CN102004884B - Method and device capable of acquiring executable file input table - Google Patents

Method and device capable of acquiring executable file input table

Info

Publication number
CN102004884B
Authority
CN
China
Prior art keywords
address
dynamic link
cryptor
link library
information list
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200910171415
Other languages
Chinese (zh)
Other versions
CN102004884A (en)
Inventor
刘丹
李毅超
余三超
贾范兵
杨晗
赵忠树
张大成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
University of Electronic Science and Technology of China
Original Assignee
Huawei Technologies Co Ltd
University of Electronic Science and Technology of China
Application filed by Huawei Technologies Co Ltd and University of Electronic Science and Technology of China
Priority to CN 200910171415
Publication of CN102004884A
Application granted
Publication of CN102004884B
Current legal status: Expired - Fee Related

Landscapes

  • Stored Programmes (AREA)

Abstract

The embodiment of the invention discloses a method for acquiring the import table of an executable file, and a corresponding device. The method comprises: building a dynamic link library (DLL) information list that records, for every DLL loaded by the packed target program, the addresses of the functions it exports; querying that list for addresses identical to the destination addresses of the control-flow transfer instructions found in the program, so as to obtain IAT_3; and creating the import table from the DLL information list and IAT_3. The method applies to any packing method. Compared with the prior art it is more general, needs no manual intervention and has a high degree of automation.

Description

Method and device for obtaining the import table of an executable file
Technical field
The present invention relates to the field of computer and communication technology, and specifically to a method and device for obtaining the import table of an executable file.
Background technology
A packer (also called a "shell") is a mapping of binary code that is attached to a target program and is responsible for protecting that software, making it difficult to analyse. Because of this protective function it is pictured as a shell around the program. The packer normally runs before the program, obtains control first, and then carries out its protection of the target software.
Packing is widely used both for software protection and for evading detection of malicious code. Packing a program generally involves three things: first, obfuscating, transforming or encrypting the binary code of the target software; second, transforming the software's structure so that the system information it needs to load is interrupted or changed, destroying the environment the program needs to run, the most important means being to alter the import table of the executable file so as to hide the application programming interfaces (API, Application Programming Interface) the program must import; third, adding anti-debugging and integrity-check code to interfere with debugging and unpacking.
Before a packed target program can be run it must be unpacked. One common unpacking method is direct reversal: for a given packing method, analyse its implementation, find the inverse algorithm and apply it. The concrete operations of direct reversal are:
First, identify which packer was applied to the target software from features such as its entry code; then analyse its code-encryption method and its import-table transformation manually, to obtain the decryption method; after decryption, remove the anti-debugging and check code to complete the unpacking; finally, store the packer signature and the unpacking method in a database so that, the next time the signature matches, the stored method can be applied directly.
In researching and practising the prior art, the inventors found that the above unpacking method only works against the specific packer it was written for. As soon as a packer variant or a new packer appears, even a simple change to the encryption of the encrypted code makes the method fail completely, so the prior-art method has no general applicability.
Moreover, because the code-encryption method and the import-table transformation have to be analysed manually, the method has a low degree of automation and low efficiency.
Other unpacking methods exist in the prior art, but they mainly address how to decrypt the code during unpacking: correctly restoring the binary code by decryption and removing the anti-debugging and check code, so that conventional signature-matching antivirus scanning and static reverse analysis can be applied. Recovering only the binary code, however, without repairing the import table, does not make the unpacked program runnable again.
Summary of the invention
The embodiment of the invention provides a method and device for obtaining the import table of an executable file: a generally applicable technical scheme, needing no manual intervention, that obtains and reconstructs the import table of a packed target program so that the program runs normally after unpacking.
The embodiment of the invention provides a method for obtaining the import table of an executable file, comprising:
obtaining all dynamic link libraries loaded by the packed target program and, from them, building a dynamic link library information list that records: the names of all dynamic link libraries loaded by the packed target program, the base address of each, the memory range each occupies, and the addresses of all functions exported by each;
the dynamic link library information list further records the name of each exported function in each dynamic link library loaded by the packed target program, and the ordinal of each such exported function;
disassembling the code of the packed target program to obtain the destination addresses of all control-flow transfer instructions and the content each destination address points to;
searching the dynamic link library information list for addresses identical to the destination addresses of the control-flow transfer instructions obtained;
building the import table of the packed target program from the exported-function addresses contained in the search result together with all information corresponding to those addresses in the dynamic link library information list; the exported-function addresses contained in the search result are the addresses in the Import Address Table of the import table.
The embodiment of the invention also provides a device for obtaining the import table of an executable file, comprising:
a dynamic link library (DLL) information acquisition unit, for obtaining all dynamic link libraries loaded by the packed target program and building from them a dynamic link library information list that records: the names of all dynamic link libraries loaded by the packed target program, the base address of each, the memory range each occupies, and the addresses of all functions exported by each;
the dynamic link library information list further records the name of each exported function in each dynamic link library loaded by the packed target program, and the ordinal of each such exported function;
a disassembly unit, for disassembling the code of the packed target program;
a control-flow transfer instruction address acquisition unit, for obtaining, from the disassembled code output by the disassembly unit, the destination addresses of all control-flow transfer instructions and the content each destination address points to;
an effective address acquisition unit, for searching, among the exported-function addresses of each dynamic link library recorded in the dynamic link library information list, for addresses identical to the destination addresses of the control-flow transfer instructions obtained;
an import table reconstruction unit, for building the import table of the packed target program from the exported-function addresses contained in the search result together with all information corresponding to those addresses in the dynamic link library information list; the exported-function addresses contained in the search result are the addresses in the Import Address Table of the import table.
In the embodiment of the invention, the exported-function addresses recorded in the DLL information list for every DLL loaded by the packed target program are searched for addresses identical to the destination addresses of the control-flow transfer instructions, which yields IAT_3; the import table is then built from the DLL information list and IAT_3. The method applies to any packing method and, compared with the prior art, is more general, needs no manual analysis and has a high degree of automation.
Description of drawings
To explain the technical schemes of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for obtaining the import table of an executable file provided in embodiment one of the invention;
Fig. 2 is a schematic diagram of the header of the DLL information list created in embodiment one;
Fig. 3 is a schematic diagram of the list, provided in embodiment one, of addresses and the content each address points to;
Fig. 4 is a schematic diagram of the import table built in embodiment one;
Fig. 5 is a flow diagram of the method for obtaining the import table of an executable file provided in embodiment two;
Fig. 6 is a schematic diagram of the logical structure of the device for obtaining the import table of an executable file provided in embodiment three.
Embodiments
The technical schemes of the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously the embodiments described are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
The embodiment of the invention provides a method for obtaining the import table of an executable file, and also provides a corresponding execution device. Each is described in detail below.
To make the technical schemes of the embodiments easier to understand, note that the device first loads the packed target program and sets a breakpoint at the point where code decryption finishes, that is, where the original entry point (OEP, original entry point) appears; the method for obtaining the import table provided by the embodiments begins executing from that moment, and finally obtains the import table from the encrypted packed target program. When that breakpoint is hit, the decrypted target program, now with an import table, can dynamically load its DLLs and therefore can be executed. Each part is described in detail below.
Embodiment one
The embodiment of the invention provides a method for obtaining the import table of an executable file. Before explaining the method of this embodiment, the concept of the import table is first explained, to aid understanding of the method.
The packed target software being run consists of an executable file. That executable file may call one or more dynamic link libraries (DLL, Dynamic Link Library), i.e. call code or data in DLL files; the DLL code or data so called is termed an import. The addresses of imported functions are located by the operating system through the import table when the executable file is loaded. The import table (Import Table) is an indispensable part of the executable file structure: when the executable needs to call a function in another file it must look it up in the import table to address it. The content of the import table is the addresses of the functions in other files that can be called. Those callable functions are API functions; they are not part of the target executable itself but are provided by the system, so when the target calls one it must find the call address through the import table.
The import table is a data structure made up of several arrays: the import descriptor (IID, IMAGE_IMPORT_DESCRIPTOR), the import name table (INT, Import Name Table), the import address table (IAT, Import Address Table) and the import-by-name entry (IIN, IMAGE_IMPORT_BY_NAME). The operating system locates each imported function's address through the IID, INT and IIN, writes that address into the IAT and thereby completes DLL loading. Packed target software usually deletes the IID, INT and IIN and fills the IAT itself. Consequently, after unpacking, the three structures the loader uses to fill the IAT (IID, INT and IIN) are gone, and an IAT filled by the packer's own code clearly cannot be recognised normally by the operating system, which is why, in the prior art, the target software cannot run.
The method for obtaining the import table provided in the embodiment of the invention can identify the Import Address Table (IAT) through which the executable calls DLL code or data, repair the IAT and rebuild the import table (Import Table). Referring to Fig. 1, the method comprises:
Step 1: obtain all dynamic link libraries (DLLs) loaded by the packed target program and build the DLL information list from the DLLs obtained. The DLL information list contains any of the following:
the names of all DLLs loaded by the packed target program,
the base address of each DLL loaded by the packed target program,
the memory range occupied by each DLL loaded by the packed target program,
the addresses of all functions exported by each DLL loaded by the packed target program, and
the names of the functions exported by each DLL loaded by the packed target program, and
the ordinal of each function exported by each DLL loaded by the packed target program.
Fig. 2 shows the header of the DLL information list created, that is, the title of each column of the list.
Building the DLL information list from all DLLs loaded by the packed target program in step 1 can specifically comprise:
Step A1: obtain the names of all DLLs loaded by the packed target program, the base address corresponding to each DLL name, and the memory range occupied by each loaded DLL;
Step A2: from the names of all DLLs loaded by the packed target program, obtain the names of the functions exported by each loaded DLL and the ordinal of each exported function; the offset of each exported function relative to the base address can also be obtained;
Step A3: from the base address corresponding to each DLL name obtained in step A1 and the offset of each exported function relative to the base address obtained in step A2, compute the address of each exported function in each DLL, and thereby build the DLL information list.
The DLL information list thus contains:
the names of all DLLs loaded by the packed target program, the base address corresponding to each DLL name and the memory range occupied by each loaded DLL, obtained in step A1;
the names of the exported functions in each loaded DLL, or the ordinals of the exported functions in each loaded DLL, obtained in step A2; and
the addresses of the exported functions in each DLL, obtained in step A3.
The address of an exported function obtained in step A3 is the sum of the base address of the DLL containing it and the offset of the function relative to that base address.
Through steps A1 to A3 the system learns the relevant information about all DLLs loaded by the packed target program, i.e. builds the DLL information list. The address of every function called by the packed target program can be found among the exported-function address entries of this list, so the list plays an important role in the subsequent operations.
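As an added example (not code from the patent or its assignees), the following Python builds the DLL information list of steps A1 to A3 by parsing the IMAGE_EXPORT_DIRECTORY of each loaded module the way the loader does: it reads the function, name and name-ordinal tables, computes each export's address as base address plus RVA (step A3), keeps ordinal-only exports, and skips forwarded exports, whose RVA points at a "DLL.Function" string rather than code, a case the text does not mention but which would otherwise plant a bogus address in the list. The module names, base addresses and export layouts are constructed for the example and are not the real kernel32/user32 layouts; each image buffer contains only an export directory.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# IMAGE_EXPORT_DIRECTORY (little-endian): Characteristics, TimeDateStamp, MajorVersion,
# MinorVersion, Name, Base (ordinal base), NumberOfFunctions, NumberOfNames,
# AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals. Addresses are RVAs.
EXPORT_DIR_FMT = "<IIHHIIIIIII"


@dataclass(frozen=True)
class Export:
    dll: str
    name: Optional[str]  # None when the function is exported by ordinal only
    ordinal: int
    address: int         # virtual address = module base + function RVA (step A3)


def read_cstr(image: bytes, rva: int) -> str:
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def parse_exports(dll: str, image: bytes, base: int, dir_rva: int, dir_size: int) -> Dict[int, Export]:
    """Steps A2/A3 for one mapped module: return {virtual address: Export}.
    An RVA that lands inside the export directory is a forwarder (it points at a
    "DLL.Function" string, not code), so it is skipped instead of being recorded
    as a function address."""
    (_, _, _, _, _name_rva, ord_base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, dir_rva)
    func_rvas = struct.unpack_from(f"<{n_funcs}I", image, funcs_rva)
    name_rvas = struct.unpack_from(f"<{n_names}I", image, names_rva)
    name_idx = struct.unpack_from(f"<{n_names}H", image, ords_rva)  # index into func_rvas
    names = {idx: read_cstr(image, rva) for rva, idx in zip(name_rvas, name_idx)}
    exports: Dict[int, Export] = {}
    for i, rva in enumerate(func_rvas):
        if rva == 0 or dir_rva <= rva < dir_rva + dir_size:
            continue  # unused slot, or forwarder
        exports[base + rva] = Export(dll, names.get(i), ord_base + i, base + rva)
    return exports


def build_dll_info_list(modules) -> List[dict]:
    """Steps A1..A3: one row per loaded DLL (name, base, memory range, exports).
    modules: iterable of (dll name, base, mapped image, export dir RVA, export dir size)."""
    return [{"name": dll, "base": base, "end": base + len(image),
             "exports": parse_exports(dll, image, base, dir_rva, dir_size)}
            for dll, base, image, dir_rva, dir_size in modules]


# --- constructed sample modules (not real kernel32/user32 layouts) ---------------
def build_export_image(dll_name: str, functions, names: Dict[str, int], ord_base: int = 1):
    """Lay out a minimal export directory at RVA 0x1000 inside a 0x3000-byte image.
    functions: code RVAs (int) or forwarder strings; names: export name -> function index."""
    img = bytearray(0x3000)
    DIR, FUNCS, NAMES, ORDS, cursor = 0x1000, 0x1100, 0x1200, 0x1300, 0x1400

    def put_str(s: str) -> int:
        nonlocal cursor
        rva, data = cursor, s.encode("ascii") + b"\0"
        img[rva:rva + len(data)] = data
        cursor += len(data)
        return rva

    name_rva = put_str(dll_name)
    func_rvas = [f if isinstance(f, int) else put_str(f) for f in functions]
    sorted_names = sorted(names)  # the loader binary-searches this table, so it is kept sorted
    name_rvas = [put_str(n) for n in sorted_names]
    struct.pack_into(f"<{len(func_rvas)}I", img, FUNCS, *func_rvas)
    struct.pack_into(f"<{len(names)}I", img, NAMES, *name_rvas)
    struct.pack_into(f"<{len(names)}H", img, ORDS, *(names[n] for n in sorted_names))
    struct.pack_into(EXPORT_DIR_FMT, img, DIR, 0, 0, 0, 0, name_rva, ord_base,
                     len(func_rvas), len(names), FUNCS, NAMES, ORDS)
    return bytes(img), DIR, cursor - DIR


K32 = build_export_image("KERNEL32.dll", [0x2000, 0x2040, 0x2080, "NTDLL.RtlExitUserProcess", 0],
                         {"GetProcAddress": 0, "LoadLibraryA": 1, "ExitProcess": 2, "ExitProcessFwd": 3})
U32 = build_export_image("USER32.dll", [0x2000, 0x2030], {"MessageBoxA": 0})  # index 1: ordinal-only
SAMPLE_MODULES = [("kernel32.dll", 0x7C800000, *K32), ("user32.dll", 0x7E410000, *U32)]

if __name__ == "__main__":
    for row in build_dll_info_list(SAMPLE_MODULES):
        print(f"{row['name']}: base={row['base']:#x} end={row['end']:#x}")
        for addr, exp in sorted(row["exports"].items()):
            print(f"  {addr:#010x}  ordinal={exp.ordinal}  name={exp.name}")
```

In a real unpacker the module list comes from the debugger (the loaded-module list at the OEP breakpoint) and the image bytes from the target's memory; the export directory RVA and size come from the module's data directory. The forwarder check matters because kernel32 really does forward a number of exports to ntdll.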
Step 2: disassemble the code of the packed target program and obtain the destination addresses of all control-flow transfer instructions and the content each destination address points to;
Fig. 3 shows the header of the list formed in step 2 from the destination addresses of the control-flow transfer instructions and the content each destination address points to, that is, the title of each column of the list.
In step 2 the code of the packed target program is binary; to understand and identify the instructions in it, the code must be disassembled. Disassembly identifies all control-flow transfer instructions in the packed target program and hence their destination addresses. The destination address of such an instruction is generally the address of the function to be called, that is, generally the address of an API function. It can also be an address that does not belong to the executable file.
A control-flow transfer instruction can take the form jmp [xxx], call [xxx] or another form; the concrete examples given here should not be read as limiting the embodiment of the invention. Here xxx is the address of the called function (or of an API function). The "content the address points to" mentioned in step 2 can be the API function itself; if the destination address of the control-flow transfer instruction does not belong to the executable file, the "content the address points to" is other data.
Step 3: among the exported-function addresses of each DLL loaded by the packed target program, recorded in the DLL information list built in step 1, search for addresses identical to the destination addresses of the control-flow transfer instructions obtained in step 2; the addresses found, together with the content each points to, form the third import address table (IAT_3);
For ease of understanding, the list format of IAT_3 can be as in Fig. 3.
The destination addresses of all control-flow transfer instructions may include the addresses of the system functions (i.e. APIs) that the target program calls. Comparing the destination addresses of the control-flow transfer instructions with the exported-function addresses of each DLL loaded by the packed target program obtained in step 1, and picking out the identical addresses, therefore yields the addresses of the system functions called (i.e. API addresses): if the destination address of a control-flow transfer instruction in the packed target program is an API address, the program can jump to it and thereby call the function in the system DLL (that function is of course an exported function of the DLL, and its address is the API address).
For ease of understanding it should also be noted that a destination address obtained in step 2 for which step 3 finds no identical address in the DLL information list corresponds to a function whose address can collectively be called an address needing repair. Before repairing them, the addresses that are not executable can be removed first (there is nothing to repair at an address that cannot be executed), which saves time.
Similarly, a destination address of a control-flow transfer instruction obtained in step 2 that has no identical address among the exported-function addresses in the DLL information list of step 1 either does not belong to the executable file or needs repair (the concrete repair is explained later and is not introduced here). This paragraph is only an aid to understanding, not an absolute rule, and should not be read as limiting the embodiment of the invention.
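Steps 2 and 3 as an added example (not the patent's own code): a scanner for the x86-32 forms the text names, jmp [xxx] and call [xxx] (FF 25 / FF 15 disp32), plus direct E8/E9 rel32 transfers, followed by the comparison against the DLL information list. The text speaks of the "destination address" and "the content it points to" without fixing which of the two is compared; this example reads it the way an import rebuilder must: for call/jmp [slot] the pointer stored in the slot is the candidate, for a direct call/jmp the target itself is, and only candidates equal to an export address enter IAT_3. DLL_INFO, the sample code bytes and the slot contents are constructed; the scanner steps byte by byte rather than decoding every instruction, which is a simplification a real unpacker does not make.

```python
import struct
from typing import Dict, Iterator, Tuple

# Assumed DLL information list from step 1 (constructed addresses, not a real layout):
# export address -> (dll, function name or None when ordinal-only, ordinal)
DLL_INFO = {
    0x7C802000: ("kernel32.dll", "GetProcAddress", 1),
    0x7C802040: ("kernel32.dll", "LoadLibraryA", 2),
    0x7C802080: ("kernel32.dll", "ExitProcess", 3),
    0x7E412000: ("user32.dll", "MessageBoxA", 1),
    0x7E412030: ("user32.dll", None, 2),
}

CodeRef = Tuple[int, str, str, int]  # (instruction va, mnemonic, "mem" | "direct", operand)


def scan_control_flow(code: bytes, code_va: int) -> Iterator[CodeRef]:
    """Step 2, limited to: FF 15 disp32 = call [disp32], FF 25 disp32 = jmp [disp32],
    E8 rel32 = call rel32, E9 rel32 = jmp rel32. Matched instructions are consumed
    whole; other bytes are stepped over one at a time. A real unpacker decodes every
    instruction so that operand bytes are never mistaken for one of these opcodes."""
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            yield (code_va + i, "call" if code[i + 1] == 0x15 else "jmp",
                   "mem", struct.unpack_from("<I", code, i + 2)[0])
            i += 6
        elif op in (0xE8, 0xE9) and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            yield (code_va + i, "call" if op == 0xE8 else "jmp",
                   "direct", (code_va + i + 5 + rel) & 0xFFFFFFFF)
            i += 5
        else:
            i += 1


def build_iat3(refs, memory: Dict[int, int], dll_info=DLL_INFO):
    """Step 3. For call/jmp [slot] the candidate is the pointer the slot holds; for a
    direct call/jmp it is the target itself. Candidates equal to an export address
    form IAT_3 (slot -> API address). Slots holding anything else are returned as
    unresolved for a later repair pass; direct transfers to local code are ordinary
    program flow and are dropped; direct transfers that land on an API have no slot
    to repoint and are reported separately."""
    iat3: Dict[int, int] = {}
    unresolved: Dict[int, int] = {}
    direct_api: Dict[int, int] = {}
    for va, _mnem, kind, operand in refs:
        if kind == "direct":
            if operand in dll_info:
                direct_api[va] = operand
            continue
        content = memory.get(operand, 0)
        if content in dll_info:
            iat3[operand] = content
        else:
            unresolved[operand] = content
    return iat3, unresolved, direct_api


# --- constructed sample program (not taken from any real binary) ------------------
CODE_VA = 0x401000
SAMPLE_MEMORY = {0x402000: 0x7C802040, 0x402004: 0x7E412000,   # IAT slots -> APIs
                 0x402008: 0x00405000,                           # slot -> packer stub
                 0x40200C: 0x7E412030}                           # slot -> ordinal-only export


def sample_code(code_va: int = CODE_VA) -> bytes:
    def call_mem(slot: int) -> bytes: return b"\xFF\x15" + struct.pack("<I", slot)
    def jmp_mem(slot: int) -> bytes: return b"\xFF\x25" + struct.pack("<I", slot)
    def call_rel(src: int, dst: int) -> bytes: return b"\xE8" + struct.pack("<i", dst - (src + 5))
    code = call_mem(0x402000)                        # call [0x402000] ; LoadLibraryA
    code += call_rel(code_va + len(code), 0x401080)  # call local_fn   ; ordinary code
    code += call_mem(0x402008)                       # call [0x402008] ; packer stub
    code += jmp_mem(0x402004)                        # jmp  [0x402004] ; MessageBoxA
    code += b"\x90" * 4                              # nop padding
    code += call_mem(0x40200C)                       # call [0x40200C] ; user32 ordinal 2
    return code


if __name__ == "__main__":
    refs = list(scan_control_flow(sample_code(), CODE_VA))
    iat3, unresolved, direct_api = build_iat3(refs, SAMPLE_MEMORY)
    for slot, api in sorted(iat3.items()):
        dll, name, ordinal = DLL_INFO[api]
        print(f"IAT_3 {slot:#x} -> {api:#x} {dll}!{name or ordinal}")
    print("unresolved:", {hex(k): hex(v) for k, v in unresolved.items()})
```

The unresolved slot (one that points into packer code instead of an export) is exactly the "address needing repair" the text describes; embodiment two's steps D7 to D9 deal with it.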
Step 4: build the import table of the packed target program from all addresses contained in the IAT_3 obtained, the content each points to, and all information corresponding to each address in the DLL information list already built.
In step 4 the addresses in IAT_3 are matched against the exported-function addresses in the DLL information list. Addresses in IAT_3 identical to exported-function addresses are classified by DLL name according to the DLL information list: the IAT_3 addresses that belong to exported functions of one DLL are filled into the IAT of that DLL's import table, and the information corresponding to each IAT_3 address is taken from the DLL information list and filled into the IID, INT, IAT and IIN of the import table; the pointer relationships between IID, INT, IAT and IIN are then established.
Fig. 4 can be taken as the import table corresponding to one DLL: the addresses filled into the IAT of that import table are the exported-function addresses of the DLL of the same name in the DLL information list, and all of those addresses are contained in IAT_3.
Each DLL name corresponds to an import table with the structure shown in Fig. 4; since each DLL contains several exported functions, the import table for one DLL name contains one or more called-function addresses in its IAT.
Since every address in IAT_3 is contained in the DLL information list, one concrete way of filling in the import table is:
Step C1: match an address in IAT_3 against the exported-function addresses in the DLL information list;
Step C2: judge whether an import table already exists whose DLL name is the DLL name that corresponds, in the DLL information list, to the address above; if not, go to step C3; if so, go to step C5;
Step C3: create an import table and fill the address into the IAT of the created import table, then execute step C4;
Step C4: fill the DLL name obtained from the match, the base address of that DLL and the memory range occupied by it into the IID of this import table; fill the name or ordinal of the exported function obtained from the match into the IIN and INT of this import table; establish the pointers between IID, IIN, IAT and INT;
The content filled into the IIN and the INT is the same: the name and/or ordinal of the exported function obtained from the match.
Step C5: fill the address into the IAT of the existing import table, and fill the name or ordinal of the exported function obtained from the match into the IIN and INT of that import table; establish the pointers between the corresponding entries of IIN, IAT and INT. Step C5 can also be understood with reference to Fig. 4: when step C2 finds that an import table already exists whose DLL name corresponds to the address, one row is added to the IAT list of that import table to hold the address from IAT_3.
The pointers between IID, IIN, IAT and INT are established in the direction of the arrows in Fig. 4. The concrete method of establishing the pointers between IID, IIN, IAT and INT in an import table is prior art and is not described in detail here.
Step C6: execute steps C1 to C5 for every address in IAT_3, then finish.
The explanation of steps C1 to C6 above makes step 4 of the embodiment of the invention clearer.
Through steps 1 to 4, the exported-function addresses of every DLL loaded by the packed target program, recorded in the DLL information list built in step 1, are searched for addresses identical to the destination addresses of the control-flow transfer instructions obtained in step 2, which yields IAT_3; the import table is then built from the DLL information list and IAT_3. The method applies to any packing method and, compared with the prior art, is more general, needs no manual intervention and has a high degree of automation.
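Steps C1 to C6 as an added example (not the patent's own code). It goes a little beyond the text: besides grouping the IAT_3 rows by DLL (C2 to C5), it serialises the IID, INT and IIN in their on-disk PE layout, with the IMAGE_ORDINAL_FLAG32 bit for ordinal-only imports, and walks the result back the way the loader would, which is the check a practitioner wants before writing the table into a new section. It also rejects a DLL whose IAT slots are not adjacent, because the loader walks FirstThunk to the next zero slot and a scattered IAT would need to be relocated, which the text does not cover. DLL_INFO and IAT3 are constructed; the image base and section RVA are assumed.

```python
import struct
from typing import Dict, List

# Assumed DLL information list from step 1 (constructed addresses, not a real layout):
# export address -> (dll, function name or None when ordinal-only, ordinal)
DLL_INFO = {
    0x7C802000: ("kernel32.dll", "GetProcAddress", 1),
    0x7C802040: ("kernel32.dll", "LoadLibraryA", 2),
    0x7C802080: ("kernel32.dll", "ExitProcess", 3),
    0x7E412000: ("user32.dll", "MessageBoxA", 1),
    0x7E412030: ("user32.dll", None, 2),
}
# Constructed IAT_3 from step 3: IAT slot address -> export address it holds.
# Slot 0x40200C is the zero that terminates kernel32's run of slots.
IAT3 = {0x402000: 0x7C802040, 0x402004: 0x7C802000, 0x402008: 0x7C802080,
        0x402010: 0x7E412000, 0x402014: 0x7E412030}

IMAGE_ORDINAL_FLAG32 = 0x80000000
# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk (INT RVA), TimeDateStamp, ForwarderChain,
# Name (RVA of DLL name), FirstThunk (IAT RVA)
IMPORT_DESC_FMT = "<IIIII"


def group_by_dll(iat3: Dict[int, int], dll_info=DLL_INFO) -> List[dict]:
    """Steps C1..C6: take the IAT_3 addresses in slot order, match each to its export,
    and either open a new per-DLL import table (C3/C4) or add a row to the existing
    one (C5). The loader walks FirstThunk until a zero slot, so one DLL's rows must be
    adjacent; a non-adjacent slot is reported rather than silently accepted."""
    groups: Dict[str, dict] = {}
    for slot in sorted(iat3):
        dll, name, ordinal = dll_info[iat3[slot]]
        g = groups.setdefault(dll, {"dll": dll, "slots": [], "entries": []})
        if g["slots"] and slot != g["slots"][-1] + 4:
            raise ValueError(f"{dll}: slot {slot:#x} does not follow {g['slots'][-1]:#x}")
        g["slots"].append(slot)
        g["entries"].append((name, ordinal))
    return list(groups.values())


def serialize_import_table(groups: List[dict], image_base: int, section_rva: int):
    """Emit the IID array (zero-terminated), one zero-terminated INT per DLL, then the
    IIN entries (WORD hint + name) and DLL name strings, as one blob to be placed at
    section_rva. The IAT itself is not emitted: FirstThunk points at the program's
    existing slots, which already hold the API addresses."""
    desc_size = (len(groups) + 1) * 20
    int_size = sum((len(g["entries"]) + 1) * 4 for g in groups)
    str_rva = section_rva + desc_size + int_size
    ints, strings, descs = bytearray(), bytearray(), []
    for g in groups:
        int_rva = section_rva + desc_size + len(ints)
        for name, ordinal in g["entries"]:
            if name is None:                                   # import by ordinal
                ints += struct.pack("<I", IMAGE_ORDINAL_FLAG32 | ordinal)
            else:                                              # import by name: INT -> IIN
                ints += struct.pack("<I", str_rva + len(strings))
                # hint 0: the loader falls back to a name lookup when the hint misses
                strings += struct.pack("<H", 0) + name.encode("ascii") + b"\0"
        ints += b"\0\0\0\0"
        name_rva = str_rva + len(strings)
        strings += g["dll"].encode("ascii") + b"\0"
        descs.append((int_rva, 0, 0, name_rva, g["slots"][0] - image_base))
    blob = b"".join(struct.pack(IMPORT_DESC_FMT, *d) for d in descs) + b"\0" * 20
    return blob + bytes(ints) + bytes(strings), descs


def read_back(blob: bytes, section_rva: int, image_base: int) -> Dict[str, dict]:
    """Walk the emitted table the way the loader would, to check it is self-consistent."""
    table, off = {}, 0
    while True:
        int_rva, _, _, name_rva, first_thunk = struct.unpack_from(IMPORT_DESC_FMT, blob, off)
        if int_rva == 0 and first_thunk == 0:
            break
        dll = blob[name_rva - section_rva:].split(b"\0", 1)[0].decode("ascii")
        rows, p = [], int_rva - section_rva
        while (thunk := struct.unpack_from("<I", blob, p)[0]) != 0:
            if thunk & IMAGE_ORDINAL_FLAG32:
                rows.append(thunk & 0xFFFF)                    # ordinal import
            else:
                rows.append(blob[thunk - section_rva + 2:].split(b"\0", 1)[0].decode("ascii"))
            p += 4
        table[dll] = {"iat": image_base + first_thunk, "imports": rows}
        off += 20
    return table


if __name__ == "__main__":
    blob, descs = serialize_import_table(group_by_dll(IAT3), image_base=0x400000, section_rva=0x5000)
    for dll, row in read_back(blob, 0x5000, 0x400000).items():
        print(f"{dll}: IAT at {row['iat']:#x} -> {row['imports']}")
```

The remaining work of a real rebuild, appending a section to hold the blob and pointing the import data directory at it, is routine PE editing and is not shown; the point of the example is that the IAT rows stay where the program calls through them and only the descriptive structures are recreated.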
Embodiment two
The embodiment of the invention provides a method for obtaining the import table of an executable file that is similar to the method of embodiment one and likewise obtains the import table of the packed target program; it adds certain operations to embodiment one so that the import table obtained is more accurate, and can also make the process more efficient.
The method of this embodiment is explained below with reference to Fig. 5 and comprises:
Steps D1 and D2 are identical to steps 1 and 2 of embodiment one; see the explanation of steps 1 and 2;
Step D3: from the destination addresses of all control-flow transfer instructions obtained in step D2, remove those lying in non-executable address ranges, together with the content those addresses point to, thereby obtaining IAT_1. IAT_1 contains the destination addresses of the control-flow transfer instructions that were not removed, and the content each of those destination addresses points to.
For ease of understanding, the list format of IAT_1 can be as in Fig. 3.
The non-executable address ranges in step D3 usually include at least the null-pointer region, the kernel region, or any other inaccessible addresses; they may also include addresses in the reserved state (unallocated space).
Note also that, because step D3 is performed, fewer repairs of invalid addresses are needed in the subsequent steps D7 to D9, which speeds up execution of the method.
Step D4: take the largest of the remaining destination addresses in IAT_1 and, starting from it, search in the direction of increasing addresses until an address whose content is empty (or zero) is encountered; add each address searched, together with the content it points to, to IAT_1;
and/or, take the smallest of the remaining destination addresses in IAT_1 and, starting from it, search in the direction of decreasing addresses until an address whose content is empty (or zero) is encountered; add each address searched, together with the content it points to, to IAT_1;
Compared with embodiment one, step D4 is added. Because of step D4 the range of addresses in IAT_1 is wider than the range of destination addresses obtained directly from the control-flow transfer instructions in step D2, so that the import table finally obtained comes as close as possible to the import table of the target program before it was packed.
Step D5: for each address in IAT_1, determine whether an address identical to it can be found in the DLL information list; if so, go to step D6; if not, go to step D7.
Step D6: enter into IAT_2 those addresses in IAT_1 for which an identical address was found in the DLL information list.
For ease of understanding, the list format of IAT_2 may also follow Figure 3.
An address in IAT_1 for which an identical address is found in the DLL information list may also be called a "valid address"; an address in IAT_1 for which no identical address is found in the DLL information list may also be called an "invalid address".
Step D7: disassemble the content pointed to by each address in IAT_1 for which no identical address was found in the DLL information list, obtaining the disassembled code.
Step D8: determine whether the disassembled code contains an API call; if so, go to step D9; if not, end the process.
Step D9: obtain the address of the first API call in the disassembled code and enter that address into IAT_2.
Compared with embodiment one, steps D7 to D9 added in this embodiment two allow the device to repair invalid addresses, that is, to obtain the address of an API call from the content the invalid address points to. An export function address identical to this API call address can be found in the DLL information list that has been created, so the import table can be reconstructed in the subsequent step D10.
Step D10: as in step 4 of embodiment one, build the import table of the target packed program from all the addresses contained in the IAT_2 obtained in steps D6 and D9, the content each address points to, and all the information corresponding to each address in the DLL information list that has been built.
IAT_2 plays the same role here as IAT_3 in embodiment one. For the explanation of step D10, refer to the explanation of step 4 in embodiment one; it is not repeated here.
Through steps D1 to D10 described above, the addresses of the export functions of each DLL loaded by the target packed program, as recorded in the DLL information list, are searched for addresses identical to those in IAT_2; valid and invalid addresses are thereby obtained, the invalid addresses are repaired, and IAT_3 is obtained; the import table is then built from the DLL information list and IAT_3. The method applies to any packing method; compared with the prior art it is more universal, needs no manual intervention, and is highly automated.
Further, the method removes the addresses in the non-executable address range, which avoids unnecessary repair of invalid addresses in later operations and so improves the method's execution efficiency.
Further, step D4 of the method starts a search from the maximum and/or minimum address, which prevents API addresses that IAT_1 might call from being omitted, so the import table finally obtained is more accurate.
Further, the method adds the operations of steps D7 to D9, which repair invalid addresses and so obtain the API addresses called indirectly by control-flow jump instructions, so the import table finally obtained is more accurate.
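Steps D3 to D9 above, as an added example in Python; it is not part of the patent and not the applicants' code. It runs on a constructed 32-bit image: the DLL information list, the slot addresses that steps D1 and D2 would have produced, the packer stubs and every export address are invented. It assumes two readings of the text: the "destination addresses" of the indirect call/jmp instructions are the IAT slots they read, so the "content" of a slot is the pointer stored there, and it is that pointer that is compared with the export function addresses in the DLL information list; and the non-executable ranges of step D3 are the null-pointer region and the kernel half of a 32-bit address space. The repair of steps D7 to D9 decodes only the handful of x86 opcodes that packer thunks commonly use.

```python
"""Steps D3 to D9 (filter, extend, match, repair) on a constructed 32-bit image.
Added example, not the patent's code; every address, export and byte below is invented."""
import struct

# Constructed DLL information list (name, base, size, exports {address: name}).
DLL_INFO = [
    {"name": "kernel32.dll", "base": 0x7C800000, "size": 0x100000, "exports": {
        0x7C801D7B: "LoadLibraryA", 0x7C80AE40: "GetProcAddress",
        0x7C81CAA2: "ExitProcess", 0x7C80B741: "GetModuleHandleA"}},
    {"name": "user32.dll", "base": 0x7E410000, "size": 0x91000, "exports": {
        0x7E4507EA: "MessageBoxA", 0x7E42F6E5: "SetWindowTextA"}},
]
EXPORTS = {a: f'{d["name"]}!{n}' for d in DLL_INFO for a, n in d["exports"].items()}

IAT_BASE, STUB_A, STUB_B, STUB_C, STUB_D = 0x405000, 0x40A000, 0x40A020, 0x40A040, 0x40A080
# Constructed memory image as (start, bytes); unmapped bytes read as zero. The IAT holds
# two valid slots, four slots redirected to packer stubs (three of them repairable), one
# valid slot that only the step-D4 scan reaches, and a zero terminator.
SEGMENTS = [
    (IAT_BASE, struct.pack("<8I", 0x7C801D7B, 0x7C80AE40, STUB_A, STUB_B, STUB_C,
                           STUB_D, 0x7E42F6E5, 0)),
    (STUB_A, b"\x90\xb8" + struct.pack("<I", 0x7E4507EA) + b"\xff\xe0"),  # nop; mov eax,API; jmp eax
    (STUB_B, b"\x60\x61\x68" + struct.pack("<I", 0x7C81CAA2) + b"\xc3"),  # pushad; popad; push API; ret
    (STUB_C, b"\xff\x25" + struct.pack("<I", 0x40A060)),                   # jmp dword ptr [0x40A060]
    (0x40A060, struct.pack("<I", 0x7C80B741)),                             # ... holding GetModuleHandleA
    (STUB_D, b"\xcc"),                                                     # int3: nothing recognisable
]
# What step D2 would have collected (constructed): five IAT slots read by indirect
# call/jmp instructions, plus one null-region and one kernel-region address.
JUMP_TARGETS = [0x405000, 0x405004, 0x405008, 0x40500C, 0x405010, 0x00000004, 0x80001000]
# Step D3 ranges assumed for a 32-bit process with the default 2 GiB user split; reserved
# (uncommitted) pages would need VirtualQuery on a live process and are not modelled.
NON_EXECUTABLE = [(0x00000000, 0x00010000), (0x80000000, 0x1_0000_0000)]


def read_bytes(addr, n):
    """Read n bytes from the constructed image; anything unmapped reads as zero."""
    out = bytearray(n)
    for start, data in SEGMENTS:
        lo, hi = max(addr, start), min(addr + n, start + len(data))
        if lo < hi:
            out[lo - addr:hi - addr] = data[lo - start:hi - start]
    return bytes(out)


def read_dword(addr, signed=False):
    return struct.unpack("<i" if signed else "<I", read_bytes(addr, 4))[0]


def is_non_executable(addr):
    return any(lo <= addr < hi for lo, hi in NON_EXECUTABLE)


def build_iat1(jump_targets):
    """Steps D3 and D4: drop targets in non-executable ranges, then extend the list
    upward from its maximum and downward from its minimum until a zero dword."""
    iat1 = {a: read_dword(a) for a in jump_targets if not is_non_executable(a)}
    if not iat1:
        return iat1
    for start, step in ((max(iat1) + 4, 4), (min(iat1) - 4, -4)):
        addr = start
        while read_dword(addr) != 0:
            iat1[addr] = read_dword(addr)
            addr += step
    return iat1


def first_api_in_stub(addr, max_insns=16):
    """Steps D7 to D9: decode a few x86-32 instructions at addr and return the first export
    address they hand control to, or None. Only opcodes common in packer thunks are known."""
    ip = addr
    for _ in range(max_insns):
        op, modrm = read_bytes(ip, 2)
        if op in (0x90, 0x60, 0x61):                      # nop, pushad, popad: skip
            ip += 1
            continue
        elif op in (0xE8, 0xE9):                          # call rel32 / jmp rel32
            target = (ip + 5 + read_dword(ip + 1, signed=True)) & 0xFFFFFFFF
            ip += 5
        elif op == 0xFF and modrm in (0x15, 0x25):        # call / jmp dword ptr [imm32]
            target = read_dword(read_dword(ip + 2))
            ip += 6
        elif op in (0xB8, 0x68):                          # mov eax, imm32 / push imm32
            target = read_dword(ip + 1)                   # "mov eax,API; jmp eax", "push API; ret"
            ip += 5
        else:
            return None
        if target in EXPORTS:
            return target
    return None


def build_iat2(iat1):
    """Steps D5 to D9: a slot whose value is an export address is valid; any other
    slot is repaired through the stub it points to, or reported as unrepairable."""
    iat2, unrepaired = {}, []
    for slot, value in sorted(iat1.items()):
        api = value if value in EXPORTS else first_api_in_stub(value)
        if api is None:
            unrepaired.append(slot)
        else:
            iat2[slot] = api
    return iat2, unrepaired


if __name__ == "__main__":
    iat2, bad = build_iat2(build_iat1(JUMP_TARGETS))
    print({hex(s): EXPORTS[a] for s, a in iat2.items()}, "unrepaired:", [hex(s) for s in bad])
```

Calling build_iat2(build_iat1(JUMP_TARGETS)) returns the five valid-or-repaired slots plus the one the step-D4 scan discovered, and reports slot 0x405014 as unrepairable; such a slot is better left out of the rebuilt table than guessed. The step-D4 scan stops only at a zero dword, so on a real dump it can walk past the IAT into adjacent non-zero data; the check against the DLL information list in step D5, followed by the repair attempt, is what keeps those stray values out of IAT_2.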
Embodiment three
The embodiment of the invention provides a device for obtaining the import table of an executable file. As shown in Figure 6, the device comprises: a dynamic link library (DLL) information acquisition unit 100, a disassembly unit 101, a control-flow jump instruction address acquisition unit 102, an effective address acquisition unit 103, and an import table reconstruction unit 104.
The DLL information acquisition unit 100 obtains all DLLs loaded by the target packed program and builds the DLL information list from the DLLs obtained. The DLL information list contains: the names of all DLLs loaded by the target packed program, the base address of each DLL loaded by the target packed program, the memory range occupied by each DLL loaded by the target packed program, the addresses of all export functions in each DLL loaded by the target packed program, the names of the export functions in each DLL loaded by the target packed program, and the ordinal of each export function in each DLL loaded by the target packed program.
The disassembly unit 101 disassembles the code of the target packed program.
The control-flow jump instruction address acquisition unit 102 obtains, from the disassembly output of the disassembly unit 101, the destination addresses of all control-flow jump instructions and the content those addresses point to.
The effective address acquisition unit 103 searches the export function addresses of each DLL loaded by the target packed program, as recorded in the DLL information list built by the DLL information acquisition unit 100, for addresses identical to the destination addresses of the control-flow jump instructions obtained by the control-flow jump instruction address acquisition unit 102, and generates IAT_3 from the addresses found and the content those addresses point to.
The import table reconstruction unit 104 builds the import table of the target packed program from all the addresses contained in the IAT_3 obtained, the content each address points to, and all the information corresponding to each address in the DLL information list that has been built.
Note also that the logical blocks of the device can alternatively be divided into an Import Address Table identification module, an Import Address Table repair module, and an import table rebuilding module.
It should be understood that the Import Address Table identification module may comprise the three units described above: the dynamic link library (DLL) information acquisition unit 100, the disassembly unit 101, and the control-flow jump instruction address acquisition unit 102;
the Import Address Table repair module may comprise the effective address acquisition unit 103 described above;
and the import table rebuilding module may comprise the import table reconstruction unit 104 described above.
For a clearer understanding of the device provided in this embodiment, refer to the explanation of the method provided in the embodiments above.
As the description of the device provided by the embodiment of the invention shows, the device searches the export function addresses of each DLL loaded by the target packed program, as recorded in the DLL information list that has been built, for addresses identical to the destination addresses of the control-flow jump instructions obtained, and so obtains IAT_3; it then builds the import table from the DLL information list and IAT_3. The device applies to any packing method; compared with the prior art it is more universal, needs no manual intervention, and is highly automated.
Further, in order to remove the addresses in the non-executable address range from those obtained by the control-flow jump instruction address acquisition unit 102, the device may also comprise a screening unit 105, which removes, from the destination addresses of all control-flow jump instructions obtained by the control-flow jump instruction address acquisition unit 102, the addresses in the non-executable address range together with the content those addresses point to, thereby obtaining IAT_1. IAT_1 contains the destination addresses of the control-flow jump instructions that were not removed and the content those destination addresses point to.
Further, so as not to omit import addresses and to widen the range of import addresses selected, the device may also comprise a search unit 106, which takes the maximum address in the output of either the control-flow jump instruction address acquisition unit 102 or the screening unit 105 and searches from it toward higher addresses, stopping when the content an address points to is empty (or zero), and adds every address reached, together with the content it points to, to IAT_1;
and/or takes the minimum address and searches from it toward lower addresses, stopping when the content an address points to is empty (or zero), and adds every address reached, together with the content it points to, to IAT_1.
Here IAT_1 may hold the destination addresses of the control-flow jump instructions that were not removed and the content those addresses point to, or it may hold all the control-flow jump instruction destination addresses obtained by the control-flow jump instruction address acquisition unit 102 and the content those addresses point to.
Further, the effective address acquisition unit 103 of the device provided by the embodiment of the invention may specifically comprise a first judging unit 2001 and a first filling unit 2002.
The first judging unit 2001 determines, for each address in IAT_1, whether an address identical to it can be found in the DLL information list, and notifies the first filling unit 2002 of the result.
The first filling unit 2002 enters into IAT_2 those addresses in IAT_1 for which the first judging unit 2001 found an identical address in the DLL information list.
Note that the addresses in the IAT_2 obtained above are valid addresses but do not include repaired addresses; the import table reconstruction unit 104 can already build a correct import table from this IAT_2. In fact, the effective address acquisition unit 103 can also repair invalid addresses, so it may further comprise a second disassembly unit 2003, a second judging unit 2004 and a second filling unit 2005.
The second disassembly unit 2003 disassembles the content of those addresses in IAT_1 for which the first judging unit 2001 found no identical address in the DLL information list, obtaining the disassembled code.
The second judging unit 2004 determines whether the disassembled code obtained by the second disassembly unit 2003 contains an API call; if so, it notifies the second filling unit 2005; if not, it performs no operation.
The second filling unit 2005 obtains the address of the first API call in the disassembled code and enters that address into IAT_2.
To avoid confusion, note also that IAT_3 above records the result obtained by the control-flow jump instruction address acquisition unit 102, and that result is output to the import table reconstruction unit 104; IAT_2 is the set of addresses finally output to the import table reconstruction unit 104 once the device has been given the screening unit 105, the search unit 106, or the repair function.
Adding the second disassembly unit 2003, the second judging unit 2004 and the second filling unit 2005 gives the device the function of repairing invalid addresses, so the import table finally obtained is more accurate.
For an understanding of the device for obtaining the import table of an executable file provided by the embodiment of the invention, reference may also be made to the explanations in embodiments one and two.
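Step D10 of the method and the import table reconstruction unit 104 above, as an added example in Python that is not the patent's code: it takes an IAT_2 of the kind the method produces (IAT slot address mapped to a valid or repaired export address) and the DLL information list, groups the slots into runs, and serialises a PE import directory (an IMAGE_IMPORT_DESCRIPTOR array, one import name table per run, and hint/name strings) whose FirstThunk fields point back at the program's existing IAT. The page does not say what form its rebuilt table takes beyond a reference to Figure 3, so the PE import directory is this example's choice; the image base, the RVA of the section the directory is written to, and every address and export are invented.

```python
"""Step D10 / unit 104: build a PE import directory from IAT_2 and the DLL information list.
Added example, not the patent's code; the IAT, DLLs, RVAs and image base are invented."""
import struct

# Constructed DLL information list: name, base, size, exports {address: (name, ordinal)}.
DLL_INFO = [
    {"name": "kernel32.dll", "base": 0x7C800000, "size": 0x100000, "exports": {
        0x7C801D7B: ("LoadLibraryA", 0x3A5), 0x7C80AE40: ("GetProcAddress", 0x26A),
        0x7C81CAA2: ("ExitProcess", 0x11A), 0x7C80B741: ("GetModuleHandleA", 0x267)}},
    {"name": "user32.dll", "base": 0x7E410000, "size": 0x91000, "exports": {
        0x7E4507EA: ("MessageBoxA", 0x1E1), 0x7E42F6E5: ("SetWindowTextA", 0x266)}},
]
# Constructed IAT_2: IAT slot address -> export address (valid or repaired). The kernel32
# and user32 entries are deliberately interleaved, as a packer or linker may leave them.
IAT2 = {0x405000: 0x7C801D7B, 0x405004: 0x7C80AE40, 0x405008: 0x7E4507EA,
        0x40500C: 0x7C81CAA2, 0x405010: 0x7C80B741, 0x405018: 0x7E42F6E5}
IMAGE_BASE = 0x400000      # assumed load address of the dumped image
NEW_SECTION_RVA = 0x10000  # assumed RVA of the section the import directory is written to


def lookup(export_addr):
    """Resolve an export address through the DLL information list -> (dll, name, ordinal)."""
    for dll in DLL_INFO:
        if dll["base"] <= export_addr < dll["base"] + dll["size"]:
            name, ordinal = dll["exports"][export_addr]
            return dll["name"], name, ordinal
    raise KeyError(f"{export_addr:#x} is not inside any listed DLL")


def group_runs(iat2):
    """Split IAT_2 into runs of adjacent slots that resolve to the same DLL. The loader
    fills one descriptor's FirstThunk array from one INT, so each run must be contiguous;
    an interleaved IAT therefore yields several descriptors for the same DLL."""
    runs = []
    for slot in sorted(iat2):
        dll, name, ordinal = lookup(iat2[slot])
        if runs and runs[-1]["dll"] == dll and runs[-1]["slots"][-1] + 4 == slot:
            runs[-1]["slots"].append(slot)
            runs[-1]["funcs"].append((name, ordinal))
        else:
            runs.append({"dll": dll, "slots": [slot], "funcs": [(name, ordinal)]})
    return runs


def build_import_directory(iat2, section_rva, image_base):
    """Serialise IMAGE_IMPORT_DESCRIPTORs, import name tables and hint/name strings.
    Layout: descriptors (20 bytes each, null-terminated) | INTs | strings."""
    runs = group_runs(iat2)
    int_base = section_rva + 20 * (len(runs) + 1)
    str_base = int_base + sum(4 * (len(r["slots"]) + 1) for r in runs)
    descs, ints, strings = bytearray(), bytearray(), bytearray()

    def add_string(blob):
        rva = str_base + len(strings)
        strings.extend(blob)
        if len(strings) % 2:                 # keep IMAGE_IMPORT_BY_NAME word-aligned
            strings.append(0)
        return rva

    for run in runs:
        name_rva = add_string(run["dll"].encode() + b"\0")
        oft = int_base + len(ints)           # OriginalFirstThunk: this run's INT
        for func, ordinal in run["funcs"]:
            # Hint is only an index hint into the export name table; the loader falls
            # back to a name search if it does not match, so the page's ordinal is safe here.
            ints += struct.pack("<I", add_string(struct.pack("<H", ordinal) + func.encode() + b"\0"))
        ints += struct.pack("<I", 0)
        descs += struct.pack("<IIIII", oft, 0, 0, name_rva, run["slots"][0] - image_base)
    descs += bytes(20)                       # null descriptor ends the table
    return bytes(descs + ints + strings)


def parse_import_directory(blob, section_rva):
    """Read the directory back as [(dll, FirstThunk RVA, [function names])] as a self-check."""
    def cstr(rva):
        off = rva - section_rva
        return blob[off:blob.index(b"\0", off)].decode()
    result = []
    for off in range(0, len(blob), 20):
        oft, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", blob, off)
        if oft == 0 and name_rva == 0:
            break
        names, pos = [], oft - section_rva
        while struct.unpack_from("<I", blob, pos)[0] != 0:
            names.append(cstr(struct.unpack_from("<I", blob, pos)[0] + 2))  # skip the hint
            pos += 4
        result.append((cstr(name_rva), first_thunk, names))
    return result


if __name__ == "__main__":
    directory = build_import_directory(IAT2, NEW_SECTION_RVA, IMAGE_BASE)
    for dll, first_thunk, names in parse_import_directory(directory, NEW_SECTION_RVA):
        print(f"{dll:14} FirstThunk={first_thunk:#07x} {names}")
```

On the constructed IAT_2 the interleaving produces four descriptors for two DLLs (kernel32, user32, kernel32, user32), each with FirstThunk pointing at the first slot of its run; the loader accepts repeated descriptors for one DLL, which is why the runs are not merged. A slot that could not be repaired (0x405014 in the previous example) is simply absent from IAT_2 and so ends a run, so the loader never writes to it.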
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium may include a ROM, a RAM, a magnetic disk or an optical disc.
The method and device for obtaining the import table of an executable file provided by the embodiment of the invention have been described in detail above. Specific cases have been used here to set out the principle and embodiments of the invention, and the explanation of the above embodiments serves only to help in understanding the method of the invention and its core idea; at the same time, those of ordinary skill in the art will, following the idea of the invention, make changes in the specific embodiments and the scope of application. In sum, this description should not be construed as limiting the invention.

Claims (10)

1. one kind is obtained executable file input table method, it is characterized in that, comprising:
Obtain all dynamic link libraries that the target cryptor loads, according to all dynamic link libraries that obtain, set up the dynamic link library information list, comprise in the described dynamic link library information list: the title of all dynamic link libraries that described target cryptor loads, the plot of each dynamic link library that described target cryptor loads, the memory range that each dynamic link library that described target cryptor loads takies, in each dynamic link library that described target cryptor loads the address of derivative function wherein all;
Also comprise in the described dynamic link library information list: the title of derivative function in each dynamic link library that described target cryptor loads, in each dynamic link library that loads with described target cryptor the sequence number of derivative function wherein each;
Code to described target cryptor carries out dis-assembling, obtains the destination address of all control stream jump class instructions and the content that described destination address points to;
In described dynamic link library information list, the identical address of destination address of the control of Search and acquirement stream jump class instruction;
According to the address of the derivative function that comprises in the lookup result, with the address of described derivative function corresponding all information in described dynamic link library information list, set up the input table of described target cryptor; The address of the derivative function that comprises in the described lookup result is the address in the Import Address Table in the described input table.
2. The method according to claim 1, characterized in that, after obtaining the destination addresses of all control-flow jump instructions and the content the destination addresses point to, and before searching for addresses identical to the obtained destination addresses of the control-flow jump instructions, the method further comprises:
removing the addresses in the non-executable address range from the obtained destination addresses of all control-flow jump instructions;
and searching for addresses identical to the obtained destination addresses of the control-flow jump instructions then specifically comprises: searching for addresses identical to the destination addresses of the control-flow jump instructions, these being the destination addresses of the control-flow jump instructions remaining after the addresses in the non-executable address range were removed.
3. The method according to claim 2, characterized in that the non-executable address range comprises at least: the null-pointer region, the kernel region, or addresses in the reserved state.
4. The method according to claim 1, characterized in that, after obtaining the destination addresses of all control-flow jump instructions and the content the destination addresses point to, and before searching for addresses identical to the obtained destination addresses of the control-flow jump instructions, the method further comprises:
obtaining the maximum of the destination addresses of all control-flow jump instructions, searching from the maximum toward higher addresses, stopping when the content pointed to by an address is empty, and recording the addresses reached and the content the addresses reached point to;
and/or obtaining the minimum of the destination addresses of all control-flow jump instructions, searching from the minimum toward lower addresses, stopping when the content pointed to by an address is empty, and recording the addresses reached and the content the addresses reached point to;
and searching for addresses identical to the obtained destination addresses of the control-flow jump instructions specifically comprises: searching for addresses identical to the obtained destination addresses of the control-flow jump instructions, and searching for addresses identical to the addresses reached.
5. The method according to claim 1, characterized in that the method further comprises: when, for the destination address of a control-flow jump instruction, no address identical to that destination address is found in the dynamic link library information list, disassembling the content that destination address points to, obtaining the disassembled code;
determining whether the disassembled code contains an application programming interface call and, if so, obtaining the address of the application programming interface call;
and then building the import table of the target packed program from the export function addresses contained in the search result, all information corresponding to those export function addresses in the dynamic link library information list, the address of the application programming interface call, and all information corresponding to the address of the application programming interface call in the dynamic link library information list.
6. one kind is obtained executable file input table device, it is characterized in that, comprising:
Dynamic link library (DLL) information acquisition unit, be used for obtaining all dynamic link libraries that the target cryptor loads, according to all dynamic link libraries that obtain, set up the dynamic link library information list, comprise in the described dynamic link library information list: the title of all dynamic link libraries that described target cryptor loads, the plot of each dynamic link library that described target cryptor loads, the memory range that each dynamic link library that described target cryptor loads takies, in each dynamic link library that described target cryptor loads the address of derivative function wherein all;
Also comprise in the described dynamic link library information list: the title of derivative function in each dynamic link library that described target cryptor loads, in each dynamic link library that loads with described target cryptor the sequence number of derivative function wherein each;
The dis-assembling unit is used for the code of described target cryptor is carried out dis-assembling;
Address location is obtained in the instruction of control stream jump class, is used for from the dis-assembling code that described dis-assembling unit is exported, and obtains the destination address of all control stream jump class instructions and the content that described destination address points to;
The effective address acquiring unit, for what comprise at described dynamic link library information list, in the address of derivative function, the identical address of destination address of jump class instruction is flowed in the control of Search and acquirement in each dynamic link library that described target cryptor loads;
The input table reconfiguration unit; The input table of described target cryptor is set up in the address that is used for the derivative function that comprises according to lookup result, and the address of described derivative function corresponding all information in described dynamic link library information list; The address of the derivative function that comprises in the described lookup result is the address in the Import Address Table in the described input table.
7. The device according to claim 6, characterized in that the device further comprises:
a screening unit, for removing the addresses in the non-executable address range from the obtained destination addresses of all control-flow jump instructions;
the effective address acquisition unit then being specifically for searching the export function addresses of each dynamic link library loaded by the target packed program, as contained in the dynamic link library information list, for addresses identical to the destination addresses of the control-flow jump instructions, these being the destination addresses of the control-flow jump instructions remaining after the addresses in the non-executable address range were removed.
8. The device according to claim 6, characterized in that the device further comprises:
a search unit, for obtaining the maximum of the destination addresses of all control-flow jump instructions, searching from the maximum toward higher addresses, stopping when the content pointed to by an address is empty, and recording the addresses reached and the content the addresses reached point to;
and/or obtaining the minimum of the destination addresses of all control-flow jump instructions, searching from the minimum toward lower addresses, stopping when the content pointed to by an address is empty, and recording the addresses reached and the content the addresses reached point to;
the effective address acquisition unit then being specifically for searching the export function addresses of each dynamic link library loaded by the target packed program, as contained in the dynamic link library information list, for addresses identical to the obtained destination addresses of the control-flow jump instructions and for addresses identical to the addresses reached.
9. The device according to claim 6, characterized in that the effective address acquisition unit specifically comprises:
a first judging unit, for determining whether the obtained destination address of a control-flow jump instruction is found in the dynamic link library information list and, if so, notifying the first filling unit;
a first filling unit, for entering into a second Import Address Table the addresses found in the dynamic link library information list that are identical to the destination addresses of the control-flow jump instructions;
the import table reconstruction unit then being specifically for building the import table of the target packed program from the second Import Address Table and the dynamic link library information list.
10. The device according to claim 9, characterized in that the effective address acquisition unit further comprises:
a second disassembly unit, for disassembling the content the destination address of a control-flow jump instruction points to when the first judging unit determines that no address identical to that destination address is found in the dynamic link library information list, obtaining the disassembled code;
a second judging unit, for determining whether the disassembled code contains an application programming interface call and, if so, notifying the second filling unit;
and a second filling unit, for entering the address of the application programming interface call into the second Import Address Table.
CN 200910171415 2009-08-28 2009-08-28 Method and device capable of acquiring executable file input table Expired - Fee Related CN102004884B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910171415 CN102004884B (en) 2009-08-28 2009-08-28 Method and device capable of acquiring executable file input table

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910171415 CN102004884B (en) 2009-08-28 2009-08-28 Method and device capable of acquiring executable file input table

Publications (2)

Publication Number Publication Date
CN102004884A CN102004884A (en) 2011-04-06
CN102004884B true CN102004884B (en) 2013-04-17

Family

ID=43812239

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910171415 Expired - Fee Related CN102004884B (en) 2009-08-28 2009-08-28 Method and device capable of acquiring executable file input table

Country Status (1)

Country Link
CN (1) CN102004884B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102184103B (en) * 2011-05-12 2014-05-21 电子科技大学 Shell characteristic extracting method of software protection shell
CN102184363B (en) * 2011-05-21 2013-09-25 电子科技大学 Automatic software packer shelling method based on comprehensive processing
CN103177222B (en) * 2011-12-23 2015-08-12 腾讯科技(深圳)有限公司 A kind of file adds shell, the disposal route of shelling and equipment thereof
CN102890758B (en) * 2012-10-11 2014-12-17 北京深思洛克软件技术股份有限公司 Method and system for protecting executable file
CN103093142B (en) * 2012-12-26 2015-07-22 飞天诚信科技股份有限公司 Java card object access control method
CN103019740B (en) * 2012-12-28 2015-08-19 北京神州绿盟信息安全科技股份有限公司 A kind of method and device obtaining importing table and relocation table
CN103019828B (en) * 2012-12-28 2015-06-17 北京神州绿盟信息安全科技股份有限公司 Auxiliary shelling method and device based on shell adding program
CN103077029B (en) * 2012-12-28 2016-07-13 北京神州绿盟信息安全科技股份有限公司 A kind of restorative procedure importing table and device
CN103413071B (en) * 2013-07-09 2016-03-23 北京深思数盾科技有限公司 A kind of method of data in protection software
WO2015099778A1 (en) 2013-12-27 2015-07-02 Mcafee, Inc. Segregating executable files exhibiting network activity
CN103886042B (en) * 2014-03-10 2017-07-21 珠海市君天电子科技有限公司 A kind of method and device for recognizing dynamic link library
CN105528220B (en) * 2014-09-28 2020-12-01 腾讯科技(深圳)有限公司 Method and device for loading dynamic shared object
CN104504310A (en) * 2015-01-15 2015-04-08 深圳市东信时代信息技术有限公司 Method and device for software protection based on shell technology
CN105117644B (en) * 2015-08-26 2018-08-28 福建天晴数码有限公司 Acquire Android plug-in program method and system
CN106021096B (en) * 2016-05-09 2018-12-21 珠海豹趣科技有限公司 A kind of abnormal function lookup method and device
CN106325927B (en) * 2016-08-19 2019-12-17 北京金山安全管理系统技术有限公司 interception method and device applied to dynamic library API in linux system
CN107784204B (en) * 2016-08-31 2021-10-22 百度在线网络技术(北京)有限公司 Application shelling method and device
CN108108617B (en) * 2017-12-21 2019-10-08 中国人民解放军战略支援部队信息工程大学 Importing table restorative procedure and device based on the tracking of static instruction stream

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101154258A (en) * 2007-08-14 2008-04-02 电子科技大学 Automatic analyzing system and method for dynamic action of malicious program
CN101154259A (en) * 2007-08-27 2008-04-02 电子科技大学 General automated shelling engine and method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘晓冬. Research and Implementation of Software Packing Technology. China Master's Theses Full-text Database, 2006, No. 10, full text. *

Also Published As

Publication number Publication date
CN102004884A (en) 2011-04-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130417

Termination date: 20190828
