CN103164643A - Method and device using hardware to debug - Google Patents
Method and device using hardware to debug Download PDFInfo
- Publication number
- CN103164643A CN103164643A CN2011104097229A CN201110409722A CN103164643A CN 103164643 A CN103164643 A CN 103164643A CN 2011104097229 A CN2011104097229 A CN 2011104097229A CN 201110409722 A CN201110409722 A CN 201110409722A CN 103164643 A CN103164643 A CN 103164643A
- Authority
- CN
- China
- Prior art keywords
- software
- debugging
- hardware
- protecting equipment
- protected
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 101
- 230000008569 process Effects 0.000 claims abstract description 58
- 238000004891 communication Methods 0.000 claims description 50
- 238000012545 processing Methods 0.000 abstract description 6
- 230000006399 behavior Effects 0.000 description 48
- 230000006870 function Effects 0.000 description 25
- 238000005516 engineering process Methods 0.000 description 18
- 238000004458 analytical method Methods 0.000 description 6
- 230000008901 benefit Effects 0.000 description 3
- 238000004364 calculation method Methods 0.000 description 3
- 230000003203 everyday effect Effects 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000001902 propagating effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Landscapes
- Storage Device Security (AREA)
- Debugging And Monitoring (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a method and a device protecting software through hardware debugging and belongs to the field of software copyright protection. The device comprises a hardware processing unit relying on the outside in a debugging process. The hardware processing unit has the function of judging whether debugging software exists in the environment of protected software so as to prevent judgment logics of debugging software from being tracked and modified.
Description
Technical field
The present invention relates to software copyright copyright protection field, relate more specifically to a kind of anti-accent method and device of protecting software.
Background technology
Software due to the feature of its pure digi-tal, just suffers pirate puzzlement as a kind of special product always from appearance.Pirate existence has not only caused huge loss to the software developer, has also greatly hindered the development of whole Software Industry.Therefore, nearly all software has all taked corresponding technical measures to avoid software to be cracked and piracy, is exactly the most effectively wherein hardware based software protecting equipment technology.
Hardware based software protecting equipment is a kind ofly to be connected to the hardware device on main frame by computer interface (including but not limited to parallel port or USB interface).This device interior has nonvolatile storage space can for read-write, also have the calculation processing units such as single-chip microcomputer or little processing controls chip usually.The software developer can carry out exchanges data (namely software protecting equipment being read and write) by interface function and software protecting equipment, checks whether software protecting equipment is inserted on interface; Perhaps directly be encrypted with the subsidiary instrument of software protecting equipment.Like this, the software developer can arrange the many places software locks in software, utilizes software protecting equipment to open these locks as key; If it is not corresponding not insert software protecting equipment or software protecting equipment, software can not normally be carried out.
In addition, software protecting equipment inside comprises specific function, for example a part of storage space, some cryptographic algorithms or some user-defined algorithm or function.Before software publishing; the software developer revises the software code of oneself; make software need to use some functions of software protecting equipment inside in operational process; software will move after leaving software protecting equipment like this; and software protecting equipment is larger as the difficulty that a kind of hardware device copies, thereby plays the illegal effect of propagating of piracy software that prevents.
Software protecting equipment main on Vehicles Collected from Market comprises: the Hasp HL of the Sentinel Superpro of U.S. SafeNet company, Israel Aladdin company, deep thinking Lip river, BeiJing, China grams are according to the WIBU-Key of the crack IV at protection center, German Wi-Bu company etc.All these software protecting equipments all provide built-in storage space, privately owned or disclosed cryptographic algorithm, can call these functions and check whether belong to legal in software running process.Wherein the crack IV of Beijing ShenSiLuoKe data Protection center was in listing in 2002; be characterized in adopting the basis of intelligent card chip as hardware; and support the user that the own function that defines is written to software protecting equipment inside; even can directly the partial function of software be transplanted to software protecting equipment inside completes; thereby greatly improved the difficulty of software pirate version, the technology that usually claims this function with oneself definition or the partial function of software to be transplanted to software protecting equipment inside is that code is transplanted.The Beijing ShenSiLuoKe data Protection center is the inventor's predecessor, and present corresponding website is
Http:// www.sense.com.cn/, design parameter performance and the principle of work of the crack IV type software protecting equipment of inventor's exploitation are wherein disclosed in detail.
