Summary of the invention
In view of this, the invention provides a method of protecting data in software. It can effectively protect critical data or code: if the software runs without loading the driver of the software protection device, or loads that driver but the driver does not hook the page exception, the critical data or code cannot be obtained at all. The operation that restores the critical data is also completed inside the driver, which raises the threshold for tracing and debugging by pirates or crackers, so the software is protected more effectively and its security is improved. The present invention applies not only to the Windows operating system but also to other operating systems such as Linux.
According to an aspect of the present invention, a method of protecting data in software by means of a software protection device is provided, comprising the following steps:
Step 1: move the data that need protection in the protected software into the driver of the software protection device;
Step 2: before the protected software uses the data that need protection, load the driver of the software protection device and have it hook the page exception;
Step 3: when the protected software needs to read, write or execute the data that need protection, write the data that need protection back into the protected software.
According to an aspect of the present invention, in step 1, after the data that need protection are extracted from the protected software, their address and length are recorded, and the original location is cleared to 0 or filled with random numbers.
According to an aspect of the present invention, the data that need protection are encrypted before being moved into the driver of the software protection device.
According to an aspect of the present invention, before the protected software needs to read, write or execute the data that need protection, the driver of the software protection device is loaded by the protected software.
According to an aspect of the present invention, the page exception function of the operating system is hooked by the driver.
According to an aspect of the present invention, when the protected software reads, writes or executes the data that need protection, the CPU triggers the page exception function, which makes the following judgement:
If the result is a page fault (a not-present page) and the missing page belongs to the address range of the data that need protection of the protected software process, the data that need protection kept in the driver are decrypted and restored, and control returns to the protected software for use;
If the result is a page protection exception, or the missing page does not belong to the address range of the data that need protection, nothing is done and the original page exception function of the operating system is executed.
According to an aspect of the present invention, when the extracted data that need protection are written into the driver, they are written in the form of an array or stored as a file.
According to an aspect of the present invention, the encryption and decryption use a symmetric or an asymmetric algorithm.
The present invention writes critical data or code into the driver of the software protection device; when the driver is loaded, it hooks the page exception function of the system; when the software reads, writes or executes the critical data, the driver judges whether to decrypt and restore the critical data kept in the driver and then returns control to the protected software. Because the operations that restore the data are carried out inside the driver of the software protection device, the threshold for tracing and debugging the software is raised and the software is protected more effectively.
Embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
The invention provides a method of protecting software data, the concrete steps of which comprise:
Step 1. Extract the critical data or code (code is a special kind of data) from the software, record its address and length, and clear the original location to 0 or fill it with random numbers. According to one embodiment of the present invention, the critical data or code is the code of an encryption routine, the data used by that code, or the code of a critical function;
Step 2. Write the extracted data into the driver of the software protection device; the data may be encrypted before being stored. According to one embodiment of the present invention, the data may be kept either in the storage device or directly in the driver of the software protection device;
Step 3. Before the software needs to read, write or execute the critical data or code, the software must load the driver of the software protection device; the driver hooks the page exception function of the system (and clears the PTE (Page Table Entry) and the TLB (Translation Lookaside Buffer) entry of the page concerned, to guarantee that the CPU will trigger the page exception).
Step 4. When the software reads, writes or executes the critical data, the CPU triggers the page exception function, which makes a judgement. If the result is a page fault (also called a faulting page; after a page fault occurs, the handler checks whether the faulting page contains protected data or code and, if so, applies the special processing; pages are numbered, and each page number corresponds to 4 KiB of contiguous storage on x86; the base page size is architecture-dependent, and x86-64 also uses a 4 KiB base page rather than the 8 KiB sometimes quoted for 64-bit CPUs) and the missing page belongs to the critical data address range of this software process, the critical data kept in the driver of the software protection device are decrypted and restored, and control returns to the software for use. If the result is a page protection exception, or the missing page does not belong to the critical data address range, nothing is done and the original page exception function of the system is executed.
According to an aspect of the present invention, when the extracted data are written into the driver, they are written in the form of an array or in another form (for example, stored as a file).
According to an aspect of the present invention, the encryption and decryption of the critical data in the driver may use a symmetric algorithm (such as AES or DES) or an asymmetric algorithm (such as RSA or ECC).
Hooking the system page exception starts by locating the IDT with the sidt instruction, which reads the IDTR register. Note that on x86 sidt itself executes at any privilege level unless UMIP (User-Mode Instruction Prevention) is enabled; it is modifying the IDT it points to that requires ring 0, which is why the hook lives in the driver. In addition, according to another embodiment of the invention, under the Linux operating system the corresponding instruction sequence is as follows:
// read IDTR with sidt and take the 32-bit IDT base address from bytes 2..5
// (bytes 0..1 hold the 16-bit limit; on x86-64 IDTR is 10 bytes and the base is 64-bit)
unsigned char idtr[6];
unsigned long base;
asm("sidt %0" : "=m"(idtr));
base = *((unsigned long *)&idtr[2]);
Clearly, the IDT belongs to the CPU architecture, so it differs little between operating systems.
IDT = Interrupt Descriptor Table
Taking Windows x86 as the example here (according to an embodiment of the present invention, only the 32-bit operating system is taken as the example; other operating systems can be handled similarly):
The IDT is a linear table of 256 entries; each entry is an 8-byte descriptor, so the whole IDT occupies 256*8 = 2048 bytes, and each interrupt vector is associated with one interrupt handling routine. An interrupt vector is the number from 0 to 255 that identifies each interrupt or exception; Intel calls this number the vector.
The operating system records the position and size of the IDT in the IDTR register.
The IDTR register is a 48-bit register that holds the IDT information. Its low 16 bits are the limit, the size of the IDT in bytes minus one, which is 0x7FF for a full table of 256 entries; its high 32 bits are the base address of the IDT. The sidt instruction reads the contents of IDTR and thereby finds the position of the IDT in memory. An exemplary description of IDTR follows. Those skilled in the art will readily understand this description and may make similar conversions, modifications, replacements, additions and deletions, all of which fall within the scope of the present invention.
// IDTR
#pragma pack(1)
typedef struct _IDTR
{
    USHORT limit;      // size of the IDT in bytes minus one
    USHORT LowBase;    // low 16 bits of the IDT base address
    USHORT HighBase;   // high 16 bits of the IDT base address
} IDTR, *PIDTR;
#pragma pack()
// IDT entry table
#pragma pack(1)
typedef struct _IDT_ENTRY
{
    USHORT offset_low;    // bits 0..15 of the handler address
    USHORT selector;      // code segment selector of the handler
    UCHAR  reserved;
    UCHAR  type:4;        // gate type (0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate)
    UCHAR  always0:1;
    UCHAR  dpl:2;         // descriptor privilege level
    UCHAR  present:1;
    USHORT offset_high;   // bits 16..31 of the handler address
} IDT_ENTRY, *PIDT_ENTRY;
#pragma pack()
Once the address of the IDT has been obtained, the IDT as a whole is an array of such structures, of which entry 0x0E describes the page exception: its two members offset_low and offset_high together form one address, the page exception handling function of the system, which handles all page exceptions in the system. That address is replaced by the address of a self-defined page exception filter function, and the address of the original page exception function of the system is kept in the driver so that it can be called when the restore operation does not apply. On a multi-core CPU each processor has its own IDT, so the IDT of every CPU has to be processed. (On 64-bit Windows, Kernel Patch Protection checks the IDT and bug-checks the system after such a modification; this is one reason the embodiment is limited to 32-bit.) As an example, exemplary code for processing the IDT on a multi-core CPU is given below. For a person skilled in the art the following code serves only as an example and does not limit the invention; any other form or manner that a person skilled in the art designs, writes or generates on the basis of it falls within the scope claimed by the present invention.
// hook page fault handling on each processor of a multi-core CPU
CCHAR CpuCount = *KeNumberProcessors;
CCHAR Cpu;
for (Cpu = 0; Cpu < CpuCount; Cpu++)
{
    // bind the current thread to one CPU; the affinity argument is a bit mask, not a CPU index
    KeSetAffinityThread(KeGetCurrentThread(), (KAFFINITY)1 << Cpu);
    // hook page fault handling in this CPU's IDT: read IDTR with sidt, save entry 0x0E, replace it
}
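The IDTR and IDT_ENTRY layouts above, and the swap of entry 0x0E, can be exercised without a kernel. The C program below is an added example and not the patent's code: it decodes a constructed sidt result, installs a hook on a constructed copy of a 32-bit IDT held in user memory, keeps the original handler address the way the driver would, and refuses to hook a gate that is not present. The addresses 0x8053A000 and 0xF8A12340 are made up for the demonstration; writing the real IDT needs ring 0 and is not attempted here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IDT_ENTRIES    256
#define VEC_PAGE_FAULT 0x0E

#pragma pack(push, 1)
typedef struct {
    uint16_t limit;   /* size of the IDT in bytes minus one: 0x7FF for 256 entries */
    uint32_t base;    /* linear address of the IDT */
} IDTR32;

typedef struct {
    uint16_t offset_low;   /* handler address bits 0..15 */
    uint16_t selector;     /* kernel code segment selector */
    uint8_t  reserved;
    uint8_t  type_attr;    /* type:4 | always0:1 | dpl:2 | present:1 */
    uint16_t offset_high;  /* handler address bits 16..31 */
} IDT_ENTRY32;
#pragma pack(pop)

/* Decode the 6 bytes that `sidt` stores: limit in bytes 0..1, base in bytes 2..5. */
static IDTR32 idtr_decode(const uint8_t raw[6]) {
    IDTR32 r;
    memcpy(&r, raw, sizeof r);
    return r;
}

/* Handler address = offset_high:offset_low. */
static uint32_t idt_handler(const IDT_ENTRY32 *e) {
    return ((uint32_t)e->offset_high << 16) | e->offset_low;
}

static int idt_present(const IDT_ENTRY32 *e) { return (e->type_attr >> 7) & 1; }

/* Swap the handler of `vector` for `new_handler` and return the original address so the
 * filter can chain to it. Only the two offset halves change; selector, gate type and DPL
 * stay, so the CPU keeps dispatching through a kernel interrupt gate. Returns 0 when the
 * vector lies outside the IDT limit or the gate is not present (hooking it would be a bug). */
static uint32_t idt_hook(IDT_ENTRY32 *idt, const IDTR32 *idtr, unsigned vector, uint32_t new_handler) {
    if ((vector + 1u) * sizeof(IDT_ENTRY32) - 1 > idtr->limit) return 0;
    if (!idt_present(&idt[vector])) return 0;
    uint32_t old = idt_handler(&idt[vector]);
    idt[vector].offset_low  = (uint16_t)(new_handler & 0xFFFF);
    idt[vector].offset_high = (uint16_t)(new_handler >> 16);
    return old;
}

static uint32_t g_saved_kitrap0e;  /* what the driver keeps in order to call the original later */

/* Worked scenario on a constructed IDT. Returns 1 when hook and unhook behave as intended. */
static int hook_demo(void) {
    static IDT_ENTRY32 idt[IDT_ENTRIES];                               /* constructed stand-in for one CPU's IDT */
    const uint8_t raw_idtr[6] = { 0xFF, 0x07, 0x00, 0x00, 0x80, 0x80 }; /* constructed sidt output */
    const uint32_t fake_kitrap0e = 0x8053A000u;                        /* constructed, not a real address */
    const uint32_t my_filter     = 0xF8A12340u;                        /* constructed filter address */

    IDTR32 idtr = idtr_decode(raw_idtr);
    if (idtr.limit != IDT_ENTRIES * sizeof(IDT_ENTRY32) - 1) return 0;
    if (idtr.base != 0x80800000u) return 0;

    memset(idt, 0, sizeof idt);
    idt[VEC_PAGE_FAULT].offset_low  = (uint16_t)(fake_kitrap0e & 0xFFFF);
    idt[VEC_PAGE_FAULT].offset_high = (uint16_t)(fake_kitrap0e >> 16);
    idt[VEC_PAGE_FAULT].selector    = 0x08;   /* kernel CS */
    idt[VEC_PAGE_FAULT].type_attr   = 0x8E;   /* present, DPL 0, 32-bit interrupt gate */

    g_saved_kitrap0e = idt_hook(idt, &idtr, VEC_PAGE_FAULT, my_filter);
    if (g_saved_kitrap0e != fake_kitrap0e) return 0;
    if (idt_handler(&idt[VEC_PAGE_FAULT]) != my_filter) return 0;
    if (idt[VEC_PAGE_FAULT].selector != 0x08 || idt[VEC_PAGE_FAULT].type_attr != 0x8E) return 0;

    if (idt_hook(idt, &idtr, 0x0F, my_filter) != 0) return 0;           /* absent gate: refused */
    if (idt_hook(idt, &idtr, VEC_PAGE_FAULT, g_saved_kitrap0e) != my_filter) return 0; /* unhook */
    return idt_handler(&idt[VEC_PAGE_FAULT]) == fake_kitrap0e;
}

int main(void) {
    printf("IDT hook demo: %s\n", hook_demo() ? "ok" : "FAILED");
    return 0;
}
```

The limit check is the one the driver should also perform on the value read from IDTR before indexing entry 0x0E, and the unhook path shows why the original address must be stored: the driver has to put it back when it unloads, or every later page fault on that CPU jumps into unmapped driver memory.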
Referring to Fig. 1, which is an overall schematic of the software running flow:
In step 101, the data that need protection in the protected software are moved into the driver of the software protection device;
In step 102, before the protected software uses the data, the driver of the software protection device is loaded and made to hook the page exception;
In step 103, when the protected software needs to read, write or execute the protected data, the original data are written back.
Referring to Fig. 2, which is an overall flow schematic of a preferred embodiment of the method of protecting software data according to the present invention.
This embodiment assumes that, on a Windows x86 platform, there is a software A containing a section of critical data D (which is only read), and that software A needs to read critical data D when it responds to a menu bar operation.
1. First, critical data D is taken out of software A, encrypted and placed into the driver B of the software protection device (the encrypted data can be stored in driver B as one contiguous block and used as data); then the location of critical data D in software A is cleared to 0.
2. At the start of the routine in software A that responds to the menu bar operation, driver B is loaded; driver B then hooks _KiTrap0E (note: this function is the page fault handling function under the Windows system; according to one embodiment of the present invention the name _KiTrap0E applies only to Windows, and under Linux the function has another name, but the difference between operating systems is not the focus of the present invention and is omitted here). The IDT is located with the sidt instruction, and entry 0x0E of the IDT holds the entry address of _KiTrap0E.
3. After software A runs and the menu item is clicked, driver B is loaded and sets the PTE of the page holding critical data D, which it has computed, to invalid. Those skilled in the art will readily understand this description and may make similar conversions, modifications, replacements, additions and deletions, all of which fall within the scope of the present invention.
// obtain the PTE of the page containing an address (summary of this function's behaviour;
// 0xC0300000 and 0xC0000000 are the self-map addresses of the page directory and the page
// tables on non-PAE 32-bit Windows, which is the configuration this embodiment assumes)
#define PROCESS_PAGE_DIR_BASE   0xC0300000
#define PROCESS_PAGE_TABLE_BASE 0xC0000000
typedef ULONG *PPTE;

PPTE GetPteAddress(PVOID VirtualAddress)
{
    PPTE pPTE = 0;
    __asm
    {
        cli                              // disable interrupts
        pushad
        mov  esi, PROCESS_PAGE_DIR_BASE
        mov  edx, VirtualAddress
        mov  eax, edx
        shr  eax, 22                     // page directory index
        lea  eax, [esi+eax*4]            // pointer to the page directory entry
        test dword ptr [eax], 0x80       // PS bit set: is it a large page?
        jnz  Is_Large_Page
        mov  esi, PROCESS_PAGE_TABLE_BASE
        shr  edx, 12                     // page table index
        lea  eax, [esi+edx*4]            // pointer to the page table entry (PTE)
        mov  pPTE, eax
        jmp  Done
        // NOTE: there is no page table for a large page, because
        // the physical frame is contained in the page directory entry itself
    Is_Large_Page:
        mov  pPTE, eax                   // return the PDE instead
    Done:
        popad
        sti                              // re-enable interrupts
    } // end asm
    return pPTE;
} // end GetPteAddress
// set the PTE of critical data D to invalid
push eax                            // eax = address of critical data D
call GetPteAddress
add  esp, 4                         // GetPteAddress is cdecl: the caller removes the argument
mov  ebx, eax                       // ebx = pPte
and  dword ptr [ebx], 0xFFFFFFFE    // clear the Present bit: mark the page not present
4. The assembler instruction invlpg is used to clear the TLB entry, to guarantee that the page exception is triggered on the read ("triggering page exception" in Fig. 2). Software A then reads critical data D (at this point the original location of critical data D in software A contains only zeros). The read triggers the page exception, which first enters the filter function hooked in place of _KiTrap0E (after the page exception is triggered the system would enter _KiTrap0E, but because the present invention has hooked that function beforehand, _KiTrap0E_Filter runs first; if the conditions below are not all met, it calls the system's _KiTrap0E, otherwise it decrypts and restores the data and returns directly). The filter uses the error code to judge the following conditions:
a. the fault is a page-miss (not-present) fault;
b. the faulting process is the process of software A;
c. the fault occurred on a read;
d. the exception occurred in user mode;
e. the faulting address (read from the CR2 register) lies within the address range of critical data D in software A.
When all of the above conditions are met, the critical data kept in driver B are decrypted and copied directly to the original address in software A. Critical data D is now fully restored, and software A can read it normally.
For security, when critical data D is not in use, its region should be cleared to 0 and driver B notified to disable the page exception hook, so that the security of critical data D is protected to the greatest extent.
The above is only a preferred embodiment of the present invention and is not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in its scope of protection.
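The procedure of steps 1 to 4 and the conditions a to e of the filter can be modelled end to end in user space. The C program below is an added example and not the driver code of the patent: it extracts a constructed secret from a buffer that stands in for the page of software A, records address and length, encrypts the copy into a store standing in for driver B, zeroes the original, and then feeds the filter the x86 page-fault error code, a CR2 value and a process id to decide whether to decrypt back in place or chain to the original handler. XOR with a one-byte key is a placeholder for the AES/DES or RSA/ECC the text allows, the process check is modelled by passing the faulting process id, and the page check is page-granular as step 4 describes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
/* x86 page-fault error code bits pushed by the CPU on #PF */
#define PF_PRESENT 0x1u   /* set: protection violation; clear: not-present page */
#define PF_WRITE   0x2u   /* set: write access; clear: read access */
#define PF_USER    0x4u   /* set: fault raised in user mode */

typedef struct {
    uintptr_t addr;       /* original address of D inside software A */
    size_t    len;        /* length recorded at extraction time */
    uint32_t  owner_pid;  /* process of software A; the driver compares the current process */
    uint8_t  *cipher;     /* encrypted copy kept in driver B */
    uint8_t   key;        /* placeholder key; a real driver uses a real cipher */
} protected_region;

/* Steps 1 and 2: record addr/len, encrypt D into the driver store, zero the original. */
static void extract_region(protected_region *r, uint8_t *data, size_t len,
                           uint32_t pid, uint8_t key, uint8_t *store) {
    r->addr = (uintptr_t)data; r->len = len; r->owner_pid = pid;
    r->key = key; r->cipher = store;
    for (size_t i = 0; i < len; i++) store[i] = data[i] ^ key;  /* XOR stands in for the cipher */
    memset(data, 0, len);                                       /* "clear to 0" of step 1 */
}

/* Conditions a-e. The fault is ours if the 4 KiB page containing CR2 overlaps [addr, addr+len). */
static bool pf_should_restore(const protected_region *r, uint32_t err,
                              uintptr_t cr2, uint32_t pid) {
    if (err & PF_PRESENT) return false;      /* a: page-miss only, not a protection fault */
    if (pid != r->owner_pid) return false;   /* b: only software A's own process */
    if (err & PF_WRITE) return false;        /* c: D is read-only, handle reads only */
    if (!(err & PF_USER)) return false;      /* d: user-mode fault only */
    uintptr_t page = cr2 & ~(uintptr_t)(PAGE_SIZE - 1);
    return page < r->addr + r->len && page + PAGE_SIZE > r->addr;  /* e: page holds part of D */
}

/* Decrypt from the driver store back onto the original address. */
static void restore_region(const protected_region *r) {
    uint8_t *dst = (uint8_t *)r->addr;
    for (size_t i = 0; i < r->len; i++) dst[i] = r->cipher[i] ^ r->key;
}

/* Model of _KiTrap0E_Filter: 1 = restored, return to software A;
 * 0 = not ours, chain to the saved original _KiTrap0E. */
static int pf_filter(const protected_region *r, uint32_t err, uintptr_t cr2, uint32_t pid) {
    if (!pf_should_restore(r, err, cr2, pid)) return 0;
    restore_region(r);
    return 1;
}

/* Constructed scenario: g_page stands in for the page of software A that holds D. */
static const char g_secret[] = "MENU-BAR-KEY-0123456789ABCDEF";
static uint8_t g_page[64];
static uint8_t g_store[64];
static protected_region g_region;

static int demo_restore(void) {
    const uint32_t pid_a = 1234, pid_other = 4321;
    memcpy(g_page, g_secret, sizeof g_secret);
    extract_region(&g_region, g_page, sizeof g_secret, pid_a, 0x5A, g_store);
    if (g_page[0] != 0) return 0;                                   /* original wiped */
    if (memcmp(g_store, g_secret, sizeof g_secret) == 0) return 0;  /* store is not plaintext */
    /* faults that must fall through to the original handler and leak nothing */
    if (pf_filter(&g_region, PF_USER, (uintptr_t)g_page, pid_other)) return 0;
    if (pf_filter(&g_region, PF_USER | PF_WRITE, (uintptr_t)g_page, pid_a)) return 0;
    if (pf_filter(&g_region, 0, (uintptr_t)g_page, pid_a)) return 0;             /* kernel mode */
    if (pf_filter(&g_region, PF_USER | PF_PRESENT, (uintptr_t)g_page, pid_a)) return 0;
    if (g_page[0] != 0) return 0;
    /* a user-mode read miss on the page holding D is restored in place */
    if (!pf_filter(&g_region, PF_USER, (uintptr_t)g_page + 5, pid_a)) return 0;
    return memcmp(g_page, g_secret, sizeof g_secret) == 0;
}

int main(void) {
    printf("page-fault filter demo: %s\n", demo_restore() ? "ok" : "FAILED");
    return 0;
}
```

Two things the model leaves out matter in a real driver. The page is not present when the filter runs, so the driver must first set the Present bit of the PTE again and execute invlpg before copying onto the original address, otherwise the copy itself faults inside the fault handler; and after software A has finished with D the region should be zeroed and the PTE invalidated again, otherwise the plaintext stays readable in the process for the rest of its lifetime.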