[go: up one dir, main page]

CN114968328B - A function search method, computing device and readable storage medium - Google Patents

A function search method, computing device and readable storage medium Download PDF

Info

Publication number
CN114968328B
CN114968328B CN202210398129.7A CN202210398129A CN114968328B CN 114968328 B CN114968328 B CN 114968328B CN 202210398129 A CN202210398129 A CN 202210398129A CN 114968328 B CN114968328 B CN 114968328B
Authority
CN
China
Prior art keywords
detected
class
api
address
reference address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210398129.7A
Other languages
Chinese (zh)
Other versions
CN114968328A (en
Inventor
崔新乐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chezhi Interconnection Beijing Technology Co ltd
Original Assignee
Chezhi Interconnection Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chezhi Interconnection Beijing Technology Co ltd filed Critical Chezhi Interconnection Beijing Technology Co ltd
Priority to CN202210398129.7A priority Critical patent/CN114968328B/en
Publication of CN114968328A publication Critical patent/CN114968328A/en
Application granted granted Critical
Publication of CN114968328B publication Critical patent/CN114968328B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/71Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a function searching method, computing equipment and a readable storage medium. The method is executed in the computing equipment and comprises the steps of firstly obtaining an executable file of a product to be detected and configuration information of each API to be detected, wherein the configuration information comprises names of the methods and names of classes. Next, for each API to be detected, based on the name of its method and the name of the class, it is detected whether there is a reference address of the class and a reference address of the method in the program data section of the executable file. If the application program exists, searching a push address of each function calling the API to be detected in an assembly code section of the executable file based on the reference address of the class and the reference address of the method. And finally, searching a symbol name corresponding to each push address in a symbol table, and taking the symbol name as the name of each function calling the API to be detected. The method and the device are independent of the source code, and can accurately locate the positions of the functions calling the API to be detected under the condition that only the source code compiles the product.

