CN103116714A - Double-process protection method for executable files of Windows platform - Google Patents


Info

Publication number: CN103116714A
Authority: CN (China)
Application number: CN2013100669459A
Original language: Chinese (zh)
Inventor: 郑子琛
Original assignee: 中标软件有限公司
Prior art keywords: target, process, debugger, target process, debug


Abstract

The invention discloses a double-process protection method for executable files on the Windows platform. The method comprises: starting a user's target program in response to a user operation, thereby generating a target process; the target process determining whether it is currently being debugged; and, if it is not, the target process triggering a debugger, which restarts the target process in debug mode. Because the process of the user's target program is restarted by a debugger that the program's own process triggered, the target program can be effectively protected against cracking.

Description

A double-process protection method for executable files on the Windows platform

Technical Field

[0001] The present invention relates to the field of software anti-cracking protection, and in particular to a double-process protection method for executable files on the Windows platform.

Background

[0002] Software piracy has attracted the close attention of governments worldwide. The most basic technical means of pirating software is reverse engineering: understanding the program and then illegally modifying it so as to remove its protection. Increasingly rampant piracy has seriously disrupted the software market and seriously damaged the interests of software vendors.

[0003] More alarming than piracy is reverse analysis. Experience suggests that a skilled reverse engineer can recover about 1000 lines of C++ per day. That is, software that took years of hard work to develop can, if left unprotected, be reversed in its entirety at a rate of 1000 lines a day. The problem is especially acute for device drivers: a driver is small and dense, concentrating a great deal of core technology in a file of only a few tens of KB, so its entire source can be recovered in a matter of days. Shortly after your software is released, countless products with the same functionality appear, and your competitive advantage is gone.

[0004] This shows the importance of software protection. Because software protection (software "encryption" in the cracking community's usage) is an adversarial technique, its developers need some knowledge of the cracking side. Material on software protection is relatively scarce, however, so most developers of protection schemes are unfamiliar with how protections are broken, and schemes built at great expense collapse at the first attack. Dedicated protection tools arose so that developers could leave protection to a specialist product and concentrate on their own software. The scheme proposed in this application is a software protection scheme of that kind, intended for use in a dedicated protection tool.

[0005] Packing ("shell") technology was the earliest dedicated protection technique. The great majority of software one encounters today is protected by a packer, and packing remains the most popular protection technique. Well-known commercial packers include ASProtect, Armadillo and EXECryptor.

[0006] ASProtect, for example, is a powerful protector for Win32 programs, offering compression, encryption, anti-tracing code, CRC checks, junk instructions and many other measures. It uses strong ciphers such as Blowfish, Twofish and TEA, with RSA-1024 for its registration-key generator. It also communicates with the packed program through API hooks, and provides an SDK (supporting VC, VB and others) so that protection inside and outside the program can be combined.

[0007] Armadillo is a widely used commercial protector that, besides protection, can add restrictions such as time limits, run counts and splash screens to your software. Its characteristic feature is double-process protection: at packing time it scans the program and replaces marked jump instructions with int3 instructions. At run time the protecting process intercepts each int3, substitutes the jump's destination address, returns control to the protected process, and the protected process continues running.

[0008] EXECryptor is a commercial protector that can add registration, time limits, usage counts and similar features to the target software. It is known for its strong anti-debug functionality.

[0009] In software protected by a packer there is a clear boundary between the packer stub and the decrypted original program. A cracker can set a breakpoint at that boundary, wait for the packer to finish decrypting itself, dump the process memory and rebuild the exe file from the dump, defeating the protection. [0010] Other existing double-process protectors only protect the unpacking stage, not the whole run of the program, so they too have a clear boundary between unpacking and normal execution and share the same weakness as traditional packers.

[0011] There is also virtual-machine (VM) protection. Unlike a virtual machine in the usual sense, VM protection is closer to P-code: a sequence of instructions is translated into bytecode that is executed by an interpreter engine, so that the software is protected. A debugger tracing into the VM has great difficulty understanding the original instructions; to understand the program flow one must analyse the VM engine in depth and fully recover the mapping between the P-code and the original code, and the complexity of that can be imagined. VMProtect is a well-known VM protector that provides its protection through an SDK for developers. VM protection, exemplified by VMProtect, has become the most secure protection method available today. As VM protection has matured, many packer-based products have also turned to VM protection, and the packers listed above now all include VM protection to some degree.

[0012] VM protection thus does well on security, but its performance cost is excessive, which limits its widespread use. VM protection trades efficiency for security: a single original assembly instruction can expand tens or even hundreds of times after VM processing, and execution efficiency drops sharply. For this reason VM protection is generally offered in SDK form, and it is unsuitable for programs with high performance requirements.

Summary of the Invention

[0013] One technical problem the present invention addresses is the need for a double-process protection method for Windows executable files that resists cracking better.

[0014] To solve the above problem, the present invention provides a double-process protection method for executable files on the Windows platform, comprising:

[0015] starting a user's target program in response to a user operation, thereby generating a target process;

[0016] the target process determining whether it is itself being debugged;

[0017] if it is not, triggering a debugger from the target process, and the debugger restarting the target process in debug mode.

[0018] The step of triggering a debugger process from the target process and the debugger restarting the target process in debug mode comprises:

[0019] the target process determining whether its launch parameters satisfy a set condition;

[0020] if they do not, the target process restarts the user's target program to generate a new target process and then exits; the new target process then spawns the debugger and exits; and the debugger restarts the user's target program in debug mode, generating a target process that is in the debugged state.

[0021] The step in which the target process restarts the user's target program to generate a new target process and then exits further comprises: the target process invokes its SEH exception handler, which uses self-modifying code to modify the code of the filter handler so that the filter handler is able to modify the SEH exception handler, and the SEH exception handler then calls the modified filter handler; the modified filter handler uses self-modifying code to modify the code of the SEH exception handler and then calls the modified SEH exception handler; and the modified SEH exception handler restarts the user's target program to generate the new target process.

[0022] The processing in which the target process restarts the user's target program to generate the new target process comprises: the target process appends a magic number and the current system time to the end of the WinExec command line with which it restarts the user's target program, generating the new target process.

[0023] The step of triggering a debugger process from the target process and the debugger restarting the target process in debug mode comprises: the target process determining whether its launch parameters satisfy the set condition; if they do, the target process spawns the debugger and exits, and the debugger restarts the user's target program in debug mode, generating a target process that is in the debugged state.

[0024] The step of the target process determining whether its launch parameters satisfy the set condition comprises: the target process making that determination inside an SEH exception handler.

[0025] Further, the set condition is that the target process's launch parameters include the magic number and the target process's start time, and that the interval between that start time and the previous start of the target process is shorter than a preset duration.

[0026] The step of the target process spawning the debugger and exiting comprises: the target process creating the debugger by remote thread injection and then exiting.

[0027] The step of the target process creating the debugger by remote thread injection and then exiting further comprises: the target process overwrites the code of the filter exception handler with the code to be injected remotely; the SEH exception handler passes the exception down the chain until the filter exception handler is called; and the filter exception handler creates the debugger by remote thread injection.

[0028] The step of the debugger restarting the target process in debug mode comprises: the debugger starts the target process with the CreateProcess function, specifying the DEBUG_PROCESS flag.

[0029] Compared with the prior art, one or more embodiments of the invention have the following advantage: because the user's target program is restarted by a debugger that the target program's own process triggered, the target program is better protected against cracking.

[0030] Other features and advantages of the invention are set forth in the description that follows, and are in part apparent from the description or learned by practising the invention. The objects and other advantages of the invention are realised and attained by the structures particularly pointed out in the description, the claims and the drawings.

Brief Description of the Drawings

[0031] The drawings provide a further understanding of the invention and form part of this specification; together with the embodiments they serve to explain the invention and do not limit it. In the drawings:

[0032] FIG. 1 is a flow chart of the double-process protection method for Windows executable files according to embodiment one of the invention;

[0033] FIG. 2 is a flow chart of the sub-steps of step S130 in FIG. 1.

Detailed Description

[0034] Embodiments of the invention are described in detail below with reference to the drawings and examples, so that the way in which the invention applies technical means to solve the technical problem and achieve its technical effect can be fully understood and practised. Provided they do not conflict, the embodiments of the invention and the individual features of each embodiment may be combined with one another, and the resulting technical solutions all fall within the scope of the invention.

[0035] The steps shown in the flow charts may be executed in a computer system as a set of computer-executable instructions, and although the flow charts show a logical order, in some cases the steps shown or described may be performed in a different order. [0036] The conventional approach is to pack or encrypt the code so that a debugger cannot read the real code. As noted above, however, both packing and encryption have their limitations.

[0037] The x86 protection model on which Windows runs has four privilege levels, ring 0 to ring 3; ring 0 is the innermost and most privileged (the kernel) and ring 3 the outermost (user mode). The debugger referred to above can be a simplified ring-3 debugger that starts a target program in the debugged state, receives the debug events the program generates, and handles them accordingly.

[0038] The inventor observed that on Windows the relationship between a ring-3 debugger and its debuggee is one-to-one: a process can have only one debugger. Since the basic means of cracking a program is dynamic analysis, that is, debugging, the following approach was devised: if a debugger is proactively attached to the user's target process in advance, no other debugger can attach, which serves as anti-debugging. The invention attaches such a ring-3 debugger in advance. In addition, the debugger can take over some or all of the code decompression and transformation, and can monitor and control the target process in real time, which makes the anti-cracking method of the invention more flexible and greatly increases the difficulty of cracking the executable. "Cracking" here mainly means defeating the copyright protection of software (an executable program) and deciphering its code.

[0039] Embodiment one

[0040] Embodiment one is described with reference to FIG. 1, which is a flow chart of the double-process protection method for Windows executable files according to embodiment one of the invention.

[0041] Step S110: the user's target program is started in response to a user operation, generating a target process.

[0042] Step S120: the target process determines whether it is itself being debugged.

[0043] Step S130: if the determination is negative, the target process triggers a debugger and the debugger restarts the target process in debug mode; the debugger can do so with the CreateProcess function, specifying the DEBUG_PROCESS flag. If the determination is positive, the method proceeds to step S140 and the subsequent program code executes.

[0044] Step S140: the target program executes its subsequent code to carry out the functions the user wants.

[0045] In this way a third party is prevented from starting a debugger against the target process, which achieves the anti-cracking purpose.
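The protecting debugger that steps S130 and S134 describe, written out as an added example in C; it is not the patent's code. The CreateProcess/WaitForDebugEvent loop compiles only on Windows, while the decision of how to answer each debug event is kept in a small portable function so that the policy can be read and tested on its own. The command-line handling, the exit-code plumbing and the DebuggerState type are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Values copied from the Windows SDK headers so that the policy function
 * below builds and can be exercised on a non-Windows host. */
#define EXCEPTION_DEBUG_EVENT        1
#define CREATE_PROCESS_DEBUG_EVENT   3
#define EXIT_PROCESS_DEBUG_EVENT     5
#define LOAD_DLL_DEBUG_EVENT         6
#define EXCEPTION_BREAKPOINT         0x80000003UL
#define DBG_CONTINUE                 0x00010002UL
#define DBG_EXCEPTION_NOT_HANDLED    0x80010001UL
#endif

typedef struct {
    int seen_initial_breakpoint;   /* ntdll's one-time startup breakpoint already answered */
} DebuggerState;

/* Decide how to answer an EXCEPTION_DEBUG_EVENT.
 * The very first breakpoint is raised by ntdll while the new process initialises and
 * must be swallowed with DBG_CONTINUE, otherwise the debuggee never gets going.
 * Every later exception is returned to the debuggee with DBG_EXCEPTION_NOT_HANDLED,
 * so that the debuggee's own SEH handlers (which this method relies on) still run;
 * a debugger that answered DBG_CONTINUE to everything would silently break them. */
unsigned long decide_continue(DebuggerState *st, unsigned long exception_code, int first_chance)
{
    if (exception_code == (unsigned long)EXCEPTION_BREAKPOINT && first_chance &&
        !st->seen_initial_breakpoint) {
        st->seen_initial_breakpoint = 1;
        return (unsigned long)DBG_CONTINUE;
    }
    return (unsigned long)DBG_EXCEPTION_NOT_HANDLED;
}

#ifdef _WIN32
/* Step S134 in code: start `cmdline` with DEBUG_PROCESS and pump its debug events
 * until the debuggee exits. Returns the debuggee's exit code, or -1 on failure. */
int run_under_debugger(const char *cmdline)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    DEBUG_EVENT ev;
    DebuggerState st = {0};
    DWORD exit_code = (DWORD)-1;
    char *cmd = _strdup(cmdline);          /* CreateProcessA may write into the buffer */
    if (!cmd) return -1;

    memset(&si, 0, sizeof si);
    si.cb = sizeof si;
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, &si, &pi)) {
        free(cmd);
        return -1;
    }
    free(cmd);

    for (;;) {
        DWORD status = DBG_CONTINUE;
        if (!WaitForDebugEvent(&ev, INFINITE)) break;

        switch (ev.dwDebugEventCode) {
        case EXCEPTION_DEBUG_EVENT:
            status = decide_continue(&st, ev.u.Exception.ExceptionRecord.ExceptionCode,
                                     ev.u.Exception.dwFirstChance != 0);
            break;
        case CREATE_PROCESS_DEBUG_EVENT:   /* the kernel hands us file handles; close them */
            if (ev.u.CreateProcessInfo.hFile) CloseHandle(ev.u.CreateProcessInfo.hFile);
            break;
        case LOAD_DLL_DEBUG_EVENT:
            if (ev.u.LoadDll.hFile) CloseHandle(ev.u.LoadDll.hFile);
            break;
        case EXIT_PROCESS_DEBUG_EVENT:
            if (ev.dwProcessId == pi.dwProcessId) exit_code = ev.u.ExitProcess.dwExitCode;
            break;
        default:
            break;
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT && ev.dwProcessId == pi.dwProcessId)
            break;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return (int)exit_code;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s \"<target command line>\"\n", argv[0]);
        return 2;
    }
    return run_under_debugger(argv[1]);
}
#endif
```

Two caveats belong next to this. First, a debuggee is killed when its debugger exits (the default DebugSetProcessKillOnExit behaviour), so the debugger process is both a single point of failure and the obvious thing to attack, which is why the patent goes on to hide it inside another process. Second, step S120 as described accepts any debugger: a target that finds itself already debugged proceeds straight to S140, so an attacker who starts the program from a debugger of their own never triggers S130 at all. Closing that gap needs the target to verify that its debugger is the expected one, for instance by checking a secret the two sides agree at launch; the patent does not describe such a check.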

[0046] In step S110 the user may double-click the target program, causing the Windows operating system (in this invention a system with the Windows operating system installed is called a Windows platform) to start the program's process, that is, the target process.

[0047] In step S130, the processing in which the target process triggers a debugger process and the triggered debugger restarts the target process in debug mode further comprises (see FIG. 2):

[0048] Step S131: the target process determines whether its launch parameters satisfy the set condition; if not, proceed to sub-step S132, otherwise to sub-step S133.

[0049] Sub-step S132: the target process restarts the user's target program to generate a new target process and exits; the new process proceeds to sub-step S133;

[0050] Sub-step S133: the target process spawns the debugger and exits; proceed to sub-step S134;

[0051] Sub-step S134: the debugger restarts the user's target program in debug mode, generating a target process in the debugged state.

[0052] Preferably, the set condition is that the target process's launch parameters include a magic number and the target process's start time, and that the interval between that start time and the previous start of the target process is shorter than a preset duration. Having a target process whose parameters do not meet the condition restart the target program itself, generate a new target process and exit raises a further obstacle to cracking the program. Accordingly, the target process can restart the user's target program by appending the magic number and the current system time to the end of the WinExec command line, generating the new target process.

[0053] The set condition may also take many other forms; for example, it may simply require that the parameters contain the magic number and the total running time of the previous instance of the target process, as long as it raises some obstacle to cracking the program.

[0054] Further, the target process makes the determination of whether its launch parameters satisfy the set condition inside an SEH exception handler.
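The launch-parameter check of sub-steps S131 and S132 and of [0052], as an added example in C; this is not the patent's own code. The magic value 0x5A4D2013, the five-second window, the command-line layout "<exe> <magic> <unix-time>" and all function names are assumptions: the patent specifies only that a magic number and the current system time are appended to the WinExec command line and that the interval since the previous start must be below a preset duration. Parsing and validation are portable; the relaunch, the IsDebuggerPresent probe and the SEH-framed variant of [0054] need Windows, and the SEH variant additionally needs MSVC's __try/__except.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define LAUNCH_MAGIC        0x5A4D2013UL   /* assumed value; the patent does not give one */
#define MAX_RELAUNCH_AGE_S  5              /* assumed "preset duration", in seconds */

/* Build the relaunch command line "<exe> <magic-hex> <unix-time>" that the previous
 * instance hands to WinExec ([0052]). Returns 1 on success, 0 if `out` is too small. */
int build_relaunch_cmdline(char *out, size_t outlen, const char *exe_path, uint64_t now)
{
    int n = snprintf(out, outlen, "\"%s\" %08lX %llu", exe_path,
                     (unsigned long)LAUNCH_MAGIC, (unsigned long long)now);
    return n > 0 && (size_t)n < outlen;
}

/* Step S131: validate the last two tokens of `cmdline`. Returns 1 only if the magic
 * matches and the time stamp is not in the future and younger than MAX_RELAUNCH_AGE_S;
 * missing tokens, a wrong magic or a stale stamp all return 0. */
int launch_params_ok(const char *cmdline, uint64_t now)
{
    const char *stamp = strrchr(cmdline, ' ');
    if (!stamp || stamp == cmdline) return 0;
    const char *magic_end = stamp;
    stamp++;

    const char *magic = magic_end;
    while (magic > cmdline && magic[-1] != ' ') magic--;
    if (magic == cmdline) return 0;              /* nothing before the magic: no program name */

    char *end;
    unsigned long m = strtoul(magic, &end, 16);
    if (end != magic_end || m != LAUNCH_MAGIC) return 0;

    unsigned long long t = strtoull(stamp, &end, 10);
    if (*stamp == '\0' || *end != '\0') return 0;
    if (t > now) return 0;                       /* stamp from the future: forged or clock moved */
    return (now - t) < MAX_RELAUNCH_AGE_S;
}

#ifdef _WIN32
#include <windows.h>

/* Step S120: the simplest "am I being debugged" probe (PEB.BeingDebugged via kernel32). */
int target_is_debugged(void)
{
    return IsDebuggerPresent() != 0;
}

/* Sub-step S132: relaunch ourselves with the magic and stamp appended, as the patent
 * does with WinExec; the new instance reads them back from GetCommandLineA(). */
int relaunch_self(void)
{
    char exe[MAX_PATH], cmd[MAX_PATH + 64];
    if (!GetModuleFileNameA(NULL, exe, sizeof exe)) return 0;
    if (!build_relaunch_cmdline(cmd, sizeof cmd, exe, (uint64_t)time(NULL))) return 0;
    return WinExec(cmd, SW_SHOWNORMAL) > 31;    /* WinExec reports success as a value above 31 */
}

#ifdef _MSC_VER
static int params_filter(unsigned long code, int *ok)
{
    if (code != EXCEPTION_BREAKPOINT) return EXCEPTION_CONTINUE_SEARCH;
    *ok = launch_params_ok(GetCommandLineA(), (uint64_t)time(NULL));
    return EXCEPTION_EXECUTE_HANDLER;
}

/* [0054]: do the check from inside an SEH frame. The frame is entered by raising a
 * breakpoint exception; a foreign debugger sees that first-chance exception before
 * the process does, and if it swallows it the filter never runs and `ok` stays 0. */
int launch_params_ok_via_seh(void)
{
    int ok = 0;
    __try {
        __debugbreak();
    } __except (params_filter(GetExceptionCode(), &ok)) {
        /* verdict already recorded by the filter */
    }
    return ok;
}
#endif
#endif
```

The check itself is only an obstacle, as [0052] says: the magic and the format are both readable in the binary, so anyone can forge a valid command line. What the SEH variant adds is the property [0083] relies on: the breakpoint that enters the filter is delivered to an attached debugger first, and a debugger that continues it with DBG_CONTINUE leaves `ok` at 0. That also means the check has to run before the program's own debugger is attached, which is the order of steps S120 to S134.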

[0055] SEH (Structured Exception Handling) is the exception handling mechanism of the Windows operating system. SEH is thread-based: each thread can install multiple SEH exception handling routines. Because SEH is tied to the hardware platform, its internal details are not officially documented by Windows, yet SEH is widely used in many languages.

Windows defines a Thread Information Block (TIB) for each thread, which holds some of the thread's attribute data. Its structure is defined as follows:

    NT_TIB STRUCT
        ExceptionList         DWORD ?
        StackBase             DWORD ?
        StackLimit            DWORD ?
        SubSystemTib          DWORD ?
        FiberData             DWORD ?
        ArbitraryUserPointer  DWORD ?
        Self                  DWORD ?
    NT_TIB ENDS

[0064] The ExceptionList field points to an EXCEPTION_REGISTRATION structure, defined as follows:

    EXCEPTION_REGISTRATION STRUCT
        prev     DWORD ?
        handler  DWORD ?
    EXCEPTION_REGISTRATION ENDS

[0069] When an exception occurs, the system takes the ExceptionList field from the TIB, reads the handler field of the structure it points to, and calls the exception handler at that address. To install your own exception handler you only need to build a new EXCEPTION_REGISTRATION structure, point its prev field at the current EXCEPTION_REGISTRATION structure, and update the ExceptionList pointer in the TIB. The TIB is addressed through the fs segment register, so the structure can be reached via fs:[0]. A new SEH exception handler can be installed with the following code:

    push offset _ProcCallback
    push fs:[0]
    mov  fs:[0], esp

[0073] An SEH exception handler can be removed with the following code:

    pop  fs:[0]
    pop  eax

[0076] When an exception occurs, Windows calls the exception handler with the following parameters:

    _ProcCallback proc C _lpExceptionRecord, \
                         _lpSEH, \
                         _lpContext, \
                         _lpDispatcherContext

[0081] _lpExceptionRecord points to an EXCEPTION_RECORD structure, _lpSEH points to the EXCEPTION_REGISTRATION structure that was used when the callback was registered, and _lpContext points to a CONTEXT structure.

[0082] After handling the exception, the function can return one of four values. On ExceptionContinueExecution the system restores the CONTEXT structure and resumes execution; on ExceptionContinueSearch the system obtains the address of the previous SEH callback from the prev field of the EXCEPTION_REGISTRATION structure and calls it; ExceptionNestedException indicates that a new exception occurred inside the exception handling callback; and ExceptionCollidedUnwind indicates that an unwind operation occurred.
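A software model of the chain walk described from [0055] to [0082], added here as an example; it is not the patent's code and not the real ntdll dispatcher, and it exists so that the push/pop and prev-chaining rules can be run and checked on any host. The types ending in M are the model's own reduced versions of EXCEPTION_REGISTRATION, EXCEPTION_RECORD and CONTEXT, a file-scope pointer stands in for TIB.ExceptionList (fs:[0]), the STATUS_* values are the real NTSTATUS codes, and the resume addresses 0x00401100 and 0x00401200 are constructed.

```c
#include <stddef.h>

#define STATUS_BREAKPOINT        0x80000003UL
#define STATUS_ACCESS_VIOLATION  0xC0000005UL

/* The four return values of [0082], with the numeric values the Windows SDK uses. */
typedef enum {
    ExceptionContinueExecution = 0,
    ExceptionContinueSearch    = 1,
    ExceptionNestedException   = 2,
    ExceptionCollidedUnwind    = 3
} DispositionM;

typedef struct { unsigned long code; } ExceptionRecordM;   /* EXCEPTION_RECORD, reduced */
typedef struct { unsigned long eip;  } ContextM;           /* CONTEXT, reduced          */

typedef struct RegistrationM RegistrationM;                /* EXCEPTION_REGISTRATION    */
typedef DispositionM (*HandlerM)(ExceptionRecordM *, RegistrationM *, ContextM *, void *);
struct RegistrationM { RegistrationM *prev; HandlerM handler; };

static RegistrationM *g_exception_list = NULL;   /* stands in for fs:[0] / TIB.ExceptionList */

/* Mirrors "push offset handler / push fs:[0] / mov fs:[0], esp" from [0070]. */
void seh_push(RegistrationM *frame, HandlerM handler)
{
    frame->handler = handler;
    frame->prev = g_exception_list;
    g_exception_list = frame;
}

/* Mirrors "pop fs:[0]" from [0074]. */
void seh_pop(void)
{
    if (g_exception_list) g_exception_list = g_exception_list->prev;
}

/* Walk the chain from the newest frame outward, as [0069] and [0082] describe.
 * Returns the number of handlers consulted and sets *resumed when one of them
 * returned ExceptionContinueExecution. A frame returning ExceptionContinueSearch
 * hands the exception to the frame in its prev field; running off the end is the
 * "unhandled" case that, on real Windows, reaches the process-wide filter installed
 * with SetUnhandledExceptionFilter. */
int dispatch_exception(ExceptionRecordM *rec, ContextM *ctx, int *resumed)
{
    int visited = 0;
    *resumed = 0;
    for (RegistrationM *f = g_exception_list; f != NULL; f = f->prev) {
        visited++;
        DispositionM d = f->handler(rec, f, ctx, NULL);
        if (d == ExceptionContinueExecution) { *resumed = 1; break; }
        if (d != ExceptionContinueSearch) break;   /* nested / collided unwind: not modelled */
    }
    return visited;
}

/* Two sample handlers: the inner one only knows access violations, the outer one only
 * breakpoints. Each "repairs" the fault by moving eip to a constructed resume address. */
static DispositionM inner_handler(ExceptionRecordM *rec, RegistrationM *self, ContextM *ctx, void *dc)
{
    (void)self; (void)dc;
    if (rec->code != STATUS_ACCESS_VIOLATION) return ExceptionContinueSearch;
    ctx->eip = 0x00401100UL;
    return ExceptionContinueExecution;
}

static DispositionM outer_handler(ExceptionRecordM *rec, RegistrationM *self, ContextM *ctx, void *dc)
{
    (void)self; (void)dc;
    if (rec->code != STATUS_BREAKPOINT) return ExceptionContinueSearch;
    ctx->eip = 0x00401200UL;
    return ExceptionContinueExecution;
}

/* Install outer then inner (so inner is newest), raise `code`, then unwind both frames.
 * Returns the number of handlers consulted; *resumed and *eip report the outcome. */
int raise_in_model(unsigned long code, int *resumed, unsigned long *eip)
{
    RegistrationM outer, inner;
    ExceptionRecordM rec = { code };
    ContextM ctx = { 0x00401000UL };
    seh_push(&outer, outer_handler);
    seh_push(&inner, inner_handler);
    int visited = dispatch_exception(&rec, &ctx, resumed);
    seh_pop();
    seh_pop();
    *eip = ctx.eip;
    return visited;
}
```

On a real 32-bit Windows process the sequence from [0070] does what seh_push does here, and a handler that returns ExceptionContinueSearch is followed by the frame in its prev field exactly as in dispatch_exception. One caveat for anyone reproducing the hand-rolled registration: images linked with /SAFESEH only accept handlers listed in the image's SafeSEH table, so a handler whose address is not in that table, including one sitting in dynamically allocated memory, is refused by the dispatcher.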

[0083] SEH exception handlers are normally used only to handle program faults; the invention instead places the anti-cracking check of whether the launch parameters satisfy the set condition inside the exception handler, which further strengthens the program against cracking. Moreover, if a third-party debugger is attached in an attempt to crack the target process, then when the target process raises the exception the third-party debugger cannot carry out the functionality that this embodiment places in the exception handler, so the target process's subsequent operations cannot be started; this obstructs the third-party debugger's cracking attempt.

[0084] Further, the processing in which the target process restarts the user's target program to generate a new target process and then exits may comprise: the target process calls the SEH exception handler, which uses self-modifying code to modify the code of the filter handler so that the filter handler is able to modify the SEH exception handler, and the SEH exception handler then calls the modified filter handler; the modified filter handler uses self-modifying code to modify the code of the SEH exception handler and then calls the modified SEH exception handler; and the modified SEH exception handler restarts the user's target program to generate the new target process. This further strengthens the program against cracking.

[0085] In addition, in the processing in which the new target process spawns the debugger and exits, the target process may create the debugger by remote thread injection. In other words, to protect the debugger's process as well, the invention injects the process acting as the debugger, as a remote thread, into a system process such as Windows Explorer, both hiding the debugger process and hindering attempts to attach a debugger to it.

[0086] This requires the following APIs: VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. First, VirtualAllocEx is called to allocate a block of memory in the address space of the target process; the block must be large enough to hold the thread's code and data, and its protection should be PAGE_EXECUTE_READWRITE. WriteProcessMemory is then called to copy the debugger's code and data into the block just allocated, and CreateRemoteThread is called to create the remote thread and start it executing.

[0087] A program injected into another process in this manner is a thread belonging to that process; no new process is created at any point, which achieves the goal of hiding the debugger process.

[0088] A concrete implementation of the remote thread still faces some technical problems, chiefly code relocation and API import.

[0089] The code relocation problem can be illustrated by the following code fragment:

[0090] dwVar dd ?
[0091] ...
[0092] mov eax, dwVar
[0093] ...

[0094] After this code is compiled, it looks like this in the disassembly:

[0095] ...
[0096] A1 00204000    mov eax, dword ptr [00402000]

[0097] Because the compiled machine instruction contains an absolute address, the global variable dwVar cannot be accessed correctly unless it sits at a fixed address in the target process's address space. Since the code used for remote injection is allocated dynamically with VirtualAllocEx, there is no guarantee that the address of dwVar is the same for any given injection into any target process; in other words, the variable cannot be accessed the way a global variable normally is. More generally, as long as the compiled machine instructions operate on an absolute memory address, that whole block of code cannot be freely injected into another process.

[0098] To solve this problem, every absolute address can be turned into a dynamically computed address. The following code is the most common way of solving the self-location problem:

[0099] dwVar dd ?
[0100] ...
[0101] call label
[0102] label:
[0103] pop ebx
[0104] sub ebx, offset label
[0105] ...
[0106] mov eax, dword ptr [ebx+offset dwVar]

[0107] As long as ebx is not used for any other purpose while the program runs, every absolute address in the program can be corrected through ebx, which solves the relocation problem.

[0108] Further, the processing in which the target process generates the debugger by remote thread injection may further include: the target process overwrites the code of the filter exception handler with the remote-injection code; the SEH exception handler passes the exception down until the filter exception handler is called; the filter exception handler generates the debugger by way of remote thread injection. For reasons similar to those given above, since the SEH exception handler is normally used only to handle ordinary program exceptions, this further increases the program's resistance to cracking.
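As an added defensive example that is not part of the patent, the following Python flags the remote-thread injection pattern of [0085]-[0087] and [0108] over constructed Sysmon-style CreateRemoteThread (Event ID 8) records; the list of system processes, the trusted source directories and the severity levels are assumptions made here.

```python
# Rules are constructed here for illustration, not taken from the patent:
# a thread created in a system process such as explorer.exe by an untrusted
# source, or a thread whose start address lies in memory not backed by any
# loaded module (as with code copied into a VirtualAllocEx block), is flagged.
SYSTEM_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe"}  # assumed list
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_event(text):
    """Parse a Sysmon-style 'Key: Value' record using Event ID 8 field names."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "source": fields["SourceImage"],
        "target": fields["TargetImage"],
        "start_module": fields.get("StartModule", ""),  # empty = unbacked memory
        "start_address": int(fields["StartAddress"], 16),
    }

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return 'high', 'medium' or None for one CreateRemoteThread event."""
    untrusted_source = not ev["source"].lower().startswith(TRUSTED_SOURCE_DIRS)
    system_target = basename(ev["target"]) in SYSTEM_TARGETS
    unbacked_start = ev["start_module"] == ""
    if system_target and untrusted_source and unbacked_start:
        return "high"  # the full pattern described in the text
    if (system_target and untrusted_source) or unbacked_start:
        return "medium"
    return None

def detect(records):
    """Return (source, target, severity) for each record that is not benign."""
    hits = []
    for rec in records:
        ev = parse_event(rec)
        sev = classify(ev)
        if sev:
            hits.append((ev["source"], ev["target"], sev))
    return hits

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    "SourceImage: C:\\Users\\u\\target.exe\nTargetImage: C:\\Windows\\explorer.exe\n"
    "StartAddress: 0x00AD0000\nStartModule: ",
    "SourceImage: C:\\Windows\\System32\\csrss.exe\nTargetImage: C:\\Windows\\explorer.exe\n"
    "StartAddress: 0x77A12345\nStartModule: C:\\Windows\\System32\\ntdll.dll",
    "SourceImage: C:\\Users\\u\\target.exe\nTargetImage: C:\\Windows\\explorer.exe\n"
    "StartAddress: 0x75B01234\nStartModule: C:\\Windows\\System32\\kernel32.dll",
]
```

Calling detect(SAMPLE_RECORDS) reports the first record as high (unbacked start address in explorer.exe from a user-path source) and the third as medium.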

[0109] Although embodiments of the invention are disclosed above, the content described is only an embodiment adopted to facilitate understanding of the invention and is not intended to limit it. Any person skilled in the art to which the invention belongs may make modifications and changes in the form and details of the embodiments without departing from the spirit and scope disclosed by the invention, but the scope of patent protection of the invention shall still be that defined by the appended claims.

Claims (10)

1. A double-process protection method for executable files on the Windows platform, characterized by comprising: starting a user's target program according to a user operation, generating a target process; the target process determining whether it itself is being debugged; and, if the determination is no, triggering a debugger through the target process, the debugger restarting the target process in debug mode.
2. The method according to claim 1, characterized in that the step of triggering the debugger process through the target process and the debugger restarting the target process in debug mode comprises: the target process determining whether its run parameters satisfy a set condition; if they are determined not to, the target process restarting the user's target program to generate a new target process and then exiting; the target process then generating the debugger and exiting; and the debugger restarting the user's target program in debug mode to generate a target process in the debugged state.
3. The method according to claim 2, characterized in that the step of the target process restarting the user's target program to generate the new target process and then exiting further comprises: the target process calling the SEH exception handler, which uses self-modifying code to alter the code of the filter handler so that the filter handler can modify the SEH exception handler, the SEH exception handler then calling the modified filter handler; the modified filter handler altering the code of the SEH exception handler using self-modifying code and then calling the modified SEH exception handler; and the modified SEH exception handler restarting the user's target program to generate the new target process.
4. The method according to claim 2, characterized in that the processing of the target process restarting the user's target program to generate the new target process comprises: the target process restarting the user's target program to generate the new target process by appending a magic number and the current system time to the end of the WinExec command-line parameters.
5. The method according to claim 4, characterized in that the step of triggering the debugger process through the target process and the debugger restarting the target process in debug mode comprises: the target process determining whether its run parameters satisfy the set condition; if they are determined to, the target process generating the debugger and exiting; and the debugger restarting the user's target program in debug mode to generate a target process in the debugged state.
6. The method according to any one of claims 2 to 5, characterized in that the step of the target process determining whether its run parameters satisfy the set condition comprises: the target process using the SEH exception handler to determine whether its run parameters satisfy the set condition.
7. The method according to any one of claims 2 to 5, characterized in that the set condition is that the run parameters of the target process include the magic number and the start time of the target process, and that the interval between this start time and the time the target process was last started is shorter than a preset duration.
8. The method according to any one of claims 2 to 5, characterized in that the step of the target process generating the debugger and then exiting comprises: the target process generating the debugger by way of remote thread injection and then exiting.
9. The method according to claim 8, characterized in that the step of the target process generating the debugger by way of remote thread injection and then exiting further comprises: the target process overwriting the code of the filter exception handler with the remote-injection code; the SEH exception handler passing the exception down until the filter exception handler is called; and the filter exception handler generating the debugger by way of remote thread injection.
10. The method according to claim 1, characterized in that the step of the debugger restarting the target process in debug mode comprises: the debugger starting the target process through the CreateProcess function with the DEBUG_PROCESS flag specified.
CN2013100669459A 2013-03-01 2013-03-01 Double-process protection method for executable files of Windows platform CN103116714A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013100669459A CN103116714A (en) 2013-03-01 2013-03-01 Double-process protection method for executable files of Windows platform

Publications (1)

Publication Number Publication Date
CN103116714A true CN103116714A (en) 2013-05-22

Family

ID=48415087

Country Status (1)

Country Link
CN (1) CN103116714A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6874087B1 (en) * 1999-07-13 2005-03-29 International Business Machines Corporation Integrity checking an executable module and associated protected service provider module
CN1842767A (en) * 2003-06-26 2006-10-04 微软公司 An intermediate representation for multiple exception handling models
CN101136049A (en) * 2006-09-01 2008-03-05 富士施乐株式会社 Information processing system, information processing method, information processing program, computer readable medium and computer data signal
CN101458630A (en) * 2008-12-30 2009-06-17 中国科学院软件研究所 Self-modifying code identification method based on hardware emulator

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
马金鑫 et al.: "Research and Implementation of Process Protection Technology in the Windows Environment", Computer Applications and Software, vol. 27, no. 3, 31 March 2010 (2010-03-31) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105512548A (en) * 2015-12-02 2016-04-20 湘潭大学 Method for protecting mirror image codes based on executable mirror image hiding and dll injection
CN105653908A (en) * 2015-12-31 2016-06-08 西北大学 Implicit anti-debugging protection method
CN105653908B (en) * 2015-12-31 2018-12-25 西北大学 A kind of implicit anti-debug guard method
CN106021106A (en) * 2016-05-19 2016-10-12 北京金山安全软件有限公司 Process control method and user terminal
CN106055934A (en) * 2016-05-19 2016-10-26 福建创意嘉和软件有限公司 Method and device for code protection based on VEH
CN106055935A (en) * 2016-05-19 2016-10-26 北京金山安全软件有限公司 Method, device and electronic equipment for process control
CN106055934B (en) * 2016-05-19 2019-04-02 福州利倍得网络技术有限公司 A kind of code protection method and device based on VEH

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C12 Rejection of a patent application after its publication