Summary of the invention
To remove the security risk that arises when software, during execution, visibly calls the corresponding platform application programming interface (API), and to increase the difficulty a cracker faces in analyzing and debugging it, the invention provides a method of software protection by means of the application programming interface. In the present invention, the code of all or part of the application programming interfaces used by the software is transplanted into an encryption lock (dongle) and executed there; the protected software receives the result returned by the encryption lock, arranges the argument structure, and then calls the system instruction sysenter (sysenter is an assembly instruction on the WINDOWS platform for entering the kernel state of the system; it belongs to the prior art and is described in the Intel CPU instruction set) to carry out the corresponding operation; after it completes, the execution result is returned to the encryption lock, and after the encryption lock has processed it, the result is returned to the protected software. The present invention does not require transplanting the software's own code; by transplanting and processing the application programming interface it can effectively improve software security.
According to the present invention, a method of protecting software by means of a software protection device is provided, the software protection device being connected to a host, the method comprising:
Step 1: transplanting the application programming interface required for execution of the protected software into the software protection device;
Step 2: modifying the code in the protected software that calls the application programming interface into code that calls the software protection device;
Step 3: when the protected software runs and reaches the call to the application programming interface, calling the software protection device;
Step 4: the software protection device receiving the call request, performing the corresponding computation according to the call request and, after completion, returning the operation result to the protected software;
Step 5: the protected software receiving the operation result and executing the corresponding operating system function;
Step 6: after completion, returning the execution result to the protected software, which then executes the subsequent code in order.
According to one aspect of the present invention, the application programming interface functions, parameters and the like are encrypted.
According to one aspect of the present invention, the application programming interface transplanted into the software protection device is stored in the form of an application programming interface list with an index, or in the form of a list of application programming interface function names, or in the form of application programming interface code snippets.
According to one aspect of the present invention, when the software protection device is called, the function name and parameters are passed, or the application programming interface index is passed.
According to one aspect of the present invention, the computation inside the software protection device comprises searching the function list according to the function index and function parameters and finding the corresponding application programming interface.
According to one aspect of the present invention, after the software protection device has found the corresponding function internally, it processes the parameters.
According to one aspect of the present invention, the parameter processing comprises character code conversion and numerical conversion.
According to one aspect of the present invention, steps 3 and 4 are carried out repeatedly.
According to one aspect of the present invention, in step 5 the protected software calls the operating system through the assembly instruction that enters the system kernel.
According to another aspect of the present invention, a software protection device for realizing software protection is provided, the software protection device being connected to a host and comprising:
a memory module for storing the application programming interface list information transplanted into the software protection device;
a communication module for communication between the protected software and the software protection device;
a computing module for performing computing operations inside the software protection device;
wherein the application programming interface required for execution of the protected software is transplanted into the memory module of the software protection device;
when the protected software runs and reaches the call to the application programming interface, it calls the software protection device;
the software protection device receives the call request through the communication module, performs the corresponding computation according to the call request by means of the computing module and, after completion, returns the operation result to the protected software through the communication module.
According to another aspect of the present invention, the memory module also stores the key used by the encryption and decryption algorithm and/or partial code fragments.
According to another aspect of the present invention, the computing operations comprise encryption and decryption, character code conversion and the like.
According to another aspect of the present invention, the application programming interface transplanted into the software protection device is stored in the form of an application programming interface list with an index, or in the form of a list of application programming interface function names, or in the form of application programming interface code snippets.
By the method provided by the present invention, the application programming interface is transplanted into the encryption lock and executed there, which removes the security risk that arises when software, during execution, visibly calls the corresponding platform application programming interface, increases the difficulty a cracker faces in analyzing and debugging it, and improves the security of the software, while leaving the running speed of the software essentially unaffected.
Embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described below in more detail with reference to the accompanying drawings and embodiments.
According to one embodiment of the present invention, a method for realizing software protection is provided, the specific steps comprising:
1. transplanting all or part of the WINDOWS application programming interface required for execution of the protected software into the encryption lock;
2. modifying the part of the protected software that calls the application programming interface into code that calls the encryption lock;
3. when the protected software runs and reaches the part that calls the application programming interface, calling the encryption lock;
4. the encryption lock performing the processing internally and, when processing is complete, returning the result to the protected software;
5. the protected software receiving the result returned by the encryption lock, calling sysenter to obtain the result, and executing the subsequent code of the protected software in order.
According to one embodiment of the present invention, steps 3 and 4 are carried out repeatedly.
According to one embodiment of the present invention, in step 4 the processing performed inside the encryption lock comprises character code conversion, numerical conversion, encryption and decryption, or searching for the application programming interface function required for execution according to an index or function name. The application programming interface includes but is not limited to CreateEventA, CreateMutexA and the like.
According to one embodiment of the present invention, in step 5 sysenter is the assembly instruction that enters the system kernel.
According to one embodiment of the present invention, a device for realizing software protection is provided, the device being an encryption device that has an execution environment inside it, such as an encryption lock, the device specifically comprising:
a memory module for storing the application programming interface list information transplanted into the encryption lock, which can also store the key used by the encryption and decryption algorithm and partial code fragments;
a communication module for communication between the protected software and the encryption lock;
a computing module for performing computing operations inside the encryption lock, including encryption and decryption, character code conversion and the like.
As shown in Figure 2, a method for protecting software is provided, the specific steps comprising:
1. transplanting all or part of the WINDOWS API required for execution of the protected software into the encryption lock;
2. modifying the code in the protected software that calls the API part into code that calls the encryption lock;
3. when the protected software runs and reaches the call to the API part, calling the encryption lock;
4. the encryption lock receiving the call request, searching for the corresponding API or performing the corresponding computation according to the call request and, after completion, returning the result to the protected software;
5. the protected software receiving the returned result and calling sysenter to execute the corresponding operating system function;
6. after completion, returning the result to the protected software, which then executes the subsequent code in order.
According to one aspect of the present invention, the WINDOWS API transplanted into the encryption lock may be stored in the form of an API list with an index, or in the form of an API function name list or API code snippets.
According to one aspect of the present invention, when the software calls the encryption lock in step 3, it may pass the function name and parameters (that is, the corresponding function is found directly by its function name inside the encryption lock) or the API index.
According to one aspect of the present invention, in step 4 the computation inside the encryption lock comprises searching the function list according to the function index (and function parameters), finding the corresponding API and returning it to the protected software.
According to one aspect of the present invention, after the encryption lock has found the corresponding function internally, it may process the parameters, including character code conversion, numerical conversion and the like.
According to one aspect of the present invention, to improve security an encryption policy may be adopted whereby the API functions, parameters and the like are encrypted.
According to one aspect of the present invention, in step 4 a character code conversion operation may be performed: according to the request from the protected software, character conversion (for example ANSI to Unicode) or numerical conversion is carried out internally (for numerical conversion the encryption lock holds a numerical conversion list or conversion algorithm internally; according to the value passed in, the result is returned after computation, for example 1 is converted to 40 and 2 is converted to 41); after conversion, the result is returned to the protected software.
According to one aspect of the present invention, steps 3 and 4 are carried out repeatedly.
According to one aspect of the present invention, in step 5 sysenter is the assembly instruction that enters the system kernel.
According to one aspect of the present invention, after the software receives the result returned by the encryption lock in step 5, it may arrange the function parameter structure. A simplified example is given directly below; a further example with pseudocode follows later.
According to one aspect of the present invention, the function parameter structure is arranged as follows. For example, the WINDOWS API Fun1(a, b) calls Fun2(a, b, c), where Fun1 and Fun2 denote two functions and c is a preset parameter with the value 400; Fun2 calls sysenter with the parameters a', b' and c and so completes the whole function. First, the code of Fun1 and Fun2 is implanted into the encryption lock; then the parameter values a', b' and c that are finally passed to sysenter are returned to the protected software, which pushes the parameters a', b' and c and calls sysenter to complete the whole process.
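The lookup by index or by function name, the numerical conversion list and the arrangement of a', b', c described in the preceding paragraphs, written out as an added C example of the encryption-lock side. This is not code from the patent: the request and result layouts, the table rows beyond 1 to 40 and 2 to 41, the handler functions and the names dongle_dispatch, ApiRequest and ApiResult are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical call request: addressed either by API index or by function
   name, carrying Fun1's two parameters a and b (the patent fixes no layout). */
typedef struct {
    int      by_index;      /* nonzero: match on index, else on name */
    uint32_t index;
    char     name[32];
    uint32_t a, b;
} ApiRequest;

/* Arranged parameters a', b', c that go back to the protected program,
   which then pushes them and issues sysenter itself. */
typedef struct {
    int      found;         /* 0 when no API in the list matched */
    uint32_t a_prime, b_prime, c;
} ApiResult;

#define PRESET_C 400        /* c is preset to 400 in the text's example */

/* Numerical conversion list held inside the dongle: 1 -> 40 and 2 -> 41 are
   from the text; the third row is constructed for this example. */
static const struct { uint32_t in, out; } kNumericTable[] = {
    {1, 40}, {2, 41}, {3, 42},
};

static uint32_t convert_numeric(uint32_t v) {
    size_t i;
    for (i = 0; i < sizeof kNumericTable / sizeof kNumericTable[0]; i++)
        if (kNumericTable[i].in == v) return kNumericTable[i].out;
    return v;               /* values not in the list pass through unchanged */
}

typedef ApiResult (*ApiHandler)(uint32_t a, uint32_t b);

/* Fun1(a, b) -> Fun2(a', b', c): both parameters are converted inside the
   dongle and c is preset; only the arranged values leave the device. */
static ApiResult fun1_handler(uint32_t a, uint32_t b) {
    ApiResult r = {1, convert_numeric(a), convert_numeric(b), PRESET_C};
    return r;
}

/* Handler for an API whose parameters need no conversion (constructed). */
static ApiResult passthrough_handler(uint32_t a, uint32_t b) {
    ApiResult r = {1, a, b, 0};
    return r;
}

/* API list in the dongle's memory module: index, name and handler. */
static const struct { uint32_t index; const char *name; ApiHandler fn; } kApiList[] = {
    {0, "Fun1",         fun1_handler},
    {1, "CreateEventA", passthrough_handler},
};

/* Search the list by index or by name and run the matching handler. */
ApiResult dongle_dispatch(const ApiRequest *req) {
    size_t i, n = sizeof kApiList / sizeof kApiList[0];
    for (i = 0; i < n; i++) {
        int match = req->by_index
            ? (kApiList[i].index == req->index)
            : (strncmp(kApiList[i].name, req->name, sizeof req->name) == 0);
        if (match) return kApiList[i].fn(req->a, req->b);
    }
    ApiResult none = {0, 0, 0, 0};
    return none;            /* unknown API: nothing is executed or returned */
}
```

An unmatched request yields found == 0, so the host side can refuse to push anything and call sysenter when the dongle did not recognise the call.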
As shown in Figure 1, a device for realizing software protection is provided, specifically comprising:
a memory module for storing the WINDOWS API list information transplanted into the encryption lock. According to one embodiment of the present invention, the list may take the form of files, such as CreateEventA.bin. In addition, the memory module may also store the key used by the encryption and decryption algorithm and partial code fragments;
a communication module for communication between the protected software and the encryption lock;
a computing module for performing computing operations inside the encryption lock, including encryption and decryption, character code conversion and the like.
In the present invention, all or part of the WINDOWS API required by the protected software is first transplanted into the memory module of the encryption lock.
Then the transplanted API is stored in the memory module in a form such as a list, a list with an index, or code snippets. According to one embodiment of the present invention, the list or index form may be a file, such as CreateEventA.bin, so that it can be executed directly by name.
Then the code in the protected software that calls the API part is modified into code that calls the encryption lock; when the protected software runs and reaches the call to the API part, it calls the encryption lock and sends a call request to it. According to one embodiment of the present invention, the call request may contain the API index or the API name.
After receiving the request, the encryption lock searches for the corresponding WINDOWS API according to the API index or API name and then performs the corresponding operation. According to one embodiment of the present invention, it may for example return the WINDOWS API directly to the protected software, or process the API function parameters (character or numeric code conversion and the like) and then return them to the protected software.
The software receives the result returned by the encryption lock, arranges the argument structure as required (mainly putting the parameters in the order in which they are passed to sysenter), then calls sysenter to execute the corresponding operating system function; after completion the result is returned to the protected software, which executes the subsequent code in order.
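The request and response exchange between the protected software and the encryption lock described in the preceding paragraphs, as an added C example that is not from the patent. The byte layout of the two frames, the function names and the 64-byte buffers are assumptions of this example; the dongle side performs the CreateEventA.bin widening (ANSI byte followed by a zero byte, two zero bytes as terminator), and the host side copies a result out only after checking that the declared length matches the frame it received and fits the destination buffer.

```c
#include <stdint.h>
#include <string.h>

/* Constructed framing (assumption): the patent only says a request carries
   an API index or name plus parameters.
   Request:  [tag:1][name_len:1][name bytes][param_len:2 LE][param bytes]
   Response: [result_len:2 LE][result bytes] */
enum { REQ_BY_NAME = 1, REQ_BY_INDEX = 2 };

/* Host side: build a by-name request. Returns frame length, or 0 if it
   would not fit in out_cap. */
size_t host_build_request(uint8_t *out, size_t out_cap, const char *api_name,
                          const uint8_t *param, uint16_t param_len) {
    size_t name_len = strlen(api_name);
    size_t total = 1 + 1 + name_len + 2 + param_len;
    if (name_len > 255 || total > out_cap) return 0;
    out[0] = REQ_BY_NAME;
    out[1] = (uint8_t)name_len;
    memcpy(out + 2, api_name, name_len);
    out[2 + name_len] = (uint8_t)(param_len & 0xFF);
    out[3 + name_len] = (uint8_t)(param_len >> 8);
    memcpy(out + 4 + name_len, param, param_len);
    return total;
}

/* Dongle side: parse the frame with bounds checks, look up the API by name
   and run the stored CreateEventA.bin conversion. Returns response length,
   or 0 when the frame is malformed, the API is unknown or the reply would
   not fit. */
size_t dongle_handle(const uint8_t *req, size_t req_len,
                     uint8_t *resp, size_t resp_cap) {
    if (req_len < 4 || req[0] != REQ_BY_NAME) return 0;
    size_t name_len = req[1];
    if (req_len < 4 + name_len) return 0;
    uint16_t param_len = (uint16_t)(req[2 + name_len] | (req[3 + name_len] << 8));
    if (req_len != 4 + name_len + param_len) return 0;   /* length must match exactly */
    const uint8_t *param = req + 4 + name_len;
    if (name_len != 12 || memcmp(req + 2, "CreateEventA", 12) != 0) return 0;
    size_t out_len = (size_t)param_len * 2 + 2;          /* widened bytes + terminator */
    if (2 + out_len > resp_cap) return 0;
    size_t i;
    for (i = 0; i < param_len; i++) {
        resp[2 + 2 * i] = param[i];
        resp[3 + 2 * i] = 0;
    }
    resp[2 + 2 * param_len] = 0;
    resp[3 + 2 * param_len] = 0;
    resp[0] = (uint8_t)(out_len & 0xFF);
    resp[1] = (uint8_t)(out_len >> 8);
    return 2 + out_len;
}

/* Host side: accept the result only if the declared length is consistent
   with the frame and fits the caller's buffer. Returns 1 on success. */
int host_read_response(const uint8_t *resp, size_t resp_len,
                       uint8_t *dst, size_t dst_cap, size_t *out_len) {
    if (resp_len < 2) return 0;
    size_t declared = resp[0] | (resp[1] << 8);
    if (declared != resp_len - 2 || declared > dst_cap) return 0;
    memcpy(dst, resp + 2, declared);
    *out_len = declared;
    return 1;
}

/* End-to-end: number of Unicode bytes produced for name, 0 on any failure. */
size_t convert_name_via_dongle(const char *name, uint8_t *dst, size_t dst_cap) {
    uint8_t req[64], resp[64];
    size_t n = host_build_request(req, sizeof req, "CreateEventA",
                                  (const uint8_t *)name, (uint16_t)strlen(name));
    if (!n) return 0;
    size_t m = dongle_handle(req, n, resp, sizeof resp);
    if (!m) return 0;
    size_t out = 0;
    return host_read_response(resp, m, dst, dst_cap, &out) ? out : 0;
}
```

The host never trusts result_len on its own: a reply whose declared length disagrees with the bytes actually received, or exceeds the buffer allocated for (uiLen + 1) * 2 bytes, is rejected instead of copied.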
Embodiment 1
Take the WINDOWS API CreateEventA (on the WINDOWS 7 platform this is a relatively commonly used WINDOWS API; its function is to create or open a named or unnamed event object) as an example. According to one embodiment of the present invention, in this embodiment only the character string conversion is placed in the encryption lock. This embodiment is only an example and is not to be construed as limiting the invention. Those skilled in the art can modify, add to or delete from this embodiment entirely according to the essence of the present invention without departing from the scope of the present invention. Specifically, the implementation process of this embodiment is as follows:
(1) the WINDOWS API CreateEventA and the other APIs that the application program needs are transplanted into the memory module of the encryption device;
(2) a function A that converts an ANSI character string to a Unicode character string is implemented inside the encryption lock. Here a simple ANSI-to-Unicode demonstration code for English is written: the demonstration code appends one 0 byte after each single character and then uses two 0 bytes as the terminator. The demonstration code is given below; it is only one embodiment and is not to be construed as limiting the invention;
(3) when the software calls the encryption lock, it passes the function (including the function name and the parameters, the parameters being in ANSI form);
(4) the encryption lock receives the request to call its internal function sent by the host connected to it, the request carrying the function name and parameters. According to the function name the encryption lock searches for the corresponding WINDOWS API CreateEventA stored in the encryption lock, calls the function A of the above step inside the encryption lock to perform the character conversion on the function parameters in the request, and returns the Unicode character string;
(5) the software uses the API InitializeObjectAttributes (this API initializes the POBJECT_ATTRIBUTES structure used below; the structure specifies the attributes of an object handle and is initialized with InitializeObjectAttributes; refer to the WDK 6000 help. WDK refers to the Windows Driver Kit, a fully integrated driver development system that includes the Windows Driver Device Kit (DDK) and is used to test the reliability and stability of Windows drivers);
(6) the API initializes the POBJECT_ATTRIBUTES structure (this structure is one of the parameters supplied to the ZwCreateEvent function, which is a self-implemented version of the existing function; its code is given below), then calls the self-implemented ZwCreateEvent (implemented by the protected software) and passes in the parameters (inside the ZwCreateEvent function the function number 0x40 is placed in the eax register and sysenter is invoked to trap into the kernel; after it returns, the WINDOWS API RtlSetLastWin32Error is called to set the LastError value when the value is abnormal, so that the user can conveniently check the error).
In this embodiment, the WINDOWS API CreateEventA is stored in the encryption lock, the character conversion of the function parameters is performed inside it, and the protected software passes the parameters to its own implementation of ZwCreateEvent (in step 4). The cracker therefore cannot find the API interface and cannot debug or analyze it, which increases the security of the software.
The calling pseudocode on the host side is given below:
#include <windows.h>
#include <stdlib.h>
#include <string.h>
typedef DWORD NTSTATUS;
// ntdll exports used below; they are not declared in windows.h (link with ntdll.lib)
NTSYSAPI ULONG NTAPI RtlNtStatusToDosError(NTSTATUS Status);
NTSYSAPI VOID NTAPI RtlSetLastWin32Error(ULONG dwErrCode);
// Defines a naked __stdcall function that loads the system service number into
// eax, enters the kernel through SystemEnter and pops RetN bytes of arguments
#define DEF_FUNCTION_EX(RetType, FunName, FunID, RetN, ...) \
__declspec(naked) RetType __stdcall FunName(__VA_ARGS__) \
{ \
    __asm mov eax, FunID \
    __asm mov edx, SystemEnter \
    __asm call edx \
    __asm retn RetN \
}
// Enters the kernel: edx must point at the stack so the kernel can read the
// arguments; the two emitted bytes are the sysenter instruction
__declspec(naked) void SystemEnter()
{
    __asm
    {
        mov edx, esp
        _emit 0x0F // sysenter
        _emit 0x34
        retn
    }
}
// ZwCreateEvent implemented here by the protected software itself
// (0x40 is the function number used in this embodiment; 0x14 = 5 arguments * 4 bytes)
DEF_FUNCTION_EX(NTSTATUS, ZwCreateEvent, 0x40, 0x14,
    OUT PHANDLE EventHandle,
    IN ACCESS_MASK DesiredAccess,
    IN DWORD ObjectAttributes OPTIONAL,
    IN DWORD EventType,
    IN BOOLEAN InitialState)
void AnsiStringToUnicodeString(const char* pcInMultiBytes, UINT uiBytesCount,
    unsigned char* pucWideChar, UINT uiWideCharCount, UINT* puiRetBytes)
{
    // communicate with the encryption device here; for example the function name
    // is used as the file name CreateEventA.bin
    // send CreateEventA and the parameters pcInMultiBytes, uiBytesCount to the encryption lock
    // the encryption lock converts the character string and returns it; the result is
    // stored in pucWideChar and its length in puiRetBytes
}
HANDLE WINAPI _CreateEvent(
    __in LPSECURITY_ATTRIBUTES lpEventAttributes,
    __in BOOL bManualReset,
    __in BOOL bInitialState,
    __in LPCSTR lpName
)
{
    UINT uiRet = 0;
    unsigned char* pucEventName = NULL;
    UINT uiLen = 0, uiRetLen = 0;
    HANDLE hEvent = NULL;
    UINT uiLastErrorCode = 0;
    if (lpName != NULL)
    {
        // allocate the Unicode buffer here: two bytes per character plus the terminator
        uiLen = (UINT)strlen(lpName);
        pucEventName = (unsigned char*)malloc((uiLen + 1) * 2);
        // call the encryption device to generate the Unicode character string
        AnsiStringToUnicodeString(lpName, uiLen, pucEventName, (uiLen + 1) * 2, &uiRetLen);
        // initialize the OBJECT_ATTRIBUTES structure here with InitializeObjectAttributes
    }
    // pass the following parameters to the ZwCreateEvent implemented above
    /*
    OUT PHANDLE EventHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN EVENT_TYPE EventType,
    IN BOOLEAN InitialState
    */
    // 0x001F0003 = EVENT_ALL_ACCESS; EventType 0 = NotificationEvent (manual reset),
    // 1 = SynchronizationEvent (auto reset)
    uiRet = ZwCreateEvent(&hEvent, 0x001F0003, 0, bManualReset ? 0 : 1,
                          (BOOLEAN)(bInitialState != 0));
    // set LastError from the returned NTSTATUS
    if ((int)uiRet < 0)
    {
        uiLastErrorCode = RtlNtStatusToDosError(uiRet);
    }
    else
    {
        switch (uiRet)
        {
        case 0x40000000: // STATUS_OBJECT_NAME_EXISTS
            uiLastErrorCode = 0x0B7; // ERROR_ALREADY_EXISTS
            break;
        default:
            uiLastErrorCode = 0;
        }
    }
    RtlSetLastWin32Error(uiLastErrorCode);
    if (lpName != NULL)
    {
        // release the memory allocated above
        free(pucEventName);
    }
    return hEvent;
}
Below is the bin file in the encryption device. The internal code of CreateEventA.bin (C code that simply expands each byte into two bytes):
// CreateEventA.bin: expands each ANSI byte to the two bytes (byte, 0) and appends
// a two-byte terminator (0, 0) if the input did not already end in 0;
// returns the number of Unicode bytes written
unsigned int AnsiToUnicode(const unsigned char* pucAnsi, unsigned int len,
                           unsigned char* pucUnicode)
{
    unsigned int i, j;
    for (i = 0, j = 0; i < len; j += 2, i++)
    {
        pucUnicode[j] = pucAnsi[i];
        pucUnicode[j + 1] = 0;
    }
    if (len == 0 || pucAnsi[len - 1] != 0)
    {
        pucUnicode[j] = 0;
        pucUnicode[j + 1] = 0;
        len++; // count the appended terminator
    }
    return len * 2;
}
Embodiment 2
Take the WINDOWS API CreateMutexA (on the WINDOWS 7 platform this is a relatively commonly used WINDOWS API; its function is to create or open a named or unnamed Mutex object) as an example. This embodiment is only an example and is not to be construed as limiting the invention. Those skilled in the art can modify, add to or delete from this embodiment entirely according to the essence of the present invention without departing from the scope of the present invention. Specifically, the implementation process of this embodiment is as follows:
(1) the WINDOWS API CreateMutexA that the application program needs is transplanted into the memory module of the encryption device;
(2) a function A that converts an ANSI character string to a Unicode character string is implemented in the encryption device;
(3) the application program that is to call CreateMutexA communicates with the encryption lock, calls the function A in the encryption device and receives the Unicode character string in return;
(4) the API InitializeObjectAttributes (used to initialize the POBJECT_ATTRIBUTES structure below) is used to initialize the POBJECT_ATTRIBUTES structure (one of the parameters supplied to the ZwCreateEvent function); the self-implemented ZwCreateMutant is called (a function that the programmer has to implement; a function of the same name also exists in the system, and it is the deeper-level function under CreateMutexA) and the parameters are passed in (the function number 0x4A is placed in the eax register and the interrupt is invoked); after it returns, RtlSetLastWin32Error (used to set the LastError value when the value is abnormal, so that the user can conveniently check the error) is called to set the LastError value.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.