Description

Function searching method, computing device and readable storage medium
Technical Field
The present invention relates to the field of computers, and in particular, to a method for searching a function, a computing device, and a readable storage medium.
Background
In order to practically strengthen the personal information protection of users and provide safer, healthier and cleaner information environments for people, it is becoming more and more important to carry out compliance API detection on APP before online or when a third party SDK is accessed.
Based on this, related researchers have proposed some methods for detecting whether API calls are compliant, such as scanning privacy authority APIs using regular matching and string positioning. However, current API call detection methods all rely on source code implementation. That is, for the compiled product of source code, it is currently not possible to perform compliance API detection. However, in many cases, there is no way for a developer to obtain the source code at all, which can only take the source code compiled binary executable.
For this reason, a method is needed to solve the above-mentioned problems.
Disclosure of Invention
To this end, the present invention provides a method of finding a function, a computing device and a readable storage medium in an effort to solve or at least alleviate the above-identified problems.
According to one aspect of the invention, a method for searching functions is provided and executed in a computing device, the method comprises the steps of obtaining an executable file of a product to be detected and configuration information of all APs to be detected, wherein the configuration information comprises names of methods and names of classes, detecting whether a class reference address and a method reference address exist in a program data section of the executable file based on the names of the methods and the names of the classes of all APs to be detected, if so, searching a stack entry address of each function calling the APs to be detected in an assembly code section of the executable file based on the class reference address and the method reference address, and searching a symbol name corresponding to each stack entry address in a symbol table and taking the symbol name as the name of each function calling the APs to be detected.
Optionally, in the method for searching a function according to the present invention, the product to be detected is a static library, a dynamic library or a product compiled by software.
Optionally, in the method for searching the function according to the invention, the step of obtaining the executable file of the product to be detected comprises the steps of judging whether the product to be detected is a static library, if so, converting the product to be detected into a dynamic library, and obtaining the corresponding executable file.
Optionally, in the method for searching the function according to the invention, the step of acquiring the executable file of the product to be detected comprises the step of acquiring the executable file of the product to be detected under ARM64 architecture.
Optionally, in the method for searching for a function according to the invention, the step of detecting, in a program data section of the executable file, whether there is a reference address of the class and a reference address of the method comprises detecting, in the reference class data section, whether there is a reference address of the class, and if there is, detecting, in the reference method data section, whether there is a reference address of the method.
Optionally, in the function searching method according to the invention, the step of detecting whether the reference address of the class exists in the reference class data segment comprises the steps of matching the name of the class with the names of the classes in the reference class data segment, if the matching is successful, determining that the reference address of the class exists, and taking the address corresponding to the name of the class in the reference class data segment as the reference address of the class.
Optionally, in the searching method of the function according to the invention, the step of detecting whether the reference address of the method exists in the reference method data segment comprises the steps of matching the name of the method with the name of each method in the reference method data segment, if the matching is successful, determining that the reference address of the method exists, and taking the address corresponding to the name of the method in the reference method data segment as the reference address of the method.
Optionally, in the searching method of the function according to the invention, the step of searching the assembly code section of the executable file for the push address of each function calling the API to be detected comprises searching the assembly code section for the push address of each function calling the API to be detected by a high-low matching method.
Optionally, in the method for searching the function according to the invention, the step of searching the stacking address of each function calling the API to be detected in the assembly code segment through a high-low matching method comprises the steps of detecting whether the address in two adjacent assembly instructions is spliced and then the same as the reference address of the class in each class to be detected in the assembly code segment, sequentially detecting whether the address in two adjacent assembly instructions is spliced and then the reference address of the method is the same from the starting point of the class to be detected if the address in the two adjacent assembly instructions is spliced, and taking the stacking address of the function where the two adjacent assembly instructions which are contained and are the same as the reference address of the method are spliced as the stacking address of the function calling the API to be detected if the address in the two adjacent assembly instructions is spliced, and continuing to execute the step of detecting whether the address in the two adjacent assembly instructions is spliced and then the reference address of the method is the same until the ending point of the class to be detected.
Alternatively, in the method of finding a function according to the present invention, the product to be detected is a compiled product of a library or software used on the iOS operating system.
According to yet another aspect of the present invention there is provided a computing device comprising at least one processor, and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing a lookup method of a function according to the present invention.
According to yet another aspect of the present invention, there is provided a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform a method of finding a function according to the present invention.
According to the function searching method, firstly, an executable file of a product to be detected and names and class names of methods of all APIs to be detected are obtained. Next, for each API to be detected, it is detected whether there is a reference address of a class of the API to be detected and a reference address of a method in a program data section of the executable file based on the name of the method and the name of the class thereof. If so, searching a push address of each function calling the API to be detected in an assembly code section of the executable file based on the reference address of the class of the API to be detected and the reference address of the method. And finally, searching the symbol names corresponding to the obtained push addresses in a symbol table, and taking the symbol names as the names of the functions calling the API to be detected.
