CN106529224A - Binary obfuscation method based on ROP (Return Oriented Programming) attack feature - Google Patents
- Publication number
- CN106529224A
- Authority
- CN
- China
- Prior art keywords
- code
- executable file
- rop
- gadget
- sections
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Devices For Executing Special Programs (AREA)
Abstract
The invention provides a binary obfuscation method based on a ROP (Return Oriented Programming) attack feature. The method comprises the steps of disassembling an original binary file and dividing basic blocks; carrying out ROP form instrumentation on the basic blocks, thereby obtaining gadget form assembly code ended by a ret instruction; and refactoring recompiled new code and the original binary file, and generating a finally obfuscated executable file. According to the method, through application of a mode of converting a code segment of the binary file into a gadget form, an obfuscation purpose is achieved. The software obfuscation performance loss is low. The deployable performance is high. The dependence on a feature of a special hardware processor is removed.
Description
Technical field
The invention belongs to the field of computer technology, in particular system and software security. It provides a software obfuscation method that uses the features of the Return Oriented Programming (ROP) attack technique to protect application software.
Background art
Software piracy, tampering and reverse engineering seriously threaten the security of software. Protecting software so that it runs normally in an unknown environment while resisting reverse engineering and static analysis has therefore become a major problem in software protection. Code obfuscation is widely accepted as one means of software protection. The ROP attack is a code-reuse attack; as a software attack technique, the chaining features of the gadgets it uses during an attack can be applied to obfuscate the control flow of an executable file.
Reverse engineering: the target software is analysed in reverse. Binary machine code is translated by disassembly into assembly code that is easier to understand; on the basis of the assembly code, functions and functional modules are analysed and the control flow graph and data flow graph are extracted, so as to obtain the code implementation of the software. Reverse engineering is mainly used to recover the high-level semantics of software from its binary code.
Executable file: the prevalent executable file formats on PC platforms are PE (Portable Executable) under Windows and ELF (Executable Linkable Format) under Linux; both are variants of the COFF (Common File Format) format. Taking ELF as an example, an executable file mainly contains: 1) the ELF header (ELF Header), which contains the basic attributes describing the whole file, such as the ELF version number, the target machine type and the program entry address; 2) the code section (txt section), which contains the program instructions, the data section (data section), which contains the data used by the program, and other sections with various functions; 3) the section header table (Section Header Table), which describes all the sections contained in the ELF file, such as each section's name, length, offset in the file, access permissions and other attributes.
Code obfuscation: code obfuscation applies semantics-preserving transformations to a released application, so that the transformed program is functionally identical to the original but harder to attack by static analysis and reverse engineering. According to the principle and the object being obfuscated, code obfuscation techniques are divided into layout obfuscation, control flow obfuscation, data obfuscation and others. Layout obfuscation mainly modifies or deletes program variable names and function names; control flow obfuscation alters the control flow of the original program so that the program flow becomes more complex and harder to understand; data obfuscation transforms or encrypts the data the program uses.
Existing control flow obfuscation methods include the following:
1) Disrupting static disassembly. This kind of method inserts junk bytes into the binary code to disrupt the disassembler. The junk bytes are inserted on paths that are never executed, so they do not interfere with the correct operation of the program; when the code is disassembled, the disassembler cannot correctly identify the inserted junk bytes, or disassembles them incorrectly, which disrupts the static disassembly process. The method is too simple and is easily cracked.
2) Control flow obfuscation based on signal handling. This kind of method transforms the program's control flow and hides it in signal handling, so that reverse engineering cannot recover the logical structure of the program. Because it uses signal handling frequently, it causes severe performance loss and does not support multi-threaded environments.
3) Obfuscation based on Itanium processor features. This kind of method uses the information tracking feature unique to the Itanium processor and hides the program's control flow in exception handlers. It relies on a hardware feature and is only suitable for that particular processor.
Code-reuse attack: the attacker carries out the attack by directly reusing code that already exists in the program rather than by injecting code. Representative code-reuse attacks are ROP (Return-Oriented Programming), JOP (Jump-Oriented Programming) and Ret-into-Libc; these attacks reuse existing code snippets and do not inject code into the process address space.
ROP attack: as one kind of code-reuse attack, ROP reuses instruction fragments that already exist in the program. These instruction fragments (generally 3 to 5 instructions) end with a ret instruction and are called gadgets. Gadgets are linked to one another in control flow by their ret instructions. The attacker injects the addresses of these gadgets onto the stack in a particular order; when one gadget reaches its ret instruction, the address of the next gadget is taken from the top of the stack and execution jumps to that gadget.
Summary of the invention
Building on existing work, the object of the invention is to propose a new binary obfuscation method based on ROP attack features that solves the problems of existing software obfuscation methods: being easily cracked, severe performance loss, and dependence on a specific hardware processor.
The technical solution of the invention is a binary obfuscation method based on ROP attack features, characterized by static binary disassembly and basic block division, ROP instrumentation, recompilation of the gadget-form assembly code, and reconstruction of the executable file, so that the binary is obfuscated while the program is guaranteed to run correctly, achieving the purpose of protecting the software.
The invention specifically comprises the following steps:
1) static binary disassembly and basic block division;
2) ROP instrumentation of the basic blocks to obtain gadgets;
3) recompiling the gadgets to generate a new executable file;
4) reconstructing the original executable file to generate the new, obfuscated executable file.
Further:
In step 1), the original executable file is disassembled to obtain the assembly representation of its code section; on the basis of the assembly code, the code is divided into individual basic blocks according to the basic block division rules. A basic block is a sequence of statements of the program that is executed in order; it has exactly one entry and one exit. The entry is its first statement and the exit is its last statement; when a basic block is executed, control enters at the entry and leaves at the exit.
In step 2), the basic blocks obtained in step 1) are taken as input and instrumented according to the ROP instrumentation rules, so that each instrumented basic block becomes a gadget ending with a ret instruction. After ROP instrumentation, the code of the program is converted from basic blocks into gadgets, and the code finally exists in the executable file in gadget form. When the executable file is reverse engineered, only the gadget form of the code can be seen. Because the gadgets are chained dynamically through the stack by the ret instructions at their ends, it is difficult for an attacker to work out statically the logical links between the gadgets, to analyse the logical structure of the code, or to extract the high-level semantics, which achieves the obfuscation.
In step 3), extra code and the necessary data are added to the gadget-form assembly code obtained in step 2). The data comprise the payload data section and the maptable address mapping table: the payload data section is used to control the gadget execution order at run time, and maptable is used to relocate the target addresses of indirect-jump-type instructions. The extra code comprises the binary search function FindNext, which looks up the maptable mapping table. All of the above is arranged into an assembly file in .asm format and recompiled to generate a new executable file. Because gadgets link control flow through ret instructions, the positions of the gadgets in the generated asm file can be shuffled arbitrarily, so that the code looks chaotic and shows no logical relationship. The new executable file contains three parts of information used by the reconstruction in the next step: a) the obfuscated code section; b) the payload data section, which controls the control-flow linking of the gadgets at run time; c) the maptable data section, which is used for address mapping. These three parts are copied into the final executable file.
In step 4), the original executable file is reconstructed to generate the final obfuscated executable file. First, the code section of the original executable file is replaced with nop instructions that have no practical meaning; the purpose is to prevent the original code section from exposing control flow information. Then a new code section, the newtxt section, is created in the original executable file, and the code section content of the new executable file from step 3) is copied into it; the other data sections of the original executable file remain unchanged, and the new code section still reuses the original data sections. Next, a data section named payload is added to the original executable file and the payload section content of the new executable file from step 3) is copied into it, to control the chaining of the gadgets at run time and ensure that the program runs correctly. A data section named maptable is added to the original executable file and the maptable section content of the new executable file from step 3) is copied into it; this data section holds the address mapping between the new code section and the original code section, which is used to relocate the target addresses of the program's indirect-jump-type instructions and ensures that the program runs correctly. Finally, the file header and section header table of the executable file are adjusted accordingly, and the final obfuscated executable file is generated.
With the above technical solution, the invention has the following advantages:
1. Wide applicability: the invention takes only a binary executable file as input and produces the final obfuscated executable file as output; no program source code is needed during the transformation, so it is widely applicable to commercial software whose vendors are unwilling to disclose source code.
2. Highly deployable: the obfuscation mechanism performs a semantically equivalent gadget conversion of the original program code and does not depend on any hardware processor feature, so it can be deployed on most hardware processor architectures.
3. Low performance loss: the invention avoids time-consuming methods such as signal handling routines and performs the gadget conversion of the code section once, statically, so the loss in execution speed of the original program is very low.
Description of the drawings
Fig. 1 is a step diagram of the binary obfuscation method based on ROP attack features according to an embodiment of the invention.
Fig. 2 is a flow chart of the disassembly and basic block division part of Fig. 1.
Fig. 3 is a flow chart of the ROP instrumentation part of Fig. 1.
Fig. 4 is a flow chart of the assembly & compilation part of Fig. 1.
Fig. 5 is a flow chart of the reconstruction part of Fig. 1.
Detailed description
The method first disassembles the ELF binary file to obtain assembly code and divides the assembly code into basic blocks. After the basic blocks are obtained, ROP instrumentation is applied to them so that each basic block is converted into a gadget ending with a ret instruction; the code in gadget form is the obfuscated form of the code. Then, on the basis of the gadget-form assembly code, the code of the binary search function FindNext is added, the payload and maptable data sections are added, and an assembly file in asm format is generated and recompiled, producing a new executable file. Finally, the original executable file is reconstructed: the original code section is filled with nop instructions; a new code section, the newtxt section, is added to store the obfuscated code; a new data section, the payload section, is added to control the chaining between gadgets; and a new data section, the maptable section, is added to hold the address mapping between the new and old code sections and to handle relocation of indirect jump target addresses. The code section (txt section), the payload data section and the maptable data section of the newly generated executable file are copied into the newly created newtxt, payload and maptable sections of the original executable file respectively. Finally, the file header and section header table of the executable file are modified: the section attribute information of the three newly generated sections is added to the file header and section header table of the original executable file, the entry point is changed, and the final executable file is generated.
The implementation of the binary obfuscation method based on ROP attack features on the Intel x86 architecture and the Linux system is further described below with reference to the drawings.
Step 1: the ELF binary file is disassembled with the tool objdump to obtain the assembly code representation of the binary; basic blocks are then divided on the basis of the assembly code. The basic block division rules are as follows:
1) a jmp, jcc, call or ret instruction marks the end of a basic block;
2) the instruction following a jmp, jcc, call or ret instruction marks the entry of a basic block;
3) the target address of a jmp, jcc or call instruction marks the entry of a basic block;
4) the target-address entries of indirect jmp, indirect jcc and indirect call instructions are ignored.
When dividing basic blocks, all code is initially treated as one basic block, and scanning then proceeds sequentially from the first instruction. When a jmp, jcc, call or ret instruction is encountered, the entries and exits of basic blocks are recorded according to the instruction type and the rules above. When the scan reaches the last instruction, all entries and exits have been determined and basic block division is complete. Because the target addresses of indirect jmp, indirect jcc and indirect call instructions are only determined at run time, they expose no control flow information statically, so they can be ignored when dividing basic blocks.
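The four division rules above, applied to an objdump-style listing, as an added example that is not code from the patent. The listing is constructed for illustration, and the line regex, the AT&T-syntax test for indirect operands (a leading `*`) and all function names are assumptions of this sketch.

```python
import re
from typing import List, NamedTuple, Optional


class Insn(NamedTuple):
    addr: int
    mnemonic: str
    operands: str


# Constructed sample in `objdump -d` AT&T layout (i386); not from a real binary.
SAMPLE_LISTING = """
08048400 <main>:
 8048400:  55                    push   %ebp
 8048401:  89 e5                 mov    %esp,%ebp
 8048403:  83 7d 08 01           cmpl   $0x1,0x8(%ebp)
 8048407:  7e 07                 jle    8048410 <main+0x10>
 8048409:  e8 12 00 00 00        call   8048420 <helper>
 804840e:  eb 02                 jmp    8048412 <main+0x12>
 8048410:  ff d0                 call   *%eax
 8048412:  5d                    pop    %ebp
 8048413:  c3                    ret

08048420 <helper>:
 8048420:  b8 01 00 00 00        mov    $0x1,%eax
 8048425:  c3                    ret
"""

# address ':' raw bytes, then mnemonic and operands; symbol header lines do not match.
_LINE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2} )+)\s*(\S+)\s*(.*)$")
# A direct operand starts with a bare hex address; indirect ones start with '*'.
_DIRECT = re.compile(r"^([0-9a-f]+)\b")


def parse_listing(text: str) -> List[Insn]:
    """Extract (address, mnemonic, operands) from each instruction line."""
    insns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            insns.append(Insn(int(m.group(1), 16), m.group(3), m.group(4).strip()))
    return insns


def ends_block(insn: Insn) -> bool:
    """Rule 1: jmp, jcc, call and ret end a basic block."""
    return insn.mnemonic.startswith(("j", "call", "ret"))


def direct_target(insn: Insn) -> Optional[int]:
    """Rules 3 and 4: return the target of a direct jmp/jcc/call, None otherwise."""
    if insn.mnemonic.startswith("ret"):
        return None
    m = _DIRECT.match(insn.operands)
    return int(m.group(1), 16) if m else None


def split_basic_blocks(insns: List[Insn]) -> List[List[Insn]]:
    """Start with one block, scan once to collect entries, then cut at each entry."""
    if not insns:
        return []
    known = {i.addr for i in insns}
    entries = {insns[0].addr}
    for idx, insn in enumerate(insns):
        if not ends_block(insn):
            continue
        if idx + 1 < len(insns):
            entries.add(insns[idx + 1].addr)      # rule 2: fall-through entry
        target = direct_target(insn)
        if target in known:                       # rule 3; indirect targets skipped (rule 4)
            entries.add(target)
    blocks: List[List[Insn]] = []
    for insn in insns:
        if insn.addr in entries:
            blocks.append([])
        blocks[-1].append(insn)
    return blocks


if __name__ == "__main__":
    for block in split_basic_blocks(parse_listing(SAMPLE_LISTING)):
        print(f"{block[0].addr:#x}..{block[-1].addr:#x}  ends with {block[-1].mnemonic}")
```

Targets that fall outside the parsed listing are ignored here, so the result covers only the code that was actually disassembled.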
Step 2: ROP instrumentation is applied to the basic blocks obtained in step 1. The basic blocks are converted to gadget form according to the ROP instrumentation rules, so that the program code exists in gadget form and the gadgets are linked to one another in control flow at run time by ret instructions, which achieves the obfuscation. The instrumentation of a basic block differs according to the instruction that ends it. One feasible set of instrumentation rules is as follows (the method is not limited to this set of rules):
Step 3: on the basis of the gadget-form assembly code obtained, the code of the binary search function FindNext is added, and the payload and maptable data sections are added. The payload data section stores the first address of each gadget and is used to control the gadget execution order at run time; maptable stores the mapping between each gadget's first address in the original txt section and in the newtxt section and is used to relocate the target addresses of indirect-jump-type instructions. At the same time the order of the gadgets is shuffled. An assembly file in asm format is generated, recompiled with the tool nasm into an ELF-format object file, and linked with the linker ld to generate a new executable file. Because the reconstruction of the executable file in the next step abandons the original code section and switches to the new code section, the obfuscated code does not use the original addresses; in the new executable file the start address of the code section is set to 0x7f00000.
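A model of the maptable lookup described in step 3, as an added example that is not code from the patent: gadgets are placed in shuffled order from the new code section start address, the old-to-new mapping is packed as a sorted table, and a FindNext-style binary search relocates an indirect jump target. The 8-byte little-endian record layout, the gadget sizes, the seed and the `None` result for an unmapped address are assumptions of this sketch.

```python
import random
import struct
from typing import Dict, List, Optional, Tuple

NEWTXT_BASE = 0x7F00000            # start address of the new code section given in step 3
RECORD = struct.Struct("<II")      # assumed record: (address in old txt, address in newtxt)

# Constructed input: (gadget first address in the old txt section, size after instrumentation).
GADGETS: List[Tuple[int, int]] = [
    (0x8048400, 14), (0x8048409, 11), (0x804840E, 9),
    (0x8048410, 16), (0x8048412, 7), (0x8048420, 10),
]


def shuffle_layout(gadgets: List[Tuple[int, int]], seed: int) -> Dict[int, int]:
    """Place gadgets back to back in shuffled order; return old address -> new address."""
    order = list(gadgets)
    random.Random(seed).shuffle(order)
    layout: Dict[int, int] = {}
    cursor = NEWTXT_BASE
    for old_addr, size in order:
        layout[old_addr] = cursor
        cursor += size
    return layout


def pack_maptable(layout: Dict[int, int]) -> bytes:
    """Serialise the mapping sorted by old address so it can be binary searched."""
    return b"".join(RECORD.pack(old, new) for old, new in sorted(layout.items()))


def find_next(maptable: bytes, old_target: int) -> Optional[int]:
    """Binary search the packed table for an indirect jump target computed at run time.

    The program still computes targets in terms of the old txt section, so the
    value has to be translated to the gadget's address in newtxt before the jump.
    """
    lo, hi = 0, len(maptable) // RECORD.size - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        old, new = RECORD.unpack_from(maptable, mid * RECORD.size)
        if old == old_target:
            return new
        if old < old_target:
            lo = mid + 1
        else:
            hi = mid - 1
    return None   # not a gadget entry: the target cannot be relocated


if __name__ == "__main__":
    layout = shuffle_layout(GADGETS, seed=7)
    table = pack_maptable(layout)
    for old_addr, _ in GADGETS:
        print(f"{old_addr:#x} -> {find_next(table, old_addr):#x}")
    print("mid-gadget address:", find_next(table, 0x8048401))
```

Sorting by old address is what makes the lookup independent of the shuffled placement: the table stays searchable however the gadgets are ordered in newtxt.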
Step 4: the original executable file is reconstructed. A new code section, the newtxt section, and two new data sections, the payload and maptable sections, are added to the original executable file. The contents of the three corresponding sections of the new executable file obtained in step 3 are copied into the original executable file with the tool objcopy, the file header and section header table of the original executable file are adjusted, the entry point is changed, and the content of the old code section in the original executable file is replaced with nop instructions, producing the final obfuscated code section. The specific implementation process is as follows:
1) the three sections newtxt, payload and maptable are added with objcopy;
2) the section attributes of these three sections are set with objcopy: newtxt is set to READONLY, CODE; payload and maptable are set to READONLY, DATA;
3) the contents of the txt, payload and maptable sections of the executable file newly generated in step 3 are copied with objcopy into the newly added newtxt, payload and maptable sections of the original executable file;
4) the start addresses of the three sections newtxt, payload and maptable are adjusted with objcopy;
5) the ELF Header and Section Header Table of the original executable file are adjusted to add the section attributes of the three new sections;
6) the program entry point is changed;
7) the instructions in the code section of the original executable file are replaced with nop instructions.
In summary, the invention effectively addresses the defects of existing control flow obfuscation methods: being easily cracked, large performance loss, and dependence on specific hardware.
Claims (6)
1. A binary obfuscation method based on ROP attack features, characterized by: static binary disassembly and basic block division, ROP instrumentation, recompilation of the gadget-form assembly code, and reconstruction of the executable file; so that binary obfuscation is carried out on the premise that the program runs correctly, achieving the purpose of software protection.
2. The binary obfuscation method based on ROP attack features according to claim 1, characterized by comprising the following steps:
1) static binary disassembly and basic block division;
2) ROP instrumentation;
3) recompilation of the gadget-form assembly code;
4) reconstruction of the executable file.
3. The binary obfuscation method based on ROP attack features according to claim 2, characterized in that in step 1) the executable file is disassembled to obtain the assembly code representation of the code section, and the code is divided into basic blocks according to the basic block division rules, wherein the basic block division rules are:
a jmp, jcc, call or ret instruction marks the end of a basic block; the instruction following a jmp, jcc, call or ret instruction marks the entry of a basic block; the target address of a jmp, jcc or call instruction marks the entry of a basic block; the target-address entries of indirect jmp, indirect jcc and indirect call instructions are ignored.
4. The binary obfuscation method based on ROP attack features according to claim 2, characterized in that in step 2) ROP instrumentation is applied to the basic blocks obtained in claim 3: according to the type of the instruction that ends the basic block, that instruction is replaced with the corresponding instruction sequence, so that the basic block is converted into gadget form ending with ret; the control flow of the gadget-form code is hidden by the ret instructions, which achieves the obfuscation.
5. The binary obfuscation method based on ROP attack features according to claim 2, characterized in that in step 3) the binary search function FindNext and the two data sections payload and maptable are added to the gadget-form assembly code obtained in claim 4, an asm file is generated, and the file is then reassembled to obtain a new binary executable file.
6. The binary obfuscation method based on ROP attack features according to claim 2, characterized in that in step 4) a new code section, the newtxt section, is added to the original executable file, the code section content of the original executable file is replaced with nop instructions, and the content of the code section (txt section) of the new executable file obtained in claim 5 is copied into the newtxt section; two data sections, the payload section and the maptable section, are added, and the contents of the payload and maptable sections of the new executable file obtained in claim 5 are copied into the payload and maptable sections of the original executable file; the entry point of the original executable file is modified; and the final obfuscated executable file is generated.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610930442.5A CN106529224A (en) | 2016-10-27 | 2016-10-27 | Binary obfuscation method based on ROP (Return Oriented Programming) attack feature |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106529224A true CN106529224A (en) | 2017-03-22 |
Family
ID=58292134
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610930442.5A Pending CN106529224A (en) | 2016-10-27 | 2016-10-27 | Binary obfuscation method based on ROP (Return Oriented Programming) attack feature |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106529224A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102231109A (en) * | 2011-07-15 | 2011-11-02 | 南京大学 | Traceless manageable automatic source code instrumentation method |
CN103778355A (en) * | 2014-01-15 | 2014-05-07 | 西北大学 | Code morphing-based binary code obfuscation method |
CN105022956A (en) * | 2015-08-14 | 2015-11-04 | 中国科学院计算技术研究所 | Method for protecting against code reuse attack |
CN105224864A (en) * | 2015-11-04 | 2016-01-06 | 中国科学院计算技术研究所 | A kind of progress of work method of randomization and system resisting code reuse attack |
CN105488397A (en) * | 2015-12-02 | 2016-04-13 | 国网智能电网研究院 | Situation-based ROP attack detection system and method |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108629162B (en) * | 2017-03-23 | 2020-06-02 | 北京小唱科技有限公司 | Source code protection method and device |
CN108629162A (en) * | 2017-03-23 | 2018-10-09 | 北京小唱科技有限公司 | A kind of source code means of defence and device |
CN107092518A (en) * | 2017-04-17 | 2017-08-25 | 上海红神信息技术有限公司 | A kind of Compilation Method for protecting mimicry system of defense software layer safe |
CN108733990A (en) * | 2018-05-22 | 2018-11-02 | 深圳壹账通智能科技有限公司 | A kind of document protection method and terminal device based on block chain |
CN109284604A (en) * | 2018-09-10 | 2019-01-29 | 中国联合网络通信集团有限公司 | A kind of software action analysis method and system based on virtual machine |
CN109344576A (en) * | 2018-09-17 | 2019-02-15 | 北京奇虎科技有限公司 | A kind of applied program processing method, device, electronic equipment and readable storage medium storing program for executing |
CN109344576B (en) * | 2018-09-17 | 2023-04-25 | 三六零科技集团有限公司 | Application processing method and device, electronic equipment and readable storage medium |
CN110210190A (en) * | 2019-05-30 | 2019-09-06 | 中国科学院信息工程研究所 | A kind of Code obfuscation method based on secondary compilation |
CN110837372A (en) * | 2019-11-04 | 2020-02-25 | 贵阳动视云科技有限公司 | Method, apparatus, medium, and device for clearing confusion of assembly code |
CN110990797A (en) * | 2019-11-29 | 2020-04-10 | 珠海豹趣科技有限公司 | Data processing method and device and computer readable storage medium |
CN111475168A (en) * | 2020-04-14 | 2020-07-31 | 中国人民解放军战略支援部队信息工程大学 | Code compiling method and device |
CN111475168B (en) * | 2020-04-14 | 2023-05-05 | 中国人民解放军战略支援部队信息工程大学 | Code compiling method and device |
CN114880665A (en) * | 2022-05-12 | 2022-08-09 | 电子科技大学 | Intelligent detection method and device for return programming attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20170322 |