A data instruction analysis method

Document No.: 1755129. Published: 2019-11-29.

Reading note: this technique, "A data instruction analysis method" (一种数据指令分析方法), was designed by 王栋林 (Wang Donglin) and 房建东 (Fang Jiandong) on 2019-08-27. Its main content is as follows. The invention discloses a data instruction analysis method, comprising: obtaining a number of data instructions from a data instruction set; classifying the data instructions based on the machine code and memory address of each data instruction, to obtain a number of categories; building a three-dimensional linked list based on the category and execution sequence number of each data instruction, so that each data instruction is stored in its own node of the three-dimensional linked list; building a suffix dictionary linked list based on each data instruction's coordinate in the second-dimension direction of the three-dimensional linked list and on the suffix memory address corresponding to each data instruction's third pointer address, so that the third pointer address of each data instruction in the three-dimensional linked list is stored in a node of the suffix dictionary linked list; comparing the suffix memory addresses of each two adjacent nodes of the suffix dictionary linked list, to obtain the longest repeated prefix; and, based on the longest repeated prefix, deleting the corresponding nodes of the three-dimensional linked list and counting the data instructions corresponding to the deleted nodes, to obtain the analysis result.

1. A data instruction analysis method, characterized by comprising:

obtaining a data instruction set;

obtaining a number of data instructions from the data instruction set, each data instruction including a machine code, a memory address and an execution sequence number;

classifying the data instructions based on the machine code and memory address of each data instruction, to obtain a number of categories;

building a three-dimensional linked list based on the category and execution sequence number of each data instruction, so that each data instruction is stored in its own node of the three-dimensional linked list; each node includes: a first pointer address along the first-dimension direction (same category), a second pointer address along the second-dimension direction (different categories), and a third pointer address along the third-dimension direction (execution sequence number);

building a suffix dictionary linked list based on each data instruction's coordinate in the second-dimension direction of the three-dimensional linked list and on the suffix memory address corresponding to each data instruction's third pointer address, so that the third pointer address of each data instruction in the three-dimensional linked list is stored in a node of the suffix dictionary linked list;

comparing the suffix memory addresses corresponding to the third pointer addresses in each two adjacent nodes of the suffix dictionary linked list, to obtain the longest repeated prefix of the suffix memory addresses of the two adjacent nodes;

based on the memory addresses in the longest repeated prefix, deleting, along the third-dimension direction of the three-dimensional linked list, the nodes that store those memory addresses, to obtain the current three-dimensional linked list;

counting the data instructions corresponding to the deleted nodes, to obtain the analysis result.

2. The method according to claim 1, characterized in that obtaining the data instruction set specifically comprises:

determining target information and the target process corresponding to the target information;

searching for the memory address of the target information;

setting a memory breakpoint based on the memory address, so that a first exception is triggered when the target process runs to the position corresponding to the memory breakpoint;

when the target process triggers the first exception, obtaining the target threads corresponding to the target process;

setting a hardware breakpoint on each target thread, so that a second exception is triggered when a target thread runs to the position corresponding to the hardware breakpoint; the address value of the hardware breakpoint is the same as the address value of the memory breakpoint;

when a target thread triggers the second exception, executing each data instruction in the target thread in single-step mode, to obtain the current data instruction while the target thread is in the interrupted state;

saving each obtained current data instruction in a predetermined format, to obtain the data instruction set.

3. The method according to claim 2, characterized in that obtaining the threads corresponding to the target process specifically comprises:

determining the process ID of the target process;

taking a snapshot of all threads in the system, to obtain all threads currently in the system;

filtering the process ID of each thread against the process ID of the target process, to obtain the target threads.

4. The method according to claim 2, characterized in that executing each data instruction in the target thread in single-step mode, to obtain each current data instruction while the target thread is in each single-step interrupt state, specifically comprises:

repeatedly setting the trap flag bit of the flags register to 1, so that the CPU generates a single-step interrupt after executing each instruction in the target thread;

obtaining, in the single-step interrupt state, the memory address of the instruction the CPU is executing;

obtaining the data instruction corresponding to the memory address based on the memory address.

5. The method according to claim 2, characterized in that, after the memory addresses of the target information are found, the method further comprises: storing the memory addresses of the target information in an array in the order in which they were found;

setting the memory breakpoint based on the memory address specifically comprises: setting the memory breakpoint at the position corresponding to the first value in the array.

6. The method according to claim 2, characterized in that, after the hardware breakpoint is set on each target thread, the method further comprises: deleting the memory breakpoint.

7. The method according to claim 1, characterized in that obtaining a number of data instructions from the data instruction set specifically comprises: each time, obtaining a predetermined number of lines of data instructions from the data instruction set, where each line corresponds to one data instruction;

converting each obtained line of data instructions, to obtain the execution sequence number, memory address and machine code corresponding to each data instruction.

8. The method according to claim 1, characterized in that the method further comprises:

taking the third pointer address of each data instruction in the three-dimensional linked list as the traversal start address, and traversing each remaining node of the three-dimensional linked list along the third-dimension direction;

obtaining the memory address in each remaining node;

merging the obtained memory addresses in the order in which they were obtained, to obtain the suffix memory address corresponding to the third pointer address of each data instruction.

9. The method according to claim 1, characterized in that the method further comprises: comparing the character count of the longest repeated prefix with a preset threshold, and, when the character count of the longest repeated prefix is greater than or equal to the preset threshold, performing the node deletion operation on the three-dimensional linked list;

when the character count of the longest repeated prefix is less than the preset threshold, stopping the node deletion operation on the three-dimensional linked list.

10. The method according to claim 9, characterized in that, after the current three-dimensional linked list is obtained, the method further comprises: based on the memory addresses in the longest repeated prefix, deleting from the suffix dictionary linked list the nodes holding the third pointer addresses that correspond to those memory addresses, to obtain the current suffix dictionary linked list; using the current suffix dictionary linked list and the three-dimensional linked list to obtain the longest repeated prefix again, so as to repeat the node deletion operation on the three-dimensional linked list; and stopping the node deletion operation when the longest repeated prefix is less than the preset threshold.

Technical Field

The present invention relates to the technical field of software reverse engineering, and in particular to a data instruction analysis method.

Background

In the field of logical partitioning of data instructions, the data instructions usually have to be obtained first, and their logical architecture analysed afterwards. The prior art is typified by the F5 key of IDA: the pseudocode (Pseudocode) tab function. In essence, this function uses IDA's own built-in logical architecture to fit a model to the data instructions. When the type of data instruction is outside its recognition range, or the data instructions were not compiled by a compiler it can recognise, the pseudocode tab has no effect at all. Furthermore, when the data instructions contain junk-instruction obfuscation or an unbalanced stack, the pseudocode tab cannot work either, so the logical architecture of the data instructions cannot be analysed accurately.

Summary of the Invention

The purpose of the embodiments of the present invention is to provide a data instruction analysis method that solves the prior-art problem that data instructions cannot be analysed accurately.

To solve the above technical problem, the embodiments of the application adopt the following technical solution: a data instruction analysis method, comprising:

obtaining a data instruction set;

obtaining a number of data instructions from the data instruction set, each data instruction including a machine code, a memory address and an execution sequence number;

classifying the data instructions based on the machine code and memory address of each data instruction, to obtain a number of categories;

building a three-dimensional linked list based on the category and execution sequence number of each data instruction, so that each data instruction is stored in its own node of the three-dimensional linked list; each node includes: a first pointer address along the first-dimension direction (same category), a second pointer address along the second-dimension direction (different categories), and a third pointer address along the third-dimension direction (execution sequence number);

building a suffix dictionary linked list based on each data instruction's coordinate in the second-dimension direction of the three-dimensional linked list and on the suffix memory address corresponding to each data instruction's third pointer address, so that the third pointer address of each data instruction in the three-dimensional linked list is stored in a node of the suffix dictionary linked list;

comparing the suffix memory addresses corresponding to the third pointer addresses in each two adjacent nodes of the suffix dictionary linked list, to obtain the longest repeated prefix of the suffix memory addresses of the two adjacent nodes;

based on the memory addresses in the longest repeated prefix, deleting, along the third-dimension direction of the three-dimensional linked list, the nodes that store those memory addresses, to obtain the current three-dimensional linked list;

counting the data instructions corresponding to the deleted nodes, to obtain the analysis result.

Optionally, obtaining the data instruction set specifically comprises:

determining target information and the target process corresponding to the target information;

searching for the memory address of the target information;

setting a memory breakpoint based on the memory address, so that a first exception is triggered when the target process runs to the position corresponding to the memory breakpoint;

when the target process triggers the first exception, obtaining the target threads corresponding to the target process;

setting a hardware breakpoint on each target thread, so that a second exception is triggered when a target thread runs to the position corresponding to the hardware breakpoint; the address value of the hardware breakpoint is the same as the address value of the memory breakpoint;

when a target thread triggers the second exception, executing each data instruction in the target thread in single-step mode, to obtain the current data instruction while the target thread is in the interrupted state;

saving each obtained current data instruction in a predetermined format, to obtain the data instruction set.

Optionally, obtaining the threads corresponding to the target process specifically comprises:

determining the process ID of the target process;

taking a snapshot of all threads in the system, to obtain all threads currently in the system;

filtering the process ID of each thread against the process ID of the target process, to obtain the target threads.

Optionally, executing each data instruction in the target thread in single-step mode, to obtain each current data instruction while the target thread is in each single-step interrupt state, specifically comprises:

repeatedly setting the trap flag bit of the flags register to 1, so that the CPU generates a single-step interrupt after executing each instruction in the target thread;

obtaining, in the single-step interrupt state, the memory address of the instruction the CPU is executing;

obtaining the data instruction corresponding to the memory address based on the memory address.

Optionally, after the memory addresses of the target information are found, the method further comprises: storing the memory addresses of the target information in an array in the order in which they were found;

setting the memory breakpoint based on the memory address specifically comprises: setting the memory breakpoint at the position corresponding to the first value in the array.

Optionally, after the hardware breakpoint is set on each target thread, the method further comprises: deleting the memory breakpoint.

Optionally, obtaining a number of data instructions from the data instruction set specifically comprises: each time, obtaining a predetermined number of lines of data instructions from the data instruction set, where each line corresponds to one data instruction;

converting each obtained line of data instructions, to obtain the execution sequence number, memory address and machine code corresponding to each data instruction.

Optionally, the method further comprises:

taking the third pointer address of each data instruction in the three-dimensional linked list as the traversal start address, and traversing each remaining node of the three-dimensional linked list along the third-dimension direction;

obtaining the memory address in each remaining node;

merging the obtained memory addresses in the order in which they were obtained, to obtain the suffix memory address corresponding to the third pointer address of each data instruction.

Optionally, the method further comprises: comparing the character count of the longest repeated prefix with a preset threshold, and, when the character count of the longest repeated prefix is greater than or equal to the preset threshold, performing the node deletion operation on the three-dimensional linked list;

when the character count of the longest repeated prefix is less than the preset threshold, stopping the node deletion operation on the three-dimensional linked list.

Optionally, after the current three-dimensional linked list is obtained, the method further comprises: based on the memory addresses in the longest repeated prefix, deleting from the suffix dictionary linked list the nodes holding the third pointer addresses that correspond to those memory addresses, to obtain the current suffix dictionary linked list; using the current suffix dictionary linked list and the three-dimensional linked list to obtain the longest repeated prefix again, so as to repeat the node deletion operation on the three-dimensional linked list; and stopping the node deletion operation when the longest repeated prefix is less than the preset threshold.

The embodiments of the present invention store each data instruction in a three-dimensional linked list, and store the address of each data instruction within the three-dimensional linked list in a suffix dictionary linked list. The three-dimensional linked list can then be traversed from the address stored in each node of the suffix dictionary linked list, which quickly yields the suffix memory address corresponding to each node of the suffix dictionary linked list. This makes possible the later step of comparing the suffix memory addresses of two adjacent nodes to obtain the longest repeated prefix. Once the longest repeated prefix is obtained, the corresponding nodes of the three-dimensional linked list can be deleted; the deleted nodes represent the data instructions that repeat the most times, so the logical architecture of the data instructions is analysed accurately.

Brief Description of the Drawings

Fig. 1 is a flowchart of the instruction analysis method of an embodiment of the present invention;

Fig. 2 is a schematic structural diagram of the three-dimensional linked list of an embodiment of the present invention;

Fig. 3 is a schematic structural diagram of the suffix dictionary linked list of an embodiment of the present invention;

Fig. 4 is a schematic structural diagram of the current three-dimensional linked list after several nodes of the three-dimensional linked list of an embodiment of the present invention have been deleted;

Fig. 5 is a flowchart of the instruction analysis method of an embodiment of the present invention.

Detailed Description of the Embodiments

The various solutions and features of the application are described here with reference to the drawings.

It should be understood that various modifications can be made to the embodiments disclosed herein. The above description should therefore not be regarded as limiting, but merely as examples of embodiments. Those skilled in the art will conceive of other modifications within the scope and spirit of the application.

The drawings, which are included in and form part of the specification, show embodiments of the application and, together with the general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.

These and other characteristics of the application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the drawings.

It should also be understood that, although the application has been described with reference to some specific examples, those skilled in the art can certainly realise many other equivalent forms of the application, which have the features set out in the claims and therefore all fall within the scope of protection defined thereby.

The above and other aspects, features and advantages of the application will become more apparent in view of the following detailed description when read in conjunction with the drawings.

Specific embodiments of the application are described below with reference to the drawings; however, it should be understood that the disclosed embodiments are merely examples of the application, which can be implemented in various ways. Well-known and/or repeated functions and structures are not described in detail, to avoid obscuring the application with unnecessary or superfluous detail. The specific structural and functional details disclosed herein are therefore not intended to be limiting, but serve merely as a basis for the claims and as a representative basis for teaching those skilled in the art to employ the application in diverse ways with substantially any appropriately detailed structure.

This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which can refer to one or more of the same or different embodiments according to the application.

An embodiment of the present invention provides a data instruction analysis method, which specifically includes the following steps:

S101: obtain a data instruction set.

In this step, the data instruction set consists of a number of data instructions. A data instruction is a sequence of characters, or a combination of characters and spaces. For example, | 7 | | 005E0421 | | FF157484BF00 | | CALL DWORD PTR DS: [12551284] | represents one data instruction.

S102: obtain a number of data instructions from the data instruction set, each data instruction including a machine code, a memory address and an execution sequence number.

In this step, the data instructions can be obtained from the data instruction set a predetermined number of lines at a time. For example, 1000 lines of data instructions are obtained each time, where each line corresponds to one data instruction (that is, 1000 data instructions are obtained each time). Each obtained data instruction is then converted to obtain its execution sequence number, memory address and machine code. For example, converting | 7 | | 005E0421 | | FF157484BF00 | | CALL DWORD PTR DS: [12551284] | gives the machine code "FF157484BF00", the memory address "005E0421" and the execution sequence number "8". Another 1000 lines of data instructions are then obtained and converted, and so on until all data instructions have been converted. When the last batch has fewer than 1000 lines, the remaining lines can be padded with spaces.

S103: classify the data instructions based on the machine code and memory address of each data instruction, to obtain a number of categories.

S104: build a three-dimensional linked list based on the category and execution sequence number of each data instruction, so that each data instruction is stored in its own node of the three-dimensional linked list. Each node includes: a first pointer address along the first-dimension direction (same category), a second pointer address along the second-dimension direction (different categories), and a third pointer address along the third-dimension direction (execution sequence number).

In this step, the structure of the three-dimensional linked list is as shown in Fig. 2 (the third-dimension direction of the three-dimensional linked list is shown in Fig. 2). When building the three-dimensional linked list, a head node ROOT can be created first; memory is then allocated for each new node, and each data instruction is stored in its own new node. For example, suppose there are 10 data instructions with execution sequence numbers 1-10. The new node holding the first data instruction 1 is linked after the head node ROOT. The memory address and machine code of the second data instruction 2 are then compared with those of instruction 1; the result is that they differ, so the node for data instruction 2 is linked to the right of the node of data instruction 1 along the second-dimension direction (the right direction). The memory address and machine code of the third data instruction are compared in turn with those of the first and second instructions; the result is that they differ, so the node for data instruction 3 is linked to the right (the right direction) of the node of data instruction 2. The memory address and machine code of the fourth data instruction 4 are compared with those of the first data instruction 1 and found to be identical, i.e. data instruction 4 and data instruction 1 belong to the same category, so the node for data instruction 4 is linked below the node for instruction 1 along the first-dimension direction (the down direction). In the same way, the memory address and machine code of each of the remaining 6 data instructions are compared with those of the data instructions in the nodes along the second-dimension direction of the three-dimensional linked list, giving the three-dimensional linked list shown in Fig. 2. In the three-dimensional linked list shown in Fig. 2, the data instructions in the nodes of the same column have identical memory addresses and machine codes. The first-dimension direction is thus 1-4-7, 2-5-8, 3, 6, 9, 10. The second-dimension direction is 1-2-3-6-9-10. The third-dimension direction (the next direction) is the direction of the execution sequence numbers of the data instructions, i.e. 1-2-3-4-5-6-7-8-9-10.

S105: build a suffix dictionary linked list based on each data instruction's coordinate in the second-dimension direction of the three-dimensional linked list and on the suffix memory address corresponding to each data instruction's third pointer address, so that the third pointer address of each data instruction in the three-dimensional linked list is stored in a node of the suffix dictionary linked list.

In this step, the suffix dictionary linked list is built according to the size of the coordinate in the second-dimension direction (the down direction), i.e. the column number, and the dictionary order of the characters in the suffix memory address. Each node of the suffix dictionary linked list stores a third pointer address of the three-dimensional linked list, but what it actually represents is all the memory addresses obtained by taking that third pointer address as the traversal start point and traversing each remaining node of the three-dimensional linked list along the third-dimension direction. Take the three-dimensional linked list of Fig. 2 in step S104. The 10 data instructions corresponding to its 10 nodes are as follows: data instruction 1 has execution sequence number 1, memory address A and machine code 666, i.e. the first data instruction includes 1, A, 666; the second data instruction includes 2, B, 777; the third data instruction includes 3, C, 888; and the rest, abbreviated in the same way, are: 4, A, 666; 5, B, 777; 6, X, 000; 7, A, 666; 8, B, 777; 9, C, 888; 10, D, 999. The suffix dictionary linked list therefore has 10 nodes. In ascending order of the column number of each data instruction in the three-dimensional linked list, the suffix memory address of the data instruction in each node of each column (each first-dimension direction) is obtained. Specifically, the suffix memory address is obtained as follows: taking the third pointer address of each data instruction in the three-dimensional linked list as the traversal start address, each remaining node of the three-dimensional linked list is traversed along the third-dimension direction; the memory address in each remaining node is obtained; and the obtained memory addresses are merged in the order in which they were obtained, giving the suffix memory address corresponding to the third pointer address of each data instruction. First the suffix memory address of data instruction 1, ABCABXABCD, is obtained, abbreviated as 1, ABCABXABCD; then that of data instruction 4, ABXABCD, abbreviated as 4, ABXABCD; then that of data instruction 7, ABCD, abbreviated as 7, ABCD; and likewise the remaining suffix memory addresses: 2, BCABXABCD; 5, BXABCD; 8, BCD; 3, CABXABCD; 9, CD; 6, XABCD; 10, D. The suffix memory addresses of the data instructions are then sorted in dictionary order, giving: 1, ABCABXABCD; 7, ABCD; 4, ABXABCD; 2, BCABXABCD; 8, BCD; 5, BXABCD; 3, CABXABCD; 9, CD; 10, D; 6, XABCD. Finally, following this sorted order, the third pointer address corresponding to each instruction is stored in the suffix dictionary linked list, giving the suffix dictionary linked list shown in Fig. 3.

S106: compare the suffix memory addresses corresponding to the third pointer addresses in each two adjacent nodes of the suffix dictionary linked list, to obtain the longest repeated prefix of the suffix memory addresses of the two adjacent nodes.

In this step, for example, comparing the prefixes of the suffix memory addresses of each two adjacent nodes of the suffix dictionary linked list of Fig. 3 gives the longest repeated prefix "ABC".

S107: based on the memory addresses in the longest repeated prefix, delete, along the third-dimension direction of the three-dimensional linked list, the nodes that store those memory addresses, to obtain the current three-dimensional linked list.

In this step, the longest repeated prefix "ABC" obtained above determines the memory addresses A, B and C. Then, along the third-dimension direction, the node with memory address A, the node with memory address B and the node with memory address C are deleted, i.e. nodes 1, 2 and 3 are deleted, and then nodes 7, 8 and 9 are deleted, giving the current three-dimensional linked list shown in Fig. 4.

In this step, the character count of the longest repeated prefix can be compared with a preset threshold; when the character count of the longest repeated prefix is greater than or equal to the preset threshold, the node deletion operation is performed on the three-dimensional linked list. For example, if the preset value is 2 and the obtained longest repeated prefix "ABC" has 3 characters, the node deletion operation can be performed.

S108 counts data command corresponding to the chained list node of deletion, obtains analysis result.

In the present embodiment after the chained list node for completing once to delete three-dimensional chained list, further includes: based on the maximum repetition Memory address in prefix is deleted in the suffix dictionary chained list corresponding to third pointer address corresponding with the memory address Node, to obtain current suffix dictionary chained list.

Prefix is repeated to search maximum again by obtaining current suffix dictionary chained list and current three-dimensional chained list, to described Three-dimensional chained list repeats to delete the operation of chained list node, until the maximum prefix that repeats is less than the preset threshold value When, stop the operation for deleting chained list node.

The embodiment of the invention stores each data command by building a three-dimensional linked list, and stores the address at which each data command sits in the three-dimensional linked list by building a suffix dictionary linked list. The three-dimensional linked list can thus be traversed from the address stored in each node of the suffix dictionary linked list to obtain quickly the suffix memory address corresponding to each node, which underpins the subsequent comparison of the suffix memory addresses of two adjacent nodes to obtain the maximum repeated prefix. Once the maximum repeated prefix is obtained, the corresponding linked list nodes in the three-dimensional linked list can be deleted; the deleted linked list nodes represent the data commands that occur most often, so the logical structure of the data commands is analysed accurately.

At the same time, by building the three-dimensional linked list, the data commands are projected into and stored in the three-dimensional linked list, and the suffix dictionary linked list is then used to find the maximum repeated prefix of the suffix memory addresses. Finding the maximum repeated prefix at this point means finding data commands whose memory address and original machine code are both identical, so the original machine codes need not be compared directly one by one, which reduces the computation and improves efficiency.

A further embodiment of the invention provides a data command analysis method which, as shown in Fig. 5, includes the following steps:

Step S201: determine the target information and the target process corresponding to the target information;

In the present embodiment the "target information" is a contiguous memory unit in the memory of the "target process"; specifically, it is sensitive information in the target program, such as the mobile phone number of a user in a "bank management system".

Here, the target process denotes the several preset processes of a target program that are currently running.

Step S202: find the memory address of the target information;

In this step, after the memory address of the target information is found, the method further includes: storing the memory addresses of the target information in an array in the order in which they were found;

In this step, when the memory addresses are actually obtained, each thread has several pieces of target information, so several memory addresses are obtained; the memory addresses can then be stored in the array one after another in the order in which they were obtained.

Step S203: set a memory breakpoint based on the memory address, so that a first exception is triggered when the target process runs to the position corresponding to the memory breakpoint;

Specifically, when the memory breakpoint is set, it is set at the position corresponding to the first value in the array.

Step S204: when the target process triggers the first exception, obtain the several target threads corresponding to the target process;

In this step, obtaining the several target threads corresponding to the target process specifically includes: determining the process ID of the target process; taking a snapshot of all threads in the system, to obtain all threads currently in the system; and filtering the threads by comparing the process ID of each thread with the process ID of the target process, to obtain the target threads.

Step S205: set a hardware breakpoint on each target thread, so that a second exception is triggered when each target thread runs to the position corresponding to the hardware breakpoint; the address value of the hardware breakpoint is the same as the address value of the memory breakpoint;

In this step, after the hardware breakpoint is set on each target thread, the method further includes: deleting the memory breakpoint.

Step S206: when a target thread triggers the second exception, execute each data command in the target thread in single-step mode, to obtain the current data command of the target thread in the interrupted state;

In this step, executing each data command in the target thread in single-step mode, to obtain each current data command of the target thread in each single-step interrupt state, specifically includes: repeatedly setting the trap flag (TF) bit of the flags register to 1, so that the CPU raises a single-step interrupt after executing each instruction in the target thread; obtaining, in the single-step interrupt state, the memory address of the instruction the CPU is executing; and obtaining the data command corresponding to that memory address based on the memory address.

Step S207: save each current data command obtained in a predetermined format, to obtain the data command set;

Step S208: obtain several data commands from the data command set, each data command including a machine code, a memory address and a run sequence number;

Step S209: classify the data commands based on the machine code and memory address of each data command, to obtain several categories;

Step S210: build a three-dimensional linked list based on the category to which each data command belongs and its run sequence number, so that each data command is stored in a linked list node of the three-dimensional linked list; each linked list node contains: a first pointer address along the first-dimension direction down within the same category, a second pointer address along the second-dimension direction right across different categories, and a third pointer address along the third-dimension direction next following the run sequence number;

Step S211: build a suffix dictionary linked list based on the coordinate of each data command in the second-dimension direction of the three-dimensional linked list and the suffix memory address corresponding to the third pointer address of each data command, so that the third pointer address of each data command in the three-dimensional linked list is stored in a node of the suffix dictionary linked list;

Step S212: compare the suffix memory addresses corresponding to the third pointer addresses in two adjacent nodes of the suffix dictionary linked list, to obtain the maximum repeated prefix of the suffix memory addresses of the two adjacent nodes;

Step S213: based on the memory addresses in the maximum repeated prefix, delete, along the third-dimension direction of the three-dimensional linked list, the linked list nodes that store those memory addresses, to obtain the current three-dimensional linked list;

Step S214: count the data commands corresponding to the deleted linked list nodes, to obtain the analysis result.

The embodiment of the invention sets a memory breakpoint and, when the memory breakpoint triggers an exception, sets a hardware breakpoint for each target thread, so the data commands corresponding to the target information can be located quickly and accurately; each data command is then executed in single-step mode, so the data commands related to the target information are obtained accurately, laying the foundation for the subsequent analysis of the data commands.

Another embodiment of the invention provides a data command analysis method in which, for example, the data commands related to some target information need to be obtained and analysed; the specific implementation includes the following steps:

One, obtain the data command set; the specific steps are as follows:

(1) Determine the target information and the target process corresponding to the target information.

(2) Attach to the target process with the DebugActiveProcess(pid) function, using the process ID of the target process (i.e. pid).

(3) Find the positions of the target information in the memory of the target process with the memorySearch function, and record them in the array initalAdd[].

(4) Set a memory breakpoint at initalAdd[0], the first value of the initalAdd[] array, with the VirtualProtectEx function.

(5) Run the target process and wait for the memory exception to trigger:

① WaitForDebugEvent(&DebugEvent, INFINITE); obtains the exception currently triggered.

② Filter for the EXCEPTION_ACCESS_VIOLATION exception with a switch structure.

③ When the exception corresponding to the memory breakpoint is triggered, set a hardware breakpoint (i.e. a DRx breakpoint) with DR0 = memoryFirst for all threads of the target pid process through hardBreakPhoto(pid, memoryFirst). Specifically:

a. Take a snapshot of all threads in the operating system with CreateToolhelp32Snapshot, to obtain all threads.

b. Loop to select all threads of the target process, those with te32.th32OwnerProcessID == pid, to obtain the target threads.

c. When condition b is met, call the SetHardWareBP function to set the hardware breakpoint of the target thread as required.

(context.ContextFlags = CONTEXT_DEBUG_REGISTERS)

④ After the hardware breakpoint is set successfully, set the 9th bit of the PSW register, the TF flag bit, to 1 and exit loop (5).

⑤ Restore the target process to the executing state with the ContinueDebugEvent function.

(6) Delete the memory breakpoint previously set at initalAdd[0] with VirtualProtectEx.

(7) Enter a loop and wait for the second exception (the int 1 exception) to trigger:

① WaitForDebugEvent(&DebugEvent, INFINITE); obtains the exception currently triggered.

② Filter for the EXCEPTION_SINGLE_STEP exception with a switch structure.

③ Once filtering confirms that the second exception has been triggered, repeatedly set the trap flag (TF flag bit) of the flags register to 1 through context.EFlags = context.EFlags + 0x100, so that the CPU raises a single-step interrupt after executing each instruction in the target thread; read the thread information in the interrupted state with GetThreadContext(hThread, CONTEXT_FULL).

④ Read the original machine code with ReadProcessMemory according to the value of context.Eip from ③, to obtain the data command.

⑤ Save the data command to the corresponding txt file in a specific format with the ShowDecoded function, to obtain the data command set.

⑥ Modify the execution environment (context) of the current thread with SetThreadContext(hThread, &context).

⑦ Restore the target process to the executing state with the ContinueDebugEvent function.

(8) Detach the system from the debugged program with DebugActiveProcessStop(pid), completing the acquisition of the data commands.

Two, build the three-dimensional linked list; the specific steps are as follows:

(1) First-level loop: for (i=0; i<totalLine/1000+1; i++) reads 1000 lines of text from the above txt file into memory on each pass.

① Control the starting position of the read with fseek(fp, i*101*1000, 0).

② Read in 1000 lines (each line is 100 bytes plus 1 newline) with fread(*txt, 101*1000, 1, fp) (a fixed 1000 lines are read each time).

③ Because the last read does not necessarily fill 1000 lines, adjust cutTime (the number of splits applied to txtContent) accordingly (cutTime = totalLine % 1000).

④ Second-level loop: for (j=0; j<cutTime; j++) stores the information of each line in a node of the linear linked list.

a. Request a memory address for the new node with NODE *CUT = (NODE *)malloc(sizeof(NODE));

b. Convert the bytes in memory into the values of the corresponding variables of the node, e.g. CUT->number[n] = txtContent[m]; the variable values include the run sequence number, the memory address and the original machine code.

c. Third-level loop: traverse the first row of the three-dimensional linked list along the right direction:

c1. cutlie++: the column number is incremented by 1 on every pass of the loop. (The initial column number is -1, because there is a node at position (0,0).)

c2. Check whether the values of the memory address eip and the machine code opcode of the new node are the same as the corresponding values of the first-row node that the ADDRIGHT pointer points to. If they are the same, link the new node at the bottom of the down direction of the node that ADDRIGHT points to (a fourth-level loop controls the row-number variable cuthang++), and set the flag addflag to 1 (which controls exiting the loop and adding to the first row).

c3. Check with if (addflag==1) whether the flag is set. If it is set, increase the repetition count by one and break out of the third-level loop.

c4. Check if (ADDRIGHT->right==NULL && addflag==0). If the flag is 0 and ADDRIGHT points to the last node in the right direction of the first row of the three-dimensional linked list, increment duli, the variable that counts independent nodes (duli++).

Three, build the suffix dictionary linked list, find by continued iteration the maximum repeated prefix after linked list nodes are deleted, and keep deleting the maximum repeated prefix iteratively, so that the data commands are logically partitioned according to different parameter standards. The specific steps are as follows:

1) Loop: while (repeatlength != 0) checks whether the maximum repeated prefix has reached the threshold.

① repeatlength = LONGESTREPEAT(ROOT); obtains, from the suffix memory addresses, the length repeatlength of the current longest repeated tuple, and records the address of each repeat's starting position in the global pointer array *EACHLONGESTREPEAT.

a. Loop through the three-dimensional linked list (i.e. the ROOT linked list) and, by column number and dictionary ordering rules, build the suffix dictionary linked list of the three-dimensional linked list.

a1. Allocate a new suffix pointer address node with malloc, and initialise DICNEW->REAR = PMOVE.

a2. Check whether the newly allocated node is the first node allocated.

a21. If it is the first node allocated: link it directly at next of the suffix dictionary linked list head node DICHEAD.

a22. If it is not the first node allocated: enter a second-level loop and traverse the suffix dictionary linked list built so far.

a221. Check: if the end of the suffix dictionary linked list has been reached, attach the node directly in the next direction of the end.

a222. Use (SUFFIXDIC(DICNEW->REAR, DICADD->next->REAR) < 0) break to check whether the ordering by column number is satisfied; if it is, insert the new node at the current traversal position.

b. Compare adjacent nodes of the suffix dictionary linked list in a loop, to find the starting addresses of the maximum repeated prefix and the number of repetitions.

b1. if (SAMEPREFIX(PREFIX, PREFIX->next) > maxlength) checks whether the repeated prefix of the adjacent nodes at the current traversal position in the suffix dictionary linked list is a new maximum repeated prefix. If it is a new maximum repeated prefix: rebuild completely the record linked list prehead of the maximum prefix in the current function (a linked list local to the function), and use continue to skip the rest of this pass of the loop.

b2. if (SAMEPREFIX(PREFIX, PREFIX->next) == maxlength) checks whether the repeated prefix of the original machine code opcode of the adjacent nodes at the current traversal position in the suffix dictionary linked list is equal in length to the maximum repeated prefix currently recorded in the function. If it is equal, a new suffix address node PRENEW is linked at the tail of the suffix dictionary linked list (the prehead linked list).

c. Use the global node address pointer array to store all values of the maximum repeat record linked list prehead (the linked list local to the function).

c1. Count the length of the suffix dictionary linked list (the prehead linked list) in a loop.

c2. In a double loop, traverse the suffix dictionary linked list (the prehead linked list) while adjusting the position marked by the global pointer array *EACHLONGESTREPEAT, transferring the values of the linked list into the global array.

② Count the number nodelength of addresses recorded in the global pointer array *EACHLONGESTREPEAT.

③ Second-level loop: delete all nodes in the three-dimensional linked list that correspond to the maximum repeated prefix:

a. Third-level loop: loop on the condition DELETEBEFORE->next != CUT to find the address DELETEBEFORE of the node preceding the longest chain.

b. Reset the cuttime variable to zero.

c. Third-level loop: loop on the condition cuttime < repeatlength to find the address END of the node following the longest chain.

d. Complete the deletion of one largest repeated tuple with DELETEBEFORE->next = END.

Four, count the data commands corresponding to the linked list nodes deleted in each round, to obtain several single reports; analysing on the basis of each single report gives the logical partitioning of the specific operating process of the target process.
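The loop of steps S106 to S108 and of parts Three and Four above (find the maximum repeated prefix, delete its nodes, repeat until it falls below the threshold), as an added example that is not code from the patent. It is a simplification: a flat array of memory addresses and a sorted suffix index stand in for the three-dimensional linked list and the suffix dictionary linked list, and cmp_suffix, longest_repeat, delete_repeat, reduce_trace and the sample trace are names and data constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const unsigned *g_trace; static size_t g_len; /* trace seen by the comparator */

/* Lexicographic order of two suffixes, each given by its start index. */
static int cmp_suffix(const void *a, const void *b)
{
    size_t i = *(const size_t *)a, j = *(const size_t *)b;
    for (; i < g_len && j < g_len; i++, j++)
        if (g_trace[i] != g_trace[j]) return g_trace[i] < g_trace[j] ? -1 : 1;
    return (i == g_len) ? ((j == g_len) ? 0 : -1) : 1;
}

/* Longest prefix shared by neighbouring sorted suffixes, capped at their gap (no overlap). */
static size_t longest_repeat(const unsigned *t, size_t n, size_t *start)
{
    size_t best = 0, *sa = malloc((n ? n : 1) * sizeof *sa);
    if (!sa) return 0;
    for (size_t k = 0; k < n; k++) sa[k] = k;
    g_trace = t; g_len = n;
    qsort(sa, n, sizeof *sa, cmp_suffix);
    for (size_t k = 0; k + 1 < n; k++) {
        size_t i = sa[k], j = sa[k + 1], l = 0, gap = i < j ? j - i : i - j;
        while (i + l < n && j + l < n && l < gap && t[i + l] == t[j + l]) l++;
        if (l > best) { best = l; *start = i < j ? i : j; }
    }
    free(sa);
    return best;
}

/* Delete every copy of t[start..start+len) in place; returns the new length. */
static size_t delete_repeat(unsigned *t, size_t n, size_t start, size_t len)
{
    unsigned *pat = malloc(len * sizeof *pat);
    size_t out = 0, k = 0;
    if (!pat) return n;
    memcpy(pat, t + start, len * sizeof *pat);
    while (k < n)
        if (k + len <= n && !memcmp(t + k, pat, len * sizeof *pat)) k += len;
        else t[out++] = t[k++];
    free(pat);
    return out;
}

/* Repeat until the longest run is shorter than threshold; returns the rounds. */
size_t reduce_trace(unsigned *t, size_t *n, size_t threshold)
{
    size_t rounds = 0, start = 0, len, left;
    while ((len = longest_repeat(t, *n, &start)) > 0 && len >= threshold) {
        if ((left = delete_repeat(t, *n, start, len)) == *n) break; /* alloc failed */
        printf("round %zu: removed %zu x %zu addresses\n", ++rounds, (*n - left) / len, len);
        *n = left;
    }
    return rounds;
}

int main(void)
{
    /* Constructed trace; 0xA, 0xB, 0xC stand in for the addresses A, B, C. */
    unsigned trace[] = {0xA, 0xB, 0xC, 0xD, 0xE, 0xF, 0xA, 0xB, 0xC, 0x10};
    size_t n = sizeof trace / sizeof *trace;
    return reduce_trace(trace, &n, 2) ? 0 : 1; /* one line is printed per round */
}
```

Capping a match at the distance between the two suffixes, so that a run is never counted as repeating with an overlapping copy of itself, is a choice made for this example; the text above does not say how overlapping repeats are treated.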

The embodiment of the invention stores each data command by building a three-dimensional linked list, and stores the address at which each data command sits in the three-dimensional linked list by building a suffix dictionary linked list. The three-dimensional linked list can thus be traversed from the address stored in each node of the suffix dictionary linked list to obtain quickly the suffix memory address corresponding to each node, which underpins the subsequent comparison of the suffix memory addresses of two adjacent nodes to obtain the maximum repeated prefix. Once the maximum repeated prefix is obtained, the corresponding linked list nodes in the three-dimensional linked list can be deleted; the deleted linked list nodes represent the data commands that occur most often, so the logical structure of the data commands is analysed accurately.

The above embodiments are merely exemplary embodiments of the invention and do not limit it; the scope of protection of the invention is defined by the claims. Those skilled in the art may make various modifications or equivalent substitutions to the invention within its spirit and scope of protection, and such modifications or equivalent substitutions shall also be regarded as falling within the scope of protection of the invention.