Along with computer technology universal with use, computer software industry develops rapidly, for the various attack of software with unauthorized uses and piracy is copied the behavior of grade and got more and more, software security becomes the key that protects the intellectual property.Present computer software is issued with the binary code form basically, the assailant usually utilizes the conversed analysis technology such as static disassembly instrument or Dynamic Debugging Tool can carry out version analysis to software and cracks, by seeking software vulnerability or extract the mode such as its core algorithm, software is altered and then stolen Software Intellectual Property Rights.Software conversed analysis technology comprises for the dis-assembling technology of software and two parts of inverse compiling technique.The dis-assembling technology is executable binary machine code dis-assembling to be become the method for substantially readable assembly language program(me) code, generally comprises static disassembly technology and dynamic dis-assembling technology.Static disassembly is the disposable assembly code that all is translated as of binary code, and when adopting this technology, the size of processing the consuming time and binary file of binary file is directly proportional.Dynamically dis-assembling is to be loaded into the binary program of disassembler by analysis, catches the operation characteristic instruction, is translated into readable assembly code.Inverse compiling technique is that the further decompiling of assembly routine is readable stronger higher-level language code.Usually (divide on narrow sense, software tamper-resistance techniques is to prevent that software is maliciously tampered, if software discovery oneself is maliciously tampered, so just carries out corresponding punitive function to adopt software tamperproof technology and the anti-debugging technique of software in prior art; The anti-debugging of software is that debugging software is detected or confuses, and makes the debugging software profiling error or can not normally move.In the broadest sense, these two kinds of technology are all a kind of strick precautions for the debugging behavior, namely anti-debugging) resist various illegal uses.
Software tamperproof technology and the anti-debugging technique of software commonly used has at present: the technology such as flower instruction, Information hiding, file verification, parent process detection, mistiming.The flower instruction technique refers to, by generating special assembly code or useless byte, makes debugged program produce incorrect assembly instruction in the time of dis-assembling.Common colored instruction technique is some jump instructions, and the target location is the centre of another instruction, just can cause confusion in dis-assembling like this.The flower instruction can utilize various jmp, call, and ret, some storehouse skills, the position computing, etc.Information Hiding Techniques refers to make the customizing messages (process or data) that comprises in a module when design and determination module, for other modules that do not need these information, is transparent.The meaning of " hiding " is, effectively modularization realizes by defining one group of separate module, these independently module only exchange each other those for the necessary information of completion system function, and those self realize details and data " are hidden ".Information hiding is that modification, test and the later maintenance of software systems all brings benefit.By Information hiding, can define and implement the process details of module and the limited-access of local data structure.
Referring to Fig. 1, a kind of realization flow of present anti-debugging technique is as follows.
Protected running software is in the middle of the system of main frame.In order whether there to be the debugging behavior in detecting system, protected software can check the process that whether has the debugging behavior when beginning to start.The method of judgement debugging behavior has a variety of, and relative merits are respectively arranged.As example, adopt the mode of judgement parent process title to judge whether debugged software debugging here.Under normal circumstances, a process (referring to the executable program that moves in system) needs its parent process to start.During such as use Windows system, double-click on the table the icon (as an example, the application program here is the QQ.exe of company of Tengxun) of application program, this moment, the QQ.exe program just can start up, but did not see parent process.When in fact double-clicking QQ.exe, just notify the Explorer.exe (can be interpreted as to narrow sense windows desktop) of Windows system will start QQ.exe, the remaining work that starts QQ.exe is all completed by Explorer.exe, that in fact start QQ.exe is Explorer.exe, and this Explorer.exe that starts QQ.exe is exactly the parent process of QQ.exe.Certainly, can also start application program by other forms, such as passing through order line.That is, carry out " RUN " by the start menu of Windows, opening input frame the inside input cmd order, and clicking and determine, at this moment will start the order line program cmd.exe of Windows.Input mspaint and click carriage return inside order line, this time, the drawing board program of Windows will start.Input clac and click carriage return in input frame in like manner, the computing machine instrument of Windows also can start, and be drawing board program and the counter instrument that starts by cmd.exe this time, and their parent process is not Explorer.exe but cmd.exe at this moment.
In the time of debugged program, normally start debugged program with debugging software, method may be different with normal startup Windows program, but be all same reason.When starting debugged program by debugging software, the parent process of the program that this is debugged is not just that Explorer.exe neither cmd.exe, but debugging software.Whether the parent process that judges a program is that parent process trusty (such as Explorer.exe, cmd.exe etc.) just can judge whether a program is debugged.If judge and do not have debugging behavior (referring to that here parent process is a process trusty) in system, continue to carry out other functional modules in protected software, continue to carry out the operation of protected software; Have debugging behavior (referring to that parent process is a fly-by-night process) if judge, protected software is no longer carried out other functional modules in protected software, no longer continues to carry out the operation of protected software, withdraws from this protected software.
But these technology have just increased the complexity of deciphering person's deciphering, even if use very complicated anti-debugging code logic or use simultaneously a plurality of anti-debugging code logics, a part (such as the top logic that judges parent process of mentioning) that is also software itself due to relevant treatment logic and the code thereof of anti-debugging, therefore fully be exposed to the environment that move among the same with software, directly face deciphering person's debugging and analysis.In case after deciphering person's Correct Analysis went out the logic of anti-debugging, deciphering person will make anti-debugging code logic lose efficacy, and makes software lose the protection of anti-debugging code logic.Add anti-debugging code logic and just increased certain difficulty to deciphering person in software, also make anti-debugging code logic itself in the face of deciphering person in protection software.All problems of easy decrypted person's destruction of software itself and anti-debugging code logic thereof have been caused like this.
Summary of the invention
In view of this, the present invention is directed to existing anti-debugging technique directly in the face of this shortcoming of deciphering person, propose a kind of technical method of realizing that utilizes the anti-debugging of hardware.By anti-debugging code logic is implanted in the software protecting equipment of computer host system outside; and then prevented that anti-debugging code logic from arbitrarily instead being debugged and arbitrarily revising; thereby improved the difficulty of deciphering person's debugging software, be convenient to software and better protected.
According to an aspect of the present invention, a kind of method that protected software is debugged of preventing by software protecting equipment is provided, described software protecting equipment is the hardware device for software protection, the interface unit that comprises micro controller unit, storage unit and be used for being connected with main frame;
Described method comprises step:
Step 1: described protected software is collected the system information about operating system environment;
Step 2: the described system information that described protected software will be collected sends to described software protecting equipment;
Step 3: after described software protecting equipment receives described system information, whether have the debugging behavior in the operating system environment that utilizes described system information to judge that described protected software moves;
Step 4: if there is the debugging behavior, described software protecting equipment forbids that described protected software normally moves.
According to an aspect of the present invention, have in described software protecting equipment:
Communication module is used for communicating by letter between described software protecting equipment and main frame;
Debugging behavior judge module is used for judging whether the operating system environment that described protected software moves exists the debugging behavior;
Hardware punishment module is used for forbidding that judging when having described debugging behavior described protected software normally moves.
According to an aspect of the present invention, before step 1, start the system information collection module in described protected software;
Described system information collection module is collected described system information about operating system environment.
According to an aspect of the present invention, the communication mode of described communication module employing comprises: serial interface communication, parallel interface communication, 1394 interface communications, radio-frequency (RF) identification interface communication, wireless lan interfaces communication, USB (universal serial bus) communication, blue tooth interface communication, infrared interface communication, Wi-Fi interface communication, ISO7816 serial communication;
The judgment mode that described debugging behavior judge module adopts comprises: whether all processes of judge parent process, the decision operation API of system, judge System Privileges, just judge window title at working procedure, searching in the environment of described protected running software have debug procedures; Search port or the field of specific process; The BeingDebuged field of the PEB of all right lookup process and the DebugPort port of process execution block EPROCESS; Debugging behavior judgment mode has a lot, mentions these above being not limited to.
The hardware payment method that described hardware punishment module adopts comprises: the hardware of the locked certain hour of the hardware of described software protecting equipment, described software protecting equipment hardware fully locked, described software protecting equipment returns to random data.
Description of drawings
Fig. 1: do not adopt the software protecting device of example, in hardware to protect the anti-schematic diagram of debugging of software in prior art.
Fig. 2: utilize the software protecting device of the example, in hardware of an embodiment according to the present invention to protect the anti-schematic diagram of debugging of software.
Embodiment
For making purpose of the present invention, technical scheme and advantage clearer, referring to the accompanying drawing embodiment that develops simultaneously, the present invention is further elaborated.
For making purpose of the present invention, technical scheme and advantage clearer, referring to the accompanying drawing embodiment that develops simultaneously, the present invention is further elaborated.
According to a specific embodiment of the present invention; software protecting equipment in the present invention (being the secure hardware in Fig. 2) is for being used for the hardware device of software copyright protection; the interface module that comprises micro controller unit (Micro Control Unit calls MCU in the following text), storer and be used for being connected with main frame.
According to a specific embodiment of the present invention, described storer is connected with MCU, is used for the data of preserving.Described storer includes but not limited to nonvolatile memory, volatile memory.
According to a specific embodiment of the present invention, described interface module is connected with MCU, is responsible for communicating by letter between MCU and main frame.Described interface module includes but not limited to serial line interface, parallel interface, 1394 interfaces, radio-frequency (RF) identification (RFID) interface, wireless lan interfaces (IEEE802.11 interface etc.), USB (universal serial bus) (USB) interface, blue tooth interface, infrared interface, Wireless Fidelity (Wi-Fi) interface, ISO 7816 serials etc.
According to a specific embodiment of the present invention, described MCU, storer, interface module also can be integrated in same chip, provide all functions by single chip.
According to a specific embodiment of the present invention, the hardware in software protecting equipment comprises: communication module, debugging behavior judge module, hardware punishment module.As a kind of embodiment, these modules are all by software code realization, are similar to the Windows system and operate on computer hardware equally, and described a plurality of modules operate on the hardware chip of encryption lock.
Certainly, those skilled in the art is according to content disclosed and instruction, can adopt other mode (including but not limited to the form of hardware, firmware, software) to realize that these modules to complete similar function, perhaps further merge, split, make up to realize similar function these modules fully.In a word, only describe core concept of the present invention and specific embodiment at this, and do not mean that enforcement of the present invention and claimed scope only are subjected to the restriction of specific embodiment.
Wherein, described communication module is used for communicating by letter between secure hardware and main frame.Communication mode includes but not limited to serial interface communication, parallel interface communication, 1394 interface communications, radio-frequency (RF) identification (RFID) interface communication, wireless lan interfaces (IEEE802.11 interface etc.) communication, USB (universal serial bus) (USB) interface communication, blue tooth interface communication, infrared interface communication, Wireless Fidelity (Wi-Fi) interface communication, ISO7816 serial communication etc.
Debugging behavior judge module is used for judging whether the environment that protected software moves exists the debugging behavior.Judgment mode include but not limited to judge parent process method, use IsDebuggerPresent API (the Windows API of system), use CheckRemoteDebuggerPresent API (the Windows API of system), judge SeDebugPrivilege (the debug privilege attribute of system) authority, just judge window title at working procedure, whether all processes of searching in the environment of protected running software have debug procedures etc.; The judgment mode that described debugging behavior judge module adopts is all right: the DebugPort port of the BeingDebuged field of the PEB of lookup process and process execution block EPROCESS, debugging behavior judgment mode has a lot, mentions these above being not limited to.。
Hardware punishment module is used for carrying out hardware punishment when there is the debugging behavior in the environment of finding protected running software.The hardware payment method include but not limited to the locked certain hour of hardware, hardware thoroughly locked, hardware return to random data etc.
The anti-debugging of hardware proposed by the invention has essential difference with existing anti-debugging technique.At first, the logic of anti-debugging has been transferred to secure hardware (being software protecting equipment) inside from protected software itself, adopts more complicated example, in hardware to protect software, is debugged by counter to prevent it.Secondly, protected software normally moves and need to depend on secure hardware, and therefore protected software and secure hardware become the computing system of an overall operation.
According to a specific embodiment of the present invention, with reference to figure 2, the scheme of software protection process and enforcement is as follows:
At first, protected running software is in the middle of the system of main frame.According to a specific embodiment of the present invention, in order whether to have the debugging behavior in detecting system, protected the software startup thread that checks the debugging behavior, i.e. " a detecting thread " in Fig. 2.According to another embodiment of the present invention, in order whether there to be the debugging behavior in detecting system, also can start a process at protected software inhouse.The purpose of startup process or thread is the one section code that starts with protected software parallel, is used for the detecting of the behavior of debugging.
Then, this thread starts " the system information collection module " in Fig. 2.This system information collection module comes institute to carry out the real-time collecting of system information with method above-mentioned, such as use IsDebuggerPresent API (the Windows API of system) above-mentioned, use CheckRemoteDebuggerPresent API (the Windows API of system), judge SeDebugPrivilege (the debug privilege attribute of system) authority, just judge window title at working procedure, whether all processes of searching in the environment of protected running software have debug procedures etc.According to a specific embodiment of the present invention, the information of collecting includes but not limited to the returning results of above-mentioned parent process title, system API IsDebuggerPresent, system SeDebugPrivilege (the debug privilege attribute of system) authority credentials, and these information are sent to secure hardware.
The communication module of secure hardware receives these real-time information, then these information are sent to debugging behavior judge module.Debugging behavior judge module to communication module send real-time information process, judge in the environment that protected software moves whether have debugging software according to predefined decision logic.As a kind of example, can the title of parent process be judged.Such as, the title of judgement parent process is Explorer.exe or cmd.exe.In addition, can also judge the rreturn value of API.Such as, the judgement API IsDebuggerPresent of system returns to TRUE or FALSE etc.Certainly, those skilled in the art is fully clear, and decision logic can adopt a variety of modes, includes but not limited to the judgement of parent process title and to the judgement of API rreturn value.
If there is debugging software, such as the title of parent process is not trusty, not namely Explorer.exe or cmd.exe, perhaps the rreturn value of the API of system IsDebuggerPresent is TRUE, debugs so the hardware punishment module that the behavior judge module just sends to judged result secure hardware.The hardware of secure hardware punishment module starts corresponding punishment, such as the secure hardware function is complete unavailable or return to random error data etc. by communication module to protected software.At this moment protected software just can not normally move, and has reached the purpose of software protection.
If there is no debugging software, the function of secure hardware is normally carried out, thereby software function is normally carried out.
After using this anti-debugging technique, the cracker can't trace into secure hardware inside, also just can't obtain the code logic of hardware inner counter debugging, thereby has protected the security of anti-debugging code logic.Even if the cracker has acquired the anti-debugging code logic of secure hardware inside, also can't change the anti-debugging code logic of hardware, thereby reached can not revising of anti-debugging code logic, so just avoid shortcoming tracked in the anti-debugging code logic of software inhouse and that revise, strengthened the safe coefficient of software.
Below in conjunction with embodiment, technology contents of the present invention is further set forth.
Embodiment 1
Utilize software protecting equipment to be encrypted protection to the desktop annoyware that moves in main frame.Wherein the desktop annoyware is protected software, utilizes simultaneously software protecting equipment that it is protected.For a person skilled in the art, the present embodiment is only for application simplified embodiment of the present invention is described.Those skilled in the art clearly knows, actual ciphering process may than this example complexity many, but it does not break away from concretism of the present invention.
According to a specific embodiment of the present invention, only reminder time of desktop annoyware is stored in the inside of secure hardware, only have one every day 15:00 carry out regular meeting and remind, the anti-debugging code logic of using in the present embodiment is the judgement parent process.The parent process title of next Windows program of normal conditions is Explorer.exe or cmd.exe, if the debugged software startup of this program, the parent process title of this program is exactly this debugging software so, such as debugging software can adopt OllyICE.exe (this software is the very conventional debugging software that the cracker uses).
The step of specific implementation is as follows:
One, determine according to the significance level of the code logic of protected software information or protected software function or the data that protected software (being the desktop annoyware) needs protection, such as reminder time every day, reminder time etc. per month.In the present embodiment will every day 15:00 meeting remind this information to be stored in secure hardware inside, its storage format is " DAY 15:00 Meeting ".That is to say, need to remind judgement when protected software the time, its reminder time must obtain from secure hardware.
Two, protected software startup and start the detecting thread (perhaps process is referring to above describing) of debugging behavior mentioned above.The system information collection module of detecting thread obtains the parent process title of protected software, and the communication module by protected software sends to secure hardware with the parent process title.Clearly, those skilled in the art can obtain the parent process title by calling corresponding system API, is not described in detail in this.
Three, after the communication module of secure hardware receives above-mentioned data, send to debugging behavior judge module.Debugging behavior judge module begins judgement according to pre-set debugging software judgement code logic.If there is debugging software to exist in the system environments of described protected software place; and be the protected software that starts by this debugging software; the data number that sends of communication module is the title of debugging software so; such as " OllyICE.exe " rather than " Explorer.exe " or " cmd.exe "; this just illustrates this protected software just debugged, debugs so the behavior judge module judged result is sent to hardware punishment module.Hardware punishment module is punished according to predefined punishment logic; payment method can be to send misdata; such as " the DAY 15:00 Meeting " data with protected software pre-save are back into " DAY 24:00 Meeting "; although software can normally be carried out like this, function is wrong.If protected software place system environments does not have debugger; the data of the communication module of secure hardware reception are exactly so " Explorer.exe " or " cmd.exe "; debugging behavior judge module will be judged and not debug behavior like this; this result is sent to hardware punishment module, and hardware punishment module just can not start hardware punishment.
Four, protected software is not in the situation that exist debugging software or be not in debugging mode and normally propose the function request to secure hardware, and the function request is different and different according to the function of protected software.For example above-mentionedly store prompting message " DAY 15:00 Meeting " into secure hardware inside.When protected software goes for storage " DAY 15:00 Meeting " data, will be to the request of secure hardware sending function, secure hardware will send to protected software with " DAY 15:00 Meeting " data, as the basis for estimation of reminder time.
In the middle of whole software running process, can be periodically to secure hardware transmitting system real time data, concrete data dependence is in the debugging behavior judge module of secure hardware inside, information includes but not limited to the returning results of parent process title, system API IsDebuggerPresent, SeDebugPrivilege (the debug privilege attribute of system) authority credentials, be used for judging whether current operational process exists the debugging behavior, prevent that further software is debugged in operational process.
Inner just by judging that parent process judges whether to exist the debugging behavior at secure hardware in above-mentioned steps two.According to a specific embodiment of the present invention; in fact existing most of debugging behavior determination methods can be put into secure hardware inside; increase the correctness of debugging software judgement, such as the returning results of judgement parent process, system API IsDebuggerPresent, SeDebugPrivilege (the debug privilege attribute of system) authority credentials, search in protected software runtime environment dangerous process etc.
In addition, according to a specific embodiment of the present invention, when having judged the debugging behavior and exist, secure hardware does not first carry out hardware punishment, but waits for software and carry out hardware punishment after secure hardware is repeatedly communicated by letter again.Such as the punishment of delaying time, that is, find that the debugging behavior do not carry out later on hardware punishment immediately, but waited 5 minutes or other times are punished.Make like this deciphering person be difficult to judge the foundation of hardware punishment.
Embodiment 2
Utilize a kind of mapping software of software protecting equipment protection in the present invention, many important curve calculation formula are arranged in this mapping software.
One, mapping software is protected software, determines according to the significance level of code logic function or the data that protected software needs protection.According to one embodiment of the present invention, important curve calculation formula all is transplanted to secure hardware inside.Revise simultaneously this mapping software, can complete with secure hardware cooperation the calculating of the curve equation of secure hardware inside.
Two, mapping software starts, the thread of Start-up and Adjustment behavior detecting simultaneously, and the system information collection module of detecting thread is with the collection system real-time information.According to one embodiment of the present invention, collection be returning results of the API IsDebuggerPresent of system.And returning results by communication module of the API IsDebuggerPresent of system sent to secure hardware.
Three, after the communication module of secure hardware receives system's real-time information of mapping software transmission, this information is sent to the debugging behavior judge module of secure hardware, debugging behavior judge module carries out the debugging behavior judgement on main frame, judges that namely the real-time information that communication module sends is TRUE or FALSE.If that send is TRUE, showing has debugging software debugging shielded mapping software on main frame; If be FALSE, showing does not have debugging software in the shielded mapping software of debugging on main frame, then judged result is sent to hardware punishment module.
Four, hardware punishment module determines whether to carry out hardware punishment according to the judged result that debugging behavior judge module sends.According to one embodiment of the present invention, the hardware punitive measures of taking in the present embodiment is to allow the formula miscount that is implanted in secure hardware inside.Such as, needing to calculate the formula A:c=a+b of addition in protected software, shielded mapping software sends to secure hardware with a and b by communication module, and secure hardware calculates according to formula A.If there is no hardware punishment, secure hardware can normally return to c=a+b, if used hardware punishment, secure hardware can return to the result of certain algorithm at random, such as c=a*b, and c=a-b, c=a/b etc., and c is returned to shielded mapping software.
Clearly, above-mentioned specific embodiment has adopted the form of explanatory note to be described in detail.Those skilled in the art can adopt multiple programming language and similar programming logic to realize its similar function according to existing technology fully.
In addition, above-mentioned each embodiment is only used for illustrating inventive concept of the present invention, and realization of the present invention is not limited to above-mentioned various embodiment.For a person skilled in the art, above-mentioned each step further can be split fully, merging, conversion, deletion, thereby realize core idea of the present invention.
The distortion of above-mentioned multiple situation those skilled in the art will readily appreciate that, therefore above-mentionedly only schematically illustrates for example, and can't contain the various situations in software protection field.Core idea of the present invention is that software protecting equipment judges whether to exist the debugging behavior by the debugging behavior judge module that calls in secure hardware, and according to judged result, control and management is carried out in the execution of protected software.Therefore, on this basis, other various distortion of calling order, processing sequence all are easy to expect, need not to carry out the description of exhaustive in instructions of the present invention.
In addition, for judging in the situation that has the debugging behavior, secure hardware also can carry out such as sending the operation such as report to the police or quit work, thereby reminds current protected software to be debugged.That is to say, in case detect the debugging behavior, the secure hardware alerting pattern can have multiple, and this belongs to and those skilled in the art will readily appreciate that, need not to carry out the description of exhaustive in instructions of the present invention.
The above includes example of the present invention.Certainly, in order to describe purpose of the present invention, the combination of describing each assembly that can infer or method is unpractical, still, it will be understood by those skilled in the art that many further combinations and rotation are possible for purposes of the invention.Therefore, the present invention is intended to comprise change, improvement and the variation within all such spirit and scope that drop on appended claims.In addition, be limited with this instructions and claims, term " has " and is similar to term and " comprises ".
Claims (4)
1. method that prevents from protected software is debugged by software protecting equipment, described software protecting equipment is the hardware device for software protection, the interface unit that comprises micro controller unit, storage unit and be used for being connected with main frame;
It is characterized in that, described method comprises step:
Step 1: described protected software is collected the system information about operating system environment;
Step 2: the described system information that described protected software will be collected sends to described software protecting equipment;
Step 3: after described software protecting equipment receives described system information, whether have the debugging behavior in the operating system environment that utilizes described system information to judge that described protected software moves;
Step 4: if there is the debugging behavior, described software protecting equipment forbids that described protected software normally moves.
According to claim 1 prevent from method that protected software is debugged from it is characterized in that by software protecting equipment,
Have in described software protecting equipment:
Communication module is used for communicating by letter between described software protecting equipment and main frame;
Debugging behavior judge module is used for judging whether the operating system environment that described protected software moves exists the debugging behavior;
Hardware punishment module is used for forbidding that judging when having described debugging behavior described protected software normally moves.
3. according to claim 1,2 prevent from method that protected software is debugged from it is characterized in that by software protecting equipment,
Before step 1, start the system information collection module in described protected software;
Described system information collection module is collected described system information about operating system environment.
According to claim 1-3 prevent from method that protected software is debugged from it is characterized in that by software protecting equipment,
The communication mode that described communication module adopts comprises: serial interface communication, parallel interface communication, 1394 interface communications, radio-frequency (RF) identification interface communication, wireless lan interfaces communication, USB (universal serial bus) communication, blue tooth interface communication, infrared interface communication, Wi-Fi interface communication, ISO7816 serial communication;
The judgment mode that described debugging behavior judge module adopts comprises at least: judge parent process, the decision operation API of system, judge System Privileges, just judge window title at working procedure, whether all processes in the environment of described protected running software of searching have debug procedures, search port or the field of specific process;
The hardware payment method that described hardware punishment module adopts comprises: the hardware of the locked certain hour of the hardware of described software protecting equipment, described software protecting equipment hardware fully locked, described software protecting equipment returns to random data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110409722.9A CN103164643B (en) | 2011-12-08 | 2011-12-08 | A kind of method and apparatus that anti-debug is carried out by hardware |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110409722.9A CN103164643B (en) | 2011-12-08 | 2011-12-08 | A kind of method and apparatus that anti-debug is carried out by hardware |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103164643A true CN103164643A (en) | 2013-06-19 |
| CN103164643B CN103164643B (en) | 2017-10-24 |
Family
ID=48587723
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110409722.9A Active CN103164643B (en) | 2011-12-08 | 2011-12-08 | A kind of method and apparatus that anti-debug is carried out by hardware |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103164643B (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103605607A (en) * | 2013-12-02 | 2014-02-26 | 中标软件有限公司 | Software complexity analysis system and method |
| WO2015035761A1 (en) * | 2013-09-10 | 2015-03-19 | 成都品果科技有限公司 | Method and apparatus for performing assembly-level dynamic debugging of ios system |
| CN104657268A (en) * | 2015-02-13 | 2015-05-27 | 厦门美图之家科技有限公司 | Two-factor authentication method and device for API (application program interface) compatibility |
| CN105044653A (en) * | 2015-06-30 | 2015-11-11 | 武汉大学 | Software conformance detection method for smart electric meters |
| CN105653908A (en) * | 2015-12-31 | 2016-06-08 | 西北大学 | Implicit anti-debugging protection method |
| CN105893846A (en) * | 2016-04-22 | 2016-08-24 | 北京金山安全软件有限公司 | Method and device for protecting target application program and electronic equipment |
| CN106021106A (en) * | 2016-05-19 | 2016-10-12 | 北京金山安全软件有限公司 | Process control method and user terminal |
| CN106096404A (en) * | 2016-08-18 | 2016-11-09 | 北京深思数盾科技股份有限公司 | A kind of data guard method and system |
| CN106649098A (en) * | 2016-11-04 | 2017-05-10 | 海信集团有限公司 | Method and device for achieving version-release-software debugging on terminal device |
| CN106650338A (en) * | 2015-10-28 | 2017-05-10 | 中国电信股份有限公司 | Method and system for preventing software from being anti-debugged |
| CN106778104A (en) * | 2017-01-20 | 2017-05-31 | 武汉斗鱼网络科技有限公司 | A kind of anti-debug method and system of application program |
| CN107463836A (en) * | 2017-08-17 | 2017-12-12 | 郑州云海信息技术有限公司 | A kind of synthesis anti-debug method and system under Windows systems |
| CN108021791A (en) * | 2016-10-31 | 2018-05-11 | 腾讯科技(深圳)有限公司 | Data guard method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060130016A1 (en) * | 2003-03-17 | 2006-06-15 | Wagner John R | Method of kernal-mode instruction interception and apparatus therefor |
| US20080184198A1 (en) * | 2007-01-30 | 2008-07-31 | Microsoft Corporation | Anti-debugger comprising spatially and temporally separate detection and response portions |
| CN101320416A (en) * | 2008-05-20 | 2008-12-10 | 北京深思洛克数据保护中心 | Method and system for detecting debugging mode of software |
| CN101473333A (en) * | 2006-06-21 | 2009-07-01 | 威步系统股份公司 | Method and system for intrusion detection |
-
2011
- 2011-12-08 CN CN201110409722.9A patent/CN103164643B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060130016A1 (en) * | 2003-03-17 | 2006-06-15 | Wagner John R | Method of kernal-mode instruction interception and apparatus therefor |
| CN101473333A (en) * | 2006-06-21 | 2009-07-01 | 威步系统股份公司 | Method and system for intrusion detection |
| US20080184198A1 (en) * | 2007-01-30 | 2008-07-31 | Microsoft Corporation | Anti-debugger comprising spatially and temporally separate detection and response portions |
| CN101320416A (en) * | 2008-05-20 | 2008-12-10 | 北京深思洛克数据保护中心 | Method and system for detecting debugging mode of software |
Non-Patent Citations (1)
| Title |
|---|
| 袁金国 等: "利用USB总线接口的软件加密卡设计", 《电子技术》 * |
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015035761A1 (en) * | 2013-09-10 | 2015-03-19 | 成都品果科技有限公司 | Method and apparatus for performing assembly-level dynamic debugging of ios system |
| CN103605607B (en) * | 2013-12-02 | 2017-02-08 | 中标软件有限公司 | Software complexity analysis system and method |
| CN103605607A (en) * | 2013-12-02 | 2014-02-26 | 中标软件有限公司 | Software complexity analysis system and method |
| CN104657268A (en) * | 2015-02-13 | 2015-05-27 | 厦门美图之家科技有限公司 | Two-factor authentication method and device for API (application program interface) compatibility |
| CN104657268B (en) * | 2015-02-13 | 2018-03-30 | 厦门美图之家科技有限公司 | A kind of double verification method and apparatus of API compatibility |
| CN105044653A (en) * | 2015-06-30 | 2015-11-11 | 武汉大学 | Software conformance detection method for smart electric meters |
| CN106650338A (en) * | 2015-10-28 | 2017-05-10 | 中国电信股份有限公司 | Method and system for preventing software from being anti-debugged |
| CN105653908B (en) * | 2015-12-31 | 2018-12-25 | 西北大学 | A kind of implicit anti-debug guard method |
| CN105653908A (en) * | 2015-12-31 | 2016-06-08 | 西北大学 | Implicit anti-debugging protection method |
| CN105893846A (en) * | 2016-04-22 | 2016-08-24 | 北京金山安全软件有限公司 | Method and device for protecting target application program and electronic equipment |
| CN106021106B (en) * | 2016-05-19 | 2019-05-28 | 珠海豹趣科技有限公司 | A kind of course control method and user terminal |
| CN106021106A (en) * | 2016-05-19 | 2016-10-12 | 北京金山安全软件有限公司 | Process control method and user terminal |
| CN106096404A (en) * | 2016-08-18 | 2016-11-09 | 北京深思数盾科技股份有限公司 | A kind of data guard method and system |
| CN106096404B (en) * | 2016-08-18 | 2019-05-21 | 北京深思数盾科技股份有限公司 | A kind of data guard method and system |
| CN108021791A (en) * | 2016-10-31 | 2018-05-11 | 腾讯科技(深圳)有限公司 | Data guard method and device |
| CN108021791B (en) * | 2016-10-31 | 2021-08-10 | 腾讯科技(深圳)有限公司 | Data protection method and device |
| CN106649098A (en) * | 2016-11-04 | 2017-05-10 | 海信集团有限公司 | Method and device for achieving version-release-software debugging on terminal device |
| CN106649098B (en) * | 2016-11-04 | 2019-06-04 | 海信集团有限公司 | The method and apparatus of released version software debugging are realized on the terminal device |
| CN106778104A (en) * | 2017-01-20 | 2017-05-31 | 武汉斗鱼网络科技有限公司 | A kind of anti-debug method and system of application program |
| CN106778104B (en) * | 2017-01-20 | 2019-10-25 | 武汉斗鱼网络科技有限公司 | A kind of anti-debug method and system of application program |
| CN107463836A (en) * | 2017-08-17 | 2017-12-12 | 郑州云海信息技术有限公司 | A kind of synthesis anti-debug method and system under Windows systems |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103164643B (en) | 2017-10-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103164643A (en) | Method and device using hardware to debug | |
| CN108027860B (en) | Hardening event counter for anomaly detection | |
| Arora et al. | Hardware-assisted run-time monitoring for secure program execution on embedded processors | |
| CN101473333B (en) | Method and system for intrusion detection | |
| CN101533449B (en) | Microprocessor device for providing secure execution environment and method for executing secure code thereof | |
| US10503931B2 (en) | Method and apparatus for dynamic executable verification | |
| CN102592083B (en) | Storage protecting controller and method for improving safety of SOC (system on chip) | |
| AU2009200459A1 (en) | Systems and Methods for the Prevention Of Unauthorized Use and Manipulation of Digital Content Related Applications | |
| Bing | Analysis and research of system security based on android | |
| CN102385671A (en) | Method and system for encrypting software | |
| US20190197216A1 (en) | Method, apparatus, and computer-readable medium for executing a logic on a computing device and protecting the logic against reverse engineering | |
| US8782809B2 (en) | Limiting information leakage and piracy due to virtual machine cloning | |
| Brasser et al. | Advances and throwbacks in hardware-assisted security: Special session | |
| Shila et al. | I can detect you: Using intrusion checkers to resist malicious firmware attacks | |
| CN108280647A (en) | Private key protection method and device for digital wallet, electronic equipment and storage medium | |
| Brasser et al. | Special session: Advances and throwbacks in hardware-assisted security | |
| CN106951779A (en) | A kind of USB security protection systems for selecting to analyze with equipment behavior based on user | |
| US10311253B2 (en) | Method for protecting an integrated circuit against unauthorized access | |
| CN102592101A (en) | Method and system for protecting LED display management software safety | |
| Patel et al. | Ensuring secure program execution in multiprocessor embedded systems: a case study | |
| Toffalini et al. | Careful-packing: A practical and scalable anti-tampering software protection enforced by trusted computing | |
| Jiutao et al. | Notice of Retraction: Research of software protection | |
| Zaharis et al. | Live forensics framework for wireless sensor nodes using sandboxing | |
| Meshram et al. | Security in embedded systems: Vulnerabilities pigeonholing of attacks and countermeasures | |
| Solanki et al. | Secure patrol: Patrolling against buffer overflow exploits |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| DD01 | Delivery of document by public notice |
Addressee: Qiao Ruilin Document name: Notification of Passing Examination on Formalities |
|
| ASS | Succession or assignment of patent right |
Owner name: BEIJING SHENSI SHUDUN SCIENCE + TECHNOLOGY CO., LT Free format text: FORMER OWNER: BEIJING SENSELOCK SOFTWARE TECHNOLOGY CO., LTD. Effective date: 20150722 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20150722 Address after: 100872 Zhongguancun street, Haidian District, a cultural building, No. 1706, No. 59, No. Applicant after: BEIJING SHENSI SHUDUN TECHNOLOGY Co.,Ltd. Address before: 100086 Beijing City, Haidian District Zhongguancun South Street No. 6 Zhucheng building block B room 1201 Applicant before: Beijing Senselock Software Technology Co.,Ltd. |
|
| CB02 | Change of applicant information |
Address after: 100872 Zhongguancun street, Haidian District, a cultural building, No. 1706, No. 59, No. Applicant after: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. Address before: 100872 Zhongguancun street, Haidian District, a cultural building, No. 1706, No. 59, No. Applicant before: BEIJING SHENSI SHUDUN TECHNOLOGY Co.,Ltd. |
|
| COR | Change of bibliographic data | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100872 1706, Cultural Building, No. 59 A, Zhongguancun Street, Haidian District, Beijing Patentee after: Beijing Shendun Technology Co.,Ltd. Address before: 100872 1706, Cultural Building, No. 59 A, Zhongguancun Street, Haidian District, Beijing Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |