CN101964040A - PE loader-based software packing protection method - Google Patents


Info

Publication number
CN101964040A
Authority
CN
China
Prior art keywords
software
shell
shell template
protected
template
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 201010280090
Other languages
Chinese (zh)
Other versions
CN101964040B (en)
Inventor
孙钦东
王倩
马哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian University of Technology
Original Assignee
Xian University of Technology

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a PE loader-based software packing protection method. The method comprises the following steps of: mapping a shell template into an internal memory, repositioning the base address of the shell template by simulating a PE loader of Windows and calculating a relative virtual address (RVA) of a segment where the entry point of the shell template is positioned and the size of the segment, wherein the calculated RVA value of the segment and the size value of the segment are taken as parameters and a hash value calculated by a secure hash algorithm (SHA) is taken as a key of an advanced encryption standard (AES) encryption algorithm; mapping protected software into the internal memory and encrypting the protected software by the AES encryption algorithm by using calculated key; adding encrypted data into a Reloc segment of the shell template; processing a special resource in the software to be protected and extracting additional data of the special resource, attaching the special resource and the additional data to the end of a shell template file respectively and modifying a corresponding data item related to the special resource in the PE structure of the shell template; and repeating the modified shell template from the internal memory to a disc so as to obtain protected software. The method remarkably enhances the safety of the software.

Description

PE loader-based software packing protection method
Technical field
The invention belongs to the field of computer software protection technology and addresses the problem of software being illegally tampered with and cracked; it specifically relates to a PE loader-based software packing protection method.
Background technology
Software protection is a very important step in software development. Because released software faces scrutiny from many reverse-analysis personnel, adding a layer of protection shell to software before release has almost become a necessary step in protecting it. Existing packing protection techniques generally point the entry point of the executable file (here mainly PE files on the Win32 platform) at the shell's shellcode, compress or encrypt the original executable, and then add the shell's shellcode to the target program as a new section. At run time the shell's shellcode executes first, decrypts or decompresses the program in memory, and once decryption or decompression is finished jumps to the original entry point (OEP) of the protected program and runs it. Therefore, under existing traditional shell protection, an attacker can easily find the original entry point (OEP) of the protected program; at that moment the shell has already decompressed and decrypted the protected program, and the attacker can analyse or even restore the target program from the plaintext data in memory, thereby achieving the goal of reverse engineering.
Summary of the invention
The purpose of this invention is to provide a PE loader-based software packing protection method that solves the problem that software protected by traditional packing in the prior art is easily cracked and illegally tampered with by an attacker.
The technical solution adopted by the present invention is a PE loader-based software packing protection method, implemented according to the following steps:
Step 1: map the shell template into memory, simulate the Windows PE loader to perform base relocation on the shell template, calculate the RVA of the section in which the shell template's entry point is located and the size of that section, take the calculated section RVA and section size values as parameters, and use the hash value computed by the SHA algorithm as the key of the AES encryption algorithm;
Step 2: map the protected software into memory and, using the key calculated in the previous step, encrypt the protected software with the AES encryption algorithm;
Step 3: add the encrypted data to the Reloc section of the shell template;
Step 4: process the special resources in the software to be protected and extract their additional data, append them respectively to the end of the shell template file, and modify the corresponding data items concerning the special resources in the PE structure of the shell template;
Step 5: dump the modified shell template from memory to disk as the protected software.
The PE loader-based software packing protection method of the present invention is further characterized in that, in step 4, the special resources in the software to be protected and their additional data are extracted, and the new position and size of the special resources are selected.
The beneficial effect of the invention is as follows: the protected program is embedded into the software protection framework of an encryption shell, and the encryption shell has PE loader functionality, so the protected software is loaded into memory and executed by the shell. This structure of encrypted software protection shell greatly increases the difficulty for an attacker to crack or illegally tamper with the software; the attacker may not even be able to find the entry point of the real program. It can effectively prevent reverse-analysis personnel from cracking and illegally tampering with the disassembled software, and greatly increases the security of the software.
Description of drawings
Fig. 1 is a schematic diagram of the run window of a PE file without any protection;
Fig. 2 is a schematic diagram of the run window after the encrypted PE file to be protected has been placed into the Reloc section of the shell template.
Embodiment
The present invention is described in detail below with reference to the drawings and specific embodiments.
In the method of the present invention, the software to be packed is first encrypted with AES, and the encrypted content is placed into the Reloc section of the outer shell template. The encryption key is obtained dynamically by the SHA algorithm from the code segment data in the shell template; if reverse-analysis personnel debug or modify the code segment data of the shell template, the program's decryption fails and it cannot run normally, which effectively achieves the purpose of protecting the software.
The method of the invention is implemented according to the following steps:
Step 1: map the shell template into memory, simulate the Windows PE loader to perform base relocation on the shell template, calculate the RVA (relative virtual address) of the section in which the shell template's entry point is located and the size of that section, take the two calculated values (section RVA and section size) as parameters, and use the hash value computed by the SHA algorithm as the key of the AES encryption algorithm;
Step 2: map the protected software into memory and, using the calculated key, encrypt the protected software with the AES encryption algorithm;
Step 3: add the encrypted data to the Reloc section of the shell template, as shown in Figure 2;
Step 4: process the special resources in the software to be protected and extract their additional data (such as the new position and size of the special resources), append them respectively to the end of the shell template file, and modify the corresponding data items concerning the special resources in the PE structure of the shell template;
Step 5: dump the modified shell template from memory to disk as the protected software, thereby completing the protection of the software.
The execution steps of the protection shell after the above processing are: 1) in memory, the shell template computes the hash value with the SHA algorithm from the RVA of the section containing its own entry point and the size of that section, uses it as the key, and decrypts its own Reloc section; 2) the decrypted plaintext (the protected software) is loaded and executed by the PE loader of the shell template.
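As an added example (not part of the patent and not code from its inventors), the following Python script simulates the shell-template side of step 1 and the key computation the shell repeats at run time: it builds a constructed minimal PE32 image already mapped at its RVAs, applies the image's base relocations the way the Windows loader would, locates the section holding AddressOfEntryPoint, and hashes that section's RVA and size into an AES key. SHA-256 over the two values packed as little-endian u32 values, the byte layout of the stub image and all function names are this example's assumptions; the patent does not say which SHA variant or byte order it uses, and the AES step itself is left to a cryptography library.

```python
"""Simulated shell-template side of step 1 (added example, not the patent's code).
The PE image below is hand-constructed; SHA-256 and little-endian packing of
(RVA, size) are assumptions, since the patent only says 'SHA'."""
import hashlib
import struct

IMAGE_BASE = 0x00400000  # constructed preferred base of the stub image


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def build_stub_image():
    """Return a constructed, already *mapped* PE32 image (sections at their RVAs)
    with a .text section holding the entry point and a .reloc section holding a
    single HIGHLOW fixup, enough to exercise the loader simulation."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF file header: i386, 2 sections, optional header size 0xE0
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1010)               # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)           # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)       # Section/File alignment
    struct.pack_into("<I", img, opt + 56, len(img))             # SizeOfImage
    struct.pack_into("<I", img, opt + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 5 * 8, 0x2000, 12)  # base relocation directory
    sect = opt + 0xE0
    for i, (name, rva, vsize) in enumerate([(b".text", 0x1000, 0x200), (b".reloc", 0x2000, 12)]):
        off = sect + 40 * i
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", img, off + 8, vsize, rva)       # VirtualSize, VirtualAddress
    # .text: a 'push imm32' at the entry point referencing an absolute address
    img[0x1010] = 0x68
    struct.pack_into("<I", img, 0x1011, IMAGE_BASE + 0x1050)
    # .reloc: one block for page 0x1000 with one HIGHLOW entry at offset 0x11 plus padding
    struct.pack_into("<IIHH", img, 0x2000, 0x1000, 12, (3 << 12) | 0x11, 0)
    return img


def _optional_header(img):
    return _u32(img, 0x3C) + 4 + 20      # PE signature + COFF header


def section_table(img):
    """Parse IMAGE_SECTION_HEADER entries into (name, rva, virtual_size) tuples."""
    pe = _u32(img, 0x3C)
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    optsize = struct.unpack_from("<H", img, pe + 20)[0]
    base = pe + 24 + optsize
    out = []
    for i in range(nsec):
        off = base + 40 * i
        name = bytes(img[off:off + 8]).rstrip(b"\0").decode()
        vsize, rva = struct.unpack_from("<II", img, off + 8)
        out.append((name, rva, vsize))
    return out


def entry_section(img):
    """Find the section containing AddressOfEntryPoint; return (RVA, size)."""
    ep = _u32(img, _optional_header(img) + 16)
    for _, rva, vsize in section_table(img):
        if rva <= ep < rva + vsize:
            return rva, vsize
    raise ValueError("entry point lies outside every section")


def rebase(img, new_base):
    """Simulate the Windows loader's base relocation: walk the base relocation
    directory and add (new_base - ImageBase) to every HIGHLOW target."""
    img = bytearray(img)
    opt = _optional_header(img)
    delta = (new_base - _u32(img, opt + 28)) & 0xFFFFFFFF
    dir_rva, dir_size = struct.unpack_from("<II", img, opt + 96 + 5 * 8)
    pos, end = dir_rva, dir_rva + dir_size
    while pos < end:
        page_rva, block_size = struct.unpack_from("<II", img, pos)
        for e in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", img, e)[0]
            kind, off = entry >> 12, entry & 0xFFF
            if kind == 3:                                       # IMAGE_REL_BASED_HIGHLOW
                target = page_rva + off
                struct.pack_into("<I", img, target, (_u32(img, target) + delta) & 0xFFFFFFFF)
            elif kind != 0:                                     # type 0 entries are padding
                raise ValueError(f"unsupported relocation type {kind}")
        pos += block_size
    struct.pack_into("<I", img, opt + 28, new_base)             # record new base (simulation choice)
    return img


def derive_key(rva, size):
    """Key = SHA-256(RVA || size), assumed layout; 32 bytes suits AES-256."""
    return hashlib.sha256(struct.pack("<II", rva, size)).digest()


def shell_key_for(img, load_base):
    """Step 1 end to end: rebase the template, then derive the key from its entry section."""
    relocated = rebase(img, load_base)
    rva, size = entry_section(relocated)
    return relocated, derive_key(rva, size)


if __name__ == "__main__":
    _, key = shell_key_for(build_stub_image(), 0x10000000)
    print("entry section (RVA, size):", entry_section(build_stub_image()), "key:", key.hex())
```

The two hash inputs are plain header fields that any PE parser can read, so the derived key binds the ciphertext to the shell template's layout (a modified or rebuilt template yields a different key and decryption fails, as the description states) rather than acting as a secret in its own right; the description's claim of increased difficulty rests on the independent loader structure, not on key secrecy.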
Feasibility and beneficial-effect analysis of the present invention: a program was packed with the protection shell, and its run results before and after packing were compared for correctness; the experimental result shows that the program ran normally both before and after packing.
Fig. 1 is a schematic diagram of the run window of a PE file without any protection. A commonly used protection shell technique writes the shell code on top of the protected software; the initial environment of the shell (the values of each register) must then be identical to the environment of the original program, so there is an obvious boundary between the shell and the OEP of the original protected software. This boundary keeps the shell and the protected program clearly separated both in memory layout and in logical function, and a cracker tends to find this boundary to attack. Fig. 2 is a schematic diagram of the run window after the encrypted PE file to be protected has been placed into the Reloc section of the shell template. Referring to Fig. 2, the protected program is embedded into the shell template so that this boundary no longer exists, and the PE loader function of the shell template is used to load and execute the protected software. This method is more hidden and safer, and a large number of junk instructions and anti-debugging techniques can additionally be added in the shell and in the intermediate structure. With the software protection method of the present invention, a cracker's attack consumes a large amount of time, making the cracker's work uneconomic, which achieves the beneficial effect.
Below, the beneficial effect is analysed by comparing a common protection shell with the shell of this method, namely by dynamic analysis of a program protected with ASPACK (taken as representative) and a program protected by the method of the present invention.
First, open the program protected with ASPACK in OllyDbg; one can see that the loaded protected program breaks at the first instruction, which is the first instruction of the shell. In OllyDbg's disassembly window, the first three instructions are respectively:
pushad
call 0045700A
jmp 45A274F7
Analysing these first three instructions, one can conclude that the ASPACK shell saves the current environment with pushad, and the following call and jmp instructions execute the corresponding shell program. Common protection shell software is all written to observe the stack-balance principle: before the shell executes it first saves the current environment (the values of each register, mainly important registers such as ESP and EBP), usually with a pushad/pushfd pair or indirectly by other means. Consequently the instruction that jumps to the OEP can be found by tracing on popad/popfd or by setting a memory breakpoint. Setting a memory breakpoint according to the stack-balance principle traces to the end of the shell:
popad
jnz short 004573BA
mov eax,1
retn 0C
push 0040CD6B
retn
From the instructions above, after popad restores the environment, the retn instruction jumps to the OEP; at this moment the value at the current stack pointer ESP is 0040CD6B, so the OEP of the original program is CD6B with an image base of 00400000. After retn executes, control jumps to 0040CD6B, where the assembly instructions are:
push ebp
mov ebp,esp
push -1
push 0042D100
To confirm that this is the OEP, the program without the protection shell was debugged and its assembly instructions compared with those at 0040CD6B. The comparison found that the instructions at the point where the unprotected program starts executing are identical to the instructions at 0040CD6B, showing that 0040CD6B is the OEP of the program protected by ASPACK. If a cracker dumps the memory data here, the protection shell is successfully removed and the next step of cracking can proceed.
As a comparison, the software to be protected was packed with the method of the present invention and analysed. Loading the software protected by the method of the present invention in OllyDbg, the first five assembly instructions are as follows:
push ebp
mov ebp,esp
sub esp,134
push ebx
push esi
In the above assembly instructions there is no instruction saving the current environment, nor any instruction saving it by other means; instead an independent shell template program is executing. The shell template is independent of the protected program, so the shell template does not follow the stack-balance law. The shell template loads and executes the protected software by simulating the process by which the operating system loads a PE file: it decrypts the protected program, handles relocation of the protected program, fixes up the protected program's import table and performs other such operations, finally executes the entry point of the protected program, and only then does the protected software run. The shell template is not shellcode executed according to stack balance but an independent program.
The method of the invention is a new kind of software protection shell, different from the previous approach of writing shell code onto the protected software; this method is equivalent to simulating the PE loader function of the operating system, which greatly increases the workload of a software cracker. Using this method, a large number of junk instructions, anti-debugging techniques and anti-dump techniques can also be added to the shell template, so that the cracker's workload and difficulty increase even further.

Claims (2)

1. A PE loader-based software packing protection method, characterized in that the method is implemented according to the following steps:
Step 1: map the shell template into memory, simulate the Windows PE loader to perform base relocation on the shell template, calculate the RVA of the section in which the shell template's entry point is located and the size of that section, take the calculated section RVA and section size values as parameters, and use the hash value computed by the SHA algorithm as the key of the AES encryption algorithm;
Step 2: map the protected software into memory and, using the key calculated in the previous step, encrypt the protected software with the AES encryption algorithm;
Step 3: add the encrypted data to the Reloc section of the shell template;
Step 4: process the special resources in the software to be protected and extract their additional data, append them respectively to the end of the shell template file, and modify the corresponding data items concerning the special resources in the PE structure of the shell template;
Step 5: dump the modified shell template from memory to disk as the protected software.
2. The PE loader-based software packing protection method according to claim 1, characterized in that in step 4 the special resources in the software to be protected and their additional data are extracted, and the new position and size of the special resources are selected.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010280090 CN101964040B (en) 2010-09-10 2010-09-10 PE loader-based software packing protection method


Publications (2)

Publication Number Publication Date
CN101964040A true CN101964040A (en) 2011-02-02
CN101964040B CN101964040B (en) 2012-07-04

Family

ID=43516907

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010280090 Expired - Fee Related CN101964040B (en) 2010-09-10 2010-09-10 PE loader-based software packing protection method

Country Status (1)

Country Link
CN (1) CN101964040B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102136053A (en) * 2011-03-14 2011-07-27 中兴通讯股份有限公司 Method and device for protecting source code of executable file
CN102184363A (en) * 2011-05-21 2011-09-14 电子科技大学 Automatic software packer shelling method based on comprehensive processing
CN102930204A (en) * 2012-09-20 2013-02-13 北京深思洛克软件技术股份有限公司 Software shelling method based on software protection device, software shelling system and software protection method
CN104102860A (en) * 2014-08-11 2014-10-15 北京奇虎科技有限公司 Protecting method and running method and device and system for Android platform application program
CN107423586A (en) * 2017-07-31 2017-12-01 北京深思数盾科技股份有限公司 Method for protecting software and software protecting equipment
CN108171020A (en) * 2017-12-26 2018-06-15 哈尔滨安天科技股份有限公司 A kind of compression shell recognition methods, system and storage medium based on file structure
CN110210190A (en) * 2019-05-30 2019-09-06 中国科学院信息工程研究所 A kind of Code obfuscation method based on secondary compilation
CN112347490A (en) * 2020-06-11 2021-02-09 广州锦行网络科技有限公司 Application program shell adding method
CN112434293A (en) * 2020-11-13 2021-03-02 北京鸿腾智能科技有限公司 File feature extraction method, equipment, storage medium and device
CN112632536A (en) * 2020-12-22 2021-04-09 四川大学 Memory loading method based on PE file transformation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1749915A (en) * 2005-10-19 2006-03-22 北京飞天诚信科技有限公司 Software copy right protecting method for extracting partial code to enciphed device from software


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
《CNKI-中国优秀硕士论文全文数据库 》 20060825 刘晓东 软件加壳技术的研究与实现 1-2 , 2 *
《网络安全技术与应用》 20060930 任海翔、吴茵 软件安全保护:加壳与脱壳 1-2 , 2 *


Also Published As

Publication number Publication date
CN101964040B (en) 2012-07-04


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120704

Termination date: 20150910

EXPY Termination of patent right or utility model