CN107423586A - Method for protecting software and software protecting equipment - Google Patents
- Publication number
- CN107423586A (CN201710639745.6A)
- Authority
- CN
- China
- Prior art keywords
- net
- content
- code
- metadata catalog
- executable programs
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Abstract
The disclosure provides a software protection method comprising: parsing a .NET executable and identifying the metadata directory in it; hiding the content of the metadata directory in a predetermined manner; and modifying the program entry of the .NET executable to point to predetermined code, yielding a protected .NET executable, where the predetermined code is used to restore the metadata directory. The disclosure also provides a software protection device and a computer-readable storage medium storing instructions. The software protection method and device of the invention resist static analysis and so better protect .NET programs.
Description
Technical field
The present invention relates to the field of software protection, and in particular to a software protection method and a software protection device.
Background
While the .NET framework is extremely convenient, it also has a major drawback: .NET programs are very easy to decompile. An executable built for the .NET framework from a language such as C# can be decompiled directly into IL (intermediate language) instructions with a suitable decompilation tool, or even back into C# code, so its security is very poor. Common decompilation tools include dnSpy and ILSpy. Decompilation can be regarded as the inverse of compilation: it translates object code that exists in machine-language form into functionally equivalent code in assembly-language or high-level-language form. Because the logic of the original code can be obtained once decompilation has been carried out, the corresponding executables under the .NET framework are highly susceptible to infringement.
Some prior-art protection methods for .NET programs work as follows: a binary code segment containing .NET IL instructions is selected from the compiled .NET program; the binary code segment is transformed and then deleted from the .NET program; the transformed binary code segment is written into a shell of the .NET program, and an instruction that calls the shell is written into the .NET program; when the .NET program reaches the shell call instruction, the shell calls a .NET virtual machine, which then runs the transformed binary code segment. However, this method selects only the binary code segments that contain .NET IL instructions, and it needs to call a .NET virtual machine. On the one hand, the security achievable by such a transformation of the binary code segment is not strong, and it cannot resist static analysis by decompilation tools well; on the other hand, calling the .NET virtual machine increases memory overhead.
At present there is an urgent need for a method and device that protect executables under the .NET framework in a simpler, more flexible and effective way.
Summary of the invention
An object of the invention is to provide a method and device that strengthen the protection of executables under the .NET framework.
A further object of the invention is to provide a method and device that protect executables under the .NET framework in a simple, safe and efficient manner.
According to one aspect of the invention, a software protection method is provided, which may include: parsing a .NET executable and identifying the metadata directory in it; hiding the content of the metadata directory in a predetermined manner; and modifying the program entry of the .NET executable to point to predetermined code, yielding a protected .NET executable, the predetermined code being used to restore the metadata directory.
Preferably, hiding the content of the metadata directory in a predetermined manner includes encrypting the content of the metadata directory with a predetermined encryption algorithm.
Preferably, hiding the content of the metadata directory in a predetermined manner includes, after encrypting the content of the metadata directory, storing the encrypted content at a predetermined location in the .NET executable and clearing the content of the metadata directory.
Preferably, modifying the program entry of the .NET executable to point to predetermined code includes: changing the entry address of the .NET executable to a new entry address; and inserting the predetermined code after the new entry address.
Preferably, the predetermined code includes: code that restores the hidden content of the metadata directory; code that rebuilds the local file and memory image of the .NET executable; and code that triggers a hook program when the .NET executable code is accessed by the operating system.
Preferably, the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata.
Particularly preferably, the predetermined code may be shell code (ShellCode).
According to another aspect of the invention, a software protection device is provided, which may include a memory storing instructions and at least one processor coupled to the memory. When the instructions are loaded and executed by the at least one processor, they cause the at least one processor to perform the following operations: parsing a .NET executable and identifying the metadata directory in it; hiding the content of the metadata directory in a predetermined manner; and modifying the program entry of the .NET executable to point to predetermined code, yielding a protected .NET executable, where the predetermined code can be used to restore the metadata directory.
Preferably, hiding the content of the metadata directory in a predetermined manner includes encrypting the content of the metadata directory with a predetermined encryption algorithm.
Preferably, hiding the content of the metadata directory in a predetermined manner includes, after encrypting the content of the metadata directory, storing the encrypted content at a predetermined location in the .NET executable and clearing the content of the metadata directory.
Preferably, modifying the program entry of the .NET executable to point to predetermined code includes: changing the entry address of the .NET executable to a new entry address; and inserting the predetermined code after the new entry address.
Preferably, the predetermined code may include: code that restores the hidden content of the metadata directory; code that rebuilds the local file and memory image of the .NET executable; and code that triggers a hook program when the .NET executable code is accessed by the operating system.
Preferably, the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata.
The technical solution of the invention resists static analysis of .NET programs by decompilation tools and protects executables under the .NET framework more effectively, with stronger security.
Brief description of the drawings
The drawings illustrate various examples of the principles described herein and form part of this specification. They are to be understood as examples and not as limitations, wherein:
Fig. 1 is a flowchart of a method for protecting .NET programs according to one embodiment of the disclosure;
Fig. 2 is a flowchart of a method for protecting .NET programs according to another embodiment of the disclosure;
Fig. 3 is a flowchart of a method for protecting .NET programs according to another embodiment of the disclosure;
Fig. 4 is a structural diagram of a device for protecting .NET programs according to an embodiment of the disclosure;
Fig. 5 is a screenshot illustrating the metadata directory in a .NET PE executable;
Fig. 6 is a screenshot illustrating the metadata directory in a .NET PE executable after processing according to an embodiment of the invention.
Detailed description
In the following description, specific details are set forth to provide an understanding of the invention. It will be apparent to those skilled in the art, however, that the invention can be practised without these details. Moreover, those skilled in the art will recognize that the embodiments of the invention described below can be implemented in many ways, such as a process, an apparatus, a system, a device, or a method on a tangible computer-readable storage medium. To describe the objects, solutions and advantages of the disclosure more clearly, various embodiments of the invention are described in detail below with reference to the drawings.
It should also be noted that the terms "coupled", "connected" and "communicatively coupled" should be understood to include direct connections, indirect connections through one or more intermediate devices, and wireless connections.
Metadata is one of the basic elements a .NET program needs in order to run. Metadata is data that describes data; here, the data described is the structure of the code. In general, metadata is binary information that describes a program stored in a portable executable (PE) file or in memory. When a compiler compiles program code into a PE file, it inserts the metadata into a part of that file.
Specifically, .NET is object-oriented, so what the metadata mainly describes are the basic elements of object orientation: classes, types, properties, methods, fields, parameters, attributes and so on. It mainly comprises the following items:
● Definition tables, which describe the types and members defined in the source code, mainly including: TypeDef, MethodDef, FieldDef, ModuleDef, PropertyDef, etc.
● Reference tables, which describe the types and members referenced in the source code; a referenced element may be in another module of the same assembly or in a module of a different assembly. They mainly include: AssemblyRef, TypeRef, ModuleRef, MethodsRef, etc.
● Pointer tables, which use pointers to reference unknown code, mainly including: MethodPtr, FieldPtr, ParamPtr, etc.
● Heaps, which hold information in the form of streams, mainly including: #String, #Blob, #US, #GUID, etc.
When code is executed, the .NET runtime loads the metadata into memory and references it to find information about the code's classes, members, inheritance and so on.
Fig. 5 is a screenshot illustrating the metadata directory in a .NET PE executable. An executable generated under the .NET framework is one kind of standard PE executable. As the screenshot in Fig. 5 shows, the .NET MetaData Directory RVA and .NET MetaData Directory Size entries in the data directory of a .NET PE executable are non-zero; they point to the .NET directory that the .NET runtime needs when the program runs, which contains the strings, function information, function attribute information and so on that the program used before compilation. The security of a .NET PE executable is therefore extremely poor.
The invention protects .NET programs by protecting the content of the metadata directory. It further modifies the structure of the .NET executable and uses "shell code" (ShellCode) with predetermined functions to achieve the goal of protecting the .NET executable. Specifically, the content of the metadata directory is hidden, so that the .NET executable appears on the surface to be merely a native executable.
Fig. 6 is a screenshot illustrating the metadata directory in a .NET PE executable after processing according to an embodiment of the invention. As Fig. 6 shows, a .NET PE executable processed in this way appears on the surface to be a native PE executable: its .NET MetaData Directory RVA and .NET MetaData Directory Size entries are 0, i.e. the content of the metadata directory is hidden.
Hiding the content of the metadata directory in this way can greatly enhance the security of the .NET executable.
As shown in Fig. 1, a method for protecting .NET programs is provided according to one embodiment of the disclosure, comprising steps S100-S106. In step S100, the .NET executable is parsed and the metadata directory in it is identified. In step S102, the content of the metadata directory is hidden in a predetermined manner. In step S104, the program entry of the .NET executable is modified to point to predetermined code. In step S106, a protected .NET executable is obtained. According to this embodiment, the predetermined code can be used to restore the metadata directory; in the embodiments of the invention, the predetermined code is illustrated using ShellCode as an example.
According to embodiments of the disclosure, hiding the content of the metadata directory may include "scrambling" the content of the metadata directory according to a predetermined rule or rule set, or applying a logical transformation to the metadata directory according to a predetermined rule or rule set, and, after this processing, setting the relative virtual address (RVA) entry and size entry in the corresponding data directory of the .NET executable (for example, .NET MetaData Directory RVA and .NET MetaData Directory Size) to zero (0). Moreover, any other approach may be used so long as it hides the content of the metadata directory. On the surface, the content of the metadata directory then appears to be empty. And because the content has in fact been hidden, static analysis by decompilation tools can be resisted.
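The zeroed entries described above can be checked statically. The following Python code is an added example, not code from the patent: it assumes the ".NET MetaData Directory RVA/Size" entries correspond to data-directory index 14 of the PE optional header, reads that entry, and scans the raw bytes for the "BSJB" signature that opens a CLI metadata root. The function names and the sample images, which are constructed inline, are hypothetical.

```python
import struct

CLR_DIR_INDEX = 14        # data-directory slot of the CLR header (assumed to be the
                          # ".NET MetaData Directory" entries the page refers to)
METADATA_MAGIC = b"BSJB"  # signature that opens a CLI metadata root


def read_clr_directory(pe: bytes):
    """Return (rva, size) of data-directory entry 14, or None if the slot is absent."""
    try:
        if pe[:2] != b"MZ":
            raise ValueError("not an MZ image")
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        opt = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic == 0x10B:               # PE32
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:             # PE32+
            count_off, dirs_off = opt + 108, opt + 112
        else:
            raise ValueError("unknown optional-header magic")
        (count,) = struct.unpack_from("<I", pe, count_off)
        if count <= CLR_DIR_INDEX:
            return None
        return struct.unpack_from("<II", pe, dirs_off + 8 * CLR_DIR_INDEX)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc


def find_metadata_roots(pe: bytes):
    """Return file offsets at which a plausible plaintext metadata root starts."""
    hits, pos = [], pe.find(METADATA_MAGIC)
    while pos != -1:
        if pos + 16 <= len(pe):
            (length,) = struct.unpack_from("<I", pe, pos + 12)
            # The version-string length is at most 255 and padded to a multiple of four.
            if 0 < length <= 255 and length % 4 == 0:
                hits.append(pos)
        pos = pe.find(METADATA_MAGIC, pos + 1)
    return hits


def triage(pe: bytes) -> str:
    """Classify an image by its CLR directory entry and any visible metadata root."""
    entry = read_clr_directory(pe)
    if entry is not None and entry != (0, 0):
        return "managed"                      # ordinary .NET PE, as in Fig. 5
    if find_metadata_roots(pe):
        return "clr-zeroed-metadata-visible"  # entry cleared, metadata still plaintext
    return "native-looking"                   # nothing .NET-specific visible statically


def build_sample(clr_rva: int, clr_size: int, body: bytes) -> bytes:
    """Constructed PE32 header (no sections) followed by `body`; test data only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR_INDEX, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


# Constructed metadata root: signature, version 1.1, reserved, length, version string.
SAMPLE_META = METADATA_MAGIC + struct.pack("<HHII", 1, 1, 0, 12) + b"v4.0.30319\0\0"
# Constructed stand-in for content hidden by some transformation (not a real cipher).
SAMPLE_HIDDEN = bytes(b ^ 0x5A for b in SAMPLE_META)

if __name__ == "__main__":
    for name, image in [
        ("unprotected", build_sample(0x2008, 0x48, SAMPLE_META)),
        ("entry zeroed", build_sample(0, 0, SAMPLE_META)),
        ("entry zeroed, content hidden", build_sample(0, 0, SAMPLE_HIDDEN)),
    ]:
        print(f"{name}: {triage(image)}")
```

A file whose directory entry is zero while a metadata signature is still visible has only had the entry cleared. When the content is also encrypted, as in the embodiments of Fig. 2 and Fig. 3, this static check sees nothing .NET-specific, and the metadata can only be observed after the entry code has restored it in memory.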
So-called "shelling" means adding a shell to an executable. Because the program entry points to the ShellCode, execution of the program actually starts from the ShellCode. The way in which the content of the metadata directory is hidden is agreed in advance with the ShellCode. The ShellCode, which has the predetermined functions detailed below, is written on the basis of that pre-agreed approach.
According to an embodiment, modifying the program entry of the .NET executable to point to predetermined code includes: changing the entry address of the .NET executable to a new entry address; and inserting the predetermined code after the new entry address.
According to an embodiment, the predetermined code includes: code that restores the hidden content of the metadata directory; code that rebuilds the local file and memory image of the .NET executable; and code that triggers a hook program when the .NET executable code is accessed by the operating system. According to an embodiment, the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata, so that the operating system can read the metadata from that location and execute the program.
Fig. 2 is a flowchart of a method for protecting .NET programs according to one embodiment of the disclosure. As shown in Fig. 1, the method of this embodiment comprises steps S200-S206. In step S200, the .NET executable is first parsed and the metadata directory in it is identified. In step S202, the content of the metadata directory is encrypted with a predetermined encryption algorithm. In step S204, the program entry of the .NET executable is modified to point to predetermined code, i.e. the ShellCode. Then, in step S206, a new protected .NET executable is obtained.
According to this embodiment, the predetermined encryption algorithm may be any encryption algorithm known in the art, for example a symmetric encryption algorithm such as the Advanced Encryption Standard, or an asymmetric encryption algorithm such as RSA or elliptic-curve cryptography. In addition, restoring the metadata directory includes decrypting the encrypted metadata directory. The decryption depends on the encryption algorithm used for encryption.
According to an embodiment, modifying the program entry of the .NET executable to point to predetermined code includes: changing the entry address of the .NET executable to a new entry address; and inserting the predetermined code after the new entry address.
According to an embodiment, the predetermined code includes: code that restores the encrypted content of the metadata directory; code that rebuilds the local file and memory image of the .NET executable; and code that triggers a hook program when the .NET executable code is accessed by the operating system. According to an embodiment, the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata, so that the operating system can read the metadata from that location and execute the program.
Fig. 3 is a flowchart of a method for protecting .NET programs according to another embodiment of the disclosure. As shown in Fig. 3, the method of this embodiment comprises steps S300-S308. In step S300, the .NET executable is first parsed and the metadata directory in it is identified. In step S302, the content of the metadata directory is encrypted, and the encrypted content is stored at a predetermined location in the .NET executable. In step S304, the content of the metadata directory is cleared. In step S306, the program entry of the .NET executable is modified to point to predetermined code, i.e. the ShellCode. Then, in step S308, a new protected .NET executable is obtained.
As in the embodiment above, the encryption may use any encryption algorithm known in the art, for example a symmetric encryption algorithm such as the Advanced Encryption Standard, or an asymmetric encryption algorithm such as RSA or elliptic-curve cryptography. Restoring the metadata directory includes decrypting the encrypted metadata directory. The decryption depends on the encryption algorithm used for encryption.
According to an embodiment, modifying the program entry of the .NET executable to point to predetermined code includes: changing the entry address of the .NET executable to a new entry address; and inserting the predetermined code after the new entry address.
According to an embodiment, the predetermined code includes: code that restores the encrypted content of the metadata directory; code that rebuilds the local file and memory image of the .NET executable; and code that triggers a hook program when the .NET executable code is accessed by the operating system. According to an embodiment, the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata, so that the operating system can read the metadata from that location and execute the program.
According to this embodiment, the predetermined location may be any location other than the original location of the metadata directory, and clearing the content of the metadata directory means clearing the content at the original location of the metadata directory. After the content at the original location of the metadata directory is cleared, the relative virtual address (RVA) entry and size entry in the corresponding data directory of the .NET executable (for example, .NET MetaData Directory RVA and .NET MetaData Directory Size) in effect become zero (0). As shown in Fig. 6, a .NET program modified by the method of the embodiments of the invention is stored in the form of a local file. When it is executed, the added predetermined code is executed from the modified entry. Executing the predetermined code restores the encrypted content of the metadata directory, rebuilds the local file and memory image of the .NET executable, and, when the .NET executable code is accessed by the operating system, triggers the hook program. The hook program notifies the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata, so that the operating system can read the metadata from that location and execute the program.
Fig. 4 is a structural diagram of a device for protecting .NET programs according to an embodiment of the disclosure. The .NET program protection device may be a computing device 40. According to this embodiment, the computing device 40 includes a memory 401, a central processing unit (CPU) 402, and input/output (I/O) components 403 such as a keyboard, mouse, touch screen and/or video display. Computer-executable instructions may be stored in the memory 401. The memory 401 and the I/O components 403 may be communicatively coupled to the CPU 402.
An operating system (OS) and multiple program modules and data files may be stored in the memory 401. The program modules may be, for example, an I/O manager, other utilities and various applications. The computing device 40 may include, but is not limited to, a desktop computer, notebook computer, tablet device, mobile computing device or any kind of terminal device.
According to one embodiment, when the CPU 402 executes the instructions, the operations performed by the CPU 402 include: parsing a .NET executable and identifying the metadata directory in it; encrypting the content of the metadata directory with a predetermined encryption algorithm; modifying the program entry of the .NET executable to point to predetermined code, such as ShellCode; and obtaining a new protected .NET executable.
According to a preferred embodiment, when the CPU 402 executes the instructions, the operations performed by the CPU 402 include: parsing a .NET executable and identifying the metadata directory in it; encrypting the content of the metadata directory and storing the encrypted content at a predetermined location in the .NET executable; clearing the content of the metadata directory; modifying the program entry of the .NET executable to point to predetermined code, such as ShellCode; and obtaining a new protected .NET executable.
According to an embodiment, modifying the program entry of the .NET executable to point to predetermined code includes: changing the entry address of the .NET executable to a new entry address; and inserting the predetermined code after the new entry address. According to an embodiment, the predetermined code includes: code that restores the encrypted content of the metadata directory; code that rebuilds the local file and memory image of the .NET executable; and code that triggers a hook program when the .NET executable code is accessed by the operating system. According to an embodiment, the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata, so that the operating system can read the metadata from that location and execute the program.
According to another embodiment of the disclosure, a computer-readable storage medium is provided in which instructions are stored. When the instructions are loaded and executed by at least one processor, they cause the at least one processor to perform the following operations: parsing a .NET executable and identifying the metadata directory in it; hiding the content of the metadata directory in a predetermined manner; and modifying the program entry of the .NET executable to point to predetermined code, such as ShellCode, yielding a protected .NET executable, where the ShellCode is used to restore the metadata directory.
Below, the functions implemented by the predetermined code, i.e. a ShellCode with specific functions, and the execution of the protected .NET executable are described in detail. The program entry of a .NET executable processed as above has been modified to point to the ShellCode, so the ShellCode is executed at the entry of the .NET executable. After the ShellCode has executed, the .NET runtime entry is called. The .NET runtime verifies the file in memory and the file on disk, including the content of the encrypted metadata directory. The .NET runtime entry is called in the manner shown in the following sample code:
According to embodiments of the disclosure, the predetermined functions implemented by the ShellCode include the following.
First, the content of the encrypted metadata directory is restored. Restoration includes decrypting the content of the encrypted metadata directory, and the decryption depends on the method used for encryption. The restoration may, for example, include restoring the metadata directory in the in-memory program image of the generated protected .NET executable, so that the .NET executable in memory becomes a .NET PE executable that passes verification by the .NET runtime. In this way the .NET runtime obtains correct parameters when it verifies the .NET PE executable in memory.
In addition, when the protected .NET executable runs, the predetermined code is executed at the predetermined entry address of the .NET executable. The predetermined code includes: code that locates the hidden metadata directory and restores the content of the hidden metadata directory; code that rebuilds the local file and memory image of the .NET executable; and code that executes the hook program when the operating system is detected executing the .NET executable. According to this embodiment, the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the directory storing the restored metadata.
As described above, when the protected .NET executable runs, the predetermined code (e.g. ShellCode) is responsible for hooking (HOOK) the file-operation application programming interfaces (APIs) of the current process. The file-operation APIs mainly include CreateFileW, GetFileSize, CreateFileMappingW, CloseHandle and so on; these are only examples. As is known in the art, HOOK is a very important system interface in the Windows operating system. It makes it easy to intercept and process messages passed between other applications, and so to accomplish specific functions that are difficult for ordinary applications to implement. In the embodiments of the invention, hooking takes over reads of the local file so that the .NET runtime's verification of the local file passes.
With the above functions implemented by the ShellCode, when the protected .NET PE executable is loaded and run on the computing device 40, its program image runs normally in memory like an ordinary .NET PE executable. That is, the embodiments of the disclosure protect the .NET program without affecting its normal loading and running.
With the scheme contemplated by the disclosure, because the content of the metadata directory is encrypted, the security of the protected .NET executable is greatly increased and static analysis by decompilation tools can be effectively resisted.
The flowcharts shown herein provide examples of sequences of various processing actions. Although shown in a particular sequence or order, the order of the actions can be changed unless otherwise indicated. The illustrated embodiments are therefore provided for purposes of example only; the processing can be performed in a different order, and some processing can be performed in parallel. In addition, one or more steps can be omitted in various embodiments.
The software of the embodiments described herein can be provided via a computer-readable storage medium in which the software content is stored, via any article of manufacture, or via a communication interface. A computer-readable storage medium can cause a machine to perform the functions or operations described, and includes any mechanism that stores program modules or data content in a form accessible to a computing device, for example read-only memory, random access memory, magnetic disk storage media, optical storage media, flash memory devices and the like. A communication interface includes any mechanism that interfaces with any of a hardwired, wireless, optical or similar medium to communicate with another device, such as a memory bus interface, a processor bus interface, an Internet connection, a disk controller and the like.
References in the specification to "one embodiment", "a preferred embodiment", "an embodiment" and "various embodiments" mean that a particular feature, structure, characteristic or function described in connection with the embodiment is included in at least one embodiment of the present disclosure and may be included in more than one embodiment. Moreover, the appearances of these phrases in various places in the specification do not necessarily all refer to the same embodiment.
In addition to what is described herein, various modifications can be made to the disclosed embodiments without departing from the scope of the present invention. The descriptions and examples herein should therefore be construed as illustrative and not restrictive. The spirit and scope of the present invention should be determined solely by reference to the claims and their equivalents.
Claims (12)
1. A software protection method, comprising:
parsing a .NET executable program and identifying the metadata catalog in the .NET executable program;
hiding the content in the metadata catalog in a predetermined manner;
modifying the program entry of the .NET executable program to point to predetermined code, to obtain a protected .NET executable program, the predetermined code being used to recover the metadata catalog.
2. The method according to claim 1, wherein hiding the content in the metadata catalog in a predetermined manner comprises encrypting the content in the metadata catalog with a predetermined cryptographic algorithm.
3. The method according to claim 1, wherein hiding the content in the metadata catalog in a predetermined manner comprises, after encrypting the content in the metadata catalog, storing the encrypted content at a predetermined location in the .NET executable program and clearing the content in the metadata catalog.
4. The method according to claim 1, wherein modifying the program entry of the .NET executable program to point to predetermined code comprises: changing the entry address of the .NET executable program to a new entry address; and inserting the predetermined code after the new entry address.
5. The method according to claim 1, wherein the predetermined code comprises: code for recovering the content in the hidden metadata catalog; code for rebuilding the local file and the memory mapping of the .NET executable program; and code that triggers a hook program when the .NET executable code is accessed by the operating system.
6. The method according to claim 5, wherein the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the storage catalog of the recovered metadata.
7. A software protection device, comprising a memory storing instructions and at least one processor coupled to the memory, wherein the instructions, when loaded and executed by the at least one processor, cause the at least one processor to perform the following operations:
parsing a .NET executable program and identifying the metadata catalog in the .NET executable program;
hiding the content in the metadata catalog in a predetermined manner;
modifying the program entry of the .NET executable program to point to predetermined code, to obtain a protected .NET executable program, the predetermined code being used to recover the metadata catalog.
8. The device according to claim 7, wherein hiding the content in the metadata catalog in a predetermined manner comprises encrypting the content in the metadata catalog with a predetermined cryptographic algorithm.
9. The device according to claim 7, wherein hiding the content in the metadata catalog in a predetermined manner comprises, after encrypting the content in the metadata catalog, storing the encrypted content at a predetermined location in the .NET executable program and clearing the content in the metadata catalog.
10. The device according to claim 7, wherein modifying the program entry of the .NET executable program to point to predetermined code comprises: changing the entry address of the .NET executable program to a new entry address; and inserting the predetermined code after the new entry address.
11. The device according to claim 7, wherein the predetermined code comprises: code for recovering the content in the hidden metadata catalog; code for rebuilding the local file and the memory mapping of the .NET executable program; and code that triggers a hook program when the .NET executable code is accessed by the operating system.
12. The device according to claim 11, wherein the hook program is configured to notify the operating system that the currently executing program is a .NET program and of the location of the storage catalog of the recovered metadata.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710639745.6A CN107423586B (en) | 2017-07-31 | 2017-07-31 | Method for protecting software and software protecting equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710639745.6A CN107423586B (en) | 2017-07-31 | 2017-07-31 | Method for protecting software and software protecting equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107423586A (en) | 2017-12-01 |
CN107423586B (en) | 2018-11-20 |
Family
ID=60431540
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710639745.6A Active CN107423586B (en) | 2017-07-31 | 2017-07-31 | Method for protecting software and software protecting equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107423586B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110472425A (en) * | 2019-07-18 | 2019-11-19 | 福建天晴在线互动科技有限公司 | Unity plug-in unit encryption method based on Mono, storage medium |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040098613A1 (en) * | 2002-11-19 | 2004-05-20 | Schiavoni Juan Jose | Software protection system and method |
CN101158911A (en) * | 2007-11-22 | 2008-04-09 | 北京飞天诚信科技有限公司 | .Net program protection method and device |
US7426734B2 (en) * | 2003-10-24 | 2008-09-16 | Microsoft Corporation | Facilitating presentation functionality through a programming interface media namespace |
CN101377737A (en) * | 2007-08-28 | 2009-03-04 | 上海宝信软件股份有限公司 | Resource management apparatus of application system |
CN101964040A (en) * | 2010-09-10 | 2011-02-02 | 西安理工大学 | PE loader-based software packing protection method |
CN101980160A (en) * | 2010-10-28 | 2011-02-23 | 北京飞天诚信科技有限公司 | Implementing method for encrypted .NET program |
CN103065069A (en) * | 2013-01-28 | 2013-04-24 | 电子科技大学 | Shell technology based software protection method |
CN103955635A (en) * | 2014-04-04 | 2014-07-30 | 北京深思数盾科技有限公司 | Method and system for protecting .NET executable program |
CN104866312A (en) * | 2015-05-22 | 2015-08-26 | 国云科技股份有限公司 | ASP.NET-based pseudo static page implementation method |
CN105205539A (en) * | 2015-08-25 | 2015-12-30 | 携程计算机技术(上海)有限公司 | OTA website hotel room management method and system |
CN106295257A (en) * | 2015-06-29 | 2017-01-04 | 中兴通讯股份有限公司 | A kind of authentication method being reinforced software and device |
CN106650340A (en) * | 2016-11-16 | 2017-05-10 | 中国人民解放军国防科学技术大学 | Binary software protection method by means of dynamic fine-grained code hiding and obfuscating technology |
Also Published As
Publication number | Publication date |
---|---|
CN107423586B (en) | 2018-11-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Bichsel et al. | Statistical deobfuscation of android applications | |
EP3807797B1 (en) | Pointer authentication and dynamic switching between pointer authentication regimes | |
US8090959B2 (en) | Method and apparatus for protecting .net programs | |
US20160203087A1 (en) | Method for providing security for common intermediate language-based program | |
JP5346386B2 (en) | Software separation execution method, apparatus, and computer-readable recording medium | |
CN106203006A (en) | Android application reinforcement means based on dex Yu so file Dynamic Execution | |
WO2016078130A1 (en) | Dynamic loading method for preventing reverse of apk file | |
CN106126981A (en) | The software security means of defence replaced based on virtual function table | |
CN101807239A (en) | Method for preventing source code from decompiling | |
CN103310151A (en) | Detecting malicious computer code in an executing program module | |
JP2022009556A (en) | Method for securing software codes | |
JP2016525760A (en) | Identify irrelevant code | |
CN103413074B (en) | A kind of method and apparatus being realized software protection by API | |
CN112052433B (en) | Virtual protection method, terminal and storage medium for Jar file | |
CN110309631A (en) | A kind of programming language structure obscures processing method, intelligent terminal and storage medium | |
US10691791B2 (en) | Automatic unpacking of executables | |
Lin et al. | Solsee: a source-level symbolic execution engine for solidity | |
CN110633073A (en) | Unity code obfuscation method based on Il2cpp compilation | |
CN107423586B (en) | Method for protecting software and software protecting equipment | |
CN112965736A (en) | Code processing method and device, electronic equipment and medium | |
CN104765986B (en) | A kind of code protection and restoring method based on Steganography | |
CN107066886A (en) | A kind of Android reinforces the detection method of shelling | |
CN104680043A (en) | Method and device for protecting executable file | |
CN109614773B (en) | Code self-modifying method and device and electronic equipment | |
CN104615935A (en) | Hiding method geared to Xen virtualization platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder | Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing. Patentee after: Beijing Shendun Technology Co.,Ltd. Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing. Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |