CN102004884A - Method and device capable of acquiring executable file input table - Google Patents

Publication number: CN102004884A
Authority: CN (China)
Prior art keywords: address, dynamic link, cryptor, link library, information list
Legal status: Granted
Application number: CN2009101714154A
Other languages: Chinese (zh)
Other versions: CN102004884B
Inventors: 刘丹, 李毅超, 余三超, 贾范兵, 杨晗, 赵忠树, 张大成
Current assignee: Huawei Technologies Co Ltd; University of Electronic Science and Technology of China
Original assignee: Huawei Technologies Co Ltd; University of Electronic Science and Technology of China
Legal events: application filed by Huawei Technologies Co Ltd and University of Electronic Science and Technology of China; priority to CN 200910171415; publication of CN102004884A; application granted; publication of CN102004884B; current status: Expired - Fee Related.

Classification landscape: Stored Programmes (AREA)

Abstract

The embodiment of the invention discloses a method for acquiring the import table of an executable file, and a corresponding device. The method comprises: in a created DLL information list that holds, for each dynamic link library (DLL) loaded by the packed target program, the addresses of that DLL's exported functions, searching for addresses identical to the acquired destination addresses of control-flow jump instructions, so as to obtain IAT_3; and creating the import table from the DLL information list and IAT_3. The method is applicable to any packing method. Compared with the prior art, it is more universal, needs no manual intervention, and has a high degree of automation.

Description

Method and device for acquiring the import table of an executable file
Technical field
The present invention relates to the field of computer and communication technology, and specifically to a method and device for acquiring the import table of an executable file.
Background technology
A shell (packer) is a way of mapping binary code: a program attached to a target program that is responsible for protecting the software and making it difficult to analyse. Because of this protective function it is figuratively called a shell. The shell normally executes before the program, gains control, and then carries out its task of protecting the target software.
Packing is widely used in software protection and in evading the detection of malicious code. Packing software generally involves three aspects: first, obfuscating, transforming or encrypting the binary code of the target software; second, transforming the structure of the target software, and loading, interrupting or altering system information so as to destroy the environment the software needs in order to run, the principal means being to alter the import table of the executable file and hide the application programming interfaces (API, Application Programming Interface) that the software must import in order to run; third, adding anti-analysis code, checksum code and the like to hinder debugging and unpacking.
When packed target software is to be run, it must be unpacked. One common unpacking method is the direct inverse method: for a specific packing method, analyse its implementation, find the inverse algorithm, and unpack. The concrete operations of the direct inverse unpacking method include:
First, identify which shell was applied to the target software from features such as the entry-point code; then, manually analyse its code encryption method and import table transformation to obtain the decryption method; after decryption, remove the anti-analysis and checksum code to complete the unpacking; finally, store the shell's signature and the unpacking method in a database so that, the next time a match is found, the method can be invoked directly.
In researching and practising the prior art, the inventors found that the above unpacking method unpacks only shells of a specific, known type. Once a shell variant or a new shell appears, even a simple change in the encryption of the encrypted code can cause the method to fail completely; the prior-art unpacking method therefore lacks general applicability.
Moreover, manually analysing the code encryption method and the import table transformation means that the method has a low degree of automation and low efficiency.
Other unpacking methods in the prior art are mainly concerned with how to decrypt code during unpacking so that the binary code is correctly restored and the anti-analysis and checksum code removed, which suits the signature-matching anti-virus scanning and static reverse analysis that are currently conventional. But these methods only recover the binary code; they do not repair the import table, so the unpacked program cannot run again.
Summary of the invention
The embodiment of the invention provides a method and device for acquiring the import table of an executable file, and provides a generally applicable technical solution that requires no manual intervention, can acquire and reconstruct the import table of a packed target program, and lets the unpacked target program run normally.
The embodiment of the invention provides a method for acquiring the import table of an executable file, comprising:
acquiring all dynamic link libraries loaded by the packed target program and, from them, establishing a dynamic link library information list, which comprises: the names of all dynamic link libraries loaded by the packed target program, the base address of each such library, the memory range occupied by each such library, and the addresses of all exported functions in each such library;
the dynamic link library information list further comprises: the names of the exported functions in each dynamic link library loaded by the packed target program, and the ordinal of each exported function in each such library;
disassembling the code of the packed target program, and obtaining the destination addresses of all control-flow jump instructions and the content those destination addresses point to;
searching the dynamic link library information list for addresses identical to the obtained destination addresses of the control-flow jump instructions;
establishing the import table of the packed target program from the addresses of the exported functions contained in the search result and all information corresponding to those exported functions in the dynamic link library information list; the addresses of the exported functions contained in the search result are the addresses in the Import Address Table of the import table.
The embodiment of the invention also provides a device for acquiring the import table of an executable file, comprising:
a dynamic link library (DLL) information acquisition unit, for acquiring all dynamic link libraries loaded by the packed target program and, from them, establishing a dynamic link library information list, which comprises: the names of all dynamic link libraries loaded by the packed target program, the base address of each such library, the memory range occupied by each such library, and the addresses of all exported functions in each such library;
the dynamic link library information list further comprises: the names of the exported functions in each dynamic link library loaded by the packed target program, and the ordinal of each exported function in each such library;
a disassembly unit, for disassembling the code of the packed target program;
a control-flow jump instruction address acquisition unit, for obtaining, from the disassembled code output by the disassembly unit, the destination addresses of all control-flow jump instructions and the content those destination addresses point to;
an effective address acquisition unit, for searching, among the addresses of the exported functions of each dynamic link library loaded by the packed target program that are contained in the dynamic link library information list, for addresses identical to the obtained destination addresses of the control-flow jump instructions;
an import table reconstruction unit, for establishing the import table of the packed target program from the addresses of the exported functions contained in the search result and all the corresponding information in the dynamic link library information list; the addresses of the exported functions contained in the search result are the addresses in the Import Address Table of the import table.
In the embodiment of the invention, the addresses of the exported functions of each DLL loaded by the packed target program, as contained in the established DLL information list, are searched for addresses identical to the obtained destination addresses of the control-flow jump instructions, thereby obtaining IAT_3; the import table is then established from the DLL information list and IAT_3. This method is applicable to any packing method; compared with the prior art it is more general, requires no manual analysis, and has a high degree of automation.
Description of drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings required by the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a general flow chart of a method for acquiring the import table of an executable file provided by embodiment one of the invention;
Fig. 2 is a schematic diagram of the header of the DLL information list created in embodiment one;
Fig. 3 is a schematic diagram of a list containing addresses and the content those addresses point to, provided in embodiment one;
Fig. 4 is a schematic diagram of establishing the import table, provided in embodiment one;
Fig. 5 is a general flow chart of a method for acquiring the import table of an executable file provided by embodiment two;
Fig. 6 is a schematic diagram of the logical structure of a device for acquiring the import table of an executable file provided by embodiment three.
Detailed description
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
The embodiment of the invention provides a method for acquiring the import table of an executable file, and also provides a corresponding executing device. Each is described in detail below.
To make the technical solutions of the embodiments easier to understand, it should be noted that the device first loads the packed target program and sets a breakpoint at the original entry point (OEP), that is, the point reached when the code decryption has finished; the method for acquiring the import table provided by the embodiment starts executing from that moment, and through this method the import table is finally acquired from the encrypted packed target program. When this breakpoint is triggered, the decrypted target program, which then has an import table, can dynamically load DLLs, so that the target program can be executed. Each is described in detail below.
Embodiment one
The embodiment of the invention provides a method for acquiring the import table of an executable file. Before explaining the method, the concept of the import table is first explained, to aid understanding of the method.
Packed target software that is being run consists of an executable file, and this executable file may call one or more dynamic link library (DLL) files, that is, call code or data of a DLL; the called DLL code or data is called an import. The addresses of imported functions are resolved by the operating system through the import table when the executable file is loaded. The import table (Import Table) is an indispensable part of the executable file structure. When the executable needs to call a function in another file, it must look up the address in the import table. The content of the import table is the addresses of the functions of other files that can be called. These callable functions are API functions: they are not part of the target executable itself but are provided by the system, so to call them the target must find the address to call through the import table.
The import table is a data structure composed of several arrays: the import descriptor table (IID, IMAGE_IMPORT_DESCRIPTOR), the Import Name Table (INT), the Import Address Table (IAT) and the import function name (IIN, IMAGE_IMPORT_BY_NAME). The operating system locates the addresses of the imported functions through the IID, INT and IIN, writes those addresses into the IAT, and thereby completes DLL loading. Packed target software usually deletes the IID, INT and IIN and fills the IAT itself. Therefore, after unpacking, the code that filled the IAT in place of the IID, INT and IIN is removed, and the IAT that the packed software filled by itself obviously cannot be correctly recognised by the operating system, so in the prior art the target software cannot run.
The method for acquiring the import table provided by the embodiment can identify the Import Address Table (IAT) through which the executable calls DLL code or data, repair the IAT, and rebuild the import table (Import Table). Referring to Fig. 1, the method comprises:
Step 1: acquire all dynamic link libraries (DLLs) loaded by the packed target program and, from the acquired DLLs, establish a DLL information list containing any of the following:
the names of all DLLs loaded by the packed target program,
the base address of each DLL loaded by the packed target program,
the memory range occupied by each DLL loaded by the packed target program,
the addresses of all exported functions in each DLL loaded by the packed target program, and
the names of the exported functions in each DLL loaded by the packed target program, and
the ordinal of each exported function in each DLL loaded by the packed target program.
Fig. 2 shows the header of the created DLL information list, that is, the title of each column in the list.
The specific operations of establishing the DLL information list from all DLLs loaded by the packed target program in step 1 may comprise:
Step A1: acquire the names of all DLLs loaded by the packed target program, the base address corresponding to each DLL name, and the memory range occupied by each DLL loaded by the packed target program;
Step A2: from the acquired names of all DLLs loaded by the packed target program, acquire the name of each exported function in each DLL and the ordinal of each exported function in each DLL; the offset of each exported function relative to the base address may also be acquired;
Step A3: from the base address corresponding to each DLL name acquired in step A1 and the offset of each exported function relative to the base address acquired in step A2, obtain the address of each exported function in each DLL, and thereby establish the DLL information list.
The DLL information list thus comprises:
the names of all DLLs loaded by the packed target program, the base address corresponding to each DLL name, and the memory range occupied by each DLL, as acquired in step A1; and
the names of the exported functions in each DLL loaded by the packed target program, or the ordinals of the exported functions in each DLL, as acquired in step A2; and
the addresses of the exported functions in each DLL, as obtained in step A3.
The address of an exported function obtained in step A3 is the sum of the base address of the DLL containing that exported function and the offset of that exported function relative to the base address.
Through steps A1 to A3 the system learns the relevant information about all DLLs loaded by the packed target program, that is, it establishes the DLL information list. The addresses of all functions called by the packed target program can be found among the exported-function address entries of this DLL information list, so the list plays an important role in the subsequent operations.
Step 2: disassemble the code of the packed target program and obtain the destination addresses of all control-flow jump instructions and the content those destination addresses point to;
Fig. 3 shows the header of the list formed from the destination addresses of the control-flow jump instructions obtained in step 2 and the content those destination addresses point to, that is, the title of each column in the list.
In step 2, the code of the packed target program is entirely binary; to make it easy to understand and identify the instructions in the packed target program, its code must be disassembled. Disassembly identifies all control-flow jump instructions in the packed target program and so obtains their destination addresses. The destination address of such an instruction is generally the address of the function to be called, i.e. generally the address of an API function. The destination address of a control-flow jump instruction can also be a non-executable address.
The form of a control-flow jump instruction may be jmp [xxx], call [xxx] or some other form; the examples given here should not be construed as limiting the embodiment. Here xxx is the address of the called function (or the address of an API function). The "content the address points to" referred to in step 2 may be the API function itself that the address points to; if the destination address of the control-flow jump instruction is a non-executable address, the "content the address points to" is other data.
Step 3: among the addresses of the exported functions of each DLL loaded by the packed target program, as contained in the DLL information list established in step 1, search for addresses identical to the destination addresses of the control-flow jump instructions obtained in step 2; the addresses found and the content those addresses point to form the third Import Address Table (IAT_3);
For ease of understanding, the list format of IAT_3 may be as in Fig. 3.
Among the destination addresses of all the control-flow jump instructions there may be addresses of system functions that the target program calls (i.e. API addresses). By comparing the destination addresses of the control-flow jump instructions with the addresses of the exported functions of each DLL loaded by the packed target program, as acquired in step 1, and finding the identical addresses, those identical addresses are exactly the addresses of the called system functions (i.e. the API addresses): if the destination address of a control-flow jump instruction in the packed target program is an API address, the packed target program jumps to that API address and thereby calls a function in a system DLL (that function is, of course, an exported function of the DLL, and the address of that exported function is the address of the API).
For ease of understanding it should also be noted that, in step 3, destination addresses of the control-flow jump instructions obtained in step 2 for which no identical address is found in the DLL information list may collectively be called addresses needing repair; the non-executable addresses among them may be removed before repair (because they do not need to be repaired), to reduce the time spent.
Similarly, destination addresses of the control-flow jump instructions obtained in step 2 for which no identical address is found among the exported-function addresses in the DLL information list of step 1 are either non-executable addresses or destination addresses that need repair (the specific explanation of repair is given in later text and is not introduced here). This paragraph serves only to aid understanding and is not absolute; it should not be construed as limiting the embodiment.
Step 4: establish the import table of the packed target program from all addresses contained in the obtained IAT_3, the content those addresses point to, and all information corresponding to those addresses in the established DLL information list.
In step 4, the addresses in IAT_3 are matched against the exported-function addresses in the DLL information list; the addresses in IAT_3 that are identical to exported-function addresses are classified by DLL name according to the DLL information list; the addresses in IAT_3 that are identical to exported-function addresses belonging to one DLL name are filled into the IAT of the import table for that DLL; the corresponding information for each address in IAT_3 is obtained from the DLL information list and inserted into the IID, INT, IAT and IIN of the import table; and the pointer relationships between the IID, INT, IAT and IIN are established.
Fig. 4 shows the import table corresponding to one DLL: the addresses filled into the IAT of this import table are the exported-function addresses of the DLL of the same name in the DLL information list, and these exported-function addresses are all contained in IAT_3.
Each DLL name corresponds to an import table of the structure shown in Fig. 4; since each DLL contains several exported functions, the IAT of the import table for one DLL name contains one or more called-function addresses.
Because all addresses in IAT_3 are contained in the DLL information list, one concrete method of filling in the import table may be:
Step C1: match an address in IAT_3 against the exported-function addresses in the DLL information list;
Step C2: judge whether an import table already exists whose DLL name is the DLL name, in the DLL information list, corresponding to the above address; if not, go to step C3; if so, go to step C5;
Step C3: create an import table and fill the address into the IAT of the created import table, then execute step C4;
Step C4: insert the DLL name obtained from the DLL information list after matching, the base address of that DLL and the memory range occupied by that DLL into the IID of this import table; insert the name of the exported function or the ordinal of the exported function obtained after matching into the IIN and INT of this import table; and establish the pointers between the IID, IIN, IAT and INT;
The content filled into the IIN and INT is identical: the name and/or the ordinal of the exported function obtained after matching.
Step C5: fill the address into the IAT of the existing import table, insert the name or ordinal of the exported function obtained after matching into the IIN and INT of this import table, and establish the pointers between the corresponding entries of the IIN, IAT and INT. Step C5 can also be understood with reference to Fig. 4: when step C2 finds that an import table already exists whose DLL name is the DLL name in the DLL information list corresponding to the address, one row is added to the IAT of that import table to hold this address from IAT_3.
The pointers between the IID, IIN, IAT and INT run in the direction of the arrows shown in Fig. 4. The specific method of establishing the pointers between the IID, IIN, IAT and INT in the import table is prior art and is not described in detail here.
Step C6: perform steps C1 to C5 for every address in IAT_3, then finish.
The above explanation of steps C1 to C6 gives a clearer understanding of step 4 of the embodiment.
As explained in steps 1 to 4, the addresses of the exported functions of each DLL loaded by the packed target program, as contained in the DLL information list established in step 1, are searched for addresses identical to the destination addresses of the control-flow jump instructions obtained in step 2, thereby obtaining IAT_3; the import table is then established from the DLL information list and IAT_3. This method is applicable to any packing method; compared with the prior art it is more universal, requires no manual intervention, and has a high degree of automation.
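As an added worked example, not code from the patent or from the assignees, the following Python runs steps 1 to 4 of embodiment one on constructed data: a DLL information list built from made-up export tables (steps A1 to A3, with address = base + RVA), a made-up disassembler output of control-flow instructions and their destination addresses (step 2), the intersection that yields IAT_3 (step 3), and the per-DLL import tables with IID, IAT, INT and IIN entries (steps C1 to C6). Every DLL name, address and RVA below is constructed for illustration; the IID, INT and IIN are modelled as plain Python structures rather than the on-disk PE layout.

```python
# Constructed input for step 1 (A1/A2): DLL name -> (base address, size in memory,
# [(ordinal, exported function name, RVA of the export)]). All values are made up.
LOADED_DLLS = {
    "KERNEL32.dll": (0x7C800000, 0xF6000, [
        (1, "GetProcAddress", 0x1AE40),
        (2, "LoadLibraryA", 0x1D7B0),
        (3, "ExitProcess", 0x1CAFA),
    ]),
    "USER32.dll": (0x7E410000, 0x91000, [
        (1, "MessageBoxA", 0x450EA),
    ]),
}

# Constructed input for step 2: what a disassembler reports for the packed program's
# code, as (instruction address, mnemonic, destination address).
JUMP_INSTRUCTIONS = [
    (0x401000, "call", 0x7C81AE40),  # -> KERNEL32!GetProcAddress
    (0x401006, "jmp",  0x7E4550EA),  # -> USER32!MessageBoxA
    (0x40100C, "call", 0x00403000),  # internal call: not an exported function
    (0x401012, "call", 0x7C81CAFA),  # -> KERNEL32!ExitProcess
]


def build_dll_info_list(loaded):
    """Steps A1-A3: absolute export address = DLL base + export RVA (step A3).
    Returns address -> (DLL name, base, size, function name, ordinal)."""
    info = {}
    for dll, (base, size, exports) in loaded.items():
        for ordinal, name, rva in exports:
            info[base + rva] = (dll, base, size, name, ordinal)
    return info


def find_iat3(dll_info, jumps):
    """Step 3: IAT_3 is the set of destination addresses that are also exported
    function addresses in the DLL information list."""
    return sorted({dest for _, _, dest in jumps if dest in dll_info})


def build_import_tables(dll_info, iat3):
    """Step 4, C1-C6: one import table per DLL name. Each table holds an IID
    (DLL name, base, size), an IAT (addresses from IAT_3), an IIN (ordinal, name)
    and an INT whose entries index the matching IIN entry."""
    tables = {}
    for addr in iat3:
        dll, base, size, name, ordinal = dll_info[addr]   # C1: match against the list
        if dll not in tables:                             # C2/C3: new table for this DLL
            tables[dll] = {"IID": {"name": dll, "base": base, "size": size},
                           "IAT": [], "INT": [], "IIN": []}
        table = tables[dll]
        table["IAT"].append(addr)                         # C3/C5: one IAT row per address
        table["IIN"].append((ordinal, name))              # C4/C5: IIN and INT carry the same info
        table["INT"].append(len(table["IIN"]) - 1)        # INT row points at its IIN row
    return tables


def reconstruct(loaded=LOADED_DLLS, jumps=JUMP_INSTRUCTIONS):
    """Run steps 1-4 and return (IAT_3, import tables keyed by DLL name)."""
    dll_info = build_dll_info_list(loaded)
    iat3 = find_iat3(dll_info, jumps)
    return iat3, build_import_tables(dll_info, iat3)


if __name__ == "__main__":
    iat3, tables = reconstruct()
    print("IAT_3:", [hex(a) for a in iat3])
    for dll, table in tables.items():
        print(dll, "IAT:", [hex(a) for a in table["IAT"]], "IIN:", table["IIN"])
```

The internal call to 0x403000 is dropped in step 3 because no DLL exports that address; with real inputs the export tables would come from the loaded modules and the jump list from a disassembler.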
Embodiment two
The embodiment of the invention provides a method for acquiring the import table of an executable file that is similar to the method of embodiment one and can acquire the import table of the packed target program; the method of this embodiment adds certain operations to embodiment one so that the acquired import table is more accurate and the process is more efficient.
The method of this embodiment is explained below with reference to Fig. 5; it comprises:
Steps D1 and D2 are identical to steps 1 and 2 of embodiment one; see the explanation of steps 1 and 2;
Step D3: remove, from the destination addresses of all control-flow jump instructions obtained in step D2, the addresses lying in non-executable address ranges, together with the content those addresses point to, thereby obtaining IAT_1, which contains the destination addresses of the control-flow jump instructions that were not removed and the content those destination addresses point to.
For ease of understanding, the list format of IAT_1 may be as in Fig. 3.
The non-executable address ranges in step D3 usually comprise at least: the null-pointer region, the kernel region, or any other inaccessible addresses; they may also comprise addresses in the reserved state (unallocated space).
It should also be noted that, because step D3 is performed, the number of repairs carried out by the invalid-address repair operation of the subsequent steps D7 to D9 is reduced, which increases the execution speed of the method.
Step D4: take the maximum of the destination addresses of the non-removed control-flow jump instructions in IAT_1 and, starting from this maximum, search in the direction of addresses greater than the maximum, stopping when the content an address points to is empty (or zero); the addresses found and the content they point to are added to IAT_1;
and/or take the minimum of the destination addresses of the non-removed control-flow jump instructions in IAT_1 and, starting from this minimum, search in the direction of addresses less than the minimum, stopping when the content an address points to is empty (or zero); the addresses found and the content they point to are added to IAT_1;
Compared with embodiment one, step D4 is added; because of step D4, the range of addresses in IAT_1 is larger than the range of destination addresses of the control-flow jump instructions obtained in step D2 alone, so that the finally obtained import table approaches, to the greatest extent possible, the import table of the target program before it was packed.
Step D5: for each address in IAT_1, judge whether an address identical to it can be found in the DLL information list; if so, perform step D6; if not, perform step D7;
Step D6: fill the addresses in IAT_1 for which an identical address was found in the DLL information list into IAT_2;
For ease of understanding, the list format of IAT_2 may also be seen in Figure 3.
An address in IAT_1 for which an identical address is found in the DLL information list may also be called a "valid address"; an address in IAT_1 for which no identical address is found in the DLL information list may also be called an "invalid address".
Step D7: disassemble the content of the addresses in IAT_1 for which no identical address was found in the DLL information list, obtaining the disassembled code;
Step D8: judge whether the disassembled code contains an API call; if so, perform step D9; if not, end the process;
Step D9: obtain the address of the first API call in the disassembled code and fill that address into IAT_2;
Compared with embodiment one, steps D7 to D9 added in this embodiment two allow the device to repair invalid addresses, that is, to obtain the address of the API call from the content pointed to by the invalid address. An exported-function address identical to the address of this API call can be found in the DLL information list that has been created. Thus the import table can be reconstructed in the subsequent step D10.
Step D10: similarly to step 4 of embodiment one, establish the import table of the target packed program from all addresses contained in IAT_2 as obtained in steps D6 and D9, the content those addresses point to, and all information corresponding to those addresses in the DLL information list that has been established.
IAT_2 plays the same role here as IAT_3 does in embodiment one. For the explanation of step D10, refer to the explanation of step 4 in embodiment one, which is not repeated here.
From the description of steps D1 to D10 above: in the DLL information list that has been established, among the addresses of the exported functions in each DLL loaded by the target packed program, the addresses identical to those in IAT_2 are searched for, whereby valid addresses and invalid addresses are obtained; the invalid addresses are repaired, thereby obtaining IAT_3; the import table is then established from the DLL information list and IAT_3. This method applies to any packing method; compared with the prior art it is more universal, requires no manual intervention and has a high degree of automation.
Further, the method removes the addresses lying in the non-executable address range, which reduces unnecessary repair of invalid addresses in the subsequent operations and thereby improves the execution efficiency of the method;
Further, in step D4 the method starts searching from the maximum and/or minimum address in IAT_1, which prevents possibly called API addresses from being omitted and makes the finally obtained import table more accurate.
Further, the method adds the operations of steps D7 to D9, which repair invalid addresses and obtain the API addresses indirectly called by control-flow transfer instructions, making the finally obtained import table more accurate.
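The following is an added worked example, not code from the patent, of steps D3 to D10 above; the same flow corresponds to the screening unit 105, the search unit 106 and units 2001 to 2005 of the device described in embodiment three. It assumes a 32-bit process image with 4-byte IAT slots, a null-pointer region of 64 KiB and a kernel region starting at 0x80000000; the DLL information list, slot contents, stub bytes and candidate addresses are all constructed sample values (the export addresses and ordinals are not real), and the byte decoder in `first_api_call` is a deliberately tiny stand-in for a real disassembler that knows only the few instruction forms the constructed stubs use.

```python
"""Import-table reconstruction in the manner of steps D3-D10 (added example;
every address, export and stub below is constructed, not real)."""
import struct
from dataclasses import dataclass

# Step D3 non-executable address range (assumed 32-bit layout)
NULL_REGION_END = 0x00010000   # null-pointer region
KERNEL_BASE = 0x80000000       # kernel region
SLOT = 4                       # width of one IAT slot (32-bit image)


@dataclass
class DllInfo:
    """One row of the DLL information list (step D1 / unit 100)."""
    name: str
    base: int
    size: int
    exports: dict  # export address -> (function name, ordinal)


# Constructed DLL information list (sample export addresses and ordinals).
DLL_LIST = [
    DllInfo("kernel32.dll", 0x7C800000, 0x100000, {
        0x7C801D7B: ("LoadLibraryA", 1), 0x7C80AE40: ("GetProcAddress", 2),
        0x7C809AF1: ("VirtualAlloc", 3), 0x7C81CAA2: ("ExitProcess", 4)}),
    DllInfo("user32.dll", 0x7E410000, 0x91000, {
        0x7E4507EA: ("MessageBoxA", 5)}),
]

# Constructed process image: slots the program jumps through.  0x402008 and
# 0x402010 point at packer stubs instead of at the API (the "invalid
# addresses" repaired by steps D7-D9); 0x402014 is a zero terminator;
# 0x402200 is a slot used only by one of the stubs.
IAT_SLOTS = {
    0x402000: 0x7C801D7B, 0x402004: 0x7C80AE40, 0x402008: 0x00401500,
    0x40200C: 0x7E4507EA, 0x402010: 0x00401520, 0x402014: 0x00000000,
    0x402200: 0x7C81CAA2,
}
CODE = {
    # push ebp; mov ebp, esp; jmp rel32 -> VirtualAlloc
    0x401500: b"\x55\x89\xE5\xE9" + struct.pack("<i", 0x7C809AF1 - 0x401508),
    # nop; jmp dword ptr [0x402200] -> ExitProcess
    0x401520: b"\x90\xFF\x25" + struct.pack("<I", 0x402200),
}
# Target addresses of the control-flow transfer instructions found by
# step D2; two of them fall in the non-executable range.
CANDIDATES = [0x40200C, 0x402004, 0x402008, 0x00000000, 0x80001000]


def read_slot(addr):
    """Content a slot address points to; unmapped memory reads as zero."""
    return IAT_SLOTS.get(addr, 0)


def is_executable(addr):
    """Step D3 / screening unit 105: drop null-page, kernel and unmapped
    (reserved-state) addresses."""
    return NULL_REGION_END <= addr < KERNEL_BASE and addr in IAT_SLOTS


def export_lookup(addr):
    """Steps D5/D6: is addr the address of an exported function?"""
    for dll in DLL_LIST:
        if addr in dll.exports:
            return dll, dll.exports[addr]
    return None


def first_api_call(addr):
    """Steps D7-D9 / units 2003-2005: decode the bytes at addr and return the
    target of the first control transfer that lands on a known export.  The
    decoder is a tiny stand-in for a real disassembler (assumption)."""
    code = CODE.get(addr, b"")
    ip = 0
    while ip < len(code):
        op = code[ip]
        if op in (0x55, 0x90):                       # push ebp / nop
            ip += 1
        elif code[ip:ip + 2] == b"\x89\xE5":         # mov ebp, esp
            ip += 2
        elif op in (0xE8, 0xE9) and ip + 5 <= len(code):   # call/jmp rel32
            rel = struct.unpack_from("<i", code, ip + 1)[0]
            target = (addr + ip + 5 + rel) & 0xFFFFFFFF
            return target if export_lookup(target) else None
        elif op == 0xFF and code[ip + 1:ip + 2] in (b"\x15", b"\x25") \
                and ip + 6 <= len(code):             # call/jmp [imm32]
            slot = struct.unpack_from("<I", code, ip + 2)[0]
            target = read_slot(slot)
            return target if export_lookup(target) else None
        else:
            return None                              # unknown opcode: give up
    return None


def reconstruct(candidates):
    """Steps D3-D10: returns the import table as (slot, dll, name, ordinal)."""
    # D3: screen out non-executable targets; IAT_1 maps slot -> content
    iat1 = {a: read_slot(a) for a in candidates if is_executable(a)}
    # D4 / search unit 106: extend upward from the max and downward from
    # the min until a zero slot is reached
    a = max(iat1) + SLOT
    while read_slot(a) != 0:
        iat1[a] = read_slot(a)
        a += SLOT
    a = min(iat1) - SLOT
    while read_slot(a) != 0:
        iat1[a] = read_slot(a)
        a -= SLOT
    # D5-D9: valid addresses go straight into IAT_2, invalid ones are repaired
    iat2 = {}
    for slot, content in iat1.items():
        api = content if export_lookup(content) else first_api_call(content)
        if api is not None:
            iat2[slot] = api
    # D10: join IAT_2 with the DLL information list
    table = []
    for slot, api in sorted(iat2.items()):
        dll, (name, ordinal) = export_lookup(api)
        table.append((slot, dll.name, name, ordinal))
    return table


if __name__ == "__main__":
    for slot, dll, name, ordinal in reconstruct(CANDIDATES):
        print(f"{slot:#010x} -> {dll}!{name} (#{ordinal})")
```

Running it yields five import entries; the two slots that pointed at packer stubs (0x402008 and 0x402010) are resolved to VirtualAlloc and ExitProcess by the repair step. One caveat on the D4 stop condition: because each DLL's thunk array in a PE import table ends with a null slot, the upward and downward search only extends over the contiguous block containing the first hits, so slots in another DLL's block beyond a null terminator (the constructed 0x402200 here) are picked up only if some control-flow transfer instruction targets that block directly.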
Embodiment three
An embodiment of the invention provides a device for obtaining the import table of an executable file; as shown in Figure 6, the device comprises: a dynamic link library (DLL) information acquisition unit 100, a disassembly unit 101, a control-flow transfer instruction address acquisition unit 102, a valid address acquisition unit 103 and an import table reconstruction unit 104.
The DLL information acquisition unit 100 is used to obtain all DLLs loaded by the target packed program and to establish a DLL information list from the DLLs obtained; the DLL information list comprises: the names of all DLLs loaded by the target packed program, the base address of each DLL loaded by the target packed program, the memory range occupied by each DLL loaded by the target packed program, the addresses of all exported functions in each DLL loaded by the target packed program, the names of the exported functions in each DLL loaded by the target packed program, and the ordinal of each exported function in each DLL loaded by the target packed program;
The disassembly unit 101 is used to disassemble the code of the target packed program;
The control-flow transfer instruction address acquisition unit 102 is used to obtain, from the disassembly result of the disassembly unit 101, the target addresses of all control-flow transfer instructions and the content those addresses point to;
The valid address acquisition unit 103 is used to search, in the DLL information list established by the DLL information acquisition unit 100, among the addresses of the exported functions in each DLL loaded by the target packed program, for addresses identical to the target addresses of the control-flow transfer instructions obtained by the control-flow transfer instruction address acquisition unit 102, and to produce IAT_3 from the addresses contained in the search result and the content those addresses point to;
The import table reconstruction unit 104 is used to establish the import table of the target packed program from all addresses contained in the obtained IAT_3, the content those addresses point to, and all information corresponding to those addresses in the established DLL information list.
It should also be noted that the logical modules of the device may alternatively be divided into: an import address table identification module, an import address table repair module and an import table rebuilding module.
The import address table identification module may comprise the three units described above: the DLL information acquisition unit 100, the disassembly unit 101 and the control-flow transfer instruction address acquisition unit 102;
The import address table repair module may comprise the valid address acquisition unit 103 described above;
The import table rebuilding module may comprise the import table reconstruction unit 104 described above.
For a clearer understanding of the device provided by this embodiment, refer to the description of the method provided in the method embodiments.
From the description of the device provided by the embodiment of the invention: the device searches, in the established DLL information list, among the addresses of the exported functions in each DLL loaded by the target packed program, for addresses identical to the obtained target addresses of the control-flow transfer instructions, thereby obtaining IAT_3; it then establishes the import table from the DLL information list and IAT_3. The device applies to any packing method; compared with the prior art it is more universal, requires no manual intervention and has a high degree of automation.
Further, in order to remove the addresses in the non-executable address range from those obtained by the control-flow transfer instruction address acquisition unit 102, the device may also comprise a screening unit 105, used to remove, from the target addresses of all control-flow transfer instructions obtained by the control-flow transfer instruction address acquisition unit 102, the addresses in the non-executable address range together with the content those addresses point to, thereby obtaining IAT_1; IAT_1 comprises the target addresses of the control-flow transfer instructions that were not removed and the content those target addresses point to.
Further, in order not to omit import addresses and to enlarge the selected range of import addresses, the device may also comprise a search unit 106, used to obtain the maximum address from the output of either the control-flow transfer instruction address acquisition unit 102 or the screening unit 105; starting from that maximum, search in the direction of increasing addresses, stop when the content pointed to by an address is null (or zero), and fill the addresses found, together with the content they point to, into IAT_1;
and/or obtain the minimum address; starting from that minimum, search in the direction of decreasing addresses, stop when the content pointed to by an address is null (or zero), and fill the addresses found, together with the content they point to, into IAT_1;
Here IAT_1 may hold the target addresses of the control-flow transfer instructions that were not removed and the content those addresses point to, or it may hold all control-flow transfer instruction addresses obtained from the control-flow transfer instruction address acquisition unit 102 and the content those addresses point to.
Further, the valid address acquisition unit 103 in the device provided by the embodiment of the invention may specifically comprise: a first judging unit 2001 and a first filling unit 2002.
The first judging unit 2001 is used to judge, for each address in IAT_1, whether an address identical to it can be found in the DLL information list, and to notify the first filling unit 2002 of the judgement result;
The first filling unit 2002 is used to fill into IAT_2 the addresses in IAT_1 for which the first judging unit 2001 found an identical address in the DLL information list.
It should be noted that the addresses in IAT_2 obtained above are valid addresses but do not include repaired addresses; the import table reconstruction unit 104 can already establish a correct import table from the current IAT_2. In fact, the valid address acquisition unit 103 can also repair invalid addresses, and therefore it may further comprise: a second disassembly unit 2003, a second judging unit 2004 and a second filling unit 2005.
The second disassembly unit 2003 is used to disassemble the content of the addresses in IAT_1 for which the first judging unit 2001 found no identical address in the DLL information list, obtaining the disassembled code;
The second judging unit 2004 is used to judge whether the disassembled code obtained by the second disassembly unit 2003 contains an API call; if so, it notifies the second filling unit 2005; if not, it performs no operation;
The second filling unit 2005 is used to obtain the address of the first API call in the disassembled code and to fill that address into IAT_2.
To avoid confusion, it should also be explained that IAT_3 above records the result obtained by the control-flow transfer instruction address acquisition unit 102, and that result is output to the import table reconstruction unit 104; IAT_2, on the other hand, is the set of addresses finally output to the import table reconstruction unit 104 when the device additionally includes the screening unit 105 or the search unit 106, or after the repair function has been added to the device.
By adding the second disassembly unit 2003, the second judging unit 2004 and the second filling unit 2005, the device gains the function of repairing invalid addresses, making the finally obtained import table more accurate.
For an understanding of the device for obtaining the import table of an executable file provided by the embodiment of the invention, reference may also be made to the descriptions in embodiments one and two.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium may comprise: ROM, RAM, a magnetic disk, an optical disc, etc.
The method and device for obtaining the import table of an executable file provided by the embodiments of the invention have been described in detail above. Specific examples have been used herein to set forth the principle and implementations of the invention, and the description of the above embodiments serves only to help understand the method of the invention and its core idea. Meanwhile, those of ordinary skill in the art may, according to the idea of the invention, make changes in the specific implementations and the scope of application. In summary, this description should not be construed as limiting the invention.

Claims (10)

1. A method for obtaining the import table of an executable file, characterized in that it comprises:
obtaining all dynamic link libraries loaded by the target packed program and establishing a dynamic link library information list from all the dynamic link libraries obtained, the dynamic link library information list comprising: the names of all dynamic link libraries loaded by the target packed program, the base address of each dynamic link library loaded by the target packed program, the memory range occupied by each dynamic link library loaded by the target packed program, and the addresses of all exported functions in each dynamic link library loaded by the target packed program;
the dynamic link library information list further comprising: the names of the exported functions in each dynamic link library loaded by the target packed program, and the ordinal of each exported function in each dynamic link library loaded by the target packed program;
disassembling the code of the target packed program to obtain the target addresses of all control-flow transfer instructions and the content the target addresses point to;
searching the dynamic link library information list for addresses identical to the obtained target addresses of the control-flow transfer instructions;
establishing the import table of the target packed program from the addresses of the exported functions contained in the search result and all information corresponding to those exported-function addresses in the dynamic link library information list; the addresses of the exported functions contained in the search result being the addresses in the import address table of the import table.
2. The method according to claim 1, characterized in that, after obtaining the target addresses of all control-flow transfer instructions and the content the target addresses point to, and before searching for addresses identical to the obtained target addresses of the control-flow transfer instructions, the method further comprises:
removing, from the obtained target addresses of all control-flow transfer instructions, the addresses in the non-executable address range;
searching for addresses identical to the obtained target addresses of the control-flow transfer instructions then specifically comprising: searching for addresses identical to the target addresses of the control-flow transfer instructions, the target addresses of the control-flow transfer instructions being the target addresses remaining after the addresses in the non-executable address range have been removed.
3. The method according to claim 1, characterized in that the non-executable address range comprises at least: the null-pointer region, the kernel region, or any address in the reserved state.
4. The method according to claim 1, characterized in that, after obtaining the target addresses of all control-flow transfer instructions and the content the target addresses point to, and before searching for addresses identical to the obtained target addresses of the control-flow transfer instructions, the method further comprises:
obtaining the maximum of the target addresses of all control-flow transfer instructions; starting from the maximum, searching in the direction of increasing addresses, stopping when the content pointed to by an address is found to be empty during the search, and recording the addresses found and the content those addresses point to;
and/or obtaining the minimum of the target addresses of all control-flow transfer instructions; starting from the minimum, searching in the direction of decreasing addresses, stopping when the content pointed to by an address is found to be empty during the search, and recording the addresses found and the content those addresses point to;
searching for addresses identical to the obtained target addresses of the control-flow transfer instructions then specifically comprising: searching for addresses identical to the obtained target addresses of the control-flow transfer instructions and for addresses identical to the addresses found by the search.
5. The method according to claim 1, characterized in that the method further comprises: when the target address of a control-flow transfer instruction is one for which no address identical to it is found in the dynamic link library information list, disassembling the content the target address of that control-flow transfer instruction points to, obtaining the disassembled code;
judging whether the disassembled code contains an application programming interface call; if so, obtaining the address of the application programming interface call;
then establishing the import table of the target packed program from the addresses of the exported functions contained in the search result, all information corresponding to those exported-function addresses in the dynamic link library information list, the address of the application programming interface call, and all information corresponding to the address of the application programming interface call in the dynamic link library information list.
6. A device for obtaining the import table of an executable file, characterized in that it comprises:
a dynamic link library (DLL) information acquisition unit, used to obtain all dynamic link libraries loaded by the target packed program and to establish a dynamic link library information list from all the dynamic link libraries obtained, the dynamic link library information list comprising: the names of all dynamic link libraries loaded by the target packed program, the base address of each dynamic link library loaded by the target packed program, the memory range occupied by each dynamic link library loaded by the target packed program, and the addresses of all exported functions in each dynamic link library loaded by the target packed program;
the dynamic link library information list further comprising: the names of the exported functions in each dynamic link library loaded by the target packed program, and the ordinal of each exported function in each dynamic link library loaded by the target packed program;
a disassembly unit, used to disassemble the code of the target packed program;
a control-flow transfer instruction address acquisition unit, used to obtain, from the disassembled code output by the disassembly unit, the target addresses of all control-flow transfer instructions and the content the target addresses point to;
a valid address acquisition unit, used to search, among the addresses of the exported functions in each dynamic link library loaded by the target packed program that are contained in the dynamic link library information list, for addresses identical to the obtained target addresses of the control-flow transfer instructions;
an import table reconstruction unit, used to establish the import table of the target packed program from the addresses of the exported functions contained in the search result and all information corresponding to those exported-function addresses in the dynamic link library information list; the addresses of the exported functions contained in the search result being the addresses in the import address table of the import table.
7. The device according to claim 6, characterized in that the device further comprises:
a screening unit, used to remove, from the obtained target addresses of all control-flow transfer instructions, the addresses in the non-executable address range;
the valid address acquisition unit then being specifically used to search, among the addresses of the exported functions in each dynamic link library loaded by the target packed program that are contained in the dynamic link library information list, for addresses identical to the target addresses of the control-flow transfer instructions, the target addresses of the control-flow transfer instructions being the target addresses remaining after the addresses in the non-executable address range have been removed.
8. The device according to claim 6, characterized in that the device further comprises:
a search unit, used to obtain the maximum of the target addresses of all control-flow transfer instructions; starting from the maximum, to search in the direction of increasing addresses, stopping when the content pointed to by an address is found to be empty during the search, and to record the addresses found and the content those addresses point to;
and/or to obtain the minimum of the target addresses of all control-flow transfer instructions; starting from the minimum, to search in the direction of decreasing addresses, stopping when the content pointed to by an address is found to be empty during the search, and to record the addresses found and the content those addresses point to;
the valid address acquisition unit then being specifically used to search, among the addresses of the exported functions in each dynamic link library loaded by the target packed program that are contained in the dynamic link library information list, for addresses identical to the obtained target addresses of the control-flow transfer instructions and for addresses identical to the addresses found by the search.
9. The device according to claim 6, characterized in that the valid address acquisition unit specifically comprises:
a first judging unit, used to judge whether the obtained target address of a control-flow transfer instruction is found in the dynamic link library information list, and if so, to notify the first filling unit;
a first filling unit, used to fill into a second import address table the addresses found in the dynamic link library information list that are identical to the target addresses of the control-flow transfer instructions;
the import table reconstruction unit then being specifically used to establish the import table of the target packed program from the second import address table and the dynamic link library information list.
10. The device according to claim 9, characterized in that the valid address acquisition unit further comprises:
a second disassembly unit, used, when the first judging unit judges that the target address of a control-flow transfer instruction is one for which no address identical to it is found in the dynamic link library information list, to disassemble the content that target address points to, obtaining the disassembled code;
a second judging unit, used to judge whether the disassembled code contains an application programming interface call, and if so, to notify the second filling unit;
a second filling unit, used to fill the address of the application programming interface call into the second import address table.
CN 200910171415 2009-08-28 2009-08-28 Method and device capable of acquiring executable file input table Expired - Fee Related CN102004884B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910171415 CN102004884B (en) 2009-08-28 2009-08-28 Method and device capable of acquiring executable file input table


Publications (2)

Publication Number Publication Date
CN102004884A true CN102004884A (en) 2011-04-06
CN102004884B CN102004884B (en) 2013-04-17

Family

ID=43812239


Country Status (1)

Country Link
CN (1) CN102004884B (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102184103A (en) * 2011-05-12 2011-09-14 电子科技大学 Shell characteristic extracting method of software protection shell
CN102184363A (en) * 2011-05-21 2011-09-14 电子科技大学 Automatic software packer shelling method based on comprehensive processing
CN102890758A (en) * 2012-10-11 2013-01-23 北京深思洛克软件技术股份有限公司 Method and system for protecting executable file
CN103019828A (en) * 2012-12-28 2013-04-03 北京神州绿盟信息安全科技股份有限公司 Auxiliary shelling method and device based on shell adding program
CN103019740A (en) * 2012-12-28 2013-04-03 北京神州绿盟信息安全科技股份有限公司 Method and device for obtaining import table and relocation table
CN103077029A (en) * 2012-12-28 2013-05-01 北京神州绿盟信息安全科技股份有限公司 Import table repairing method and device
CN103093142A (en) * 2012-12-26 2013-05-08 飞天诚信科技股份有限公司 Java card object access control method
CN103177222A (en) * 2011-12-23 2013-06-26 腾讯科技(深圳)有限公司 Processing method for file shell adding and shell removing and device thereof
CN103413071A (en) * 2013-07-09 2013-11-27 北京深思数盾科技有限公司 Method for protecting data in software
CN103886042A (en) * 2014-03-10 2014-06-25 珠海市君天电子科技有限公司 Method and device for recognizing dynamic link library
CN104504310A (en) * 2015-01-15 2015-04-08 深圳市东信时代信息技术有限公司 Method and device for software protection based on shell technology
CN105117644A (en) * 2015-08-26 2015-12-02 福建天晴数码有限公司 Method and system for acquiring Android plug-in program
CN105528220A (en) * 2014-09-28 2016-04-27 腾讯科技(深圳)有限公司 Method and apparatus for loading dynamic shared object
CN105814577A (en) * 2013-12-27 2016-07-27 迈克菲公司 Segregating executable files exhibiting network activity
CN106021096A (en) * 2016-05-09 2016-10-12 北京金山安全软件有限公司 Abnormal function searching method and device
CN106325927A (en) * 2016-08-19 2017-01-11 北京金山安全管理***技术有限公司 Interception method and device applied to dynamic library API (Application Program Interface) in Linux system
CN107784204A (en) * 2016-08-31 2018-03-09 百度在线网络技术(北京)有限公司 Using hulling method and device
CN108108617A (en) * 2017-12-21 2018-06-01 中国人民解放军战略支援部队信息工程大学 Importing table restorative procedure and device based on the tracking of static instruction stream

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101154258A (en) * 2007-08-14 2008-04-02 电子科技大学 Automatic analyzing system and method for dynamic action of malicious program
CN101154259A (en) * 2007-08-27 2008-04-02 电子科技大学 General automated shelling engine and method

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102184103A (en) * 2011-05-12 2011-09-14 电子科技大学 Shell characteristic extracting method of software protection shell
CN102184363A (en) * 2011-05-21 2011-09-14 电子科技大学 Automatic software packer shelling method based on comprehensive processing
CN102184363B (en) * 2011-05-21 2013-09-25 电子科技大学 Automatic software packer shelling method based on comprehensive processing
CN103177222B (en) * 2011-12-23 2015-08-12 腾讯科技(深圳)有限公司 A kind of file adds shell, the disposal route of shelling and equipment thereof
US9100170B2 (en) 2011-12-23 2015-08-04 Tencent Technology (Shenzhen) Company Limited File packing and unpacking method, and device thereof
CN103177222A (en) * 2011-12-23 2013-06-26 腾讯科技(深圳)有限公司 Processing method for file shell adding and shell removing and device thereof
WO2013091452A1 (en) * 2011-12-23 2013-06-27 腾讯科技(深圳)有限公司 File packing and unpacking method, and device thereof
CN102890758B (en) * 2012-10-11 2014-12-17 北京深思洛克软件技术股份有限公司 Method and system for protecting executable file
CN102890758A (en) * 2012-10-11 2013-01-23 北京深思洛克软件技术股份有限公司 Method and system for protecting executable file
CN103093142A (en) * 2012-12-26 2013-05-08 飞天诚信科技股份有限公司 Java card object access control method
CN103093142B (en) * 2012-12-26 2015-07-22 飞天诚信科技股份有限公司 Java card object access control method
CN103019740B (en) * 2012-12-28 2015-08-19 北京神州绿盟信息安全科技股份有限公司 A kind of method and device obtaining importing table and relocation table
CN103077029B (en) * 2012-12-28 2016-07-13 北京神州绿盟信息安全科技股份有限公司 A kind of restorative procedure importing table and device
CN103019828B (en) * 2012-12-28 2015-06-17 北京神州绿盟信息安全科技股份有限公司 Auxiliary shelling method and device based on shell adding program
CN103077029A (en) * 2012-12-28 2013-05-01 北京神州绿盟信息安全科技股份有限公司 Import table repairing method and device
CN103019740A (en) * 2012-12-28 2013-04-03 北京神州绿盟信息安全科技股份有限公司 Method and device for obtaining import table and relocation table
CN103019828A (en) * 2012-12-28 2013-04-03 北京神州绿盟信息安全科技股份有限公司 Auxiliary shelling method and device based on shell adding program
CN103413071B (en) * 2013-07-09 2016-03-23 北京深思数盾科技有限公司 A kind of method of data in protection software
CN103413071A (en) * 2013-07-09 2013-11-27 北京深思数盾科技有限公司 Method for protecting data in software
US10083300B2 (en) 2013-12-27 2018-09-25 Mcafee, Llc Segregating executable files exhibiting network activity
CN105814577A (en) * 2013-12-27 2016-07-27 迈克菲公司 Segregating executable files exhibiting network activity
CN105814577B (en) * 2013-12-27 2020-07-14 迈克菲有限责任公司 Isolating executable files representing network activities
US10599846B2 (en) 2013-12-27 2020-03-24 Mcafee, Llc Segregating executable files exhibiting network activity
CN103886042A (en) * 2014-03-10 2014-06-25 珠海市君天电子科技有限公司 Method and device for recognizing dynamic link library
CN103886042B (en) * 2014-03-10 2017-07-21 珠海市君天电子科技有限公司 A kind of method and device for recognizing dynamic link library
CN105528220A (en) * 2014-09-28 2016-04-27 腾讯科技(深圳)有限公司 Method and apparatus for loading dynamic shared object
CN105528220B (en) * 2014-09-28 2020-12-01 腾讯科技(深圳)有限公司 Method and device for loading dynamic shared object
CN104504310A (en) * 2015-01-15 2015-04-08 深圳市东信时代信息技术有限公司 Method and device for software protection based on shell technology
CN105117644A (en) * 2015-08-26 2015-12-02 福建天晴数码有限公司 Method and system for acquiring Android plug-in program
CN105117644B (en) * 2015-08-26 2018-08-28 福建天晴数码有限公司 Method and system for acquiring Android plug-in programs
CN106021096A (en) * 2016-05-09 2016-10-12 北京金山安全软件有限公司 Abnormal function searching method and device
CN106021096B (en) * 2016-05-09 2018-12-21 珠海豹趣科技有限公司 Abnormal function lookup method and device
CN106325927B (en) * 2016-08-19 2019-12-17 北京金山安全管理***技术有限公司 Interception method and device applied to dynamic library APIs in a Linux system
CN106325927A (en) * 2016-08-19 2017-01-11 北京金山安全管理***技术有限公司 Interception method and device applied to dynamic library API (Application Program Interface) in Linux system
CN107784204B (en) * 2016-08-31 2021-10-22 百度在线网络技术(北京)有限公司 Application unpacking method and device
CN107784204A (en) * 2016-08-31 2018-03-09 百度在线网络技术(北京)有限公司 Application unpacking method and device
CN108108617A (en) * 2017-12-21 2018-06-01 中国人民解放军战略支援部队信息工程大学 Import table repair method and device based on static instruction stream tracking
CN108108617B (en) * 2017-12-21 2019-10-08 中国人民解放军战略支援部队信息工程大学 Import table repair method and device based on static instruction stream tracking

Also Published As

Publication number Publication date
CN102004884B (en) 2013-04-17

Similar Documents

Publication Publication Date Title
CN102004884B (en) Method and device capable of acquiring executable file input table
US10698668B1 (en) Custom code transformations during compilation process
EP2897074B1 (en) Application code obfuscation device based on self-conversion and method therefor
EP2553570B1 (en) Method for linking and loading to protect applications
US20170372068A1 (en) Method to identify known compilers functions, libraries and objects inside files and data items containing an executable code
CN103413075B (en) Method and apparatus for protecting a JAVA executable program by means of a virtual machine
US20160203087A1 (en) Method for providing security for common intermediate language-based program
KR101861341B1 (en) Deobfuscation apparatus of application code and method of deobfuscating application code using the same
US20050108562A1 (en) Technique for detecting executable malicious code using a combination of static and dynamic analyses
CN108536451B (en) Method and device for embedding embedded point of application program
US20200342100A1 (en) System and method for runtime detection, analysis and signature determination of obfuscated malicious code
CN104239757A (en) Anti-reversing method and device for application programs, and operation method and terminal
US7725879B2 (en) Method and apparatus for executing instructions of java virtual machine and transforming bytecode
CN103914637A (en) Android platform executable program encrypting method
CN103778373A (en) Virus detection method and device
CN113568680B (en) Dynamic link library protection method, device, equipment and medium for application program
CN109614772B (en) Code conversion method and device based on application installation package file
Padaryan et al. Automated exploit generation for stack buffer overflow vulnerabilities
CN106933642B (en) Application program processing method and processing device
CN115390945A (en) Application program running method and device, electronic equipment and readable storage medium
CN102831343B (en) Target program processing method, processing device and cloud service equipment
CN103677746B (en) Instruction recombination method and device
CN113626773A (en) Code protection method based on intermediate language
KR100876637B1 (en) Apparatus and method for detecting software attacks on linux
US11061998B2 (en) Apparatus and method for providing security and apparatus and method for executing security to protect code of shared object

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130417

Termination date: 20190828