CN105608346A - ELF file protection method and system based on ARM instruction virtualization - Google Patents

Info

Publication number: CN105608346A
Application number: CN201510996999.4A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 霍亮
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Prior art keywords: instruction, bytecode, interpretation engine, virtualized, file
Related application: PCT/CN2016/106146 (published as WO2017107706A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/125 Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code

Abstract

The invention discloses an ELF file protection method and system based on ARM instruction virtualization. The method comprises: converting the instructions of an original function into bytecode; saving the register and stack information of the original function, adding a jump instruction, and deleting the remaining instructions; and executing the jump instruction so as to jump to an interpretation engine that interprets the bytecode. Converting the original function's instructions into bytecode in this virtualized form raises the difficulty for a cracker and strengthens the protection of the file.

Description

ELF file protection method and system based on ARM instruction virtualization
Technical field
The present invention relates to the field of security technology, and in particular to an ELF file protection method and system based on ARM instruction virtualization.
Background technology
Android is a free, open-source operating system based on Linux. It is used mainly on mobile devices such as smartphones and tablets, and is led and developed by Google and the Open Handset Alliance. The Android platform has developed rapidly and has gradually become the most widespread mobile operating system; it has reached every field, including products with high security requirements such as financial devices. Compared with other terminal operating systems, the open Android system gives application developers more functional interfaces. These interfaces improve the extensibility of the system, but at the same time they also make things convenient for malware. Malware such as Trojans on the Android system can be disguised inside an Android installation package, trick the user into installing it and granting it certain permissions, and then abuse those permissions to perform specific behaviours in the background, including stealing user privacy and defrauding the user of fees. Beyond that, even normal Android applications face threats to the security of the Android system from illegal copying, reverse engineering, decompilation, debugging, cracking, repackaging, memory interception and similar means, which harm not only users but also cause serious damage to legitimate application developers.
At present, protection for APKs (Android Package, the Android installation package) on the market is mainly based on dex (Dalvik VM Executes, the Android Dalvik executable program). Publicly available examples include Bangbang (梆梆), Ijiami (爱加密), ApkProtect and others. On the other hand, the shared library files of the Android platform, whose extension is .so and which are therefore also called SO files, use the ELF format (Executable and Linkable Format: a standard file format for binary files, executable files, object code, shared libraries and core dumps). Comparatively little protection exists for files in ELF format. Most existing protection of ELF files uses a linker approach or UPX (Ultimate Packer for eXecutables, an executable program compressor), for example applying UPX to the odex (the executable extracted from the APK's classes.dex file and stored separately after dex optimization) and packing the program. Packing can effectively stop disassembly analysis of the program, protecting software copyright and preventing the software from being cracked. However, a cracker only needs to make minor modifications to the UPX source code to unpack such a program, so its protection is inadequate. There are also approaches that use obfuscated code to add some complexity for the cracker, encrypt function names and strings, and move the loader's implementation entirely from the Java layer into JNI (Java Native Interface, Java calling native code); but the loader package and the original package are completely separate, and the original package is only an encrypted file, so a memory dump (obtaining the memory contents) can easily be achieved.
Summary of the invention
In order to solve the above problems, the invention provides an ELF file protection method based on ARM (Advanced RISC Machine) instruction virtualization.
According to one aspect of the invention, an ELF file protection method based on ARM instruction virtualization comprises: converting the instructions of an original function into bytecode; saving the register and stack information of the original function, adding a jump instruction, and deleting the remaining instructions; and jumping to an interpretation engine so that the bytecode is interpreted.
In some embodiments, each original function instruction can be divided into multiple virtual small instructions and converted into the corresponding bytecode, and the interpretation engine can comprise multiple sub-interpretation units to interpret the bytecode corresponding to the multiple virtual small instructions.
The benefit is that original function instructions are varied and their organization takes ever-changing forms, so it is hard for an interpretation engine to provide a translation for every concrete case. Therefore, the instructions that may be encountered are first classified and then decomposed into several simple virtual small instructions; these virtual small instructions can then be handed to dedicated sub-interpretation units, which cooperate to complete the interpretation of the whole instruction. This is simpler and more flexible to implement.
In some embodiments, the bytecode is interpreted using a stack-based virtual machine architecture.
The benefit is that a virtual machine of the stack-based architecture has no notion of temporary variables or registers: everything is placed on the stack, which is operated on frequently. Because instructions need not specify operands, the instructions are relatively simple, the instruction set is concise and it is highly robust.
According to another aspect of the invention, an ELF file protection system based on ARM instruction virtualization comprises: a conversion unit, which converts the instructions of the original function into bytecode, saves the jump instruction, registers and stack information of the original function, and deletes the remaining instructions; a jump unit, which executes the jump instruction; and an interpretation engine, which interprets the bytecode passed in after the jump instruction is executed, according to preset bytecode semantics.
According to the above method and system of the invention, by converting the original function's instructions into bytecode, the original function's instructions are translated into a stream of pseudo-code bytes that neither machine nor human can recognize; the original function is virtualized and its original instructions are deleted. When a cracker tries to crack the file, no original function instructions can be found, only a stream of pseudo-code bytes, so the cracker must develop a specific tool to analyze and decompile the bytecode, which is very time-consuming and laborious. Protecting the ELF file by virtualizing the original function instructions therefore raises the cracker's decoding difficulty. In a concrete implementation, an interpretation engine (also called a virtual machine) interprets the pseudo-code byte stream using preset semantics, so that the execution of the original function's instruction code can be simulated. The protection of the ELF file is thereby improved. In some embodiments, the interpretation engine comprises multiple sub-interpretation units.
The benefit is that original function instructions are varied and their organization takes ever-changing forms, so an interpretation engine cannot provide a translation for every concrete case; the instructions that may be encountered must first be abstractly classified, then decomposed into several simple small instructions, and then handed to dedicated sub-interpretation units, which cooperate to complete the execution of the whole instruction.
In some embodiments, the interpretation engine uses a stack-based virtual machine architecture.
The benefit is that a stack-based virtual machine has no notion of temporary variables or registers: everything is placed on the stack, which is operated on frequently; the virtual registers it uses are all kept on the stack, and the sub-interpretation unit of every original instruction must push and pop. Because instructions need not specify operands, the instructions are relatively simple, the instruction set is concise and it is highly robust.
Brief description of the drawings
Fig. 1 is a flow chart of an ELF file protection method based on ARM instruction virtualization according to one embodiment of the invention;
Fig. 2 is a detailed implementation flow chart of an ELF file protection system based on ARM instruction virtualization according to one embodiment of the invention;
Fig. 3 is a structural schematic diagram of an ELF file protection system based on ARM instruction virtualization according to one embodiment of the invention;
Fig. 4 (a) shows an example of an original function, and Fig. 4 (b) shows the original function of this example after processing by the method of the embodiment of the invention;
Fig. 5 (a) and (b) are each used to explain, in the method of one embodiment of the invention, an example of jumping to the bytecode interpretation engine entry;
Fig. 6 is a schematic flow chart of a method for hardening and protecting multiple ELF files.
Detailed description of the invention
Embodiments of the present invention are described below with reference to the accompanying drawings.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural forms. It will be further understood that the word "comprises" used in this description refers to the presence of the described features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined here, are not to be interpreted in an idealized or overly formal sense.
It should be pointed out that the technical solution of the invention is in principle independent of the choice of operating system and applies to Windows, Android, iOS and other operating systems. For convenience of explanation, however, Android is used as the example below.
On the Android system, an application that can be installed and run must be packaged into an Android installation package, that is, the APK file format. APK files are usually downloaded from an Android application market and installed on the phone; they can also be installed from a PC over a USB data cable or a wireless data link. An Android installation package is in fact a ZIP file whose suffix has been changed to .apk, and its internal file structure can be seen by unpacking it with a tool such as Unzip.
Android applications are usually developed in the Java language and compiled with the Android development tools into binary bytecode; this bytecode is packaged into the classes.dex file and interpreted and executed by the Dalvik virtual machine of the Android platform. To call Android system functions, the Android system provides a runtime environment (the Android Framework), and every call an Android application makes to a system function is made through the libraries of the Android Framework. On the other hand, the Android system also lets an application run directly through JNI or a native executable. In that case the application executes binary machine code that runs directly on the CPU, without interpretation by a virtual machine, and can directly call Android libraries such as libc, WebKit, SQLite and OpenGL/ES to use the system's functions. If an Android application is to run through JNI or a native executable, the code to be executed must be compiled into the ELF file format. ELF is the abbreviation of Executable and Linkable Format, the file format of executable programs and shared libraries on Android/Linux operating systems.
In this application, an ELF file on the Android platform is mainly a shared library file, whose extension is .so and which is therefore also called an SO file. The instruction format of an SO file is the ARM instruction set or the Thumb instruction set of the ARM architecture. The main role of an Android SO file is to interact with Java through JNI, so it is mainly a library (some SO files are also executable) that is loaded by the Android Runtime and can be called from the Java layer. SO files are generally stored under the armeabi sub-folder of the lib directory of the APK.
Fig. 1 schematically shows an ELF file protection method based on ARM instruction virtualization according to one embodiment of the invention. As shown in Fig. 1 and Fig. 2, according to one aspect of the invention, the ELF file protection method based on ARM instruction virtualization comprises the following steps:
S1. Convert the original function into bytecode.
Converting the original function's instructions into bytecode can also be described as virtualizing the original function. For example, the instruction MOV R5, #3 is converted into the corresponding bytecode 0D010300000002050000000405000000. This completes the virtualization of the original function's instruction, converting it into bytecode that looks meaningless and that neither machine nor human can recognize; it must therefore be interpreted and executed by a specially prepared interpretation engine (such as a purpose-built VMP (Virtual Machine Protect) engine).
S2. Save the register and stack information of the original function, add a jump instruction, and delete the remaining instructions.
In the conversion (virtualization) process, all instructions of the original function are virtualized into bytecode. At the same time, the register and stack information corresponding to the original function must be saved to a new location. In addition, because register information is updated continuously while the original function's instructions execute, the saved register information must also be updated while the bytecode corresponding to each instruction is interpreted, so that the register information stays synchronized and balanced during bytecode interpretation and the effect of simulating the execution of the original function's instructions is achieved.
The interpretation engine VMP places all registers in a stack structure (VM_CONTEXT), in which each item represents a register or a temporary variable. In one embodiment of the invention, the register and stack information corresponding to the original function is saved at the entry of the interpretation engine VMP.
Fig. 4 (a) shows an example of an original function, and Fig. 4 (b) shows the original function of this example after processing by the method of the embodiment of the invention.
The code shown in the figure is the function obtained by virtualizing the original function __cxa_f_10x. The instructions of the original function have all disappeared; the unrecognizable bytes in the code are the bytecode corresponding to the instructions of the original function. As shown in Fig. 5 (a), "BL loc_8F98" in the box is a function jump instruction that jumps to the entry of the interpretation engine VMP and saves the information of the flags register CPSR. Executing this instruction jumps to the interpretation function, which interprets the bytecode.
As shown in Fig. 5 (b), "BL sub_8FDC" in the box is a function jump instruction; executing it jumps to the interpretation function so that the bytecode is interpreted. The bytecode corresponding to each instruction is separated by 0x00.
The original function needs to update register information when it executes instructions. For example, the instruction "MOV R0, #1" updates R0 to 1. So, in the process of interpreting the bytecode, the register and stack information saved at the interpretation engine entry must be updated, which keeps the original function's register information synchronized.
S3. Execute the jump instruction and jump to the interpretation engine entry. As described above, the interpretation engine entry saves the running environment (the value of each register) and initializes the stack (the variables used by the interpretation engine are all on the stack).
At the same time, after jumping to the interpretation function, the interpretation function parses the bytecode item by item according to the preset bytecode semantics. While parsing the bytecode corresponding to an instruction, the interpretation engine updates the saved register and stack information to preserve the integrity of the original function. After the bytecode has been interpreted, control jumps to the interpretation engine exit, which restores the original function's register and stack information, keeping the register information synchronized and balanced during bytecode interpretation, and returns to the original function. In this way, the execution of the original function's instructions can be simulated.
As shown in Fig. 2, the above embodiment is not limited to virtualizing a single function but also applies to virtualizing multiple functions (function A, function B, ...).
Because the original instructions are all converted into bytecode that the CPU cannot execute directly, the engine design must achieve a complete simulation of the original instructions, which means guaranteeing a complete semantic interpretation of the original instructions. The main considerations are as follows. First, the bytecode must be read correctly. An original instruction may have many different forms of expression; for example, the LDR instruction can be expressed as:
LDR R0, [R1]
LDR R0, [R1, #4]
LDR R0, [R1, R2, LSL #2]
LDR R0, [R1, #4]!
and so on. Correspondingly, the engine design must enumerate these different forms of expression for each original instruction and interpret each one separately.
In addition, for function jump instructions, it must be determined whether the jump is internal to the function or to outside the function, and the target jump address must be calculated accurately. So the complete semantic interpretation of the original instructions determines whether an instruction can be executed correctly.
Whether an instruction executes correctly depends entirely on whether its corresponding bytecode can be interpreted successfully, and the engine created here guarantees that the bytecode can be read and executed correctly.
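As an added illustration of the enumeration the engine must perform (example code written for this page, not the patent's or the assignee's implementation): the function below decodes a 32-bit ARM single-data-transfer encoding and classifies which of the LDR addressing forms listed above it uses, so that the matching sub-interpretation unit for LDR/STR can be selected. The field positions follow the standard ARM encoding; the enum, struct and function names and the sample encodings in main are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): classify the addressing form of a
 * 32-bit ARM single-data-transfer instruction (LDR/STR). Field layout:
 * cond[31:28] 01[27:26] I[25] P[24] U[23] B[22] W[21] L[20] Rn[19:16]
 * Rd[15:12] offset[11:0]. I=0 selects a 12-bit immediate offset, I=1 a
 * register offset with an optional shift. The names below are this example's. */

typedef enum {
    XFER_NONE = 0,      /* not a single-data-transfer encoding            */
    XFER_IMM_OFFSET,    /* LDR Rd,[Rn,#imm]            P=1 W=0 I=0       */
    XFER_REG_OFFSET,    /* LDR Rd,[Rn,Rm,<shift> #n]   P=1 W=0 I=1       */
    XFER_IMM_PRE_WB,    /* LDR Rd,[Rn,#imm]!           P=1 W=1 I=0       */
    XFER_REG_PRE_WB,    /* LDR Rd,[Rn,Rm,<shift>]!     P=1 W=1 I=1       */
    XFER_IMM_POST,      /* LDR Rd,[Rn],#imm            P=0     I=0       */
    XFER_REG_POST       /* LDR Rd,[Rn],Rm              P=0     I=1       */
} xfer_form;

typedef struct {
    xfer_form form;
    int is_load;            /* L bit: 1 = LDR, 0 = STR                   */
    int is_byte;            /* B bit: 1 = LDRB/STRB                      */
    int add;                /* U bit: 1 = offset added, 0 = subtracted   */
    int rd, rn;
    int rm;                 /* offset register, or -1 for an immediate   */
    unsigned shift_type;    /* 0=LSL 1=LSR 2=ASR 3=ROR, valid if rm >= 0 */
    unsigned shift_amount;
    unsigned imm12;         /* immediate offset, valid if rm < 0         */
} xfer_decoded;

xfer_form decode_single_transfer(uint32_t insn, xfer_decoded *out)
{
    memset(out, 0, sizeof *out);
    out->rm = -1;
    int I = (insn >> 25) & 1, P = (insn >> 24) & 1, W = (insn >> 21) & 1;
    /* Bits 27:26 must be 01; I=1 with bit 4 set is the media/undefined space. */
    if (((insn >> 26) & 3) != 1 || (I && (insn & 0x10)))
        return out->form = XFER_NONE;
    out->add     = (insn >> 23) & 1;
    out->is_byte = (insn >> 22) & 1;
    out->is_load = (insn >> 20) & 1;
    out->rn = (insn >> 16) & 0xF;
    out->rd = (insn >> 12) & 0xF;
    if (I) {                                  /* register offset, optionally shifted */
        out->rm = insn & 0xF;
        out->shift_type   = (insn >> 5) & 3;
        out->shift_amount = (insn >> 7) & 0x1F;
    } else {                                  /* 12-bit immediate offset */
        out->imm12 = insn & 0xFFF;
    }
    if (!P)     out->form = I ? XFER_REG_POST   : XFER_IMM_POST;
    else if (W) out->form = I ? XFER_REG_PRE_WB : XFER_IMM_PRE_WB;
    else        out->form = I ? XFER_REG_OFFSET : XFER_IMM_OFFSET;
    return out->form;
}

/* Convenience wrapper when only the form is wanted. */
xfer_form classify_transfer(uint32_t insn)
{
    xfer_decoded d;
    return decode_single_transfer(insn, &d);
}

int main(void)
{
    /* Constructed encodings of the four forms listed in the description, a
     * post-indexed load, and a non-transfer instruction (MOV R0,#3). */
    static const uint32_t samples[] = {
        0xE5910000, /* LDR R0,[R1]           */
        0xE5910004, /* LDR R0,[R1,#4]        */
        0xE7910102, /* LDR R0,[R1,R2,LSL #2] */
        0xE5B10004, /* LDR R0,[R1,#4]!       */
        0xE4910004, /* LDR R0,[R1],#4        */
        0xE3A00003  /* MOV R0,#3             */
    };
    static const char *names[] = { "none", "imm-offset", "reg-offset",
        "imm-pre-writeback", "reg-pre-writeback", "imm-post", "reg-post" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        xfer_decoded d;
        decode_single_transfer(samples[i], &d);
        printf("%08X -> %s rd=%d rn=%d rm=%d imm=%u shift=%u\n", (unsigned)samples[i],
               names[d.form], d.rd, d.rn, d.rm, d.imm12, d.shift_amount);
    }
    return 0;
}
```

The decoder refuses encodings whose bits 27:26 are not 01, or that have I=1 with bit 4 set, so a lifter built on it fails closed on input it does not understand rather than guessing a form; that matters because a mis-classified addressing mode would make the interpreter read or write the wrong address while still appearing to execute.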
The interpretation engine may comprise an interpretation unit for determining the interpretation program corresponding to the bytecode. The interpretation unit determines the interpretation program corresponding to the bytecode and completes the execution of the bytecode; it interprets the bytecode with internally set semantics, progressively restores the original function's instructions, and executes them.
In one embodiment, the interpretation unit may comprise multiple sub-interpretation units. As described above, original function instructions are varied and their organization takes ever-changing forms, so the interpretation engine cannot provide a translation for every concrete case. In this embodiment, the instructions that may be encountered are first classified and then decomposed into several simple small instructions, which are handed to dedicated sub-interpretation units. The multiple sub-interpretation units cooperate to complete the execution of the whole instruction. The interpretation engine distributes the decoding algorithm across the dispatcher (Dispatch) and the individual sub-programs (Handlers); decryption happens only when an instruction or data is fetched; the decoding algorithm of each handler is different; and the seed changes with each decryption, which further increases the cracker's decoding difficulty.
For example, the instruction MOV R0, #3 can be decomposed into several virtual small instructions:
Vmov
VPushImm32 0x3
VPushReg R0
VPopReg R0
The corresponding bytecode is:
0D01(03000000)02(00000000)04(00000000)
Some common virtual small instruction types and their meanings are listed below:
Virtual instruction corresponding to the original instruction (Vmov, Vldr, Vadd, ...),
Vsplit: separates each instruction; its value is 0
VPushImm32: tells the engine that the instruction contains an immediate
VPushReg32: tells the engine the register type of the instruction's source operand
VPushDstReg32: special handling for the STR instruction
VPopReg32: tells the engine the destination register type
Vwriteback: special handling for the LDR or STR instruction; tells the engine that after the destination register has been assigned, the source register must continue to be operated on.
When the engine processes bytecode, it first obtains the first byte code and determines the instruction type from it, then enters the sub-interpretation unit to process that instruction. When processing is finished and VSplit is encountered, it leaves the sub-unit and continues to interpret the next instruction.
Within a sub-interpretation unit, the virtual small instructions (VPushImm32, VPushReg32, VPushDstReg32, VPopReg32, Vwriteback) must be processed, which operates on the stack frequently and updates the original function's register information saved on the stack.
In one embodiment, the interpretation engine may use a stack-based virtual machine. Since a stack-based virtual machine has no notion of temporary variables or registers, everything is placed on the stack and the stack is operated on frequently; the virtual registers it uses are all kept on the stack, and the sub-interpretation unit of every original instruction must push and pop. Because instructions need not specify operands, the instructions are relatively simple, the instruction set is concise and it is highly robust.
For example, for the instruction ADD, a stack-based virtual machine first pops two numbers from the stack, adds them, and pushes the result back onto the stack. The ADD instruction takes only one byte; its parameters and return value are all on the stack; there are no complicated register and memory operations; and the instruction set is very concise.
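The interpretation loop described above, as an added example for this page (not the patent's VMP engine): a dispatcher selects a sub-interpreter by the leading opcode byte, the sub-interpreter consumes push/pop small instructions until a VSplit, and the original function's registers are kept in a VM_CONTEXT structure whose stack serves as the virtual registers. The opcode values, the 4-byte operand fields and the VADD opcode are assumptions loosely modelled on the 0D 01 ... 04 ... layout shown above, and the bytecode stream in demo_code (MOV R0,#3; MOV R1,#5; ADD R2,R0,R1) is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): a minimal stack-based interpretation
 * engine in the shape the description sketches. A dispatcher reads the leading
 * opcode byte and selects a sub-interpreter, which consumes the "virtual small
 * instructions" (push immediate / push register / pop register) until a VSplit
 * byte; the original function's registers live in a VM_CONTEXT structure and
 * operands travel through its stack. The opcode numbers, the 4-byte operand
 * fields and the VADD opcode are assumptions of this example, loosely following
 * the "0D 01 <imm32> ... 04 <reg32>" layout on the page, not the patent's encoding. */

enum {
    VSPLIT = 0x00, VPUSH_IMM32 = 0x01, VPUSH_REG32 = 0x02, VPOP_REG32 = 0x04,
    VMOV = 0x0D,            /* dispatcher opcode: Rd = operand             */
    VADD = 0x0E             /* assumed dispatcher opcode: Rd = a + b        */
};
#define VM_NREGS 16
#define VM_STACK 32

typedef struct {
    uint32_t r[VM_NREGS];     /* saved registers of the original function      */
    uint32_t stack[VM_STACK]; /* operand stack: the engine's virtual registers */
    int sp;
} vm_context;

static uint32_t rd_le32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

static int vm_push(vm_context *c, uint32_t v)
{ if (c->sp >= VM_STACK) return -1; c->stack[c->sp++] = v; return 0; }

static int vm_pop(vm_context *c, uint32_t *v)
{ if (c->sp <= 0) return -1; *v = c->stack[--c->sp]; return 0; }

/* VADD folds the two pushed operands before the destination pop; VMOV passes
 * its single operand through. Every stack access is bounds-checked. */
static int fold_operands(vm_context *c, uint8_t op)
{
    uint32_t a, b;
    if (op == VMOV) return 0;
    if (vm_pop(c, &b) || vm_pop(c, &a)) return -1;
    return vm_push(c, a + b);
}

/* Sub-interpreter for one virtualised instruction: returns the bytes consumed
 * up to and including the VSplit, or -1 for malformed bytecode. */
static int interpret_one(vm_context *c, uint8_t op, const uint8_t *p, size_t n)
{
    size_t i = 0;
    uint32_t field, val;
    while (i < n) {
        uint8_t sub = p[i++];
        if (sub == VSPLIT) return (int)i;
        if (i + 4 > n) return -1;                 /* truncated operand field */
        field = rd_le32(p + i); i += 4;
        switch (sub) {
        case VPUSH_IMM32: if (vm_push(c, field)) return -1; break;
        case VPUSH_REG32: if (field >= VM_NREGS || vm_push(c, c->r[field])) return -1; break;
        case VPOP_REG32:
            if (field >= VM_NREGS || fold_operands(c, op) || vm_pop(c, &val)) return -1;
            c->r[field] = val;                    /* write back the saved register */
            break;
        default: return -1;                       /* unknown small instruction */
        }
    }
    return -1;                                    /* no VSplit before end of stream */
}

/* Dispatcher: walks the stream one virtualised instruction at a time.
 * Returns 0 on success; the operand stack must be balanced at exit. */
int vm_run(vm_context *c, const uint8_t *code, size_t len)
{
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        if (op != VMOV && op != VADD) return -1;
        int used = interpret_one(c, op, code + pc, len - pc);
        if (used < 0) return -1;
        pc += (size_t)used;
    }
    return c->sp == 0 ? 0 : -1;
}

/* Constructed bytecode: MOV R0,#3 ; MOV R1,#5 ; ADD R2,R0,R1 */
static const uint8_t demo_code[] = {
    VMOV, VPUSH_IMM32, 3,0,0,0, VPOP_REG32, 0,0,0,0, VSPLIT,
    VMOV, VPUSH_IMM32, 5,0,0,0, VPOP_REG32, 1,0,0,0, VSPLIT,
    VADD, VPUSH_REG32, 0,0,0,0, VPUSH_REG32, 1,0,0,0, VPOP_REG32, 2,0,0,0, VSPLIT
};

/* Runs the constructed stream and returns R2 (8), or 0xFFFFFFFF on error. */
uint32_t demo_add_result(void)
{
    vm_context c = {0};
    return vm_run(&c, demo_code, sizeof demo_code) == 0 ? c.r[2] : 0xFFFFFFFFu;
}

/* A stream cut off inside an operand field is rejected rather than executed. */
int demo_truncated_rejected(void)
{
    static const uint8_t bad[] = { VMOV, VPUSH_IMM32, 3, 0 };
    vm_context c = {0};
    return vm_run(&c, bad, sizeof bad) == -1;
}

int main(void)
{
    printf("R2 after ADD = %u, truncated rejected = %d\n",
           (unsigned)demo_add_result(), demo_truncated_rejected());
    return 0;
}
```

Two checks matter for an engine that executes bytes it did not generate at run time: every operand field is length-checked before it is read, and the run fails if the operand stack is not balanced when the stream ends, so a truncated or tampered stream is rejected instead of interpreted.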
The following uses the example of hardening one ELF file to briefly explain how the bytecode enters the engine and how it exits.
Fig. 6 is a schematic flow chart of a hardening method for ELF files. As shown in Fig. 6, the method comprises:
Step S61: merge multiple SO files into one shell program file, so that the multiple SO files to be protected are packed together. That is, the multiple SO files are written to an assigned address in the shell program file; the shell program file runs before the SO files, obtaining priority, and protects the SO files from being illegally modified or decompiled.
The full name of packing is the compression and encryption of executable program resources. Packing in fact adds an outer coat to the executable file, and it is this shell that the user executes. When the shell executes, it decompresses or decrypts the original program in memory and, after decompression or decryption, hands execution back to the real program. All of this work is done in memory.
Existing packing methods for SO files generally pack a single SO file at a time, that is, one SO file is packed once; if there are many SO files, packing is repeated many times, which inevitably makes the final installation package very large. In embodiments of the invention, all SO files under lib are merged into the same shell and written to an assigned address in the shell program file. Testing found that merging all SO files before packing reduces the space they occupy by about 30% in general; the more SO files there are and the larger they are, the larger the reduction in occupied space.
Step S62: apply protection processing to the multiple SO files in the shell program file, mainly further hardening the single packed SO file.
Step S63: receive a call request for at least one SO file, and determine the object to be called that the call request corresponds to.
Step S64: according to the determined object to be called, call the at least one SO file at the shell program file.
Because the SO files have been packed together, when a third party calls them, the packed program loads the requested SO file according to the call request and assists its loading.
In one embodiment of the invention, the shell program file in the method shown in Fig. 6 contains code that can decrypt the SO files after protection processing. When an SO file is loaded and run, the shell program file runs first, obtaining priority, and decrypts the protected SO file, restoring the source code of the SO file to complete, correctly ordered, unencrypted code that can be fully restored, which then loads and runs normally after unpacking.
In one embodiment of the invention, merging the multiple SO files into one shell program file in step S61 of the method shown in Fig. 6 comprises:
converting the multiple SO files into a binary stream and writing it into a shell program file, where the shell program file contains at least the header information of the multiple SO files.
In one embodiment of the invention, the hardening of the multiple SO files in the shell program file in step S62 of the method shown in Fig. 6 can use one or more of the following processing modes:
1) Remove the hidden information of the multiple SO files, so that SO file information is missing; even if someone maliciously decrypts or decompiles the SO files, they cannot obtain complete SO files, which makes static tool analysis difficult.
2) Apply section-wise encryption to the multiple SO files. The data sections and code sections of the multiple SO files can be encrypted separately to increase the difficulty of decryption.
3) Apply code obfuscation to the multiple SO files: without changing the code logic, add dead code to the code of the multiple SO files or rename the code of the multiple SO files, so that the decompiled source code is hard to understand and analysis of the code after decompilation becomes more difficult.
4) Apply anti-debugging processing to the multiple SO files. Anti-debugging points can be inserted into the code of the multiple SO files after code obfuscation; after obfuscation the anti-debugging points are not easy to find, which causes a cracker much confusion when debugging and increases the difficulty of cracking.
In step S63, receiving a call request for at least one SO file and determining the object to be called that the call request corresponds to comprises:
receiving the call request for the at least one SO file outside the shell program file, and determining the object to be called that the call request corresponds to;
and calling the at least one SO file at the shell program file according to the determined object to be called comprises:
receiving, at the shell program file, the determination result of the object to be called, and calling the at least one SO file accordingly.
In one embodiment, receiving the call request for at least one SO file outside the shell program file and determining the object to be called that the call request corresponds to comprises:
setting up a hook in a system library file;
using the hook, between the third-party application and the shell program file, to receive the call request of the third-party application and parse the object to be called that the call request corresponds to.
In computer security technology, hook technology is widely used to hook and intercept the various functions of an application program that is to be monitored, so as to monitor the event behaviour of that application; different hook functions are called for different event behaviours, and the corresponding security protection processing is carried out according to the behaviour observed.
A hook is a mechanism that an application sets up during Windows message processing to monitor the message flow and to handle messages that have not yet reached the target window procedure. If the hook procedure is implemented inside the application, the hook does not work while that application is not the current window; if the hook is implemented in a DLL that the program loads dynamically at run time, it can monitor the system in real time. This ability lets a hook "inject" its own code into the process of the hooked program and become part of the target process. "Hooking" covers the techniques that change or augment the behaviour of an operating system, an application or another software component by intercepting the function calls, messages or events passed between software components; the code that handles an intercepted function call, event or message is called a hook function. Hooks are used for all kinds of purposes, including debugging functions and extending them. Examples include intercepting keyboard or mouse events before they are delivered to an application, intercepting system calls or the behaviour of system functions, and intercepting function results, in order to monitor or modify the functionality of an application or another component.
Based on this principle, the present embodiment uses a hook function to intercept the third party's call to the SO file and then calls the shell program; the shell file completes the loading of the actual SO file according to the SO filename.
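The hand-off just described, where the hook captures the SO filename a third-party application asked for and the shell file resolves that name against the header information it carries for the packed SO files, decrypting the code and data sections separately as in processing mode 2, as an added C example. This is not the patent's code: the container layout, the rolling XOR standing in for a real cipher, and the names shell_file, shell_add_so, shell_find and shell_load are this example's own assumptions, and the hook itself is omitted because it depends on the target runtime. The sample sections are constructed bytes.

```c
/* Added example, not from the patent: a toy "shell program file" that holds
 * several SO images as one binary stream behind a header table, encrypts
 * each SO's code and data sections separately, and resolves the filename a
 * hooked loader asks for. Layout, keystream and names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_SO   4
#define NAME_LEN 32
#define BLOB_LEN 1024

/* Header information kept for each packed SO (the header information the
   shell file must carry): its name and where its sections sit in the blob. */
typedef struct {
    char   name[NAME_LEN];
    size_t text_off, text_len;   /* code section, encrypted with key_text */
    size_t data_off, data_len;   /* data section, encrypted with key_data */
} so_header;

typedef struct {
    so_header hdr[MAX_SO];
    size_t    count;
    uint8_t   blob[BLOB_LEN];    /* the binary stream of all SO sections */
    size_t    used;
} shell_file;

/* Rolling XOR stands in for a real cipher (assumption); it is symmetric, so
   the same call packs and unpacks. Separate keys per section is the point. */
static void xor_section(uint8_t *p, size_t n, uint8_t key) {
    for (size_t i = 0; i < n; i++) p[i] ^= (uint8_t)(key + (uint8_t)i);
}

/* Append one SO's sections to the stream, encrypted, and record its header.
   Returns 0, or -1 when the table, the name or the blob would overflow. */
int shell_add_so(shell_file *sf, const char *name,
                 const uint8_t *text, size_t tlen,
                 const uint8_t *data, size_t dlen,
                 uint8_t key_text, uint8_t key_data) {
    if (sf->count >= MAX_SO || strlen(name) >= NAME_LEN) return -1;
    if (tlen > BLOB_LEN - sf->used || dlen > BLOB_LEN - sf->used - tlen) return -1;
    so_header *h = &sf->hdr[sf->count];
    strcpy(h->name, name);
    h->text_off = sf->used; h->text_len = tlen;
    memcpy(sf->blob + sf->used, text, tlen);
    xor_section(sf->blob + sf->used, tlen, key_text);
    sf->used += tlen;
    h->data_off = sf->used; h->data_len = dlen;
    memcpy(sf->blob + sf->used, data, dlen);
    xor_section(sf->blob + sf->used, dlen, key_data);
    sf->used += dlen;
    sf->count++;
    return 0;
}

/* Resolve the object to be called: the name the hook captured from the
   third-party application's load request, looked up in the header table. */
const so_header *shell_find(const shell_file *sf, const char *name) {
    for (size_t i = 0; i < sf->count; i++)
        if (strcmp(sf->hdr[i].name, name) == 0) return &sf->hdr[i];
    return NULL;
}

/* "Load" the actual SO: decrypt its two sections into the caller's buffers.
   Returns 0, or -1 if the name is unknown or a buffer is too small. */
int shell_load(const shell_file *sf, const char *name,
               uint8_t *text_out, size_t tcap,
               uint8_t *data_out, size_t dcap,
               uint8_t key_text, uint8_t key_data) {
    const so_header *h = shell_find(sf, name);
    if (!h || h->text_len > tcap || h->data_len > dcap) return -1;
    memcpy(text_out, sf->blob + h->text_off, h->text_len);
    xor_section(text_out, h->text_len, key_text);
    memcpy(data_out, sf->blob + h->data_off, h->data_len);
    xor_section(data_out, h->data_len, key_data);
    return 0;
}

int main(void) {
    /* Constructed sample sections: Thumb "bx lr; nop" and three data bytes. */
    const uint8_t text1[] = { 0x70, 0x47, 0x00, 0xbf };
    const uint8_t data1[] = { 1, 2, 3 };
    shell_file sf;
    uint8_t t[16], d[16];
    memset(&sf, 0, sizeof sf);
    if (shell_add_so(&sf, "libfoo.so", text1, sizeof text1,
                     data1, sizeof data1, 0x5A, 0xC3) != 0) return 1;
    printf("packed %zu bytes; first byte on disk 0x%02x (plain 0x%02x)\n",
           sf.used, sf.blob[0], text1[0]);
    if (shell_load(&sf, "libfoo.so", t, sizeof t, d, sizeof d, 0x5A, 0xC3) == 0)
        printf("restored text: %02x %02x %02x %02x\n", t[0], t[1], t[2], t[3]);
    return 0;
}
```

Because the code and data sections are keyed separately, a wrong data key leaves the restored code section intact while the data section comes back wrong, which is the property processing mode 2 relies on; the loader also refuses names that are not in the header table and buffers that are too small rather than copying partial sections.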
Because Android is an open-source system based on the Linux kernel, it can be divided by language environment into a Java layer, a native C layer and a Linux kernel layer. Normally, when a third party calls an SO file, it must load the corresponding SO file by filename through the Java layer's LoadLibrary function (System.loadLibrary); specifically, LoadLibrary calls the dlopen function inside libdvm.so, which finally loads the SO file.
The normal flow by which the system loads an SO file is: first map the SO into memory, then execute INIT_ARRAY, and then enter the JNI_OnLoad function. JNI_OnLoad is the entry function. Suppose a function A needs to be called from JNI_OnLoad. The normal flow is:
JNI_OnLoad => A => return to JNI_OnLoad
If function A is the object of protection, function A is converted into a jump instruction plus bytecode:
JNI_OnLoad => A' => engine => A' => return to JNI_OnLoad
A' mainly comprises the entry address of the interpretation engine (VMP), the exit address, and the bytecode produced by virtualization, i.e. function A after virtualization as described above.
The interpretation engine can be integrated into this SO as part of the SO rather than existing separately.
As shown in Fig. 3, according to another aspect of the invention, the ELF file protection system based on ARM instruction virtualization comprises a converting unit 10, a jump unit 20 and an interpretation engine 30. The converting unit 10 converts the instructions of the original function into bytecode, saves the register and stack information of the original function, adds a jump instruction and deletes the remaining instructions. The jump unit 20 executes the jump instruction, jumping to the interpretation engine entry. The interpretation engine 30 may comprise an interpretation unit 301 that interprets the bytecode instruction by instruction according to the preset bytecode semantics; once the bytecode has been interpreted, control leaves the engine function and jumps to the engine exit, where the stack and register information of the original function is restored before returning to the original function. The interpretation engine 30 may also comprise an updating unit 302 that updates the saved register and stack information while the bytecode is being interpreted.
The above are only some embodiments of the invention. Those of ordinary skill in the art can make further variations and improvements without departing from the concept of the invention, and these all fall within the scope of protection of the invention.
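The A => A' => engine => A' flow and the Fig. 3 units (converting unit, jump unit, interpretation unit 301 and updating unit 302) as an added C example, not the patent's own code. The stub A' saves its arguments as the register context the engine entry must preserve, the engine interprets stack-based bytecode (the architecture of claim 5) made of small stack operations (claim 4) while refreshing that saved context (claim 3), and the exit hands r0 back as the return value. vm_ctx, vm_run, a_prime, the six opcodes and the bytecode encoding are this example's assumptions; a real engine would save the actual ARM registers in the A' stub and be linked into the SO as the text describes.

```c
/* Added example, not code from the patent: the A -> A' -> engine -> A'
 * flow with a stack-based interpreter over "small" stack operations. A'
 * saves its arguments as the register context the engine entry preserves,
 * the engine interprets the bytecode while updating that context, and the
 * exit hands r0 back as the return value. vm_ctx, vm_run, a_prime, the
 * opcode set and the bytecode encoding are this example's own assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VM_STACK 32

/* Saved register file and private operand stack of the virtual machine. */
typedef struct {
    uint32_t r[4];            /* stands in for ARM r0..r3 */
    uint32_t stack[VM_STACK];
    size_t   sp;              /* number of live operand slots */
} vm_ctx;

enum {
    OP_PUSH_REG = 0x01,       /* push r[idx]                   */
    OP_PUSH_IMM = 0x02,       /* push 32-bit little-endian imm */
    OP_ADD      = 0x03,       /* pop b, pop a, push a + b      */
    OP_MUL      = 0x04,       /* pop b, pop a, push a * b      */
    OP_POP_REG  = 0x05,       /* r[idx] = pop                  */
    OP_EXIT     = 0x06        /* jump to the engine exit       */
};

static int vm_push(vm_ctx *c, uint32_t v) {
    if (c->sp >= VM_STACK) return -1;
    c->stack[c->sp++] = v;
    return 0;
}

static int vm_pop(vm_ctx *c, uint32_t *v) {
    if (c->sp == 0) return -1;
    *v = c->stack[--c->sp];
    return 0;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Interpretation unit plus updating unit: walks the bytecode and refreshes
   the saved registers as it goes. Returns 0 on OP_EXIT and -1 on a malformed
   stream (truncated operand, bad register index, stack under/overflow, or
   running off the end without OP_EXIT). */
static int vm_run(vm_ctx *c, const uint8_t *code, size_t len) {
    size_t pc = 0;
    uint32_t a, b;
    while (pc < len) {
        switch (code[pc++]) {
        case OP_PUSH_REG:
            if (pc >= len || code[pc] > 3) return -1;
            if (vm_push(c, c->r[code[pc++]])) return -1;
            break;
        case OP_PUSH_IMM:
            if (pc + 4 > len) return -1;
            if (vm_push(c, rd32(code + pc))) return -1;
            pc += 4;
            break;
        case OP_ADD:
            if (vm_pop(c, &b) || vm_pop(c, &a) || vm_push(c, a + b)) return -1;
            break;
        case OP_MUL:
            if (vm_pop(c, &b) || vm_pop(c, &a) || vm_push(c, a * b)) return -1;
            break;
        case OP_POP_REG:
            if (pc >= len || code[pc] > 3) return -1;
            if (vm_pop(c, &c->r[code[pc++]])) return -1;
            break;
        case OP_EXIT:
            return 0;
        default:
            return -1;
        }
    }
    return -1;
}

/* The original function A, kept only to compare against A'. */
uint32_t func_a(uint32_t x, uint32_t y) { return x * y + 7; }

/* Bytecode the converting unit would emit for A (hand-assembled here):
   push r0; push r1; mul; push 7; add; pop r0; exit */
static const uint8_t a_bytecode[] = {
    OP_PUSH_REG, 0, OP_PUSH_REG, 1, OP_MUL,
    OP_PUSH_IMM, 7, 0, 0, 0, OP_ADD, OP_POP_REG, 0, OP_EXIT
};

/* A': the stub left where A used to be. Entry saves the register context
   and initialises the VM stack; exit restores r0 as the result.
   Returns 0, or -1 if the engine rejected the bytecode. */
int a_prime(uint32_t x, uint32_t y, uint32_t *out) {
    vm_ctx ctx;
    memset(&ctx, 0, sizeof ctx);      /* engine entry: fresh stack */
    ctx.r[0] = x;                     /* engine entry: saved registers */
    ctx.r[1] = y;
    if (vm_run(&ctx, a_bytecode, sizeof a_bytecode) != 0) return -1;
    *out = ctx.r[0];                  /* engine exit: restore and return */
    return 0;
}

int main(void) {
    uint32_t r = 0;
    if (a_prime(6, 7, &r) == 0)
        printf("A(6,7)=%u  A'(6,7)=%u\n", func_a(6, 7), r);
    return 0;
}
```

The engine bounds-checks every operand fetch and every stack access rather than trusting the bytecode: in a shipped protector the bytecode sits in a writable section of the SO, and an interpreter that indexes r[] or the operand stack with unchecked values would turn a patched byte into memory corruption inside the protected process.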

Claims (10)

1. An ELF file protection method based on ARM instruction virtualization, comprising:
converting the instructions of an original function into bytecode;
saving the register and stack information of the original function, adding a jump instruction, and deleting the remaining instructions;
executing the jump instruction to jump to an interpretation engine so that the bytecode is interpreted.
2. The ELF file protection method based on ARM instruction virtualization according to claim 1, further comprising: the jump instruction points to the entry of the interpretation engine, and the entry of the interpretation engine saves the value of each register and initializes a stack.
3. The ELF file protection method based on ARM instruction virtualization according to claim 1 or 2, wherein the interpretation engine, while interpreting the bytecode, updates the saved register and stack information.
4. The ELF file protection method based on ARM instruction virtualization according to any one of claims 1 to 3, wherein the instructions of the original function are split into multiple virtual small instructions that are converted into corresponding bytecode; and/or
the interpretation engine uses multiple sub-interpretation units to interpret the bytecode.
5. The ELF file protection method based on ARM instruction virtualization according to any one of claims 1 to 4, wherein the interpretation of the bytecode uses a stack-based virtual machine architecture.
6. An ELF file protection system based on ARM instruction virtualization, comprising:
a converting unit for converting the instructions of an original function into bytecode, saving the jump instruction, register and stack information of the original function, and deleting the remaining instructions;
a jump unit that executes the jump instruction;
an interpretation engine that interprets, according to preset bytecode semantics, the bytecode passed in after the jump instruction is executed.
7. The ELF file protection system based on ARM instruction virtualization according to claim 6, wherein the interpretation engine comprises multiple sub-interpretation units.
8. The ELF file protection system based on ARM instruction virtualization according to claim 6, wherein the interpretation engine uses a stack-based virtual machine architecture.
9. The ELF file protection system based on ARM instruction virtualization according to any one of claims 6 to 8, wherein the jump instruction points to the entry of the interpretation engine, and the entry of the interpretation engine saves the value of each register and initializes a stack.
10. The ELF file protection system based on ARM instruction virtualization according to any one of claims 6 to 8, wherein the interpretation engine further comprises an updating unit that, while the bytecode is being interpreted, updates the saved register and stack information.
CN201510996999.4A 2015-12-25 2015-12-25 ELF file protection method and system based on ARM instruction virtualization Pending CN105608346A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510996999.4A CN105608346A (en) 2015-12-25 2015-12-25 ELF file protection method and system based on ARM instruction virtualization
PCT/CN2016/106146 WO2017107706A1 (en) 2015-12-25 2016-11-16 Elf file protection method and system based on arm instruction virtualization

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510996999.4A CN105608346A (en) 2015-12-25 2015-12-25 ELF file protection method and system based on ARM instruction virtualization

Publications (1)

Publication Number Publication Date
CN105608346A true CN105608346A (en) 2016-05-25

Family

ID=55988275

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510996999.4A Pending CN105608346A (en) 2015-12-25 2015-12-25 ELF file protection method and system based on ARM instruction virtualization

Country Status (2)

Country Link
CN (1) CN105608346A (en)
WO (1) WO2017107706A1 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106096338A (en) * 2016-06-07 2016-11-09 西北大学 A kind of have the virtualization software guard method that data stream is obscured
CN106778271A (en) * 2016-12-15 2017-05-31 华中科技大学 A kind of Android reinforces the reverse process method of plug-in unit
WO2017107706A1 (en) * 2015-12-25 2017-06-29 北京奇虎科技有限公司 Elf file protection method and system based on arm instruction virtualization
CN107122635A (en) * 2017-04-27 2017-09-01 北京洋浦伟业科技发展有限公司 A kind of reinforcement means of the reinforcement means of SO files, device and APK
CN107480479A (en) * 2017-08-15 2017-12-15 北京奇虎科技有限公司 Reinforcement means and device, computing device, the computer-readable storage medium of application program
CN107480476A (en) * 2017-06-15 2017-12-15 西北大学 A kind of Android local layer compiling of instruction based on ELF infection virtualizes shell adding method
CN107577925A (en) * 2017-08-11 2018-01-12 西北大学 Based on the virtual Android application program guard methods of dual ARM instruction
CN108334756A (en) * 2017-01-20 2018-07-27 武汉斗鱼网络科技有限公司 A kind of interference method and device to recursive decrease formula analyzer decompiling
CN108460276A (en) * 2016-12-09 2018-08-28 北京奇虎科技有限公司 A kind for the treatment of method and apparatus of the dynamic link library SO files of Android installation kit
CN110096338A (en) * 2019-05-10 2019-08-06 百度在线网络技术(北京)有限公司 Intelligent contract executes method, apparatus, equipment and medium
CN110457046A (en) * 2019-08-22 2019-11-15 广州小鹏汽车科技有限公司 Dis-assembling method, apparatus, storage medium and the terminal of mixed instruction collection program
CN110502874A (en) * 2019-07-19 2019-11-26 西安理工大学 A kind of Android App reinforcement means based on file self-modifying
CN111767116A (en) * 2020-06-03 2020-10-13 江苏中科重德智能科技有限公司 Virtual machine for mechanical arm program development programming language and operation method for assembly file
CN112199160A (en) * 2020-10-16 2021-01-08 常熟理工学院 Virtual instruction recovery method, device, equipment and storage medium
CN112527392A (en) * 2020-12-11 2021-03-19 成都云铀子网络科技有限公司 Static translation and static bridging android simulator instruction translation method
CN113536328A (en) * 2020-04-21 2021-10-22 中国移动通信集团重庆有限公司 Method and device for encrypting link library file and computing equipment
CN113590624A (en) * 2021-07-29 2021-11-02 北京天融信网络安全技术有限公司 Data processing method and electronic device
CN118502814A (en) * 2024-07-18 2024-08-16 杭州新中大科技股份有限公司 Software modification evaluation method, device, equipment and medium based on byte codes

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110554998B (en) * 2018-03-30 2024-02-13 腾讯科技(深圳)有限公司 Hook method, device, terminal and storage medium for replacing function internal instruction
CN109684794B (en) * 2018-12-07 2023-06-23 成都盈海益讯科技有限公司 Code protection virtual machine KVM system realization method, device, computer equipment and storage medium
CN111562916B (en) * 2019-02-13 2023-04-21 百度在线网络技术(北京)有限公司 Method and device for sharing algorithm
CN110275710B (en) * 2019-06-10 2023-07-14 天翼电子商务有限公司 Java local interface consistency checking method and system, storage medium and terminal
CN110489162B (en) * 2019-08-02 2023-09-22 北京字节跳动网络技术有限公司 Method, device, medium and equipment for simplifying installation package SO (storage and retrieval) file
CN111190604B (en) * 2019-12-30 2023-11-03 航天信息股份有限公司 Android application memory confusion method and device, electronic equipment and medium
CN112114933A (en) * 2020-08-14 2020-12-22 咪咕文化科技有限公司 Application program protection method, electronic device and storage medium
CN112883374B (en) * 2021-02-02 2022-07-01 电子科技大学 General Android platform application program shelling method and system based on ART environment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102736943A (en) * 2012-06-12 2012-10-17 电子科技大学 Dynamic compiling and executing method of embedded browser engine
CN103294518A (en) * 2012-12-31 2013-09-11 北京北大众志微系统科技有限责任公司 Indirect skip prediction method and indirect skip prediction system for interpreter
CN103530171A (en) * 2013-10-25 2014-01-22 大唐微电子技术有限公司 Smart card virtual machine and implementation method thereof
CN105046117A (en) * 2015-06-30 2015-11-11 西北大学 Code virtualization software protection system realizing instruction set randomization

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7124445B2 (en) * 2002-06-21 2006-10-17 Pace Anti-Piracy, Inc. Protecting software from unauthorized use by converting source code modules to byte codes
CN102831342B (en) * 2012-07-28 2016-01-06 北京深思数盾科技有限公司 A kind of method improving application program protection intensity in Android system
CN105608346A (en) * 2015-12-25 2016-05-25 北京奇虎科技有限公司 ELF file protection method and system based on ARM instruction virtualization



Also Published As

Publication number Publication date
WO2017107706A1 (en) 2017-06-29


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160525