It can be seen that the invention obtains the names of the functions calling the API to be detected based on the executable file. That is, the method and the device do not depend on source codes, can accurately detect whether the compiled product calls the API to be detected under the condition that only the source codes are compiled, and can accurately locate the positions and names of all functions calling the API to be detected. In addition, compared with a method for acquiring each function calling the API to be detected based on the source code, the method for searching based on the assembly code is faster, and the method can detect the condition that the compiled products call the API to be detected in batches.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which set forth the various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to fall within the scope of the claimed subject matter. The above, as well as additional objects, features, and advantages of the present disclosure will become more apparent from the following detailed description when read in conjunction with the accompanying drawings. Like reference numerals generally refer to like parts or elements throughout the present disclosure.
FIG. 1 illustrates a block diagram of a computing device 100, according to one embodiment of the invention;
FIG. 2 illustrates a flow chart of a method 200 of finding a function according to one embodiment of the invention;
FIG. 3 shows a schematic diagram of a process for treating a product to be detected according to one embodiment of the invention;
FIG. 4 shows a schematic diagram of the structure of a Mach-O file according to one embodiment of the present invention;
FIG. 5 illustrates a schematic diagram of obtaining a reference address of a class of an API to be detected and a reference address of a method according to one embodiment of the invention;
FIG. 6 illustrates a schematic diagram of locating addresses and function names of functions that call an API to be tested, according to one embodiment of the invention;
FIG. 7 illustrates assembly code for a method in a class of a Mach-O executable according to one embodiment of the invention;
FIG. 8 shows a schematic diagram of a flow for detecting a product to be detected based on an API detection tool, according to one embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The search method of the function of the present invention is performed in a computing device. The computing device may be any device having storage and computing capabilities, and may be implemented, for example, as a server, a workstation, or the like, or may be implemented as a personal configured computer such as a desktop computer, a notebook computer, or may be implemented as a terminal device such as a mobile phone, a tablet computer, an intelligent wearable device, or an internet of things device, but is not limited thereto.
FIG. 1 illustrates a block diagram of a computing device 100, according to one embodiment of the invention. It should be noted that the computing device 100 shown in fig. 1 is only an example, and in practice, the computing device used to implement the method of searching the function of the present invention may be any type of device, and the hardware configuration of the computing device may be the same as the computing device 100 shown in fig. 1 or may be different from the computing device 100 shown in fig. 1. In practice, the computing device used to implement the method of searching for the function of the present invention may add or delete hardware components of the computing device 100 shown in fig. 1, and the present invention is not limited to the specific hardware configuration of the computing device.
As shown in FIG. 1, in a basic configuration 102, a computing device 100 typically includes a system memory 106 and one or more processors 104. The memory bus 108 may be used for communication between the processor 104 and the system memory 106.
Depending on the desired configuration, the processor 104 may be any type of processing including, but not limited to, a microprocessor (μP), a microcontroller (μC), a digital information processor (DSP), or any combination thereof. The processor 104 may include one or more levels of caches, such as a first level cache 110 and a second level cache 112, a processor core 114, and registers 116. The example processor core 114 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 118 may be used with the processor 104, or in some implementations, the memory controller 118 may be an internal part of the processor 104.
Depending on the desired configuration, system memory 106 may be any type of memory including, but not limited to, volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. Physical memory in a computing device is often referred to as volatile memory, RAM, and data in disk needs to be loaded into physical memory in order to be read by processor 104. The system memory 106 may include an operating system 120, one or more applications 122, and program data 124. In some implementations, the application 122 may be arranged to execute instructions on an operating system by the one or more processors 104 using the program data 124. Operating system 120 may be, for example, linux, windows or the like, which includes program instructions for handling basic system services and performing hardware-dependent tasks. The application 122 includes program instructions for implementing various functions desired by the user, and the application 122 may be, for example, a browser, instant messaging software, a software development tool (e.g., integrated development environment IDE, compiler, etc.), or the like, but is not limited thereto. When an application 122 is installed into computing device 100, a driver module may be added to operating system 120.
When the computing device 100 starts up running, the processor 104 reads and executes program instructions of the operating system 120 from the system memory 106. Applications 122 run on top of operating system 120, utilizing interfaces provided by operating system 120 and underlying hardware to implement various user-desired functions. When a user launches the application 122, the application 122 is loaded into the system memory 106, and the processor 104 reads and executes the program instructions of the application 122 from the system memory 106.
Computing device 100 also includes storage device 132, storage device 132 including removable storage 136 and non-removable storage 138, both removable storage 136 and non-removable storage 138 being connected to storage interface bus 134.
Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to basic configuration 102 via bus/interface controller 130. The example output device 142 includes a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices such as a display or speakers via one or more a/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 158. An example communication device 146 may include a network controller 160, which may be arranged to facilitate communication with one or more other computing devices 162 via one or more communication ports 164 over a network communication link.
The network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media in a modulated data signal, such as a carrier wave or other transport mechanism. A "modulated data signal" may be a signal that has one or more of its data set or changed in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or special purpose network, and wireless media such as acoustic, radio Frequency (RF), microwave, infrared (IR) or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
In the computing device 100 according to the invention, the application 122 comprises instructions for performing the lookup method 200 of the function of the invention, which instructions may instruct the processor 104 to perform the lookup method of the function of the invention. Those skilled in the art will appreciate that the application 122 may include other applications 126 for implementing other functions in addition to instructions for performing the lookup method 200 of a function.
FIG. 2 illustrates a flow diagram of a method 200 of finding a function according to one embodiment of the invention, the method 200 being suitable for execution in a computing device (e.g., the computing device 100 shown in FIG. 1). As shown in fig. 2, the method starts at step S210.
In step S210, an executable file of the product to be detected and configuration information of each API to be detected are obtained, where the configuration information includes a name of a method and a name of a class. That is, the configuration information of the API to be detected means the name of the method of the API to be detected and the name of the class of the API to be detected. Wherein, according to one embodiment of the invention, the names of the methods and the names of the classes of the APIs to be detected can be configured in one configuration file. Further, it may be configured in a json format file, specifically as follows:
Of course, the above is merely an example, and the configuration information of each API to be detected may be configured in a file with another format, or may be configured in a configuration table, which is not particularly limited to this embodiment.
Regarding the API to be detected, it needs to be set according to the actual situation. For example, when detecting whether the product to be detected calls the positioning authority API and the address list authority API, the API to be detected is the positioning authority API [ CLLocationManager requestAlwaysAuthorization ] and the address list authority API [ CNContactStore requestAccessForEntityType ]. For another example, when the compliance API call is detected for the product to be detected that does not need to have the positioning authority function, the positioning authority API may be used as an API to be detected. Thus, when detecting that the product to be detected contains an API for calling the positioning authority, judging that the product to be detected is illegal and not compliant. Otherwise, determining the legal compliance. The setting of the API to be detected is not illustrated here. In a specific embodiment, the person skilled in the art may set the settings according to the actual needs.
Regarding the product to be detected, it may be a static library, a dynamic library, or a software compiled product, according to one embodiment of the invention. Further, the product to be detected may be a compiled product of libraries or software used on the iOS operating system. That is, the product to be detected may be an iOS static library, an iOS dynamic library, or a compiled iOS software product. The extension name of the iOS static library is the extension name of the iOS dynamic library, the extension name of the iOS dynamic library is the extension name of the iOS dynamic library, and the extension name of the product compiled by the iOS software is the extension name of the iOS dynamic library. Thus, the product to be detected is expressed in the form of. Ipa,. Framework or. A. It is emphasized that the product to be detected in the present invention refers to a product obtained by compiling an iOS static library, an iOS dynamic library or iOS software.
In addition, the static library does not support API call detection, so in order to detect that it also calls an API, it is preferable to convert the static library into a dynamic library and then extract the executable file from it, see FIG. 3. Based on this, in the step of obtaining the executable file of the product to be detected, the type of the product to be detected needs to be detected first. Specifically, whether the product to be detected is a static library is judged, wherein the dynamic library and the static library are determined by Xcode compiling item configuration. If the product to be detected is a static library, converting the product to be detected into a dynamic library, and acquiring a corresponding executable file. And if the product to be detected is not a static library, namely a dynamic library or a product compiled by software, directly acquiring an executable file of the product.
When the executable file of the product to be detected is acquired, the executable file of the product to be detected can be acquired by acquiring the executable file with the same name as the product to be detected in a next-stage directory in the product to be detected. Namely, the executable file with the same name as the product to be detected in the next-stage catalogue in the product to be detected is used as the executable file of the product to be detected.
Further, considering that ARM64 is the mainstream architecture of the current market, when acquiring an executable file of a product to be detected, it may be preferable to acquire the executable file of the product to be detected under the ARM64 architecture. The format of the executable file on the IOS operating system is Mach-O (Mach Object), so that the IOS dynamic library, the IOS static library and the IOS software are all executable files in Mach-O format after compiling. In this way, the step of obtaining the executable file of the product to be detected is specifically to obtain the Mach-O executable file of the product to be detected under the ARM64 architecture, as shown in fig. 3.
Thus, the executable file of the product to be detected and the configuration information of each API to be detected are obtained. In order to make the detection of the subsequent API call more convenient and faster, the names of the methods and the names of the classes of each API to be detected recorded in the configuration file may be preferably parsed into a form of a plurality of groups. Of course, the present invention is not limited to this, and other forms may be used.
Subsequently, step S220 is entered, for each API to be detected, based on the name of its method and the name of the class, in the program data section of the executable file, it is detected whether there is a reference address of the class and a reference address of the method.
Here, it is explained that the Mach-O file is mainly composed of Header, loadCommands, data three areas, as shown in fig. 4. The Header area mainly comprises some basic information of Mach-O files, including information of platforms, file types, load Commands and the like. The Load Command structure follows the Header structure and they specify the logical structure of the file and the layout of the file in virtual memory, each Load Command beginning with a field specifying the Command type and Command data size. The Data area contains specific codes and Data, etc.
Specifically, each segment Data (segment) in the Data area defines attributes such as Data, virtual address, file offset, and memory protection of some Mach-O files, and each segment has a different function. The __ DATA contains program DATA, which stores address information of all classes and address information of methods in the Mach-O file. Thus, in this step, it is possible to preliminarily determine whether there is a possibility of calling the API to be detected in the executable file by detecting whether there is a reference address of the class and a reference address of the method of each API to be detected in the program DATA section __ DATA of the executable file, so as to continue the subsequent detection.
Typically, __ DATA segments are divided into several sections. Wherein the names and corresponding addresses of all classes used in the Mach-O file are recorded in the referencing class DATA segment (i.e., __ DATA, __ objc _ classrefs), and the names and corresponding addresses of all methods used in the Mach-O file are recorded in the referencing method DATA segment (i.e., __ DATA, __ objc _ selrefs). Therefore, further, the step is to detect whether there are a reference address of a class and a reference address of a method of each API to be detected in the reference class data section and the reference method data section of the executable file based on the name of the method and the name of the class of each API to be detected. The method comprises the following specific steps:
For each API to be detected, first in the reference class data segment, it is detected whether there is a reference address of the class of the API to be detected. The above has pointed out that names and corresponding addresses of all classes are recorded in the referenced class data section, so that whether there is a referenced address of a class of an API to be detected in the referenced class data section can be detected by comparing the names of the classes of the API to be detected with the names of the respective classes recorded in the referenced class data section. Specifically, the names of classes of the API to be detected are matched with the names of the classes in the reference class data segment. If the matching is successful, determining that the reference address of the class of the API to be detected exists, and taking the address corresponding to the name of the class of the API to be detected in the reference class data segment as the reference address of the class of the API to be detected, as shown in fig. 5.
After determining that the reference address of the class of the API to be detected exists in the reference class data section (or after obtaining the reference address of the class of the API to be detected), detecting whether the reference address of the method of the API to be detected exists in the reference method data section. Specifically, the names of the methods of the API to be detected are matched with the names of the methods in the referencing method data section. If the matching is successful, determining that the reference address of the method to be detected exists, and taking the address corresponding to the name of the method to be detected in the data segment of the reference method as the reference address of the method to be detected, as shown in fig. 5.
Of course, when detecting whether the reference address of the class and the reference address of the method of the API to be detected exist in the reference class data section and the reference method data section of the executable file, the reference address of the method of the API to be detected may be detected in the reference method data section. If so, detecting whether the reference address of the class of the API to be detected exists in the reference class data segment. The present invention is not limited to this.
Whether the reference address of the class of the API to be detected is detected first or the reference address of the method of the API to be detected is detected first, as long as the reference address is not detected in the first detection, no subsequent step is executed, and the default executable file does not call the detection API. As an example, the reference address of the class of the API to be detected is detected first, then when the reference address of the class of the API to be detected does not exist in the reference class data segment of the executable file, the subsequent steps are not executed, and it is determined that the executable file does not call the API to be detected.
And when the reference address of the class of the API to be detected exists in the reference class data segment and the reference address of the method of the API to be detected also exists in the reference method data segment, judging that the possibility of calling the API to be detected exists in the execution file. Step S230 is then performed to find the push address of each function calling the API to be detected in the assembly code segment of the executable file based on the obtained reference address of the class and the reference address of the method.
All the assembly codes in the Mach-O file are recorded in the assembly code section (__ TEXT ) of the Mach-O file, so that after the reference address of the class of the API to be detected and the reference address of the method are obtained, the push address of each function calling the API to be detected can be searched by matching the reference address of the class of the API to be detected and the reference address of the method in the assembly code section of the executable file, as shown in fig. 6.
Further, in the executable file, the addresses of the class and the addresses of the method are stored after being split into the high-order address and the low-order address, so that when the stack address of each function calling the API to be detected is searched in the assembly code section of the executable file based on the obtained reference address of the class and the reference address of the method, the stack address of each function calling the API to be detected can be searched in the assembly code section by a high-order matching method. Specifically:
First, each class in the assembly code segment is taken as a class to be detected. Then, in each class to be detected of the assembly code segment, whether the address in two adjacent assembly instructions is spliced is detected, and the reference address of the class of the API to be detected is the same. That is, after detecting whether the address parameters in two adjacent assembly sentences are spliced, the reference address of the class of the API to be detected is the same as the reference address of the class of the API to be detected. If so, starting from the starting point (namely the starting position) of the class to be detected, sequentially detecting whether the addresses in the two adjacent assembly instructions are spliced and then the reference addresses are the same as the reference addresses of the method of the API to be detected. If the function exists, the address contained in the function is spliced and then used as the push address of the function of the calling API to be detected, wherein the push address of the function where the two adjacent assembly instructions are located is identical to the reference address of the method. That is, when it is detected that the address parameters included in two adjacent assembly sentences are spliced and are the same as the reference address of the method of the API to be detected, the push address of the function where the two assembly sentences are located is used as a push address of the function calling the API to be detected. And then, starting from the next assembly sentence of the two assembly sentences, continuing to execute the step of detecting whether the addresses in the two adjacent assembly instructions are spliced and then the step of detecting the same reference address as the method of the API to be detected until the ending point of the class to be detected is detected, namely, until the ending position of the class to be detected is detected.
Based on the above description, it is known that the method calls the API to be detected only when the reference address of the method of the API to be detected is matched in one method a (i.e., the method name a) of the assembly code segment, and the reference address of the class of the API to be detected also appears in the method a or the class in which the method a is located.
To better illustrate this step, a specific example is given below in connection with fig. 7. Fig. 7 shows assembly code of a method in a class (for example, class name ClassD) of a Mach-O executable file, and in the class ClassD, the reference address of the class of the API to be detected is the same after the address in two adjacent assembly instructions are detected to be spliced. In addition, the reference address of the method of the API to be detected is 0x1003 fcf. Therefore, from the beginning position of the class ClassD, it is required to sequentially detect whether there are address splicing in two adjacent assembler instructions, and then the address splicing is the same as the reference address of the method of the API to be detected.
When two adjacent assembly sentences of 'adrp x' and '0 x1003 fc000' and 'add x8, x 8' and '0 xf 28' in fig. 7 are detected, the address parameters '0 x1003 fc000' and '0 xf 28' are found to be the same as the reference address '0 x1003 fcf' of the method of the API to be detected after being spliced, so that the push address of the function where the two assembly sentences of 'adrp x', '0 x1003 fc000' and 'add x8, x 8' and '0 xf 28' are located is the push address of the method for calling the API to be detected. As can be seen from fig. 7, the sub corresponding to the assembler instruction of the function stacking where the two assembler sentences of "adrp x, #0x1003fc000" and "add x8, x8, #0xf28" are located, and then the corresponding stacking address can be obtained.
Here, the description will be given of the case where the addresses of the class and the method are stored in the executable file after being split into the upper address and the lower address. The reference address of the method of the API to be detected in the above example is 0x1003fcf, and the address parameters in the two adjacent assembly sentences matched in the executable file are "0x1003fc000" and "0xf28". Thus, this indicates that the reference address 0x1003fcf of the method of the API to be detected is stored after being split into the high-order address "0x1003fc000" and the low-order address "0xf28" in the executable file.
After each class in the assembly code segment is detected, the push addresses of all functions calling the API to be detected are obtained. Wherein each executable file corresponds to a symbol table (SymbolTable) which records the push address and function name of each function in the executable file. Thus, after the push addresses of all functions calling the API to be detected are obtained, the function names of all functions calling the API to be detected can be obtained based on the symbol table. That is, step S240 looks up the symbol name corresponding to each push address in the symbol table and uses it as the name of each function calling the API to be detected. Specifically, the obtained push addresses are sequentially matched with the addresses in the symbol table, and the symbol name corresponding to each push address successfully matched is used as the name of each function calling the API to be detected, as shown in fig. 6.
Therefore, based on the function searching method provided by the invention, each function calling the appointed API in the product to be detected can be detected rapidly and accurately. Obviously, based on the invention, the research and development personnel can timely find out the condition that the API is illegally called in the App or the third party SDK and correct the condition, so that the safety of the App can be ensured.
In addition, according to an embodiment of the present invention, the method for searching the function in the present invention may be implemented as an API detection tool or system, and after detecting that the product to be detected is input, it is detected whether the product to be detected calls the designated API according to the above-mentioned processing procedure, and the detection result is output, as shown in fig. 8. Further, when detecting software, it may be set that in the software release process, when entering the release node, the API detection tool or system is automatically triggered, so that the tool or system detects the API detection tool or system.
In order to better illustrate the complete implementation of the present invention, an embodiment of the present invention is also presented. In this embodiment, the product to be detected is a compiled product of an APP, that is, the expression form of the product to be detected is. Ipa, and in this embodiment, there is only one API to be detected, the class name is ClassT, and the method name is MethodT. Specifically:
First, a Mach-O executable file of a product to be detected under an ARM64 architecture is obtained, and a class name ClassT and a method name MethodT of an API to be detected are obtained.
Second, the __ DATA, __ objc _ classrefs DATA segment of the Mach-O executable is read, and ClassT reference addresses are found. If so, continuing to execute the next step. Otherwise, ending.
Third, the __ DATA, __ objc _ selrefs DATA segment of the Mach-O executable file is read, and MethodT reference addresses are found. If so, continuing to execute the next step. Otherwise, ending.
Fourthly, matching the ClassT reference address and the MethodT reference address with high-low address segments in the __ TEXT and __ TEXT (assembly code) segments of the Mach-O file, and searching the function push address where the high-low address segments are located after matching.
And fifthly, matching the function push address searched in the fourth step in SymbolTable (symbol table) to obtain the corresponding calling function symbol name.
And step six, circularly executing the fourth step and the fifth step until __ TEXT and __ TEXT (assembly code) section searching is finished, obtaining all functions calling the API to be detected, and outputting a detection result.
For specific details regarding the method for searching the function of the present embodiment, reference may be made to the descriptions based on fig. 1 and fig. 8, which are not described herein.
According to the function searching method, firstly, an executable file of a product to be detected and names and class names of methods of all APIs to be detected are obtained. Next, for each API to be detected, based on the name of its method and the name of the class, it is detected whether there is a reference address of the class of the API to be detected and a reference address of the method in the program data section of the executable file of the product to be detected. If so, searching a push address of each function calling the API to be detected in an assembly code section of an executable file of a product to be detected based on the reference address of the class of the API to be detected and the reference address of the method. And finally, searching the symbol names corresponding to the obtained push addresses in a symbol table, and taking the symbol names as the names of the functions calling the API to be detected.
It can be seen that the invention obtains the names of the functions calling the API to be detected based on the executable file. That is, the method and the device do not depend on source codes, can accurately detect whether the compiled product calls the API to be detected under the condition that only the source codes are compiled, and can accurately locate the positions and names of all functions calling the API to be detected. In addition, compared with a method for acquiring each function calling the API to be detected based on the source code, the method for searching based on the assembly code is faster, and the method can detect the condition that the compiled products call the API to be detected in batches.
A9, the method of A8, wherein the step of searching the stacking address of each function calling the API to be detected in the assembly code segment through a high-low matching method comprises the steps of detecting whether the addresses in two adjacent assembly instructions are spliced and then are identical to the reference addresses of the classes in each class to be detected in the assembly code segment, sequentially detecting whether the addresses in two adjacent assembly instructions are spliced and then are identical to the reference addresses of the method from the starting point of the class to be detected if the addresses exist, splicing the contained addresses and then being identical to the reference addresses of the method, and taking the stacking address of the function of the two adjacent assembly instructions as the stacking address of the function calling the API to be detected, and continuously executing the step of detecting whether the addresses in the two adjacent assembly instructions are spliced and then are identical to the reference addresses of the method until the ending point of the class to be detected is detected. A10, the method of any one of A1-A9, wherein the product to be detected is a compiled product of a library or software used on an iOS operating system.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions of the methods and apparatus of the present invention, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U-drives, floppy diskettes, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code and the processor is configured to perform the method of finding a function of the invention in accordance with instructions in said program code stored in the memory.
By way of example, and not limitation, readable media comprise readable storage media and communication media. The readable storage medium stores information such as computer readable instructions, data structures, program modules, or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with examples of the invention. The required structure for a construction of such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
It should be appreciated that in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into a plurality of sub-modules.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Furthermore, some of the embodiments are described herein as methods or combinations of method elements that may be implemented by a processor of a computer system or by other means of performing the functions. Thus, a processor with the necessary instructions for implementing the described method or method element forms a means for implementing the method or method element. Furthermore, the elements of the apparatus embodiments described herein are examples of apparatus for performing the functions performed by the elements for the purpose of practicing the invention.
As used herein, unless otherwise specified the use of the ordinal terms "first," "second," "third," etc., to describe a general object merely denote different instances of like objects, and are not intended to imply that the objects so described must have a given order, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of the above description, will appreciate that other embodiments are contemplated within the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is defined by the appended claims.

Claims (12)

1.一种函数的查找方法,适于在计算设备中执行,所述方法包括:1. A method for searching a function, suitable for execution in a computing device, the method comprising: 获取待检测产物的可执行文件以及各待检测API的配置信息,所述配置信息包括方法的名称和类的名称;Obtain the executable file of the product to be tested and the configuration information of each API to be tested, wherein the configuration information includes the name of the method and the name of the class; 针对每一待检测API,基于其方法的名称和类的名称,在所述可执行文件的程序数据段中,检测是否存在所述类的引用地址和所述方法的引用地址;For each API to be detected, based on the name of its method and the name of its class, detect whether there is a reference address of the class and a reference address of the method in the program data segment of the executable file; 若存在,基于所述类的引用地址和所述方法的引用地址,在所述可执行文件的汇编代码段中,查找调用所述待检测API的各函数的入栈地址;If it exists, based on the reference address of the class and the reference address of the method, searching the stack address of each function that calls the API to be detected in the assembly code segment of the executable file; 在符号表中查找与所述各入栈地址对应的符号名称,并将其作为调用所述待检测API的各函数的名称。The symbol names corresponding to the stack addresses are searched in the symbol table, and the symbol names are used as the names of the functions that call the API to be detected. 2.如权利要求1所述的方法,其中,所述待检测产物为静态库、动态库或软件编译后的产物。2. The method according to claim 1, wherein the product to be detected is a static library, a dynamic library or a product after software compilation. 3.如权利要求1或2所述的方法,其中,所述获取待检测产物的可执行文件的步骤,包括:3. The method according to claim 1 or 2, wherein the step of obtaining the executable file of the product to be detected comprises: 判断所述待检测产物是否为静态库;Determining whether the product to be detected is a static library; 若是,则将其转换为动态库,并获取对应的可执行文件。If so, convert it into a dynamic library and obtain the corresponding executable file. 4.如权利要求1或2所述的方法,其中,获取待检测产物的可执行文件的步骤,包括:4. The method according to claim 1 or 2, wherein the step of obtaining the executable file of the product to be detected comprises: 获取所述待检测产物在ARM64架构下的可执行文件。Obtain the executable file of the product to be detected under the ARM64 architecture. 5.如权利要求1或2所述的方法,其中,所述在所述可执行文件的程序数据段中,检测是否存在所述类的引用地址和所述方法的引用地址的步骤,包括:5. The method according to claim 1 or 2, wherein the step of detecting whether the reference address of the class and the reference address of the method exist in the program data segment of the executable file comprises: 在引用类数据段中,检测是否存在所述类的引用地址;In the reference class data segment, detecting whether there is a reference address of the class; 若存在,则在引用方法数据段中,检测是否存在所述方法的引用地址。If it exists, then in the reference method data segment, check whether there is a reference address of the method. 6.如权利要求5所述的方法,其中,所述在引用类数据段中,检测是否存在所述类的引用地址的步骤,包括:6. The method of claim 5, wherein the step of detecting whether there is a reference address of the class in the reference class data segment comprises: 将所述类的名称与所述引用类数据段中各类的名称进行匹配;Matching the name of the class with the names of the classes in the reference class data segment; 若匹配成功,则确定存在所述类的引用地址,并将所述引用类数据段中与所述类的名称相对应的地址作为所述类的引用地址。If the match is successful, it is determined that the reference address of the class exists, and the address corresponding to the name of the class in the reference class data segment is used as the reference address of the class. 7.如权利要求5所述的方法,其中,所述在引用方法数据段中,检测是否存在所述方法的引用地址的步骤,包括:7. The method according to claim 5, wherein the step of detecting whether there is a reference address of the method in the reference method data segment comprises: 将所述方法的名称与所述引用方法数据段中各方法的名称进行匹配;Matching the method name with the method names in the reference method data segment; 若匹配成功,则确定存在所述方法的引用地址,并将所述引用方法数据段中与所述方法的名称相对应的地址作为所述方法的引用地址。If the match is successful, it is determined that the reference address of the method exists, and the address corresponding to the name of the method in the reference method data segment is used as the reference address of the method. 8.如权利要求1或2所述的方法,其中,所述在所述可执行文件的汇编代码段中,查找调用所述待检测API的各函数的入栈地址的步骤,包括:8. The method according to claim 1 or 2, wherein the step of searching the stack address of each function that calls the API to be detected in the assembly code segment of the executable file comprises: 通过高低位匹配法,在所述汇编代码段中查找调用所述待检测API的各函数的入栈地址。By using a high-low bit matching method, the stack address of each function that calls the API to be detected is searched in the assembly code segment. 9.如权利要求8所述的方法,其中,所述通过高低位匹配法,在所述汇编代码段中查找调用所述待检测API的各函数的入栈地址的步骤,包括:9. The method according to claim 8, wherein the step of searching the stack address of each function that calls the API to be detected in the assembly code segment by high-low bit matching method comprises: 在所述汇编代码段的每一待检测类中,检测是否存在相邻的两条汇编指令中的地址拼接后与所述类的引用地址相同;In each to-be-detected class of the assembly code segment, detecting whether there are two adjacent assembly instructions whose addresses after being concatenated are the same as the reference address of the class; 若存在,则从所述待检测类的起始点,顺序检测是否存在相邻的两条汇编指令中的地址拼接后与所述方法的引用地址相同;If so, starting from the starting point of the class to be detected, sequentially detect whether there are two adjacent assembly instructions whose addresses are concatenated to be the same as the reference address of the method; 若存在,则将其所包含的地址拼接后与所述方法的引用地址相同的两条相邻汇编指令所在函数的入栈地址,作为一个调用所述待检测API的函数的入栈地址;If it exists, the stack addresses of the function containing the two adjacent assembly instructions which are the same as the reference address of the method after concatenating the addresses contained therein are used as the stack address of the function that calls the API to be detected; 继续执行检测是否存在相邻的两条汇编指令中的地址拼接后与所述方法的引用地址相同的步骤,直至检测至所述待检测类的结束点。Continue to execute the step of detecting whether there are two adjacent assembly instructions whose addresses are concatenated to be the same as the reference address of the method until the end point of the class to be detected is detected. 10.如权利要求1或2所述的方法,其中,所述待检测产物为在iOS操作系统上所使用的库或软件的编译产物。10. The method according to claim 1 or 2, wherein the product to be detected is a compiled product of a library or software used on an iOS operating system. 11.一种计算设备,包括:11. A computing device comprising: 至少一个处理器;以及at least one processor; and 存储器,存储有程序指令,其中,所述程序指令被配置为适于由所述至少一个处理器执行,所述程序指令包括用于执行如权利要求1-10中任一项所述的方法的指令。A memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, and the program instructions include instructions for executing the method according to any one of claims 1 to 10. 12.一种存储有程序指令的可读存储介质,当所述程序指令被计算设备读取并执行时,使得所述计算设备执行如权利要求1-10中任一项所述方法。12. A readable storage medium storing program instructions, when the program instructions are read and executed by a computing device, the computing device executes the method according to any one of claims 1 to 10.
CN202210398129.7A 2022-04-13 2022-04-13 A function search method, computing device and readable storage medium Active CN114968328B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210398129.7A CN114968328B (en) 2022-04-13 2022-04-13 A function search method, computing device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210398129.7A CN114968328B (en) 2022-04-13 2022-04-13 A function search method, computing device and readable storage medium

Publications (2)

Publication Number Publication Date
CN114968328A CN114968328A (en) 2022-08-30
CN114968328B true CN114968328B (en) 2025-03-28

Family

ID=82977647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210398129.7A Active CN114968328B (en) 2022-04-13 2022-04-13 A function search method, computing device and readable storage medium

Country Status (1)

Country Link
CN (1) CN114968328B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103019787A (en) * 2012-12-14 2013-04-03 华为技术有限公司 Function call relation determining method, hotfix updating method and hotfix updating device
CN106227668A (en) * 2016-07-29 2016-12-14 腾讯科技(深圳)有限公司 Data processing method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9280665B2 (en) * 2013-09-13 2016-03-08 Airwatch Llc Fast and accurate identification of message-based API calls in application binaries
US9910724B2 (en) * 2013-09-13 2018-03-06 Airwatch Llc Fast and accurate identification of message-based API calls in application binaries
CN108132790B (en) * 2017-12-22 2020-11-03 广州酷狗计算机科技有限公司 Method, apparatus and computer storage medium for detecting a garbage code
CN113946821A (en) * 2021-02-05 2022-01-18 北京火绒网络科技有限公司 Method for generating API sequence through static method and using API sequence for heuristic virus searching and killing
CN113946347B (en) * 2021-09-29 2022-07-08 北京五八信息技术有限公司 Function call detection method and device, electronic equipment and readable medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103019787A (en) * 2012-12-14 2013-04-03 华为技术有限公司 Function call relation determining method, hotfix updating method and hotfix updating device
CN106227668A (en) * 2016-07-29 2016-12-14 腾讯科技(深圳)有限公司 Data processing method and device

Also Published As

Publication number Publication date
CN114968328A (en) 2022-08-30

Similar Documents

Publication Publication Date Title
CN106980504B (en) Application program development method and tool and equipment thereof
CN105739981B (en) Code completion implementation method and device and computing equipment
WO2015165232A1 (en) Driver program loading method and embedded device
CN111813385B (en) A web application-based page plug-in method, device and equipment
WO2018040270A1 (en) Method and device for loading linux-system elf file in windows system
CN112379888B (en) Code change analysis method
US10394756B2 (en) System and method for customizing archive of a device driver generator tool for a user
CN111428241B (en) Multi-security access policy control method and computing device
CN113791732B (en) Optical disc information acquisition method, computing device and readable storage medium
CN113535642B (en) A file search method and computing device
CN113961919A (en) Malicious software detection method and device
CN113485712B (en) Kernel clipping method and computing device
CN114879978B (en) Processing method of software package dependency relationship, computing device and readable storage medium
CN112698867A (en) Method and device for dynamically modifying annotation information, electronic equipment and medium
CN114911541B (en) Processing method and device of configuration information, electronic equipment and storage medium
CN114416550A (en) Test method and test system of operating system
CN106201595A (en) The cleaning control method of a kind of application program and device
CN114968328B (en) A function search method, computing device and readable storage medium
CN111563259B (en) Puppet process detection method and device, readable storage medium and computing device
CN110058849A (en) Generation method, device, computer equipment and the storage medium of flow chart
WO2017054731A1 (en) Method and device for processing hijacked browser
US9110893B2 (en) Combining problem and solution artifacts
CN111752620B (en) Processing method and loading method of kernel module
CN113656347A (en) File directory export method, file directory import method and computing device
CN103631886B (en) In the method and apparatus that browser side is inputted

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant