CN106096338A - A virtualized software protection method with data-flow obfuscation - Google Patents
- Publication number
- CN106096338A (application number CN201610399231.3A)
- Authority
- CN
- China
- Prior art keywords
- handler
- instruction
- data stream
- virtual machine
- obfuscated
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Abstract
The invention discloses a virtualized software protection method with data-flow obfuscation, comprising: step 1, PE file detection; step 2, locating the critical code section; step 3, converting the native x86 instructions into virtual instructions; step 4, encoding the virtual instructions to generate the corresponding bytecode instructions; step 5, redesigning the virtual machine's dispatch structure as a two-process design; step 6, applying data-flow obfuscation to the Handlers in the virtual machine; step 7, hiding the predicate information originally in the program and adding new predicate information that constructs false execution-flow branches; step 8, reconstructing the target file. The method uses a computer system to apply virtualization protection to executable binary files under the Windows system; the protection strength is high and the method is easy to extend.
Description
Technical field
The present invention relates to the field of computer security, and specifically to a virtualized software protection method with data-flow obfuscation.
Background technology
With the development of information technology, software for computers and mobile terminals has become an indispensable part of daily life. Software generally means a program that runs on a computer; it is the intellectual product of its developers, and its development consumes substantial manpower and funds. Once released, however, software faces a wide range of threats: attackers reverse-engineer and tamper with the code to steal the core algorithms and confidential information in it and thereby gain an unfair competitive advantage. This inflicts serious losses on enterprises and software developers and seriously harms the healthy development of the software industry.
The most common software protection methods are: 1. packing, which compresses or encrypts the software; 2. junk-code insertion, which adds junk code so that disassembly produces errors; 3. code obfuscation, such as variable renaming, equivalent-instruction substitution and control-flow transformation. These methods raise the difficulty of reverse analysis to a degree, but each has its own limitations. A packed program must be unpacked (decompressed or decrypted) when it executes, so the attacker can still see the original instructions; junk-code insertion only hinders static analysis and does not stop analysis based on dynamic execution; code obfuscation relies on semantics-preserving transformations that are simple enough that their effect on reverse analysis is limited.
Virtual-machine-based software protection is a more recently developed protection method that can provide strong protection for software. Compared with traditional methods, its advantage is that it greatly increases the cost of an attacker's reverse analysis.
The traditional way of attacking a VM-protected program is to first reverse the virtual interpreter, then follow the interpreter's process of reading one bytecode at a time and calling the Handler that executes it to recover the function of each bytecode instruction, and finally simplify and analyze the function of the whole bytecode sequence to restore the function of the original program. This traditional attack requires familiarity with the structure of the virtual-machine protection and can be called an attack based on the virtual-machine architecture. The various hardening measures applied to virtual-machine protection increase the security of the virtual machine and improve its resistance to this traditional architecture-based attack.
Besides architecture-based attacks, researchers have in recent years proposed semantics-based attacks. Coogan et al. proposed a method that identifies the instructions related to system calls and can extract an instruction sequence close to that of the original, unobfuscated program. This method works well for analyzing VM-protected malware, because a malicious program that wants to perform any meaningful malicious operation must interact with system calls, and the instructions that interact with system calls can be identified as the program's critical behavior. Sharif et al. execute the program dynamically and use dynamic data-flow analysis and taint analysis to identify the content of the bytecode program and extract its semantics, and then reconstruct the execution path and behavior of the original program. Yadegari et al. collect one execution path of the program, then use dynamic taint analysis and symbolic execution for path-reachability analysis, and thereby simplify the program's control-flow graph and internal logic. Because these attacks do not depend on the structure of the virtual-machine protection, they generalize well, and the hardening measures above cannot resist such semantics-based reverse analysis well.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a virtualized software protection method with data-flow obfuscation that blocks attacks on virtualization-protected software by semantics-based data-flow analysis techniques.
To achieve the above object, the present invention adopts the following technical solution:
A virtualized software protection method with data-flow obfuscation, comprising the following steps:
Step 1: verify that the loaded file to be protected is a PE file; if so, proceed to the next step.
Step 2: designate, in the source code of the file to be protected, the critical code section that needs protection; disassemble the critical code section to obtain its x86 instruction set.
Step 3: convert the x86 instruction set obtained in step 2 into virtual instructions.
Step 4: map the virtual instructions to their corresponding Handler sequence HAS, then encrypt the mapped HAS to obtain the bytecode instructions.
Step 5: redesign the dispatch structure of the virtual machine as a two-process design, the two processes being a child process that performs the normal program function and a parent process that debugs the child. When a Handler finishes executing it raises an exception, which the parent process catches; the parent looks up the exception address and the target address the exception should jump to in its interrupt address table. If both are found, the parent points the child's EIP at the target address and resumes the child; if the lookup fails, the program is terminated.
Step 6: apply data-flow obfuscation to the Handlers in the virtual machine, making the program's data flow more complex.
Step 7: hide the predicate information originally in the program and add new predicate information that constructs false execution-flow branches.
Step 8: add a new section to the original PE file; embed the obfuscated Handlers, the bytecode instructions and the other components of the virtual machine in the new section; fill the critical code section with junk instructions; replace the instruction at the start address of the critical code section with a jump to the virtual machine entry; and regenerate the protected executable.
Further, the data-flow obfuscation of the Handlers in step 6 includes:
Taint bleaching: select the Handler to obfuscate and analyze the taint-propagation path within it; choose a register al on that path and introduce a new register ebx; when the program reaches the point where al is used, repeatedly increment ebx by 1 until the value in ebx equals the value in al, then pass the value in ebx on to the rest of the program flow.
Further, the data-flow obfuscation of the Handlers in step 6 also includes:
Over-tainting: select the Handler to obfuscate and analyze the taint-propagation path within it; choose a register used on that path, push that register onto the stack, spread the tainted data into other registers through data-transfer or arithmetic instructions, and then pop the register to restore the stack environment.
Further, step 7 specifically includes:
Using a random function to hide the jump instruction at the end of some of the Handlers in the virtual machine, increasing the complexity of the program's execution flow, and at the same time randomly adding predicate information to the Handlers to form false branches.
Further, hiding the jump instruction after a Handler specifically includes:
Constructing an exception-instruction library that stores different exception-raising instructions;
Establishing an interrupt address information table consisting of the current address of each exception instruction from the library and the target address of the basic block the exception instruction belongs to;
Using a random function to replace the jump instruction after some of the Handlers in the virtual machine with an exception instruction so that it raises an exception interrupt; after the exception interrupt is caught, looking up the current address of the exception instruction and the target address of its basic block in the interrupt address information table, and then jumping there so that the original jump target is reached.
Compared with the prior art, the present invention has the following technical features:
1. It protects binary code and is independent of the programming language used, so it is widely applicable.
2. Traditional VM protection systems cannot resist semantics-based deobfuscation attacks well. The basis of semantics-based deobfuscation is data-flow analysis and optimization, so an effective data-flow obfuscation method can improve a VM protection system's resistance to such attacks. To achieve a good data-flow obfuscation effect, a two-process virtual-machine protection system is adopted and implemented and the VM architecture is redesigned, making the execution of the software after VM protection more complex and variable.
3. Compared with a single-process VM structure, the two-process structure introduced at design time gives the VM architecture an indeterminate structure; the execution flow and data flow of the program become more complex and variable, increasing the difficulty of the attacker's semantic analysis. The two processes cooperate through inter-process communication to complete the program's execution, which also provides a degree of anti-debugging.
4. A data-flow transformation engine converts the Handlers of the virtual interpreter so that the Handlers can resist data-flow-based analysis.
Brief description of the drawings
Fig. 1 is the flow diagram of the present invention;
Fig. 2 shows the execution process of software protected by the virtual machine with the data-flow obfuscation of the present method;
Fig. 3 shows the execution process of software after virtual-machine protection before the present invention is applied;
Fig. 4 is a simple hidden-predicate example of the present invention.
Detailed description of the invention
The present invention proposes a virtualized software protection method with data-flow obfuscation, comprising the following steps:
Step 1: verify that the loaded file to be protected is a PE file; if so, proceed to the next step. In the present invention a PE file means the mainstream executable file format on the Windows platform, for example .exe and .dll files.
Step 2: designate, in the source code of the file to be protected, the critical code section that needs protection; disassemble the critical code section to obtain its x86 instruction set.
The critical code section is the code the user designates for protection in the source code: an SDK start marker is embedded at the beginning of the critical code section and an SDK end marker at its end. The SDK markers are a pair of start and end markers defined by DFO-VMP (A Virtual Software Protection Method with Data Flow Obfuscation). After the PE file is generated, finding the SDK markers yields the start and end addresses of the critical code section, which locates the section; it is then disassembled to obtain its x86 instructions.
Step 3: under the premise of semantic equivalence, convert the x86 instructions obtained in step 2 into virtual instructions according to the correspondence between x86 instructions and virtual instructions.
During protection, converting a native instruction into virtual instructions mainly involves three operations:
(1) a "load" virtual instruction, which pushes the native instruction's operands onto the stack;
(2) the target-operation instruction, which performs the native instruction's operation; this virtual instruction does not need to consider the operand type, since it takes its operands directly from the top of the stack, but it does need to consider the operand size;
(3) a "store" virtual instruction, which stores the result of the operation into the virtual environment.
Virtualizing data-transfer instructions such as mov, push and pop mainly uses the load and store instructions; arithmetic and logic instructions are virtualized strictly following the three operations above; control-transfer instructions are virtualized by combining a load instruction with a jmp instruction. Table 1 gives some examples of native-instruction virtualization.
Some native instructions use complex addressing modes and require the above virtual instructions to be used several times during virtualization, for example the instruction mov eax, dword [esi+32] in Table 1. In Table 1, 42a583h is the address of the bytecode instruction corresponding to the native instruction stored at address 4020a8h.
Table 1: native instructions and examples of the corresponding virtual instructions
Step 4: map the virtual instructions to their corresponding Handler sequence HAS, then encrypt the mapped HAS to obtain the bytecode instructions.
The virtual instructions are ultimately stored in the protected program in bytecode form. The virtual opcode, addressing mode and operands of each virtual instruction differ, and so does the corresponding Handler sequence; a virtual instruction is interpreted by one or more Handlers. A virtual instruction VI is mapped to its Handler sequence HAS (Handler Sequence), which consists of Handler numbers and Handler parameters; the mapped HAS is then encrypted to obtain the bytecode instructions VMdata.
Virtual instructions and native instructions have a simple correspondence, and this scheme uses a simple encoding rule: the byte that describes the operation is separated from the bytes that describe the operand. In the implementation each virtual instruction is assigned a distinct ID in the range 0 to 255, so one byte suffices to encode every ID; these IDs serve as the opcodes. See Table 2:
Table 2: bytecode corresponding to virtual instructions
Virtual instruction | Bytecode |
load_r 4 | 00 04 |
load_i 32 | 04 0x20 |
add32 | 42 |
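As an added example (not the patent's own code, and not the DFO-VMP tool's), the following Python sketches steps 3 and 4 for a tiny x86 subset: it virtualizes each native instruction into load / operate / store virtual instructions, encodes them as one-byte IDs followed by operand bytes, and checks the bytecode against a direct interpretation of the same native instructions. The IDs 0x00, 0x04 and 0x42 follow Table 2; every other ID, the register numbering, the 4-byte immediate form and the XOR used in place of the real encryption of the HAS are assumptions made for the demo.

```python
# Added example, not the patent's code: a toy stack VM for steps 3 and 4.
# Opcode IDs 0x00, 0x04 and 0x42 follow Table 2; the other IDs, the register
# numbering and the XOR "encryption" are assumptions made for this demo.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # assumed numbering
MASK = 0xFFFFFFFF
OP = {"load_r": 0x00, "load_i8": 0x04, "load_i32": 0x05, "store_r": 0x10,
      "vpush": 0x20, "vpop": 0x21, "add32": 0x42, "sub32": 0x43, "xor32": 0x44}

def virtualize(x86):
    """Translate (mnemonic, dst, src) tuples of a tiny x86 subset into virtual
    instructions: load the operands, operate on the stack top, store the result."""
    def load(o):
        return ("load_r", REGS.index(o)) if o in REGS else ("load_i", o)
    vi = []
    for mnem, dst, src in x86:
        if mnem == "mov":
            vi += [load(src), ("store_r", REGS.index(dst))]
        elif mnem in ("add", "sub", "xor"):
            vi += [load(dst), load(src), (mnem + "32", None), ("store_r", REGS.index(dst))]
        elif mnem == "push":                       # the native stack is modelled separately
            vi += [load(dst), ("vpush", None)]
        elif mnem == "pop":
            vi += [("vpop", None), ("store_r", REGS.index(dst))]
        else:
            raise ValueError(f"unsupported instruction {mnem}")
    return vi

def encode(vi, key=0):
    """One-byte ID followed by the operand bytes; the whole stream is XORed with
    key as a stand-in for the encryption of the HAS into VMdata."""
    out = bytearray()
    for name, arg in vi:
        if name == "load_i" and 0 <= arg < 256:
            out += bytes([OP["load_i8"], arg])            # Table 2 form: 04 imm8
        elif name == "load_i":
            out += bytes([OP["load_i32"]]) + (arg & MASK).to_bytes(4, "little")
        elif arg is None:
            out.append(OP[name])
        else:
            out += bytes([OP[name], arg])
    return bytes(b ^ key for b in out)

def run_vm(vmdata, key, regs):
    """Dispatcher loop: decrypt, fetch an ID, execute the matching handler."""
    regs, ops, native_stack = dict(regs), [], []
    code, pc = bytes(b ^ key for b in vmdata), 0
    while pc < len(code):
        op = code[pc]; pc += 1
        if op == OP["load_r"]:
            ops.append(regs[REGS[code[pc]]]); pc += 1
        elif op == OP["load_i8"]:
            ops.append(code[pc]); pc += 1
        elif op == OP["load_i32"]:
            ops.append(int.from_bytes(code[pc:pc + 4], "little")); pc += 4
        elif op == OP["store_r"]:
            regs[REGS[code[pc]]] = ops.pop(); pc += 1
        elif op == OP["vpush"]:
            native_stack.append(ops.pop())
        elif op == OP["vpop"]:
            ops.append(native_stack.pop())
        elif op in (OP["add32"], OP["sub32"], OP["xor32"]):
            b, a = ops.pop(), ops.pop()
            ops.append({0x42: a + b, 0x43: a - b, 0x44: a ^ b}[op] & MASK)
        else:
            raise ValueError(f"bad opcode {op:#04x} at offset {pc - 1}")
    return regs

def run_native(x86, regs):
    """Reference semantics of the same x86 subset, used to check equivalence."""
    regs, stack = dict(regs), []
    val = lambda o: regs[o] if o in REGS else o & MASK
    for mnem, dst, src in x86:
        if mnem == "mov":    regs[dst] = val(src)
        elif mnem == "add":  regs[dst] = (regs[dst] + val(src)) & MASK
        elif mnem == "sub":  regs[dst] = (regs[dst] - val(src)) & MASK
        elif mnem == "xor":  regs[dst] = regs[dst] ^ val(src)
        elif mnem == "push": stack.append(val(dst))
        elif mnem == "pop":  regs[dst] = stack.pop()
    return regs

# Constructed "critical code section" for the demo.
CRITICAL = [("mov", "eax", 32), ("add", "eax", "ecx"), ("push", "eax", None),
            ("xor", "eax", "eax"), ("pop", "edx", None), ("sub", "edx", 1)]

def protect_and_run(x86=CRITICAL, key=0x5A, ecx=0x10):
    """Virtualize, encode, run both the VM and the native reference; return both register files."""
    regs = {r: 0 for r in REGS}; regs["ecx"] = ecx
    vmdata = encode(virtualize(x86), key)
    return run_vm(vmdata, key, regs), run_native(x86, regs)
```

The equivalence check in protect_and_run is the part a practitioner keeps: any translation rule added to virtualize should be run against the native interpreter on random register files before it is trusted, and the XOR in encode must be replaced by the real HAS encryption and its decryption in the Dispatcher.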
Step 5: redesign of the virtual machine's dispatch structure
In a traditional centralized dispatch structure the virtual machine proceeds as follows: after entering the virtual machine, the Dispatcher fetches VMdata, decrypts it to obtain a Handler number, executes the corresponding Handler, and on completion returns to the Dispatcher; this repeats until the function of the critical code section is complete.
This step redesigns the traditional dispatch structure as a two-process design: a child process that performs the normal program function and a parent process that debugs the child. When a Handler finishes executing it raises an exception, which the parent process catches. The parent process holds an interrupt address table that records each exception address and the target address the exception should jump to.
The parent looks up the exception address and its target address in the interrupt address table. If both are found, the parent points the child's EIP at the target address and resumes the child; if the lookup fails, the program is terminated.
When the program runs, the parent process first executes a piece of assembly code that creates a child process. The created child performs the normal program function, while the parent acts as the child's debugger. An example of the assembly code that creates the child is shown in Table 3:
Table 3: assembly code that creates the child process
Redesigning the conventional VM structure so that the VM architecture is distributed across two different processes has the following features: 1. it increases the complexity of the program's control flow and execution flow, making the program's structure more complex; 2. the communication mechanism between the two processes allows the program's execution to be monitored, so an attacker cannot tamper with the execution flow; 3. it also serves an anti-debugging purpose, because under Windows a process can be debugged and traced by only one debugger at a time. Together these features let the structure play a good protective role.
Step 6: apply data-flow obfuscation to the Handlers in the virtual machine, making the program's data flow more complex.
The purpose of introducing data-flow obfuscation into the virtual machine is to increase the complexity of the data flow at run time, so that an attacker cannot use data-flow analysis techniques to reverse it, thereby resisting semantic analysis. Several data-flow obfuscation mechanisms can be used when introducing the obfuscation; they fall into two categories: 1. taint bleaching, which inserts taint-removing operations into the program's data flow; 2. over-tainting, which increases the amount of tainted data in the program as much as possible, so that during taint analysis the attacker cannot isolate the useful data from the large volume of tainted data and therefore cannot analyze the instructions accurately. Both are described below.
1. Taint bleaching
Table 4: an atomic Handler without obfuscation
Table 4 shows a Handler in the virtual machine without data-flow obfuscation. This atomic Handler reads a bytecode from VMdata (instruction 3), decrypts the bytecode (instructions 4 to 7), computes the address of a virtual register in the virtual environment from the decrypted bytecode (instructions 8 and 9), and pushes that address onto the stack. Register esi points to the start of VMdata and register edi to the start of VMcontext.
Analyzing this atomic Handler shows that when an attacker analyzes the program, they first mark a program input as tainted data (for example, tainting the bytecode in VMdata). When the program reaches this Handler and executes lods byte ptr ds:[esi], the taint propagates to register al, and from there it keeps propagating through the subsequent computation of the virtual context address. The attacker can thus use data-flow analysis to recover precisely the layout of the register addresses in the virtual context, and then continue with further analysis.
The bytecode in the virtual machine is ultimately interpreted and executed by the Handlers designed into the virtual machine, so data-flow obfuscation of the Handlers is critical: it effectively prevents the attacker from using taint propagation to analyze them.
Table 5: the atomic Handler after obfuscation
Table 5 shows the atomic Handler after data-flow obfuscation. As the table shows, the obfuscated Handler breaks the taint-propagation path by adding a new register ebx. After lods byte ptr ds:[esi] reads a bytecode into register al, register ebx is incremented in a loop; when the value of ebx equals the value read into al, the value of ebx is passed to eax. Register eax is therefore not tainted, and the subsequent memory-address computation is not tainted either. The principle is that the data is updated through a cmp comparison rather than copied; this principle can be varied in many ways, for example using rounding and remainder operations to reduce the number of loop iterations and comparisons. This method effectively breaks taint propagation and stops further analysis by the attacker.
The detailed taint-bleaching procedure is: select the Handler to obfuscate and analyze the taint-propagation path in it; choose a register al on the path and add a new register ebx; when the program reaches al, increment ebx repeatedly by 1 until the value in ebx equals the value in al, then pass the value in ebx on to the rest of the program flow.
2. Over-tainting
Again using the atomic Handler of Table 4 as the illustration, some data-flow-obfuscation instructions are added to the atomic Handler. Their effect is to spread the taint as widely as possible, so that the attacker cannot distinguish the instructions that need to be marked and cannot collect accurate execution information.
Table 6: the atomic Handler with over-tainting added
Table 6 shows the atomic Handler with taint over-propagation instructions added. When the attacker analyzes the program and taints al, the taint propagates to registers bl, ebx, ecx and edx, while the number of instructions collected does not grow much compared with the version without data-flow obfuscation. Note that the original program's function is carried out jointly by many Handlers, so the final taint spread becomes very large, which effectively stops the attacker's analysis.
The detailed over-tainting procedure is: select the Handler to obfuscate, analyze the taint-propagation path in it and choose a register used on the path; to keep the stack balanced, push that register; then spread the tainted data into other registers through data-transfer or arithmetic instructions, for example, with the tainted data in al, operations such as mov bl, al; add cl, al; mov dl, al spread the tainted value of al into other registers; finally pop the register to restore the stack environment.
Step 7: hide the predicate information originally in the program and add new predicate information that constructs false execution-flow branches.
The key to resisting symbolic-execution analysis is hiding the predicate information in the program, because when an attacker analyzes a program with symbolic execution they first locate the predicates in the program, then express the instructions symbolically, then perform reachability reasoning, and finally construct the program's control-flow graph.
In the design of the virtual machine, every Handler ends with a jump instruction back to the Dispatcher, which fetches the next bytecode, decrypts it and executes it; this fetch-decode-execute loop repeats until all bytecode has been executed. Based on this, the Handlers in the virtual machine are transformed: a random function is used to hide the jump instruction after some of the Handlers, increasing the complexity of the execution flow, and some predicate information is randomly added to the Handlers to form false branches that further confuse the attacker, so that the control-flow graph the attacker constructs is incomplete or contains false branch information.
The jump instruction is hidden as follows:
An exception-instruction library is constructed that stores different exception-raising instructions. The exception instructions are designed as ordinary x86 instructions, which gives them a degree of concealment: an attacker examining the program's instructions cannot easily notice the exception-raising code. The library is built first at design time; when a jump is replaced, an exception instruction is chosen from the library at random. The exception code shown in Table 7 consists of x86 instructions such as a division by zero, an invalid memory access and an interrupt.
Table 7: exception instruction types and examples
An interrupt address information table is established, consisting of the current address of each exception instruction from the library and the target address of the basic block the exception instruction belongs to; its structure is shown in Table 8:
Table 8: interrupt information table
Current address of the exception instruction | Target address of the basic block containing the exception instruction |
The predicate information in the program is hidden by this exception mechanism, as shown in Fig. 4: a random function replaces the jump instruction after some of the Handlers in the virtual machine with an exception instruction that raises an exception interrupt; after the exception interrupt is caught, the current address of the exception instruction and the target address of its basic block are looked up in the interrupt address information table, and the jump is then performed so that the original jump target is reached.
Step 8, a new section is added to the original PE file; the Handlers obfuscated in step 6, the bytecode instructions finally generated, and the other components of the virtual machine (VMcontext, VMinit, Dispatcher, Handlers, VMexit) are embedded in the new section; the critical code section is filled with junk instructions, and the instruction at the start address of the critical code section is modified into a jump instruction to the virtual machine entry, regenerating a protected executable file.
The components of the virtual machine described above, combined with the bytecode sequence, are appended to the original PE file as a new section, and the file size and the number of sections recorded in the PE file are modified according to the size of the PE file after the new section has been added. The original location of the critical code section in the PE file is filled with an unconditional jump statement, which points to the start address of the virtual machine initialisation entry (VMinit) in the new section; the remainder of the critical code section is then filled with random junk data. At run time this code is never executed, so it does not affect the program's function, while it also serves to confuse the attacker.
Claims (5)
1. A virtualization software protection method with data stream obfuscation, characterised in that it comprises the following steps:
Step 1, verify whether the loaded file to be protected is a PE file, and if so proceed to the next step;
Step 2, specify the critical code section that needs protection in the source code fragment of the file to be protected, disassemble the critical code section and obtain the x86 instruction set of the critical code section;
Step 3, convert the x86 instruction set obtained in step 2 into virtual instructions;
Step 4, map the virtual instructions to the corresponding Handler sequence HAS, then encrypt the mapped HAS to obtain bytecode instructions;
Step 5, apply a two-process design to the scheduling structure of the virtual machine, the two processes being a child process that performs the normal program function and a parent process that debugs the child process; when a Handler has finished executing, an exception is generated and captured by the parent process, which looks up the exception address and the destination address to which the exception jumps in the parent process's interrupt address table; if the exception address and the destination address are found, the parent process points the child process's EIP at the destination address and resumes the child process; if they are not found, the program's execution is terminated;
Step 6, perform data stream obfuscation on the Handlers in the virtual machine, so that the data stream in the program becomes more complex;
Step 7, hide the program's original predicate information and add new predicate information to construct false execution-flow branches;
Step 8, add a new section to the original PE file, embed the obfuscated Handlers, the bytecode instructions and the other components of the virtual machine in the new section, fill the critical code section with junk instructions, modify the instruction at the start address of the critical code section into a jump instruction to the virtual machine entry, and regenerate a protected executable file.
2. The virtualization software protection method with data stream obfuscation according to claim 1, characterised in that the process of performing data obfuscation on the Handlers in step 6 includes:
Taint bleaching: choose a Handler to be obfuscated, analyse the path of taint propagation in the Handler, choose a register al on that path, and add a new register ebx; when the program reaches register al, ebx is repeatedly incremented by 1, and when the value in ebx equals the value in al, the value in ebx is used to continue the program flow that follows.
3. The virtualization software protection method with data stream obfuscation according to claim 2, characterised in that the process of performing data stream obfuscation on the Handlers in step 6 further includes:
Cross marking: choose a Handler to be obfuscated, analyse the path of taint propagation in the Handler, choose a register on the path that needs to be used, push that register onto the stack, diffuse the taint data it uses into another register by means of data transfer or arithmetic instructions, and then pop the needed register from the stack to restore the stack environment.
4. The virtualization software protection method with data stream obfuscation according to claim 1, characterised in that the detailed process of step 7 includes:
Using a random function to hide the jump instruction that follows some of the Handlers in the virtual machine, increasing the complexity of the program's execution flow, while randomly adding predicate information in the Handlers to form false branches.
5. The virtualization software protection method with data stream obfuscation according to claim 4, characterised in that the concrete method for hiding the jump instruction after a Handler includes:
Constructing an exception instruction library, in which different exception instructions are stored;
Establishing an interrupt address information table, which consists of the current address of each exception instruction in the exception instruction library and the destination address of the basic block in which the exception instruction is located;
Using a random function to rewrite the jump instruction that follows some of the Handlers in the virtual machine into an exception instruction, so that it produces an exception interrupt; after the exception interrupt is captured, looking up the current address of the exception instruction and the destination address of the basic block containing it in the interrupt address information table, and then jumping to that destination, which achieves the purpose of the original jump.
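As an added example (not the patent's own code), the following Python models a Handler under a taint tracker that follows only explicit data flow and applies the taint-bleaching transform of claim 2 to it; the toy instruction set, the sample handler and the operand value are all constructed for the illustration.

```python
"""Added example, not the patent's own code: a toy register machine with dynamic
taint tracking, showing why the "taint bleaching" transform of claim 2 defeats a
taint analysis that follows only explicit data flow. The instruction names, the
sample handler and the operand value are constructed for this illustration."""
from typing import Dict, List, Tuple, Union

Operand = Union[str, int]
MASK = 0xFFFFFFFF

def run(program: List[Tuple], regs: Dict[str, int], tainted: Dict[str, bool]):
    """Execute PROGRAM. mov/add propagate taint along explicit data flow; jmp/jne
    never taint anything, which is the blind spot the transform exploits."""
    regs, tainted, pc = dict(regs), dict(tainted), 0

    def read(src: Operand) -> Tuple[int, bool]:      # immediates are always clean
        return (regs[src], tainted[src]) if isinstance(src, str) else (src, False)

    while pc < len(program):
        op, *args = program[pc]
        pc += 1
        if op == "mov":                                # mov dst, src
            regs[args[0]], tainted[args[0]] = read(args[1])
        elif op == "add":                              # add dst, src
            val, t = read(args[1])
            regs[args[0]] = (regs[args[0]] + val) & MASK
            tainted[args[0]] = tainted[args[0]] or t
        elif op == "jmp":                              # jmp target
            pc = args[0]
        elif op == "jne":                              # jne r1, r2, target
            if regs[args[0]] != regs[args[1]]:
                pc = args[2]
        else:
            raise ValueError(f"unknown op {op}")
    return regs, tainted

def bleach(handler: List[Tuple], src: str, fresh: str) -> List[Tuple]:
    """Claim 2 transform: count FRESH up from 0 until it equals SRC, then let the
    handler read FRESH instead of SRC. The value is identical but now reaches the
    handler only through a comparison, so the taint label is lost. HANDLER must
    be straight-line code (its own jump targets are not relocated)."""
    counter = [
        ("mov", fresh, 0),
        ("jne", fresh, src, 3),        # not equal yet: go and increment
        ("jmp", 5),                    # equal: fall into the rewritten handler
        ("add", fresh, 1),
        ("jmp", 1),
    ]
    rewritten = [tuple(fresh if a == src else a for a in ins) for ins in handler]
    return counter + rewritten

# Constructed handler: accumulate the (tainted) bytecode operand in al into eax.
HANDLER = [("add", "eax", "al")]

def demo(operand: int = 0x2A) -> Tuple[int, bool, int, bool]:
    """(eax, eax tainted?) for the plain handler, then for the bleached one."""
    regs = {"eax": 0x100, "al": operand, "ebx": 0}
    taint = {"eax": False, "al": True, "ebx": False}   # al came from the bytecode
    plain, pt = run(HANDLER, regs, taint)
    bleached, bt = run(bleach(HANDLER, "al", "ebx"), regs, taint)
    return plain["eax"], pt["eax"], bleached["eax"], bt["eax"]
```

The bleached handler yields the same eax value as the original but the tracker no longer marks it tainted; the jne-before-add layout also handles an operand of 0, which a literal "increment until equal" loop would miss.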
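As a second added example, again not the patent's own code, the following Python models the jump hiding of step 7 / claim 5 together with the parent-child dispatch of step 5 in claim 1: the hiding step swaps a random subset of jumps for exception instructions and fills the interrupt address table, and a debugger-style parent redirects the child's EIP from that table or terminates the program on an unknown fault. The instruction names, the exception-instruction library and the code layout are constructed; a real build would plant faulting x86 instructions and use the OS debug interface.

```python
"""Added example, not the patent's own code: a model of the exception-driven jump
hiding of step 7 / claim 5 and the parent-child dispatch of claim 1 step 5. The
handler code, exception-instruction names and addresses are constructed; a real
build plants faulting x86 instructions and has a debugger-style parent rewrite EIP."""
import random
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the faults the patent lists (divide by zero, bad memory, interrupt).
EXCEPTION_LIB = ["div_zero", "bad_mem", "int3"]

class ChildFault(Exception):
    """The child executed an exception instruction; args[0] is its address."""

def hide_jumps(code: List[Tuple], seed: int, ratio: float = 0.5):
    """Protection step: replace a random subset of 'jmp' with an exception
    instruction and record addr -> target in the parent's interrupt address table."""
    rng, protected, table = random.Random(seed), list(code), {}
    for addr, ins in enumerate(code):
        if ins[0] == "jmp" and rng.random() < ratio:
            protected[addr] = (rng.choice(EXCEPTION_LIB),)
            table[addr] = ins[1]
    return protected, table

def child_step(code: List[Tuple], eip: int, regs: Dict[str, int]) -> Optional[int]:
    """Run one instruction of the child; return the next EIP, or None at halt."""
    op, *args = code[eip]
    if op == "halt":
        return None
    if op == "jmp":
        return args[0]
    if op in EXCEPTION_LIB:            # planted fault: control passes to the parent
        raise ChildFault(eip)
    if op == "mov":
        regs[args[0]] = args[1]
    elif op == "add":
        regs[args[0]] += regs[args[1]]
    else:
        raise ValueError(op)
    return eip + 1

def parent_run(code: List[Tuple], table: Dict[int, int], regs: Dict[str, int]) -> str:
    """Debugger-style parent: on a recorded fault set the child's EIP to the
    table's destination and resume; on an unknown fault end the program."""
    eip: Optional[int] = 0
    while eip is not None:
        try:
            eip = child_step(code, eip, regs)
        except ChildFault as fault:
            if fault.args[0] not in table:
                return "terminated"
            eip = table[fault.args[0]]
    return "ok"

# Constructed handlers laid out so the jumps matter: A -> B -> C computes eax = 5 + 7.
CODE = [
    ("mov", "eax", 5), ("jmp", 4),          # Handler A, jumps to B at 4
    ("add", "eax", "ebx"), ("halt",),       # Handler C
    ("mov", "ebx", 7), ("jmp", 2),          # Handler B, jumps to C at 2
]
```

With every jump hidden (`hide_jumps(CODE, seed=7, ratio=1.0)`) the protected code contains no jump at all, yet `parent_run` still produces eax = 12; running the same protected code with an empty table ends in "terminated", which is the behaviour claim 1 specifies for a lookup miss.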
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610399231.3A CN106096338B (en) | 2016-06-07 | 2016-06-07 | A kind of virtualization software guard method obscured with data flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106096338A true CN106096338A (en) | 2016-11-09 |
CN106096338B CN106096338B (en) | 2018-11-23 |
Family
ID=57228501
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610399231.3A Active CN106096338B (en) | 2016-06-07 | 2016-06-07 | A kind of virtualization software guard method obscured with data flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106096338B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130174147A1 (en) * | 2011-12-30 | 2013-07-04 | Ravi L. Sahita | Low Latency Virtual Machine Page Table Management |
CN103514027A (en) * | 2013-11-12 | 2014-01-15 | 北京深思数盾科技有限公司 | Method for enhancing usability of software protection |
CN103699820A (en) * | 2013-12-25 | 2014-04-02 | 北京深思数盾科技有限公司 | Obfuscating method for relative jump instruction |
CN105046117A (en) * | 2015-06-30 | 2015-11-11 | 西北大学 | Code virtualization software protection system realizing instruction set randomization |
CN105608346A (en) * | 2015-12-25 | 2016-05-25 | 北京奇虎科技有限公司 | ELF file protection method and system based on ARM instruction virtualization |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106529296A (en) * | 2016-11-16 | 2017-03-22 | 武汉工程大学 | Method for attacking software protection virtual machine based on fuzzy clustering |
CN106599627A (en) * | 2016-11-22 | 2017-04-26 | 江苏通付盾科技有限公司 | Method and apparatus for protecting application security based on virtual machine |
CN107092518A (en) * | 2017-04-17 | 2017-08-25 | 上海红神信息技术有限公司 | A kind of Compilation Method for protecting mimicry system of defense software layer safe |
CN107480476A (en) * | 2017-06-15 | 2017-12-15 | 西北大学 | A kind of Android local layer compiling of instruction based on ELF infection virtualizes shell adding method |
CN107480476B (en) * | 2017-06-15 | 2020-05-19 | 西北大学 | Android native layer instruction compiling virtualization shell adding method based on ELF infection |
CN109697339A (en) * | 2017-10-20 | 2019-04-30 | 南京理工大学 | A kind of Android application method for security protection based on dynamic virtual instruction map |
CN108021790A (en) * | 2017-12-28 | 2018-05-11 | 江苏通付盾信息安全技术有限公司 | Document protection method, device, computing device and computer-readable storage medium |
CN108021790B (en) * | 2017-12-28 | 2020-09-08 | 江苏通付盾信息安全技术有限公司 | File protection method and device, computing equipment and computer storage medium |
CN108415709A (en) * | 2018-02-12 | 2018-08-17 | 北京梆梆安全科技有限公司 | A kind of method and device for reinforcing source code based on finite state machine |
CN108416191A (en) * | 2018-02-12 | 2018-08-17 | 北京梆梆安全科技有限公司 | The method and device of source code is reinforced based on opaque predicate and finite state machine |
CN108416191B (en) * | 2018-02-12 | 2021-11-19 | 北京梆梆安全科技有限公司 | Method and device for reinforcing source code based on opaque predicate and finite state machine |
CN108415709B (en) * | 2018-02-12 | 2022-01-28 | 北京梆梆安全科技有限公司 | Method and device for reinforcing source code based on finite-state machine |
CN108388778A (en) * | 2018-03-21 | 2018-08-10 | 北京理工大学 | The APP that Android platform merges multiple features demodulates method for testing |
CN108388778B (en) * | 2018-03-21 | 2021-03-30 | 北京理工大学 | APP anti-debugging method with Android platform fused with multiple features |
CN108614960A (en) * | 2018-05-11 | 2018-10-02 | 西北大学 | A kind of JavaScript virtualization guard methods based on front end bytecode technology |
CN108614960B (en) * | 2018-05-11 | 2020-06-16 | 西北大学 | JavaScript virtualization protection method based on front-end byte code technology |
CN109145534A (en) * | 2018-07-24 | 2019-01-04 | 上海交通大学 | For the antialiasing system and method for software virtual machine protection |
CN110457948A (en) * | 2019-08-13 | 2019-11-15 | 中科天御(苏州)科技有限公司 | A kind of dynamic data means of defence and system based on store instruction randomization |
CN112069466B (en) * | 2020-09-15 | 2023-11-03 | 常熟理工学院 | Code confusion information safety control method, system and device based on mode switching |
CN112069466A (en) * | 2020-09-15 | 2020-12-11 | 常熟理工学院 | Code obfuscation information security control method, system and device based on mode switching |
CN112199667A (en) * | 2020-09-30 | 2021-01-08 | 常熟理工学院 | Software protection method, device, equipment and storage medium |
CN112394943A (en) * | 2021-01-18 | 2021-02-23 | 北京掌上云集科技发展有限公司 | Binary file virtualization protection method, device, medium and electronic equipment |
CN114707124B (en) * | 2022-03-22 | 2022-11-29 | 广东技术师范大学 | NET platform code protection method and system based on code virtualization |
CN114707124A (en) * | 2022-03-22 | 2022-07-05 | 广东技术师范大学 | NET platform code protection method and system based on code virtualization |
CN115292764A (en) * | 2022-10-08 | 2022-11-04 | 山东云海国创云计算装备产业创新中心有限公司 | Bus safety protection method, device and medium |
Also Published As
Publication number | Publication date |
---|---|
CN106096338B (en) | 2018-11-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |