CN103116714A - Double-process protection method for executable files of Windows platform - Google Patents

Publication number: CN103116714A
Application number: CN2013100669459A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 郑子琛
Current Assignee: China Standard Software Co Ltd
Original Assignee: China Standard Software Co Ltd

Abstract

The invention discloses a double-process protection method for executable files of a Windows platform. The double-process protection method includes starting target programs of a user according to operation of the user and generating target processes; enabling the target processes to judge whether the target processes are debugged at the moment or not; and triggering a debugger via the target processes if the target processes are not debugged at the moment, and restarting the target processes by the debugger in a debug mode. The double-process protection method has the advantage that the processes of the target programs of the user are restarted via the debugger which is triggered by the processes of the target programs of the user, so that the target programs of the user can be effectively prevented from being cracked.

Description

Double-process protection method for Windows platform executable files
Technical field
The present invention relates to the field of software anti-cracking, and in particular to a double-process protection method for executable files on the Windows platform.
Background
Software piracy has drawn close attention from governments around the world. The most basic technical means of pirating software is to understand the program through reverse engineering and then tamper with the software illegally in order to remove its protection. Increasingly rampant piracy has seriously disrupted the order of the software market and seriously harmed the interests of software vendors.
More worrying than piracy is reverse analysis. As a rule of thumb, a skilled reverse engineer can reverse 1000 lines of C++ code in one day. In other words, software that took several years of hard work to develop will, if unprotected, have its entire code reversed at a rate of 1000 lines per day. The problem is particularly pronounced for drivers. A driver is small and compact and gathers many core techniques, yet it is often only tens of KB in size, so its entire source code may be recovered within a few days. As a result, soon after a product is released, many products with identical functionality appear, and its competitive advantage is gone.
This shows the importance of software protection. However, because software encryption is an adversarial technology, the developer needs some understanding of decryption techniques. Material on software encryption is comparatively scarce, so most developers of software protection are unfamiliar with encryption and decryption, and the encryption schemes they spend considerable manpower and resources designing often collapse at the first blow. Dedicated encryption software emerged to free software developers from protection measures so that they can concentrate on developing their own software. The scheme proposed in this patent application is a software encryption scheme for such dedicated encryption software.
Packing (shell) technology was the earliest dedicated encryption technology to appear. Most software in common use today is protected by a packer, and packing has become the most popular software encryption technique at present. Well-known packers include ASProtect, Armadillo and EXECryptor.
For example, ASProtect is a very powerful Win32 program protection tool with many protective measures, including compression, encryption, anti-tracing code, CRC checks and junk instructions. It uses strong cryptographic algorithms such as Blowfish, Twofish and TEA, and uses RSA1024 for its registration key generator. It also communicates with the packed program through API hooks, and it provides an SDK supporting VC, VB and others, so that the protected program combines internal and external protection.
Armadillo is a widely used commercial protection product that, in addition to protection, can add various restrictions to the software, including time limits, use counts and a splash screen. Its distinguishing feature is double-process protection. When packing, it scans the program and replaces marked jump instructions with int3 instructions. At run time, the protecting process intercepts each int3, replaces it with the destination address and returns to the protected process, which then continues running.
EXECryptor is a commercial protection product that can add registration mechanisms, time limits, use-count limits and similar functions to the target software. Its distinguishing feature is a very powerful anti-debug capability.
Software protected by packing has an obvious boundary between the shell and the decrypted original program. A cracker can set a breakpoint at this boundary, wait for the shell to finish decrypting, dump the memory, and rebuild the exe file from the dump, thereby defeating the protection.
Other existing double-process protection software protects only the decryption stage, not the whole run of the software, so there is still an obvious boundary between decryption and program execution, and it has the same problem as traditional packing.
There is also virtual machine protection technology. Virtual machine protection differs from the usual notion of a virtual machine; it is closer to P-CODE: a series of instructions is translated into bytecode that is executed in an interpretation engine, which protects the software. A person who traces into the virtual machine finds it very hard to understand the original instructions. To understand the program flow, one must analyse the virtual machine engine in depth and recover the complete correspondence between the P-CODE and the original code, which is obviously very complex. VMProtect is a well-known virtual machine protection product that offers protection to developers through an SDK. Virtual machine protection, represented by VMProtect, has become the safest protection method currently available. As the technology matures, many packer-based encryption products are also turning to virtual machine encryption, and the packers mentioned above now all include virtual machine encryption to a greater or lesser degree.
Virtual machine protection is thus better in terms of security, but its performance cost is excessive, which has limited its adoption. It trades efficiency for security: a single original assembly instruction can expand tens or even a hundred times after VM processing, and execution efficiency drops sharply. For this reason VM protection is generally offered through an SDK. For programs with high performance requirements, however, virtual machine protection is unsuitable.
Summary of the invention
One technical problem to be solved by the present invention is to provide a double-process protection method for Windows platform executable files that better prevents cracking.
To solve this technical problem, the invention provides a double-process protection method for Windows platform executable files, comprising:
starting the user target program in response to a user operation, generating a target process;
the target process determining whether it is currently being debugged;
if not, the target process triggering a debugger, and the debugger restarting the target process in debug mode.
The step in which the target process triggers the debugger and the debugger restarts the target process in debug mode comprises:
the target process determining whether its run parameters meet a set condition;
if they do not, the target process restarting the user target program to generate a new target process and then exiting; the target process then creating the debugger and exiting; and the debugger restarting the user target program in debug mode to generate a target process that is in the debugged state.
The step in which the target process restarts the user target program to generate a new target process and then exits further comprises: the target process calling the SEH exception handler, which uses self-modifying code to modify the code of the filter handler so that the filter handler is able to modify the SEH exception handler, and the SEH exception handler then calling the modified filter handler; the modified filter handler using self-modifying code to modify the code of the SEH exception handler and then calling the modified SEH exception handler, which restarts the user target program to generate the new target process.
The processing in which the target process restarts the user target program to generate a new target process comprises: the target process restarting the user target program, and so generating the new target process, by appending a magic number and the current system time to the end of the WinExec command-line parameter.
The step in which the target process triggers the debugger and the debugger restarts the target process in debug mode comprises: the target process determining whether its run parameters meet the set condition; if they do, the target process creating the debugger and then exiting, and the debugger restarting the user target program in debug mode to generate a target process that is in the debugged state.
The step in which the target process determines whether its run parameters meet the set condition comprises: the target process using the SEH exception handler to make that determination.
Further, the set condition is that the run parameters of the target process include the magic number and the start time of the target process, and that the interval between that start time and the previous start of the target process is less than a preset duration.
The step in which the target process creates the debugger and then exits comprises: the target process creating the debugger by remote thread injection and then exiting.
The step in which the target process creates the debugger by remote thread injection and then exits further comprises: the target process overwriting the code of the filter exception handler with the code of the remote thread; the SEH exception handler passing the exception down until the filter exception handler is called; and the filter exception handler creating the debugger by remote thread injection.
The step in which the debugger restarts the target process in debug mode comprises: the debugger starting the target process with the CreateProcess function and specifying the DEBUG_PROCESS flag.
Compared with the prior art, one or more embodiments of the invention may have the following advantage: because the process of the user target program is restarted by a debugger that this process itself triggers, the user target program is better protected against cracking.
Other features and advantages of the invention are set out in the description that follows; some will be apparent from the specification or be understood by practising the invention. The objects and other advantages of the invention can be realised and obtained through the structures particularly pointed out in the specification, the claims and the drawings.
Description of the drawings
The drawings provide a further understanding of the invention and form part of the specification; together with the embodiments they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a flow chart of the double-process protection method for Windows platform executable files according to Embodiment one of the invention;
Fig. 2 is a flow chart of the sub-steps of step S130 in Fig. 1.
Detailed description of the embodiments
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and put into practice. Provided they do not conflict, the embodiments and the features within them may be combined with one another, and the resulting technical solutions all fall within the scope of protection of the invention.
In addition, the steps shown in the flow charts may be executed in a computer system as a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in a different order.
The traditional approach is to prevent a debugger from seeing the correct code by packing or encrypting it. As described above, however, both packing and encryption have their limitations.
Windows distinguishes four protection rings, ring0, ring1, ring2 and ring3; ring0 is the innermost and ring3 the outermost. The debugger referred to above may be a simplified debugger running in Ring3 that starts a target program in debug mode, receives the debug events the program produces, and handles them accordingly.
The inventor observed that in the Windows environment the relation between a Ring3 debugger and the debugged program is one to one: a program can have only one debugger. The basic means of cracking a program is dynamic analysis, that is, debugging. This led to the following approach: if a debugger is attached to the user target process in advance, no other debugger can attach, which acts as anti-debugging. The debugger that the invention attaches in advance is a Ring3-level debugger. The debugger can also take on functions such as decompressing or transforming part or all of the code, and can monitor and control the target process in real time; this makes the anti-cracking method more flexible and greatly increases the difficulty of cracking the executable. Cracking here mainly means defeating the copyright protection of the software (executable program) and decoding its code.
Embodiment one
Embodiment one of the invention is described below with reference to Fig. 1, which shows a flow chart of the double-process protection method for Windows platform executable files according to Embodiment one.
Step S110: the user target program is started in response to a user operation, generating a target process.
Step S120: the target process determines whether it is currently being debugged.
Step S130: if not, the target process triggers a debugger, and the debugger restarts the target process in debug mode. The debugger can restart the target process with the CreateProcess function, specifying the DEBUG_PROCESS flag. If the target process is being debugged, the method proceeds to step S140 to execute the subsequent program code.
Step S140: the target program executes its subsequent program code to carry out the functions the user requires.
In this way a third party is prevented from starting a debugger to debug the target process, which serves the anti-cracking purpose.
In step S110, the user may double-click the user target program to run it, which causes the Windows operating system (a system on which Windows is installed is referred to in this document as the Windows platform) to start a process for the program, namely the target process.
In step S130, the processing in which the target process triggers the debugger and the triggered debugger restarts the target process in debug mode further comprises (see Fig. 2):
Sub-step S131: the target process determines whether its run parameters meet the set condition. If not, proceed to sub-step S132; otherwise proceed to sub-step S133.
Sub-step S132: the target process restarts the user target program to generate a new target process and then exits; proceed to sub-step S133.
Sub-step S133: the target process creates the debugger and then exits; proceed to sub-step S134.
Sub-step S134: the debugger restarts the user target program in debug mode to generate a target process that is in the debugged state.
Preferably, the set condition may be that the run parameters of the target process include a magic number and the start time of the target process, and that the interval between that start time and the previous start of the target process is less than a preset duration. Having a target process that does not meet the preset condition restart the user target program and exit, producing a new target process, places a further obstacle in the way of cracking the program. Correspondingly, the processing in which the target process restarts the user target program to generate a new target process may comprise: restarting the user target program, and so generating the new target process, by appending a magic number and the current system time to the end of the WinExec command-line parameter.
The set condition may also be any of various other conditions; for example, it may require only that the run parameters include the magic number and the previous run duration of the target process, as long as it places some obstacle in the way of cracking the user target program.
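The decision made in steps S120 and S131, written out as an added example (not code from the patent). The token layout "8 hex digits, colon, Unix seconds", the magic value, the 5-second window and the rejection of timestamps in the future are all assumptions of this example; the patent only says that a magic number and the system time are appended to the command line.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions of this example: the patent fixes neither the magic value,
 * the token layout, nor the preset duration. */
#define RELAUNCH_MAGIC  0x5A17C0DEu   /* constructed value */
#define MAX_AGE_SECONDS 5             /* constructed "preset duration" */

enum next_step {
    STEP_S140_RUN_PROGRAM,     /* S120: already debugged, run the program body */
    STEP_S132_RELAUNCH_SELF,   /* S131 failed: relaunch with a fresh token, exit */
    STEP_S133_CREATE_DEBUGGER  /* S131 passed: create the debugger, exit */
};

/* S132: append " <8 hex digits>:<unix seconds>" to the command line.
 * Returns 0 on success, -1 if the output buffer is too small. */
int build_relaunch_cmdline(char *out, size_t outlen, const char *base, int64_t now)
{
    int n = snprintf(out, outlen, "%s %08X:%lld", base,
                     (unsigned)RELAUNCH_MAGIC, (long long)now);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Strictly parse the last space-separated argument as magic:timestamp.
 * Every character is checked first, so strtoul/strtoll cannot be fed
 * signs, "0x" prefixes, whitespace or values that overflow. */
static int parse_token(const char *cmdline, uint32_t *magic, int64_t *stamp)
{
    const char *tok = strrchr(cmdline, ' ');
    size_t len, i;

    tok = tok ? tok + 1 : cmdline;
    len = strlen(tok);
    if (len < 10 || len > 8 + 1 + 18 || tok[8] != ':')
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tok[i];
        if (i == 8)
            continue;
        if (i < 8 ? !isxdigit(c) : !isdigit(c))
            return -1;
    }
    *magic = (uint32_t)strtoul(tok, NULL, 16);
    *stamp = (int64_t)strtoll(tok + 9, NULL, 10);
    return 0;
}

/* Steps S120 and S131 as a pure function of the process state. */
enum next_step decide_next_step(int being_debugged, const char *cmdline, int64_t now)
{
    uint32_t magic;
    int64_t stamp;

    if (being_debugged)
        return STEP_S140_RUN_PROGRAM;
    if (parse_token(cmdline, &magic, &stamp) != 0 || magic != RELAUNCH_MAGIC)
        return STEP_S132_RELAUNCH_SELF;
    /* The interval must be less than the preset duration. A timestamp in
     * the future is treated as invalid (a choice made by this example). */
    if (stamp > now || now - stamp >= MAX_AGE_SECONDS)
        return STEP_S132_RELAUNCH_SELF;
    return STEP_S133_CREATE_DEBUGGER;
}

int main(void)
{
    char cmd[128];
    int64_t t0 = 1700000000;   /* constructed launch time */

    if (build_relaunch_cmdline(cmd, sizeof cmd, "target.exe", t0) != 0)
        return 1;
    printf("relaunch command line: %s\n", cmd);
    printf("first launch -> step %d\n", decide_next_step(0, "target.exe", t0));
    printf("fresh token  -> step %d\n", decide_next_step(0, cmd, t0 + 1));
    printf("stale token  -> step %d\n", decide_next_step(0, cmd, t0 + 60));
    return 0;
}
```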
Further, the target process uses the SEH exception handler to determine whether its run parameters meet the set condition.
SEH (Structured Exception Handling) is an exception-handling mechanism of the Windows operating system. SEH is per-thread, and each thread can install multiple SEH exception handlers. Because SEH depends on the hardware platform, Windows does not publish its technical details, but SEH is widely used from many languages. Windows defines a thread information block (TIB, Thread Information Block) for each thread, in which some thread attribute data is kept. Its structure is defined as follows:
NT_TIB STRUCT
    ExceptionList        DWORD ?   ; 00h: head of the SEH registration chain
    StackBase            DWORD ?   ; 04h
    StackLimit           DWORD ?   ; 08h (missing from the original listing)
    SubSystemTib         DWORD ?   ; 0Ch
    FiberData            DWORD ?   ; 10h
    ArbitraryUserPointer DWORD ?   ; 14h
    Self                 DWORD ?   ; 18h: linear address of this TIB
NT_TIB ENDS
The ExceptionList field points to an EXCEPTION_REGISTRATION structure, defined as follows:
EXCEPTION_REGISTRATION STRUCT
    prev    DWORD ?   ; address of the previous (outer) registration record
    handler DWORD ?   ; address of the exception handler function
EXCEPTION_REGISTRATION ENDS
When an exception occurs, the system takes the ExceptionList field from the TIB (Thread Information Block), reads the handler field of the structure it points to, and calls the exception handler at that address. To install its own exception handler, a program only needs to build a new EXCEPTION_REGISTRATION structure, set its prev field to point to the current EXCEPTION_REGISTRATION structure, and then update the ExceptionList pointer in the TIB. The TIB is addressed through the fs segment register, so it can be accessed via fs:[0]. A new SEH exception handler can be installed with the following code:
push offset _ProcCallback   ; handler field of the new record
push fs:[0]                 ; prev field = current head of the chain
mov  fs:[0],esp             ; the record just built on the stack becomes the head
An SEH exception handler can be removed with the following code:
pop  fs:[0]                 ; restore the previous head of the chain
pop  eax                    ; discard the handler address
When an exception occurs, Windows calls the exception handler and passes it the following parameters:
_ProcCallback proc C _lpExceptionRecord,\
                     _lpSEH,\
                     _lpContext,\
                     _lpDispatcherContext
_lpExceptionRecord points to an EXCEPTION_RECORD structure, _lpSEH points to the EXCEPTION_REGISTRATION structure used when the callback was registered, and _lpContext points to a CONTEXT structure.
After handling the exception, the function can return one of four values. If it returns ExceptionContinueExecution, the system restores the CONTEXT structure and resumes execution. If the callback returns ExceptionContinueSearch, the system obtains the address of the previous SEH callback from the prev field of the EXCEPTION_REGISTRATION structure and calls it. ExceptionNestedException indicates that a new exception occurred inside the exception-handling callback, and ExceptionCollidedUnwind indicates that an unwind operation occurred.
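An analyst examining a program protected this way wants to see which handlers are registered on a thread. The following added example (not code from the patent) walks the prev/handler chain described above in a copy of a 32-bit thread stack and counts handlers that lie outside every loaded module. The stack bytes, addresses and module ranges are constructed sample data, and the alignment, bounds and ordering checks are choices made by this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEH_CHAIN_END 0xFFFFFFFFu   /* prev value of the last record (32-bit) */
#define SAMPLE_BASE   0x0012FF00u   /* constructed: address of the snapshot */
#define SAMPLE_HEAD   0x0012FF10u   /* constructed: value read from fs:[0] */

enum chain_status { CHAIN_OK, CHAIN_MISALIGNED, CHAIN_OUT_OF_STACK,
                    CHAIN_NOT_ASCENDING, CHAIN_TOO_LONG };

struct stack_snapshot { uint32_t base_va; uint32_t size; const uint8_t *bytes; };
struct module_range   { uint32_t start, end; };          /* [start, end) */

static uint32_t rd32(const uint8_t *p)                   /* little-endian read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)                 /* little-endian write */
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static int in_any_module(uint32_t va, const struct module_range *m, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (va >= m[i].start && va < m[i].end)
            return 1;
    return 0;
}

/* Follow prev pointers from head. Handler addresses go to handlers[];
 * *foreign counts handlers that lie outside every known module. */
enum chain_status walk_seh_chain(const struct stack_snapshot *s, uint32_t head,
                                 const struct module_range *mods, size_t nmods,
                                 uint32_t *handlers, size_t max,
                                 size_t *count, size_t *foreign)
{
    uint32_t rec = head;

    *count = 0;
    *foreign = 0;
    while (rec != SEH_CHAIN_END) {
        const uint8_t *p;
        uint32_t prev, handler;

        if (*count == max) return CHAIN_TOO_LONG;        /* also stops loops */
        if (rec & 3u) return CHAIN_MISALIGNED;
        if (s->size < 8 || rec < s->base_va || rec - s->base_va > s->size - 8)
            return CHAIN_OUT_OF_STACK;                   /* record not in the snapshot */
        p = s->bytes + (rec - s->base_va);
        prev = rd32(p);                                  /* EXCEPTION_REGISTRATION.prev */
        handler = rd32(p + 4);                           /* EXCEPTION_REGISTRATION.handler */
        handlers[(*count)++] = handler;
        if (!in_any_module(handler, mods, nmods))
            (*foreign)++;
        /* Outer frames sit at higher stack addresses, so prev must increase. */
        if (prev != SEH_CHAIN_END && prev <= rec) return CHAIN_NOT_ASCENDING;
        rec = prev;
    }
    return CHAIN_OK;
}

/* Constructed sample: three records, the middle handler in allocated memory. */
static const struct module_range SAMPLE_MODULES[] = {
    { 0x00400000u, 0x00410000u },    /* application image (constructed) */
    { 0x7C800000u, 0x7C900000u }     /* a system DLL (constructed) */
};

void build_sample_stack(uint8_t buf[64])
{
    memset(buf, 0, 64);
    wr32(buf + 0x10, 0x0012FF20u);   wr32(buf + 0x14, 0x00401500u);
    wr32(buf + 0x20, 0x0012FF30u);   wr32(buf + 0x24, 0x00A40010u);
    wr32(buf + 0x30, SEH_CHAIN_END); wr32(buf + 0x34, 0x7C839AD8u);
}

int main(void)
{
    uint8_t buf[64];
    uint32_t h[8];
    size_t n, foreign, i;
    struct stack_snapshot s = { SAMPLE_BASE, sizeof buf, buf };

    build_sample_stack(buf);
    if (walk_seh_chain(&s, SAMPLE_HEAD, SAMPLE_MODULES, 2, h, 8, &n, &foreign) != CHAIN_OK)
        return 1;
    for (i = 0; i < n; i++)
        printf("handler %u: %08X\n", (unsigned)i, (unsigned)h[i]);
    printf("handlers outside known modules: %u\n", (unsigned)foreign);
    return 0;
}
```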
An SEH exception handler is normally used only to handle program exceptions. The invention instead places the anti-cracking code that checks whether the run parameters meet the set condition inside the exception handler, which further strengthens the program's resistance to cracking. In addition, if a third-party debugger is attempting to crack the target process, then when the target process raises the exception the third-party debugger cannot carry out the function contained in the exception handler of this embodiment, so the subsequent operation of the target process cannot start, which obstructs the cracking attempt.
Further, the processing in which the target process restarts the user target program to generate a new target process and then exits may further comprise: the target process calling the SEH exception handler, which uses self-modifying code to modify the code of the filter handler so that the filter handler is able to modify the SEH exception handler, and the SEH exception handler then calling the modified filter handler; the modified filter handler using self-modifying code to modify the code of the SEH exception handler and then calling the modified SEH exception handler, which restarts the user target program to generate the new target process. In this way the program's resistance to cracking is further improved.
In addition, when the new target process creates the debugger and exits, it may create the debugger by remote thread injection. In other words, in order to protect the debugger process as well, the invention injects the debugger, as a remote thread, into a system process such as Windows Explorer, which hides the debugger process and prevents a debugger from attaching to it.
Implementing this function requires the following APIs: VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. First, VirtualAllocEx is called to allocate a block of memory in the address space of the target process; the block must be large enough to hold the code and data the thread uses, and its protection should be PAGE_EXECUTE_READWRITE. WriteProcessMemory is then called to copy the debugger's code and data into the newly allocated block, and CreateRemoteThread is called to create a remote thread that begins executing there.
A program injected into another process in this way is a thread belonging to the target process; no new process is created at any point, which achieves the goal of hiding the debugger process.
Remote threads raise some technical problems in practice, chiefly code relocation and API import.
The code relocation problem can be illustrated with the following code fragment:
dwVar dd ?
......
mov eax,dwVar
......
After compilation, this code disassembles to the following:
......
A100204000 mov eax,dword ptr [00402000]
Because the compiled machine instruction contains an absolute address, the global variable dwVar can be accessed correctly only if it sits at that fixed address. The memory for the remote thread's code, however, is allocated dynamically with VirtualAllocEx, so there is no guarantee that the address of dwVar is the same for every injection into every target process; the variable cannot be accessed the way a global normally is. More generally, if any compiled machine instruction operates on an absolute memory address, the block of code as a whole cannot be freely injected into another process.
To solve this, every absolute address can be turned into one computed at run time. The following code is the most common solution to the self-location problem:
dwVar dd ?
......
call label
label:
pop ebx
sub ebx,offset label
......
mov eax,dword ptr [ebx+offset dwVar]
As long as ebx is not used for any other purpose while the program runs, every absolute address in the program can be corrected through ebx, which solves the relocation problem.
Further, the processing in which the target process creates the debugger by remote thread injection may also comprise: the target process overwriting the code of the filter exception handler with the code of the remote thread; the SEH exception handler passing the exception down until the filter exception handler is called; and the filter exception handler creating the debugger by remote thread injection. For the same reason as before, namely that an SEH exception handler is normally used only to handle program exceptions, this further improves the program's resistance to cracking.
Although embodiments of the invention are disclosed above, they are described only to aid understanding and do not limit the invention. Any person skilled in the art to which the invention belongs may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed, but the scope of patent protection remains that defined by the appended claims.

Claims (10)

1. windows platform executable file two process guard method is characterized in that, comprising:
According to user's operation start ownership goal program, generate target process;
Described target process judges whether himself is just debugged;
If be judged as noly, then trigger debugger by described target process, restart described target process by described debugger with debud mode.
2. method according to claim 1 is characterized in that, triggers the debugger process by described target process, and described debugger restarts the step of described target process with debud mode, comprising:
Described target process is judged whether its operational factor meets and is imposed a condition;
Do not meet if be judged as, then described target process restarts the ownership goal program and then withdraws to generate new described target process, then target process generates described debugger backed off after random, and described debugger restarts described ownership goal program is in debugging mode with generation target process with debud mode.
3. method according to claim 2 is characterized in that, described target process restarts the step that then the ownership goal program withdraws to generate new described target process, further comprises:
Described target process calls the SEH abnormality processing function, to process function code by self modifying code technology modification screening washer, can revise the SEH abnormality processing function so that screening washer is processed function, call amended screening washer by the SEH abnormality processing function again and process function;
Amended screening washer is processed function by self modifying code technology modification SEH abnormality processing function code, then process the amended SEH abnormality processing function of function call by amended screening washer, amended SEH abnormality processing function restarts the ownership goal program to generate new described target process.
4. method according to claim 2 is characterized in that, described target process restarts the ownership goal program to generate the processing of new described target process, comprising:
Described target process restarts the ownership goal program and generates new described target process by add magic number and current system time at WinExec command line parameter end.
5. The method according to claim 4, characterized in that the step in which the target process triggers the debugger process and the debugger restarts the target process in debug mode comprises:
The target process judges whether its run parameters meet the set condition;
If they do, the target process generates the debugger and then exits, and the debugger restarts the user's target program in debug mode to generate a target process that is in the debugged state.
6. The method according to any one of claims 2 to 5, characterized in that the step in which the target process judges whether its run parameters meet the set condition comprises: the target process uses the SEH exception handler function to judge whether its run parameters meet the set condition.
7. The method according to any one of claims 2 to 5, characterized in that the set condition is that the run parameters of the target process include the magic number and the start time of the target process, and that the interval between that start time and the previous start of the target process is less than a preset duration.
8. The method according to any one of claims 2 to 5, characterized in that the step in which the target process generates the debugger and then exits comprises: the target process generates the debugger by remote thread injection and then exits.
9. The method according to claim 8, characterized in that the step in which the target process generates the debugger by remote thread injection and then exits further comprises:
The target process overwrites the code of the filter exception handler function with the remote-thread-creation code;
The SEH exception handler function passes the exception down until the filter exception handler function is called;
The filter exception handler function generates the debugger by remote thread injection.
10. The method according to claim 1, characterized in that the step in which the debugger restarts the target process in debug mode comprises:
The debugger starts the target process through the CreateProcess function and specifies the DEBUG_PROCESS flag.
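The launch decision described in claims 1, 2, 4, 5 and 7 can be modelled as a small state function. The following is an added illustration, not code from the patent; the magic value, the decimal-seconds timestamp format, the space separator, the 5-second window and all function names are assumptions, and the process-creation and debugger steps themselves are left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values: the claims give no concrete magic number or preset duration. */
#define MAGIC "7A3C91E5"      /* hypothetical magic number */
#define MAX_AGE_SECONDS 5L    /* hypothetical preset duration */

enum stage {
    STAGE_RUN_PROTECTED,  /* claim 1: already being debugged */
    STAGE_RELAUNCH_SELF,  /* claim 2: condition not met, relaunch and exit */
    STAGE_SPAWN_DEBUGGER  /* claim 5: condition met, create debugger, exit */
};

/* Claim 4: append the magic number and current time to the command line. */
static int build_relaunch(const char *exe, long now, char *out, size_t n)
{
    int len = snprintf(out, n, "%s %s %ld", exe, MAGIC, now);
    return len > 0 && (size_t)len < n;
}

/* Claim 7: last two tokens are MAGIC and a start time newer than the window. */
static int params_valid(const char *cmdline, long now)
{
    char buf[512], *ts, *magic, *end;
    if (strlen(cmdline) >= sizeof buf) return 0;
    strcpy(buf, cmdline);
    if ((ts = strrchr(buf, ' ')) == NULL) return 0;
    *ts++ = '\0';                                  /* split off the timestamp */
    magic = strrchr(buf, ' ') ? strrchr(buf, ' ') + 1 : buf;
    if (strcmp(magic, MAGIC) != 0) return 0;
    long started = strtol(ts, &end, 10);
    if (end == ts || *end != '\0') return 0;       /* not a number */
    if (started < 0 || started > now) return 0;    /* negative or in the future */
    return now - started < MAX_AGE_SECONDS;
}

static enum stage decide_stage(int being_debugged, const char *cmdline, long now)
{
    if (being_debugged) return STAGE_RUN_PROTECTED;
    return params_valid(cmdline, now) ? STAGE_SPAWN_DEBUGGER : STAGE_RELAUNCH_SELF;
}

int main(void)
{
    char cmd[128];
    build_relaunch("app.exe", 1000, cmd, sizeof cmd);   /* constructed sample */
    printf("%s -> stage %d\n", cmd, decide_stage(0, cmd, 1002));
    return 0;
}
```

In this model a stale or malformed parameter tail never reaches the debugger-creation stage; it only sends the process back to the relaunch stage.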
CN2013100669459A 2013-03-01 2013-03-01 Double-process protection method for executable files of Windows platform Pending CN103116714A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013100669459A CN103116714A (en) 2013-03-01 2013-03-01 Double-process protection method for executable files of Windows platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2013100669459A CN103116714A (en) 2013-03-01 2013-03-01 Double-process protection method for executable files of Windows platform

Publications (1)

Publication Number Publication Date
CN103116714A true CN103116714A (en) 2013-05-22

Family

ID=48415087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2013100669459A Pending CN103116714A (en) 2013-03-01 2013-03-01 Double-process protection method for executable files of Windows platform

Country Status (1)

Country Link
CN (1) CN103116714A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105512548A (en) * 2015-12-02 2016-04-20 湘潭大学 Method for protecting mirror image codes based on executable mirror image hiding and dll injection
CN105653908A (en) * 2015-12-31 2016-06-08 西北大学 Implicit anti-debugging protection method
CN106021106A (en) * 2016-05-19 2016-10-12 北京金山安全软件有限公司 Process control method and user terminal
CN106055934A (en) * 2016-05-19 2016-10-26 福建创意嘉和软件有限公司 Method and device for code protection based on VEH
CN106055935A (en) * 2016-05-19 2016-10-26 北京金山安全软件有限公司 Process control method and device and electronic equipment
CN108287769A (en) * 2018-02-28 2018-07-17 腾讯科技(深圳)有限公司 A kind of information processing method and device
CN111814119A (en) * 2020-05-27 2020-10-23 广州锦行网络科技有限公司 Anti-debugging method
CN114816546A (en) * 2022-04-28 2022-07-29 合肥高维数据技术有限公司 Client application program multi-keep-alive method and system
CN112052165B (en) * 2020-08-21 2024-04-26 北京智游网安科技有限公司 Method, system and storage medium for detecting target function debugged

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6874087B1 (en) * 1999-07-13 2005-03-29 International Business Machines Corporation Integrity checking an executable module and associated protected service provider module
CN1842767A (en) * 2003-06-26 2006-10-04 微软公司 An intermediate representation for multiple exception handling models
CN101136049A (en) * 2006-09-01 2008-03-05 富士施乐株式会社 Information processing system, information processing method, information processing program, computer readable medium and computer data signal
CN101458630A (en) * 2008-12-30 2009-06-17 中国科学院软件研究所 Self-modifying code identification method based on hardware emulator

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
马金鑫 等: "基于Windows环境下的进程保护技术的研究与实现", 《计算机应用与软件》, vol. 27, no. 3, 31 March 2010 (2010-03-31) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105512548A (en) * 2015-12-02 2016-04-20 湘潭大学 Method for protecting mirror image codes based on executable mirror image hiding and dll injection
CN105653908A (en) * 2015-12-31 2016-06-08 西北大学 Implicit anti-debugging protection method
CN105653908B (en) * 2015-12-31 2018-12-25 西北大学 A kind of implicit anti-debug guard method
CN106055934A (en) * 2016-05-19 2016-10-26 福建创意嘉和软件有限公司 Method and device for code protection based on VEH
CN106055935A (en) * 2016-05-19 2016-10-26 北京金山安全软件有限公司 Process control method and device and electronic equipment
CN106021106A (en) * 2016-05-19 2016-10-12 北京金山安全软件有限公司 Process control method and user terminal
CN106055934B (en) * 2016-05-19 2019-04-02 福州利倍得网络技术有限公司 A kind of code protection method and device based on VEH
CN106021106B (en) * 2016-05-19 2019-05-28 珠海豹趣科技有限公司 A kind of course control method and user terminal
CN108287769A (en) * 2018-02-28 2018-07-17 腾讯科技(深圳)有限公司 A kind of information processing method and device
CN108287769B (en) * 2018-02-28 2021-07-02 腾讯科技(深圳)有限公司 Information processing method and device
CN111814119A (en) * 2020-05-27 2020-10-23 广州锦行网络科技有限公司 Anti-debugging method
CN111814119B (en) * 2020-05-27 2021-03-19 广州锦行网络科技有限公司 Anti-debugging method
CN112052165B (en) * 2020-08-21 2024-04-26 北京智游网安科技有限公司 Method, system and storage medium for detecting target function debugged
CN114816546A (en) * 2022-04-28 2022-07-29 合肥高维数据技术有限公司 Client application program multi-keep-alive method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20130522