CN103413071A - Method for protecting data in software - Google Patents

Publication number
CN103413071A
Authority
CN
China
Prior art keywords
data
software
page
driver
protection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013102843248A
Other languages
Chinese (zh)
Other versions
CN103413071B (en)
Inventor
Inventor not disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd filed Critical Beijing Senseshield Technology Co Ltd
Priority to CN201310284324.8A priority Critical patent/CN103413071B/en
Publication of CN103413071A publication Critical patent/CN103413071A/en
Application granted granted Critical
Publication of CN103413071B publication Critical patent/CN103413071B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method for protecting data in software. On operating systems such as Windows and Linux, the data to be protected is moved out of the software and stored in the driver of a software protection device. The driver is loaded before the data is used and hooks the page-fault exception (pagefault) in memory management, so that the data is loaded or processed there, which effectively ensures the security of the data.

Description

A method for protecting data in software
Technical field
The present invention relates to the field of software protection, and in particular to a method for protecting data in software.
Background
Software is a special kind of product. Because it is purely digital, it has been troubled by piracy since it first appeared. Piracy has not only caused software developers huge losses but has also greatly hindered the development of the software industry as a whole. Nearly all software therefore takes technical measures against cracking and piracy, and protecting the important data or code in the software is the problem software developers care about most.
In current protection methods, encryption is mostly done at the user layer. The bar this sets for a cracker is low, and it is also the easiest to trace illegally: once the software is running, the critical data or code sit in user-layer memory whether or not they are in use, and can be obtained easily. Both the encryption methods and the encryption strength are weak. The currently popular virtual-machine protection technique only protects code well and cannot fully protect data that is read and written.
In the prior art, a software protection device is the principal means of achieving software protection and copyright protection. A software protection device is a hardware system attached to a computer interface (such as a USB, serial or parallel port) that uses a high-strength smart-card chip and advanced cryptography and has some computing and storage capability.
The driver of a software protection device is a special, independent driver that interacts with the software in order to protect it. In use, the software triggers it under some specific condition (for example, selecting a menu item), activating the driver to restore critical data, protect important code, or hook code, so that the data or code of the protected software cannot be maliciously rewritten.
Summary of the invention
In view of this, the invention provides a method for protecting data in software that effectively protects critical data or code. If the running software has not loaded the driver of the software protection device, or has loaded it but the driver has not hooked the page-fault exception, the critical data or code cannot be obtained normally at all. Restoring the critical data is also done inside the driver, which raises the bar for tracing and debugging by pirates or crackers, so the software is protected more effectively and security is improved. The invention applies not only to the Windows operating system but also to other operating systems such as Linux.
According to one aspect of the invention, a method for protecting data in software by means of a software protection device is provided, comprising the following steps:
Step 1: move the data to be protected in the protected software into the driver of the software protection device;
Step 2: before the protected software uses the data to be protected, load the driver of the software protection device so that it hooks the page-fault exception;
Step 3: when the protected software needs to read, write or execute the data to be protected, write the data to be protected back into the protected software.
According to one aspect of the invention, in step 1, after the data to be protected is extracted from the protected software, its address and length are recorded and it is zeroed out or filled with random numbers.
According to one aspect of the invention, the data to be protected is encrypted and then moved into the driver of the software protection device.
According to one aspect of the invention, before the protected software needs to read, write or execute the data to be protected, the driver of the software protection device is loaded by the protected software.
According to one aspect of the invention, the driver hooks the page-fault exception function of the operating system.
According to one aspect of the invention, when the protected software reads, writes or executes the data to be protected, the CPU triggers the page-fault exception function, which makes a judgment:
If the result is a missing-page fault and the missing page falls within the address range of the data to be protected of the protected software process, the data to be protected that is stored in the driver is decrypted and restored, and control then returns so that the protected software can use it;
If the result is a page-protection exception, or the missing page does not fall within the address range of the data to be protected, nothing is done and the original page-fault exception function of the operating system is executed.
According to one aspect of the invention, when the extracted data to be protected is written into the driver, it is written in array form or by storing it in a file.
According to one aspect of the invention, the encryption and decryption use a symmetric or an asymmetric algorithm.
The invention writes the critical data or code into the driver of the software protection device. When the driver is loaded, it hooks the system's page-fault exception function. When the software reads, writes or executes the critical data, the critical data stored in the driver of the software protection device is, depending on the judgment, decrypted and restored and then returned for the protected software to execute. With the method provided by the invention, operations such as restoring the data are carried out inside the driver of the software protection device, which raises the bar for tracing and debugging the software and protects it more effectively.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a method for protecting software data according to the invention.
Fig. 2 is an overall flow chart of a preferred embodiment of a method for protecting software data according to the invention.
Detailed description
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to the accompanying drawings and embodiments.
The invention provides a method for protecting software data whose concrete steps are as follows:
Step 1. Extract the critical data or code from the software (code is a special kind of data), record its address and length, and then zero it out or fill it with random numbers. According to one embodiment of the invention, the critical data or code may be the code that encrypts data, the data used by that encryption code, or the code of a critical function.
Step 2. Write the extracted data into the driver of the software protection device; it may be encrypted before it is stored. According to one embodiment of the invention, it may be stored in a storage device or directly in the driver of the software protection device.
Step 3. Before the software needs to read, write or execute the critical data or code, the software loads the driver of the software protection device, and the driver hooks the system's page-fault exception function (clearing the PTE (Page Table Entry) of the page concerned and its TLB (Translation Lookaside Buffer) entry, to ensure that the CPU triggers a page-fault exception).
Step 4. When the software reads, writes or executes the critical data, the CPU triggers the page-fault exception function, which makes a judgment. If the result is a missing page (also called a faulting page: after the fault occurs, it is determined whether the faulting page contains protected data or code, and if so it is handled specially; pages are numbered sequentially, and each page number corresponds to 4K of contiguous storage, or 8K on 64-bit CPUs) and the missing page falls within the address range of the critical data of this software process, the critical data stored in the driver of the software protection device is decrypted and restored, and control returns so that the software can use it. If the result is a page-protection exception, or the missing page does not fall within the critical-data address range, nothing is done and the system's original page-fault exception function is executed.
According to one aspect of the invention, when the extracted data is written into the driver, it is written in array form or in another form (such as storing the data in a file).
According to one aspect of the invention, the critical data in the driver may be encrypted and decrypted with a symmetric algorithm (such as AES or DES) or an asymmetric algorithm (such as RSA or ECC).
Hooking the system page-fault exception can use the CPU privileged instruction sidt. In addition, according to another embodiment of the invention, when the method is applied to the Linux operating system, the corresponding CPU privileged instruction is used as follows:
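// Read the IDTR: sidt stores a 16-bit limit followed by the 32-bit base (32-bit x86)
unsigned char idtr[6];
unsigned long base;   // linear base address of the IDT
asm ("sidt %0" : "=m" (idtr));
base = *((unsigned long *) &idtr[2]);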
Clearly, the IDT is part of the CPU architecture and differs little between systems.
IDT = Interrupt Descriptor Table
The following takes Windows x86 as the example (according to one embodiment of the invention, only a 32-bit operating system is used as the example; other operating systems can be handled similarly):
The IDT is a linear table with 256 entries. Each IDT entry is an 8-byte descriptor, so the whole IDT is 256*8=2048 bytes in size, and each interrupt vector is associated with one interrupt handler. An interrupt vector is the number from 0 to 255 that identifies each interrupt or exception. Intel calls this number a vector.
The operating system records the position and size of the Interrupt Descriptor Table in the IDTR register.
The IDTR register is a 48-bit register that holds the IDT information. The low 16 bits give the size of the IDT, which is 7FFH, and the high 32 bits give the base address of the IDT. The sidt instruction reads the information in the IDTR register and so locates the IDT in memory. An exemplary description of the IDTR follows. Those skilled in the art can readily understand this description and can make similar conversions, modifications, substitutions, additions and deletions, all of which fall within the scope of the invention.
// IDTR
#pragma pack(1)
typedef struct _IDTR
{
    USHORT limit;      // size of the IDT in bytes, minus 1
    USHORT LowBase;    // low 16 bits of the IDT base address
    USHORT HighBase;   // high 16 bits of the IDT base address
} IDTR, *PIDTR;
#pragma pack()
// IDT entry table
#pragma pack(1)
typedef struct _IDT_ENTRY
{
    USHORT offset_low;   // low 16 bits of the handler address
    USHORT selector;
    UCHAR  reserved;
    UCHAR  type:4;
    UCHAR  always0:1;
    UCHAR  dpl:2;
    UCHAR  present:1;
    USHORT offset_high;  // high 16 bits of the handler address
} IDT_ENTRY, *PIDT_ENTRY;
#pragma pack()
Obtain the address of the IDT. The IDT as a whole is an array of structures, in which entry 0xE is the page-fault exception information structure. Its two members offset_low and offset_high (OffsetLow and OffsetHigh) together form an address, which is the system's exception handler; it handles all page-fault exceptions in the system. Replace it with the address of the custom page-fault filter function, and also save the address of the system's original page-fault function in the driver for use when restoring. On a multi-core CPU, the IDT of every CPU must be processed. As an example, exemplary code for processing the IDT on a multi-core CPU is given below. For those skilled in the art, the following code is only an example and does not limit the invention; other forms or approaches that those skilled in the art design, write or generate on the basis of the following code all fall within the scope claimed by the invention.
// Hook the page-fault handler on every core of a multi-core CPU
CpuCount = *KeNumberProcessors;
while (CpuCount > 0)
{
    // Bind the current thread to one CPU; the second argument is an affinity mask, not an index
    KeSetAffinityThread(KeGetCurrentThread(), (KAFFINITY)1 << (CpuCount - 1));
    // hook the page-fault handler in this CPU's IDT
    CpuCount--;
}
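The layout described above (a 6-byte IDTR, 8-byte gates, and a handler address split across offset_low and offset_high) can be decoded and checked offline. The following C is an added example, not code from the patent: it parses a constructed IDTR image and two constructed vector 0x0E gates and tests whether each handler lies inside an assumed kernel image range, which is how a replaced page-fault entry shows up to an integrity check. All byte values, KERNEL_BASE and KERNEL_SIZE are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded IDTR: 16-bit limit followed by the 32-bit linear base (32-bit x86). */
typedef struct { uint16_t limit; uint32_t base; } idtr_info;

/* Decoded 8-byte interrupt gate, same fields as IDT_ENTRY in the text. */
typedef struct {
    uint32_t handler;            /* offset_high:offset_low */
    uint16_t selector;
    uint8_t  type, dpl, present;
} gate_info;

/* Little-endian 16-bit read. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

idtr_info parse_idtr(const uint8_t raw[6])
{
    idtr_info r;
    r.limit = rd16(raw);                                   /* size in bytes minus 1 */
    r.base  = (uint32_t)rd16(raw + 2) | ((uint32_t)rd16(raw + 4) << 16);
    return r;
}

/* Number of 8-byte descriptors covered by the limit. */
unsigned idt_entry_count(idtr_info r) { return ((unsigned)r.limit + 1u) / 8u; }

gate_info parse_gate(const uint8_t g[8])
{
    gate_info e;
    e.selector = rd16(g + 2);
    e.type     = g[5] & 0x0F;          /* 0xE = 32-bit interrupt gate */
    e.dpl      = (g[5] >> 5) & 0x03;
    e.present  = (g[5] >> 7) & 0x01;
    e.handler  = (uint32_t)rd16(g) | ((uint32_t)rd16(g + 6) << 16);
    return e;
}

/* 1 if handler lies inside [image_base, image_base + image_size), else 0. */
int handler_in_image(uint32_t handler, uint32_t image_base, uint32_t image_size)
{
    return handler >= image_base && handler - image_base < image_size;
}

/* Constructed sample data, not taken from any real system. */
const uint8_t SAMPLE_IDTR[6]    = { 0xFF, 0x07, 0x00, 0xF4, 0x03, 0x80 };
const uint8_t GATE_0E_CLEAN[8]  = { 0x50, 0x04, 0x08, 0x00, 0x00, 0x8E, 0x54, 0x80 };
const uint8_t GATE_0E_HOOKED[8] = { 0x30, 0x12, 0x08, 0x00, 0x00, 0x8E, 0xA0, 0xF8 };
#define KERNEL_BASE 0x804D7000u   /* assumed kernel image base */
#define KERNEL_SIZE 0x00214000u   /* assumed kernel image size */

int main(void)
{
    idtr_info r = parse_idtr(SAMPLE_IDTR);
    gate_info c = parse_gate(GATE_0E_CLEAN), h = parse_gate(GATE_0E_HOOKED);

    printf("IDT base %08X, limit %03X, %u entries\n",
           (unsigned)r.base, (unsigned)r.limit, idt_entry_count(r));
    printf("vector 0x0E handler %08X inside kernel image: %d\n",
           (unsigned)c.handler, handler_in_image(c.handler, KERNEL_BASE, KERNEL_SIZE));
    printf("vector 0x0E handler %08X inside kernel image: %d\n",
           (unsigned)h.handler, handler_in_image(h.handler, KERNEL_BASE, KERNEL_SIZE));
    return 0;
}
```

On a multi-core machine the same check has to be repeated for each CPU's IDT, since the text hooks every core separately.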
Refer to Fig. 1, which is an overall schematic of the software's run-time flow.
In step 101, the data to be protected in the protected software is moved into the driver of the software protection device;
In step 102, before the protected software uses the data, the driver of the software protection device is loaded so that it hooks the page-fault exception;
In step 103, when the protected software needs to read, write or execute the protected data, the original data is written back.
Refer to Fig. 2, which is an overall flow chart of a preferred embodiment of a method for protecting software data according to the invention.
This embodiment assumes a Windows x86 platform and a software program A containing a piece of critical data D (which only needs to be read); the software needs to read critical data D only when responding to a menu-bar operation.
1. First, take the critical data D out of software A, encrypt it and place it in driver B of the software protection device (the encrypted data can be stored in driver B as a contiguous block of data and used as data), then zero out the critical data D in software A.
2. Load driver B at the start of the code in software A that responds to the menu-bar operation; driver B then hooks _KiTrap0E. (Note: this function is the page-fault handler on Windows. According to one embodiment of the invention, the function name _KiTrap0E applies only to Windows; on Linux it has another name, but since the differences between operating systems are not the focus of the invention they are omitted here. The IDT can be obtained with the privileged instruction sidt; entry 0x0E holds the start address of _KiTrap0E.)
3. After software A is running, a menu item is clicked and driver B is loaded; driver B computes the PTE of the page containing critical data D and sets it to invalid. Those skilled in the art can readily understand this description and can make similar conversions, modifications, substitutions, additions and deletions, all of which fall within the scope of the invention.
// Get the PTE of the page containing the address (summary of what this function does).
// PROCESS_PAGE_DIR_BASE and PROCESS_PAGE_TABLE_BASE are assumed to be defined elsewhere.
PPTE GetPteAddress( PVOID VirtualAddress )
{
    PPTE pPTE = 0;
    __asm
    {
        cli                              // disable interrupts
        pushad
        mov esi, PROCESS_PAGE_DIR_BASE
        mov edx, VirtualAddress
        mov eax, edx
        shr eax, 22
        lea eax, [esi + eax*4]           // pointer to page directory entry
        test dword ptr [eax], 0x80       // is it a large page?
        jnz Is_Large_Page                // yes, it is a large page
        mov esi, PROCESS_PAGE_TABLE_BASE
        shr edx, 12
        lea eax, [esi + edx*4]           // pointer to page table entry (PTE)
        mov pPTE, eax
        jmp Done
        // NOTE: There is no page table for large pages because
        // the physical frames are contained in the page directory.
    Is_Large_Page:
        mov pPTE, eax
    Done:
        popad
        sti                              // re-enable interrupts
    } // end asm
    return pPTE;
} // end GetPteAddress
// Set the PTE of critical data D to invalid
push eax                                 // address of critical data D
call GetPteAddress
mov ebx, eax                             // ebx = pPte
and dword ptr [ebx], 0xFFFFFFFE          // mark page not present
4. Use the assembly instruction invlpg to flush the TLB entry, to ensure that a read triggers a page-fault exception ("trigger page-fault exception" in Fig. 2). Software A then reads critical data D (at this point the original critical data D in software A is all zeros). The read triggers a page-fault exception, which first enters the filter function hooked onto _KiTrap0E. (After a page-fault exception is triggered the system would enter the _KiTrap0E function, but because the invention has hooked that function beforehand, _KiTrap0E_Filter is entered first. If the conditions below are not met, the system's _KiTrap0E function is then called; otherwise the data is decrypted and restored and the filter returns directly.) The error code is used to test the following conditions:
a. The fault is a missing-page (page not present) fault
b. The process is software A's process
c. The fault occurred on a read
d. The exception occurred in user mode
e. And the address (read from register cr2) lies within the address range of critical data D in software A.
When the above conditions are met, the critical data stored in driver B is decrypted and copied directly to its original address in software A. Critical data D is now fully restored, and software A can read it without difficulty.
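The flow of steps 1 to 4 and conditions a to e, simulated in user space as an added example that is not code from the patent: the x86 page-fault error code bits (bit 0 present, bit 1 write, bit 2 user) drive the filter decision, a byte array stands in for software A's memory, and a one-byte XOR stands in for the AES/DES or RSA/ECC encryption the text allows. The struct and function names, the process id, the addresses and the sample secret are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 page-fault error code bits pushed by the CPU for vector 0x0E */
#define PF_ERR_PRESENT 0x1u  /* 0 = page not present, 1 = protection violation */
#define PF_ERR_WRITE   0x2u  /* 0 = read access, 1 = write access */
#define PF_ERR_USER    0x4u  /* 0 = supervisor mode, 1 = user mode */
#define D_MAX 32u

typedef struct {             /* simulated software A (hypothetical) */
    uint32_t pid, mem_base;
    uint8_t  mem[64];
} sim_process;

typedef struct {             /* what driver B keeps (hypothetical) */
    uint32_t owner_pid, base, length;
    uint8_t  key, stored[D_MAX];
} driver_state;

typedef enum { PF_CHAIN_ORIGINAL = 0, PF_RESTORE_DATA = 1 } pf_action;

/* Stand-in cipher only: the text calls for AES/DES or RSA/ECC here. */
static void xor_crypt(uint8_t *buf, uint32_t n, uint8_t key)
{
    for (uint32_t i = 0; i < n; i++) buf[i] ^= key;
}

/* Steps 1-2: record address and length, keep an encrypted copy, zero the original. */
int protect_region(driver_state *drv, sim_process *p, uint32_t addr, uint32_t len, uint8_t key)
{
    if (len > D_MAX || addr < p->mem_base || addr - p->mem_base + len > sizeof p->mem)
        return -1;
    uint8_t *d = p->mem + (addr - p->mem_base);
    drv->owner_pid = p->pid; drv->base = addr; drv->length = len; drv->key = key;
    memcpy(drv->stored, d, len);
    xor_crypt(drv->stored, len, key);
    memset(d, 0, len);
    return 0;
}

/* Conditions a-e from the text; anything else goes to the original handler. */
pf_action pf_filter_decide(const driver_state *drv, uint32_t cur_pid, uint32_t err, uint32_t cr2)
{
    if (err & PF_ERR_PRESENT)      return PF_CHAIN_ORIGINAL;  /* a: not a missing page */
    if (cur_pid != drv->owner_pid) return PF_CHAIN_ORIGINAL;  /* b: not software A */
    if (err & PF_ERR_WRITE)        return PF_CHAIN_ORIGINAL;  /* c: not a read */
    if (!(err & PF_ERR_USER))      return PF_CHAIN_ORIGINAL;  /* d: not user mode */
    if (cr2 < drv->base || cr2 - drv->base >= drv->length)
        return PF_CHAIN_ORIGINAL;                             /* e: cr2 outside D */
    return PF_RESTORE_DATA;
}

/* Filter entry: decrypt and copy D back to its original address, or chain. */
pf_action on_page_fault(driver_state *drv, sim_process *p, uint32_t cur_pid,
                        uint32_t err, uint32_t cr2)
{
    pf_action a = pf_filter_decide(drv, cur_pid, err, cr2);
    if (a == PF_RESTORE_DATA) {
        uint8_t *d = p->mem + (drv->base - p->mem_base);
        memcpy(d, drv->stored, drv->length);
        xor_crypt(d, drv->length, drv->key);
    }
    return a;
}

/* Runs one simulated fault; returns 1 if D is readable afterwards, 0 if still zeroed. */
int demo_fault(uint32_t cur_pid, uint32_t err, uint32_t cr2)
{
    static const char secret[] = "LICENSE-KEY-0001";   /* constructed sample, 16 bytes */
    sim_process p = { 1234u, 0x00403000u, {0} };
    driver_state drv;
    memcpy(p.mem + 0x10, secret, 16);
    if (protect_region(&drv, &p, 0x00403010u, 16u, 0x5Au) != 0) return -1;
    on_page_fault(&drv, &p, cur_pid, err, cr2);
    return memcmp(p.mem + 0x10, secret, 16) == 0;
}

int main(void)
{
    printf("user read of D by A:          %d\n", demo_fault(1234u, PF_ERR_USER, 0x00403010u));
    printf("same page, outside D:         %d\n", demo_fault(1234u, PF_ERR_USER, 0x00403008u));
    printf("protection fault on D:        %d\n", demo_fault(1234u, PF_ERR_USER | PF_ERR_PRESENT, 0x00403010u));
    printf("read of D from other process: %d\n", demo_fault(999u, PF_ERR_USER, 0x00403010u));
    return 0;
}
```

The second case shows what condition e does with page granularity: the whole page is marked not present, but a fault on that page outside D's recorded range is handed to the original handler rather than restored.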
For security, when critical data D is not in use, the region can be zeroed out and driver B notified to disable the page-fault hook, which protects the security of critical data D to the greatest extent.
The foregoing is only a preferred embodiment of the invention and is not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (8)

1. A method for protecting data in software by means of a software protection device, characterized by comprising the following steps:
Step 1: move the data to be protected in the protected software into the driver of the software protection device;
Step 2: before the protected software uses the data to be protected, load the driver of the software protection device so that it hooks the page-fault exception;
Step 3: when the protected software needs to read, write or execute the data to be protected, write the data to be protected back into the protected software.
2. The method according to claim 1, characterized in that, in step 1, after the data to be protected is extracted from the protected software, its address and length are recorded and it is zeroed out or filled with random numbers.
3. The method according to claim 1, characterized in that the data to be protected is encrypted and then moved into the driver of the software protection device.
4. The method according to claim 1, characterized in that, before the protected software needs to read, write or execute the data to be protected, the driver of the software protection device is loaded by the protected software.
5. The method according to claim 4, characterized in that the driver hooks the page-fault exception function of the operating system.
6. The method according to claim 4, characterized in that, when the protected software reads, writes or executes the data to be protected, the CPU triggers the page-fault exception function, which makes a judgment:
If the result is a missing-page fault and the missing page falls within the address range of the data to be protected of the protected software process, the data to be protected that is stored in the driver is decrypted and restored, and control then returns so that the protected software can use it;
If the result is a page-protection exception, or the missing page does not fall within the address range of the data to be protected, nothing is done and the original page-fault exception function of the operating system is executed.
7. The method according to claims 1-6, characterized in that, when the extracted data to be protected is written into the driver, it is written in array form or by storing it in a file.
8. The method according to claims 1-6, characterized in that the encryption and decryption use a symmetric or an asymmetric algorithm.
CN201310284324.8A 2013-07-09 2013-07-09 A kind of method of data in protection software Active CN103413071B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310284324.8A CN103413071B (en) 2013-07-09 2013-07-09 A kind of method of data in protection software

Publications (2)

Publication Number Publication Date
CN103413071A true CN103413071A (en) 2013-11-27
CN103413071B CN103413071B (en) 2016-03-23

Family

ID=49606082

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310284324.8A Active CN103413071B (en) 2013-07-09 2013-07-09 A kind of method of data in protection software

Country Status (1)

Country Link
CN (1) CN103413071B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102004884A (en) * 2009-08-28 2011-04-06 华为技术有限公司 Method and device capable of acquiring executable file input table
US20110191593A1 (en) * 2009-10-12 2011-08-04 Safenet, Inc. Software License Embedded In Shell Code
CN102609284A (en) * 2012-02-01 2012-07-25 上海游安网络科技有限公司 Method for safely loading executable file
CN102890758A (en) * 2012-10-11 2013-01-23 北京深思洛克软件技术股份有限公司 Method and system for protecting executable file
CN102938035A (en) * 2012-11-08 2013-02-20 西安交通大学 Driving separation system inside virtual machine and method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106203093A (en) * 2016-06-30 2016-12-07 北京金山安全软件有限公司 Process protection method and device and terminal
CN107341373A (en) * 2017-06-30 2017-11-10 北京深思数盾科技股份有限公司 A kind of guard method of executable program and device
CN107341373B (en) * 2017-06-30 2018-12-18 北京深思数盾科技股份有限公司 A kind of guard method of executable program and device

Also Published As

Publication number Publication date
CN103413071B (en) 2016-03-23

Similar Documents

Publication Publication Date Title
Gionta et al. HideM: Protecting the contents of userspace memory in the face of disclosure vulnerabilities
CN101533443B (en) Microprocessor device for providing secure execution environment and method for executing secure code thereof
US20090049309A1 (en) Method and Apparatus for Verifying Integrity of Computer System Vital Data Components
US20080016127A1 (en) Utilizing software for backing up and recovering data
KR20130020880A (en) Secure environment management during switches between different modes of multicore systems
CN106095525A (en) Virtual machine dynamic migration safety protection method
KR20150101811A (en) Method of unpacking protection with code separation and apparatus thereof
CN106951790B (en) USB storage medium transparent encryption method
CN102609644A (en) File protection process
Wang et al. Mimosaftl: adding secure and practical ransomware defense strategy to flash translation layer
CN103413071B (en) A kind of method of data in protection software
CN101101622A (en) Method for constructing transparent coding environment
CN103186746A (en) Protection method and system of executable file
JP4733323B2 (en) Data batch protection system
KR20180011847A (en) Protection of state information for virtual machines
CN207099110U (en) A kind of Intelligent terminal data encrypted backup system
CN105162765A (en) Cloud data security realizing method based on tail-cutoff survival
CN106952659B (en) CD multistage imprinting encryption method based on XTS encryption mode
Fleming et al. Data Tethers: Preventing information leakage by enforcing environmental data access policies
CN102880818A (en) Software protection method
CN101403985A (en) Software permission backup method for software protection apparatus
CN104951407B (en) One kind can encrypted U disk and its encryption method
Chenke et al. Anti-reverse-engineering tool of executable files on the windows platform
Ma et al. Travelling the hypervisor and ssd: A tag-based approach against crypto ransomware with fine-grained data recovery
Li et al. Application of clipboard monitoring technology in graphic and document information security protection system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP03 Change of name, title or address

Address after: 100193 Beijing, Haidian District, East West Road, No. 10, East Hospital, building No. 5, floor 5, layer 510

Patentee after: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

Address before: 100872 room 1706, building 59, Zhongguancun street, Haidian District, Beijing

Patentee before: BEIJING SHENSI SHUDUN TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder