of the virtual function data and a verification callback at the call address of the virtual function.
Step 4. When the executable program reaches the backup callback corresponding to the virtual function data of some object X, the backup callback backs up X's vtable pointer and the vtable it points to: the vtable pointer is backed up into the valid vtable set and the vtable into the valid virtual function set.
Step 5. When the executable program reaches the verification callback corresponding to some virtual function, the verification callback checks whether the vtable pointer Y of the vtable containing the called virtual function is in the valid vtable set:
If Y is not in the valid vtable set, verification fails, the call is refused and the executable program is terminated immediately;
If Y is in the valid vtable set, the vtable Z that Y points to is located from the backed-up valid vtable set and valid virtual function set, and it is determined whether the called virtual function pointer is in Z. If so, verification succeeds and the program proceeds to call the virtual function; otherwise verification fails, the call is refused and the executable program is terminated.
Further, after the backup in step 4, the access attribute of the memory page holding the backup data is changed to read-only.
Beneficial effects:
By means of binary instrumentation, the invention inserts code at object instantiation that backs up the vtable pointer and the vtable; when a virtual function of the object is called, the current vtable pointer and virtual function pointer are compared against the original values to decide whether the call may proceed. In this way the invention protects the vtable at the binary level and effectively shields objects from vtable hijacking attacks.
Brief description of the drawings
Fig. 1(a) is a schematic diagram of the defense method against vtable hijacking attacks of the present invention;
Fig. 1(b) is a schematic diagram of the backup data of the present invention;
Fig. 1(c) is a flowchart of the verification process of the present invention;
Fig. 2 is a schematic diagram of the code by which an executable program calls a virtual function;
Fig. 3(a) is the class structure of object d in an embodiment of the present invention;
Fig. 3(b) is the vtable memory layout of object d in an embodiment of the present invention.
Detailed description
A PE file contains many objects, and the vtables of some of them are vulnerable to attack: through them an attacker can seize the program's control flow, execute dangerous code and compromise system security.
The technical solution of the invention is shown in Fig. 1(a). First, the PE file to be protected is pre-analysed to find where the vtables of the objects to be protected are generated and where their virtual functions are called; next, instrumentation is applied at those generation and call points to add protection to the target program. Pre-analysis must therefore yield: 1. the vtable generation locations, so that instrumentation can back up the data; 2. the virtual function call locations, so that instrumentation can perform the security check at call time. A variety of binary analysis methods can achieve this, including automated analysis platforms, static analysis and dynamic analysis.
The defense method against vtable hijacking attacks of the present invention comprises:
Step 1. Construct a valid vtable set and a valid virtual function set. The valid vtable set stores vtable pointers, each of which points to a vtable; the valid virtual function set stores vtables, each of which stores virtual function pointers, each of which points to a virtual function.
Step 2. Determine the objects in the executable program that may be subject to vtable hijacking and need protection, and the virtual functions in those objects; analyse the program to obtain the read addresses of the virtual function data and the call addresses of the virtual functions. Here the virtual function data comprises the vtable pointer and the vtable; different virtual function data of the same object share one read address, and the vtable pointer and the vtable within the virtual function data share one read address.
The virtual function call address is obtained as follows:
Attack code is obtained over the network and the statement in it that assigns the virtual function pointer or vtable pointer is modified; when the executable program calls the virtual function while that virtual function is under attack by the modified attack code, the program faults, and the address of the instruction the program was executing when it faulted is the call location of the virtual function.
The read address of the virtual function data is obtained as follows:
The code at the virtual function call site in the executable program is analysed, and the data flow of the object to which the virtual function belongs is traced to determine where the object's virtual function data is read.
Step 3. While the executable program runs, use dynamic binary instrumentation to insert a backup callback at the read address of the virtual function data and a verification callback at the call address of the virtual function.
Step 4. When the executable program reaches the backup callback corresponding to the virtual function data of some object X, the backup callback backs up X's vtable pointer and the vtable it points to: the vtable pointer is backed up into the valid vtable set and the vtable into the valid virtual function set.
Step 5. When the executable program reaches the verification callback corresponding to some virtual function, the verification callback checks whether the vtable pointer Y of the vtable containing the called virtual function is in the valid vtable set:
If Y is not in the valid vtable set, verification fails, the call is refused and the executable program is terminated immediately;
If Y is in the valid vtable set, the vtable Z that Y points to is located from the backed-up valid vtable set and valid virtual function set, and it is determined whether the called virtual function pointer is in Z. If so, verification succeeds and the program proceeds to call the virtual function; otherwise verification fails, the call is refused and the executable program is terminated.
Further, after the backup in step 4, the access attribute of the memory page holding the backup data is changed to read-only.
Fig. 2 shows the virtual function call sequence obtained by disassembling a program (Intel syntax). Calling a virtual function takes three steps: first the address of the object on which the virtual function is called is obtained; then the vtable address stored at the start of the object (the start address of the vtable in memory) is loaded; finally the offset of the called virtual function within the vtable is taken from the call instruction and the function at that offset is called. If the object has a vtable, the vtable pointer is located at the front of the object. Here the eax register holds the object's start address and the ecx register holds the vtable pointer, whose value is the address of the vtable. It can be seen from this sequence that tampering with either the vtable pointer (vtable injection/reuse attack) or the vtable itself (vtable corruption attack) breaks the integrity of the program's control flow.
Now assume that pre-analysis has established that some object, after its vtable has been allocated, stores the vtable address (the vtable pointer) in the eax register, and that the code location at that point is set_address; and that virtual function calls on this object exist at call_address1 … call_address10, with call instructions such as call [ecx+14c] and call [ecx+20c].
Instrumentation is performed at set_address: the vtable pointer held in eax is backed up, and the called virtual function pointers are backed up in turn. The position of a called virtual function pointer in the vtable can be obtained from the call instruction; call [ecx+14c], for example, means that the virtual function at offset 14c in the vtable is called and must be backed up. All backed-up called virtual function pointers together are called the valid virtual function table set. The vtable pointer and virtual function pointers are backed up in a newly allocated memory page; once the backup is complete, the page's attribute is set to read-only.
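The backup callback of step 4 and the verification callback of step 5, as an added C model that is not part of the patent (the patent's own implementation instruments a PE binary; here the object, its vtable, the pre-analysis result kCalledSlots and the tampering scenarios are all constructed, and the read-only backup page is a page-aligned static region guarded with mprotect):

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>

/* Model of a C++ object as in Fig. 2 / Fig. 3(b): the vtable pointer is the first word
 * of the object and the vtable is an array of function pointers. All names and values
 * below are constructed for this example. */
typedef void (*vfn)(void *self);
typedef struct { vfn *vptr; int payload; } Object;

static int g_calls;                                    /* observable effect of a dispatch */
static void base_f(void *self) { (void)self; g_calls += 1; }
static void base_g(void *self) { (void)self; g_calls += 10; }
static void bad_fn(void *self) { (void)self; g_calls += 1000; } /* any unintended target */
static vfn base_vtable[2] = { base_f, base_g };  /* protected class; writable so corruption can be modelled */

/* Backup store = valid vtable set (vptr) plus valid virtual function set (entries), in its
 * own page-aligned region that is read-only except while a backup is written (step 4). */
#define MAX_OBJS  8
#define MAX_SLOTS 4
typedef struct { vfn *vptr; vfn entries[MAX_SLOTS]; size_t n; } BackupEntry;
typedef struct { BackupEntry e[MAX_OBJS]; size_t n; } BackupPage;
#define BACKUP_REGION 16384  /* whole pages on both 4 KiB and 16 KiB page systems */
static union { BackupPage page; unsigned char raw[BACKUP_REGION]; }
    g_store __attribute__((aligned(BACKUP_REGION)));
#define g_backup (&g_store.page)

/* Step 4: backup callback, instrumented at the read address of the object's vtable data
 * (set_address). `slots` are the vtable indices pre-analysis found at the call sites,
 * i.e. 0x14c/4 and 0x20c/4 for `call [ecx+14c]` and `call [ecx+20c]`. */
static int backup_callback(const Object *obj, const size_t *slots, size_t nslots) {
    if (nslots > MAX_SLOTS) return -1;
    for (size_t i = 0; i < g_backup->n; i++)
        if (g_backup->e[i].vptr == obj->vptr) return 0;   /* table already backed up */
    if (g_backup->n >= MAX_OBJS) return -1;
    if (mprotect(&g_store, BACKUP_REGION, PROT_READ | PROT_WRITE) != 0) return -1;
    BackupEntry *e = &g_backup->e[g_backup->n++];
    e->vptr = obj->vptr;
    e->n = nslots;
    for (size_t i = 0; i < nslots; i++) e->entries[i] = obj->vptr[slots[i]];
    return mprotect(&g_store, BACKUP_REGION, PROT_READ);   /* read-only again */
}

/* Step 5: verification callback, instrumented immediately before `call [ecx+off]`. */
typedef enum { VERIFY_OK, VERIFY_BAD_VPTR, VERIFY_BAD_FN } VerifyResult;

static VerifyResult verify_callback(const Object *obj, size_t slot) {
    const BackupEntry *z = NULL;                       /* table Z backed up for pointer Y */
    for (size_t i = 0; i < g_backup->n; i++)
        if (g_backup->e[i].vptr == obj->vptr) { z = &g_backup->e[i]; break; }
    if (!z) return VERIFY_BAD_VPTR;                    /* Y not in the valid vtable set */
    vfn target = obj->vptr[slot];
    for (size_t i = 0; i < z->n; i++)
        if (z->entries[i] == target) return VERIFY_OK;
    return VERIFY_BAD_FN;                              /* entry is not in backed-up Z */
}

/* Instrumented virtual call: dispatch only after a successful check. The real
 * instrumentation terminates the process on failure; here the verdict is returned. */
static VerifyResult protected_call(Object *obj, size_t slot) {
    VerifyResult r = verify_callback(obj, slot);
    if (r == VERIFY_OK) obj->vptr[slot](obj);
    return r;
}

static const size_t kCalledSlots[2] = { 0, 1 };       /* constructed pre-analysis result */

/* Benign run: both instrumented calls are allowed, so 2 is returned. */
static int run_benign(void) {
    Object d = { base_vtable, 42 };
    backup_callback(&d, kCalledSlots, 2);
    int ok = protected_call(&d, 0) == VERIFY_OK;
    return ok + (protected_call(&d, 1) == VERIFY_OK);
}
/* vtable injection (or reuse): vptr redirected to a table that was never backed up. */
static VerifyResult run_injection(void) {
    Object d = { base_vtable, 42 };
    backup_callback(&d, kCalledSlots, 2);
    vfn fake_vtable[2] = { bad_fn, bad_fn };
    d.vptr = fake_vtable;
    return protected_call(&d, 0);
}
/* vtable corruption: one entry of the protected table itself is overwritten. */
static VerifyResult run_corruption(void) {
    Object d = { base_vtable, 42 };
    backup_callback(&d, kCalledSlots, 2);
    vfn saved = base_vtable[0];
    base_vtable[0] = bad_fn;
    VerifyResult r = protected_call(&d, 0);
    base_vtable[0] = saved;
    return r;
}

int main(void) {
    int benign = run_benign();
    printf("benign=%d injection=%d corruption=%d calls=%d\n",
           benign, (int)run_injection(), (int)run_corruption(), g_calls);
    return 0;
}
```

Only the benign run dispatches (g_calls ends at 11); both tampering scenarios are refused before any call, which is the decision point at which the patent's instrumentation terminates the process.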
Effectiveness analysis: the invention verifies the vtable pointer at each virtual function call and therefore effectively defends against vtable reuse and vtable injection attacks, while the backup of the called virtual function pointers ensures that the program is not affected by vtable corruption attacks. In addition, the invention stores the backup in read-only memory pages, so under the threat model defined here an attacker who finds the backup data still cannot tamper with it.
On the vtable (virtual table) referred to above: dynamic polymorphism in C++ is implemented through virtual functions. Every class that contains virtual functions has a vtable, each entry of which is the address of a virtual function; the vtable is what implements inheritance and overriding.
A vtable hijacking attack is a class of attack that hijacks the program's control flow by tampering with the vtable or the vtable pointer (the pointer to the vtable, whose value is the start address of the vtable).
For the protected program the invention assumes: the protected program is a PE-format file; the binary is not code-obfuscated; and the program was produced by a mainstream compiler such as gcc or Visual C++.
Memory layout of an object's vtables: when a subclass is operated on through a parent-class pointer, the vtable acts like a map that indicates which function should actually be called, and the corresponding virtual function is invoked through the function pointers in the table. Fig. 3(a) shows the class structure of object d and Fig. 3(b) the memory layout of its vtables. As the figures show, each parent class has its own vtable; the subclass's virtual functions are placed in the vtable of the first parent class (in declaration order); a virtual function overridden by the subclass takes the place of the original parent-class function in the vtable, and functions that are not overridden are unchanged. As Fig. 3(b) shows, the object's vtable pointer sits near the front of the object's memory layout. In Fig. 3(a), Base1 declares the three virtual functions f(), g() and h() in that order, and Base1's vtable in Fig. 3(b) shows that virtual functions are placed in the table in declaration order. Fig. 3(a) is the class diagram of Derive, a class with multiple inheritance in which the subclass overrides one parent-class virtual function, f(); Fig. 3(b) is the memory layout of the Derive object d: the vtable pointers sit near the front of the object instance and point to the object's vtables, and the position of f() in the parent class's vtable has been replaced by the subclass's function pointer.
The main forms of vtable hijacking attack are:
1. vtable corruption: the attacker overwrites virtual function pointers stored in the vtable.
2. vtable injection: the attacker overwrites the vtable pointer so that it points to a vtable constructed by the attacker. This form is reliable and efficient and is the one attackers use most often.
3. vtable reuse: the attacker overwrites the vtable pointer so that it points to a vtable that already exists in memory. This form is hard to exploit and unstable, and has not yet appeared in real attacks.
Binary instrumentation means modifying a program at the binary level, adding, deleting or modifying code in order to add functionality, monitor program execution, and so on.
The invention assumes an attacker with the following capabilities:
1. The attacker can read all of memory, and can therefore mount information leakage attacks and bypass defenses such as ASLR (address space layout randomization, which randomizes the layout of the heap, stack and other linear regions so as to make predicting target addresses harder and to prevent the attacker from locating attack code directly);
2. The attacker can write to every writable memory page, and can therefore modify important data such as function return addresses and vtable pointers in order to alter the program's execution flow;
3. The attacker cannot directly read or write registers.
These assumptions are strict enough to cover the conditions of real-world attacks that exploit memory corruption bugs; at the same time, an attacker exploiting a memory corruption bug can achieve the above capabilities.
Of course, the invention can have many other embodiments; those skilled in the art can make various corresponding changes and modifications according to the invention without departing from its spirit and essence, and all such changes and modifications fall within the protection scope of the appended claims.
Claims (2)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510333581.5A CN104881610B (en) | 2015-06-16 | 2015-06-16 | A kind of defence method for virtual table hijack attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104881610A true CN104881610A (en) | 2015-09-02 |
| CN104881610B CN104881610B (en) | 2017-09-29 |
Family
ID=53949100
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510333581.5A Active CN104881610B (en) | 2015-06-16 | 2015-06-16 | A kind of defence method for virtual table hijack attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104881610B (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105808251A (en) * | 2016-03-03 | 2016-07-27 | 武汉斗鱼网络科技有限公司 | Virtual function table based method and system for bypassing security detection by hijack |
| CN105868641A (en) * | 2016-04-01 | 2016-08-17 | 北京理工大学 | Defending method based on virtual function table hijacking |
| CN106021110A (en) * | 2016-05-24 | 2016-10-12 | 南京大学 | Code reuse attach detection method based on virtual function table inheritance relation |
| CN107368742A (en) * | 2017-08-16 | 2017-11-21 | 南京大学 | Fine granularity virtual table hijack attack defence method based on GCC |
| CN110187988A (en) * | 2019-06-06 | 2019-08-30 | 中国科学技术大学 | Static function call graph construction method suitable for virtual functions and function pointers |
| CN111859372A (en) * | 2020-07-29 | 2020-10-30 | 中国工商银行股份有限公司 | Heap memory attack detection method and device and electronic equipment |
| CN112581582A (en) * | 2020-12-24 | 2021-03-30 | 西安翔腾微电子科技有限公司 | TLM device of GPU (graphic processing Unit) rasterization module based on SysML (System markup language) view and operation method |
| CN114416221A (en) * | 2022-01-04 | 2022-04-29 | 统信软件技术有限公司 | Application execution method, computing device and storage medium |
| CN114741131A (en) * | 2022-04-02 | 2022-07-12 | 深圳软牛科技有限公司 | Hiding method, device and equipment of dynamic library derived symbols and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7426718B2 (en) * | 2005-03-21 | 2008-09-16 | Microsoft Corporation | Overriding constructors to provide notification in order to detect foreign code |
| US20100205674A1 (en) * | 2009-02-11 | 2010-08-12 | Microsoft Corporation | Monitoring System for Heap Spraying Attacks |
| US20120144480A1 (en) * | 2010-12-02 | 2012-06-07 | Microsoft Corporation | Using Virtual Table Protections to Prevent the Exploitation of Object Corruption Vulnerabilities |
| CN103714292A (en) * | 2014-01-15 | 2014-04-09 | 四川师范大学 | Method for detecting exploit codes |
Events
| Date | Country | Application Number | Publication | Status |
|---|---|---|---|---|
| 2015-06-16 | CN | CN201510333581.5A | CN104881610B | Active |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105808251B (en) * | 2016-03-03 | 2021-02-02 | 武汉斗鱼网络科技有限公司 | Virtual function table hijacking bypass security detection method and system |
| CN105808251A (en) * | 2016-03-03 | 2016-07-27 | 武汉斗鱼网络科技有限公司 | Virtual function table based method and system for bypassing security detection by hijack |
| CN105868641A (en) * | 2016-04-01 | 2016-08-17 | 北京理工大学 | Defending method based on virtual function table hijacking |
| CN106021110A (en) * | 2016-05-24 | 2016-10-12 | 南京大学 | Code reuse attack detection method based on virtual function table inheritance relation |
| CN106021110B (en) * | 2016-05-24 | 2019-03-26 | 南京大学 | Code reuse attack detection method based on virtual table inheritance |
| CN107368742B (en) * | 2017-08-16 | 2022-10-18 | 南京大学 | Fine-grained virtual function table hijacking attack defense method based on GCC |
| CN107368742A (en) * | 2017-08-16 | 2017-11-21 | 南京大学 | Fine granularity virtual table hijack attack defence method based on GCC |
| CN110187988A (en) * | 2019-06-06 | 2019-08-30 | 中国科学技术大学 | Static function call graph construction method suitable for virtual functions and function pointers |
| CN110187988B (en) * | 2019-06-06 | 2021-08-13 | 中国科学技术大学 | Static function call graph construction method for virtual functions and function pointers |
| CN111859372A (en) * | 2020-07-29 | 2020-10-30 | 中国工商银行股份有限公司 | Heap memory attack detection method and device and electronic equipment |
| CN111859372B (en) * | 2020-07-29 | 2023-08-22 | 中国工商银行股份有限公司 | Heap memory attack detection method and device and electronic equipment |
| CN112581582A (en) * | 2020-12-24 | 2021-03-30 | 西安翔腾微电子科技有限公司 | TLM device of GPU (graphic processing Unit) rasterization module based on SysML (System markup language) view and operation method |
| CN112581582B (en) * | 2020-12-24 | 2024-08-16 | 西安翔腾微电子科技有限公司 | TLM device of GPU (graphics processing unit) rasterization module based on SysML (System markup language) view and operation method |
| CN114416221A (en) * | 2022-01-04 | 2022-04-29 | 统信软件技术有限公司 | Application execution method, computing device and storage medium |
| CN114741131A (en) * | 2022-04-02 | 2022-07-12 | 深圳软牛科技有限公司 | Hiding method, device and equipment of dynamic library derived symbols and storage medium |
| CN114741131B (en) * | 2022-04-02 | 2023-08-15 | 深圳软牛科技有限公司 | Hiding method, device, equipment and storage medium for dynamic library derived symbol |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104881610B (en) | 2017-09-29 |
Similar Documents
| Publication | Title |
|---|---|
| CN104881610B (en) | A kind of defence method for virtual table hijack attack |
| US10977370B2 (en) | Method of remediating operations performed by a program and system thereof |
| US12235962B2 (en) | Method of remediating operations performed by a program and system thereof |
| US10990667B2 (en) | Systems and/or methods for automatically protecting against memory corruption vulnerabilities |
| Younan | FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers. |
| US10310991B2 (en) | Timely address space randomization |
| Akritidis et al. | Preventing memory error exploits with WIT |
| US8037529B1 (en) | Buffer overflow vulnerability detection and patch generation system and method |
| EP3362937B1 (en) | Method of remediating a program and system thereof by undoing operations |
| US20220258955A1 (en) | Non-disruptive mitigation of malware attacks |
| US20140317742A1 (en) | Hypervisor-based buffer overflow detection and prevention |
| CN105868641A (en) | Defending method based on virtual function table hijacking |
| CN102521079B (en) | Fault-tolerant method of software stack buffer overflow |
| CN106228065A (en) | The localization method of a kind of buffer-overflow vulnerability and device |
| CN111625296B (en) | Method for protecting program by constructing code copy |
| Feifei | The principle and prevention of windows buffer overflow |
| KR101842263B1 (en) | Method and apparatus for preventing reverse engineering |
| Barbar et al. | Live path control flow integrity |
| CN119830281A (en) | Memory vulnerability protection method and device, electronic equipment and storage medium |
| Wong | Rust and the importance of memory safe systems programming languages |
| Slowinska | Using information flow tracking to protect legacy binaries |
| Jauernig | Towards a write ⊕ execute architecture for JIT interpreters: lobotomy |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | EXSB | Decision made by SIPO to initiate substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |