CN106096338B - A virtualization software protection method with data-flow obfuscation - Google Patents
A virtualization software protection method with data-flow obfuscation
- Publication number: CN106096338B (application CN201610399231.3A)
- Authority: CN (China)
- Prior art keywords: handler, instruction, data flow, register, virtual machine
- Legal status: Active
Classifications
- G: PHYSICS
- G06: COMPUTING; CALCULATING OR COUNTING
- G06F: ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
- G06F21/12: Protecting executable software
- G06F21/14: Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Abstract
The invention discloses a virtualization software protection method with data-flow obfuscation. The steps are: Step 1, PE file detection; Step 2, locating the critical code section; Step 3, converting the native x86 instructions into virtual instructions; Step 4, encoding the virtual instructions to generate the corresponding bytecode instructions; Step 5, a two-process design of the virtual machine's scheduling structure; Step 6, data-flow obfuscation of the Handlers in the virtual machine; Step 7, hiding the predicate information originally in the program and adding new predicate information that forms false execution-flow branches; Step 8, reconstructing the target file. The method uses a computer system to apply virtualization protection to executable binary files on the Windows platform; the protection strength is high and the method is easy to extend.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a virtualization software protection method with data-flow obfuscation.
Background art
With the development of information technology, the various software applications for computers and mobile devices have become an indispensable part of people's daily lives. Software generally refers to programs that run on computers; it is the crystallization of its developers' intellectual effort, and its development consumes large amounts of manpower and money. Once released, however, software is exposed to all kinds of threats: attackers reverse engineer and tamper with the code to steal core algorithms and confidential information, and then gain an unfair advantage in product competition. This causes serious losses to enterprises and software developers and seriously harms the healthy development of the software industry.
Common software protection methods today are: 1. packing, which compresses or encrypts the software by adding a shell; 2. junk code insertion, which inserts junk code so that disassembly produces errors; 3. code obfuscation, such as variable substitution, equivalent-instruction substitution and control-flow transformation. These protection methods raise the difficulty of an attacker's reverse analysis to some extent, but each has its own limitations. A packed program is unpacked (decompressed or decrypted) first when it runs, so the attacker can still see the original instructions; junk code insertion only hinders static analysis and cannot prevent analysis based on dynamic execution; code obfuscation is based on semantic equivalence and consists of simple transformations, so its effect on reverse analysis is limited.
Software virtual machine protection is a software protection method that has emerged in recent years and can provide strong protection for software. Compared with traditional protection methods, the advantage of virtual machine protection is that it greatly increases the cost of the attacker's reverse analysis.
The traditional way of attacking a program protected by a virtual machine is to first reverse the virtual interpreter, then follow the process in which the virtual interpreter reads the bytecode one instruction at a time and calls the Handlers that execute it, so as to obtain the function of each bytecode instruction, and finally simplify and analyse the function of the bytecode sequence to recover the function of the original program. This traditional attack requires familiarity with the structure of the virtual machine protection and can be called an attack based on the virtual machine architecture. The various hardening measures for virtual machine protection can increase the security of the virtual machine and improve its resistance to this traditional, architecture-based attack.
In addition to the traditional attack based on the virtual machine architecture, researchers have in recent years also proposed semantics-based attacks. Coogan et al. proposed a method for identifying the instructions related to system calls, which can extract an instruction sequence similar to the original, unobfuscated program. This method works well for analysing malware after virtual machine protection, because a malicious program that is to carry out any meaningful malicious operation must inevitably interact with the system through system calls, and the instructions used for that interaction identify the critical behaviour for the analyst. Sharif et al. execute the program dynamically and use dynamic data-flow analysis and taint analysis to identify the bytecode program and extract its semantics, and then reconstruct the execution path and effect of the original program. Yadegari et al. collect one execution path of the program, then analyse path reachability with dynamic taint analysis and symbolic execution, and thereby simplify the control-flow graph of the original program and the logical structure inside it. Because these attacks do not depend on the structure of the virtual machine protection, they are quite general. The hardening measures mentioned above cannot resist semantics-based reverse analysis well.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a virtualization software protection method with data-flow obfuscation, which prevents semantics-based data-flow analysis techniques from attacking software after virtualization protection.
In order to achieve the above task, the present invention adopts the following technical scheme:
A virtualization software protection method with data-flow obfuscation, comprising the following steps:
Step 1, verify whether the loaded file to be protected is a PE file; if so, proceed to the next step;
Step 2, specify in the source code of the file to be protected the critical code section that needs protection, disassemble the critical code section, and obtain the x86 instruction set of the critical code section;
Step 3, convert the x86 instruction set obtained in step 2 into virtual instructions;
Step 4, map the virtual instructions to the corresponding Handler sequences (HAS), then encrypt the mapped Handler sequences HAS to obtain the bytecode instructions;
Step 5, apply a two-process design to the scheduling structure of the virtual machine. The two processes are a child process that executes the normal program function and a parent process that debugs the child process. When a Handler has run to completion, an exception is raised and captured by the parent process; the parent looks up the exception address and the destination address the exception jumps to in its interrupt address table. If the exception address and its destination address are found, the parent process sets the EIP register of the child process to the destination address and resumes the child's execution; if they are not found, the program's execution is terminated;
Step 6, apply data-flow obfuscation to each Handler in the virtual machine, making the data flow in the program more complex;
Step 7, hide the predicate information originally in the program, and add new predicate information that forms false execution-flow branches;
Step 8, add a new section to the original PE file, embed the obfuscated Handlers, the bytecode instructions and the other components of the virtual machine, including VMcontext, VMinit, Dispatcher and VMexit, into the new section, fill the critical code section with junk instructions, modify the instruction at the start address of the critical code section into a jump to the virtual machine entry, and regenerate a protected executable file.
Further, the process of applying data-flow obfuscation to a Handler in step 6 includes:
Taint bleaching: choose the Handler to be obfuscated, analyse the taint propagation path in the Handler, choose a register al on the path, and add a new register ebx; when the program reaches register al, let register ebx execute a +1 operation repeatedly, and when the value in register ebx equals the value in register al, continue the subsequent program flow with the value in register ebx.
Further, the process of applying data-flow obfuscation to a Handler in step 6 also includes:
Over-tainting: choose the Handler to be obfuscated, analyse the taint propagation path in the Handler, choose on the path the registers that will be used, push those registers onto the stack, spread the tainted data into the other registers with data-transfer or arithmetic instructions, and then pop the registers that were used off the stack to restore the stack environment.
Further, the detailed process of step 7 includes:
Using a random function, hide the jump instruction at the end of some of the Handlers in the virtual machine, which increases the complexity of the program's execution flow, and at the same time add some predicate information at random inside the Handlers to form false branches.
Further, the specific method of hiding the jump instruction at the end of a Handler includes:
Building an exception instruction library in which different exception-raising instructions are stored;
Establishing an interrupt address information table, which consists of the current address of each exception instruction from the library and the destination address of the basic block in which the exception instruction is located;
Using a random function, rewriting the jump instruction at the end of some of the Handlers in the virtual machine into an exception instruction that raises an exception interrupt; after the exception interrupt is captured, looking up in the interrupt address information table the current address of the exception instruction and the destination address of the basic block in which it is located, and then jumping there to reach the original jump destination.
Compared with the prior art, the present invention has the following technical characteristics:
1. It protects binary code, is independent of the programming language used, and is therefore widely applicable;
2. Traditional software virtual machine protection systems cannot resist semantics-based deobfuscation attacks well. Semantics-based deobfuscation is built on data-flow analysis and optimisation, so an effective data-flow obfuscation method can improve the virtual machine protection system's resistance to such attacks. To achieve a good data-flow obfuscation effect, a virtual machine protection system with two processes is adopted and implemented, the virtual machine architecture is redesigned, and the execution process of the protected software becomes more complex and diverse.
3. Compared with the single-process VM structure, the two-process structure introduced in the design gives the virtual machine architecture an indeterminate structure: the execution flow and data flow of the program are more complex and diverse, which increases the difficulty of the attacker's semantic analysis. The two processes communicate interactively and cooperate to complete the program's execution, which also has a certain message-passing and anti-debugging effect.
4. A data-flow metamorphic engine is used to transform the Handlers of the virtual interpreter, so that the Handlers resist data-flow based analysis.
Description of the drawings
Fig. 1 is the process framework diagram of the invention;
Fig. 2 is the program execution after virtual machine protection with the data-flow obfuscation of the method of the invention;
Fig. 3 is the software execution process after virtual machine protection before the present invention;
Fig. 4 is an example of a simple hidden predicate in the present invention.
Detailed description of embodiments
The invention proposes a virtualization software protection method with data-flow obfuscation, comprising the following steps:
Step 1, verify whether the loaded file to be protected is a PE file; if so, proceed to the next step. In the present invention a PE file means the mainstream executable file format on the Windows platform, such as .exe and .dll files.
Step 2, specify in the source code of the file to be protected the critical code section that needs protection, disassemble the critical code section, and obtain the x86 instruction set of the critical code section.
The critical code section is the key code, specified by the user in the source code, that needs protection; an SDK start marker is embedded at the beginning of the critical code section and an SDK end marker at its end. The SDK is a set of start and end markers defined by DFO-VMP (A Virtual Software Protection Method with Data Flow Obfuscation). After the PE file has been generated, the start and end addresses of the critical code section can be obtained simply by finding the SDK markers, so as to locate the critical code section; it is then disassembled to obtain the x86 instruction set of the critical code section.
Step 3, on the premise of preserving semantic equivalence, convert the x86 instruction set obtained in step 2 into virtual instructions according to the correspondence between x86 instructions and virtual instructions.
During protection, converting an x86 instruction into virtual instructions mainly involves three operations:
(1) A "load" virtual instruction: the operand of the native instruction is pushed onto the stack;
(2) The target operation instruction: the target operation of the native instruction is executed. The virtual instruction does not need to consider the type of the operand, since it takes the relevant operands directly from the top of the stack, but it does need to consider the size of the operand;
(3) A "store" virtual instruction: the result of the operation is stored into the virtual environment.
Virtualization of data-transfer instructions, such as "mov", "push" and "pop", mainly uses the "load" and "store" instructions; virtualization of arithmetic and logic instructions strictly follows the three-step operation above; virtualization of control-transfer instructions is realised by combining the "load" instruction with the "jmp" instruction. Table 1 gives some examples of native instruction virtualization.
For native instructions with complex addressing modes, the virtual instructions above can be used repeatedly during virtualization, as for the instruction "mov eax, dword [esi+32]" in table 1. The "42a583h" in table 1 is the address of the bytecode instruction corresponding to the native instruction stored at address "4020a8h".
Table 1: Examples of native instructions and their corresponding virtual instructions
Step 4, map the virtual instructions to the corresponding Handler sequences (HAS), then encrypt the mapped Handler sequences HAS to obtain the bytecode instructions.
The virtual instructions are ultimately stored in the protected program in the form of bytecode. Because the virtual opcode, addressing mode and operands of different virtual instructions differ, the corresponding Handler sequences also differ; a virtual instruction is interpreted by one or more Handlers. A virtual instruction (VI) is mapped to its corresponding Handler sequence HAS (Handler Sequence), which consists of Handler serial numbers and Handler parameters; the mapped HAS is then encrypted to obtain the bytecode instruction VMdata.
Virtual instructions and native instructions have a simple correspondence, and this scheme adopts a simple encoding rule: the byte that describes the operation of a virtual instruction is separated from the bytes that describe the object of the operation. In the implementation each virtual instruction is assigned a different ID; the IDs range from 0 to 255, so a single byte is sufficient to encode all IDs, and these IDs also serve as the opcodes. As shown in table 2:
Table 2: Virtual instructions and their corresponding bytecode
| Virtual instruction | Bytecode |
| load_r 4 | 00 04 |
| load_i 32 | 04 0x20 |
| add32 | 42 |
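The lowering of step 3 and the encoding of step 4 can be checked end to end with a small model. The following is an added example, not code from the patent: it lowers a few x86 instructions into the load / operate / store scheme described above, encodes them with one-byte opcode IDs (0x00, 0x04 and 0x42 are the IDs table 2 shows; the other IDs, the 4-byte little-endian immediate, the VMcontext register numbering and the memory model are assumptions made here), and runs the bytecode through a Dispatcher/Handler loop to confirm it computes what the native instructions compute. Encryption of the HAS is left out.

```python
"""Added example, not the patent's code: a toy model of steps 3 and 4.

Opcode IDs 0x00 (load_r), 0x04 (load_i) and 0x42 (add32) are taken from
table 2; store_r, load_m, sub32 and xor32 are chosen here. Immediates are
encoded as 4 little-endian bytes (table 2 shows a 1-byte immediate, so this
is an assumption). HAS encryption is not modelled.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 reg order
MASK = 0xFFFFFFFF
OP = {"load_r": 0x00, "load_i": 0x04, "store_r": 0x08, "load_m": 0x0C,
      "add32": 0x42, "sub32": 0x43, "xor32": 0x44}


def _operand_vi(o):
    """Virtual instructions that push the value of one x86 operand."""
    o = o.strip()
    if o in REGS:
        return [("load_r", REGS.index(o))]
    if o.startswith("dword [") and o.endswith("]"):        # [base+disp]
        base, disp = o[7:-1].split("+")
        return [("load_r", REGS.index(base.strip())), ("load_i", int(disp, 0)),
                ("add32", None), ("load_m", None)]
    return [("load_i", int(o, 0) & MASK)]


def lower(x86):
    """'op dst, src' -> list of (mnemonic, operand) virtual instructions."""
    mnem, ops = x86.split(None, 1)
    dst, src = ops.split(",")
    dst = dst.strip()
    if mnem == "mov":
        return _operand_vi(src) + [("store_r", REGS.index(dst))]
    alu = {"add": "add32", "sub": "sub32", "xor": "xor32"}[mnem]
    return (_operand_vi(dst) + _operand_vi(src)
            + [(alu, None), ("store_r", REGS.index(dst))])


def encode(vis):
    """Bytecode: one ID byte, then only the operand bytes that ID requires."""
    out = bytearray()
    for mnem, arg in vis:
        out.append(OP[mnem])
        if mnem in ("load_r", "store_r"):
            out.append(arg)
        elif mnem == "load_i":
            out += struct.pack("<I", arg)
    return bytes(out)


def run(code, ctx, mem=None):
    """Dispatcher loop: fetch an ID and run its Handler on the operand stack."""
    regs = {r: 0 for r in REGS}          # VMcontext: the virtual register file
    regs.update(ctx)
    mem = dict(mem or {})
    stack, pc = [], 0
    while pc < len(code):
        op = code[pc]
        pc += 1
        if op == OP["load_r"]:
            stack.append(regs[REGS[code[pc]]]); pc += 1
        elif op == OP["load_i"]:
            stack.append(struct.unpack_from("<I", code, pc)[0]); pc += 4
        elif op == OP["store_r"]:
            regs[REGS[code[pc]]] = stack.pop(); pc += 1
        elif op == OP["load_m"]:
            stack.append(mem.get(stack.pop(), 0))
        else:                              # binary ALU Handlers
            b = stack.pop(); a = stack.pop()
            r = {OP["add32"]: a + b, OP["sub32"]: a - b, OP["xor32"]: a ^ b}[op]
            stack.append(r & MASK)
    return regs


def protect_and_run(x86_lines, ctx, mem=None):
    """Lower + encode a native sequence, then execute it as bytecode."""
    return run(b"".join(encode(lower(l)) for l in x86_lines), ctx, mem)
```

The `dword [esi+32]` case shows the point made about table 1: a complex addressing mode becomes several virtual instructions (load_r, load_i, add32, load_m) rather than one. Because every operand passes through the operand stack, the bytecode carries no x86 register encoding at all; an attacker who has not recovered the Handler behind each ID cannot read the semantics from the bytes.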
Step 5, redesign of the virtual machine scheduling structure
The flow of the traditional centralised scheduling structure in a virtual machine is: after entering the virtual machine, the Dispatcher fetches VMdata, decrypts it to obtain a Handler serial number, and executes the corresponding Handler; when the Handler finishes, control returns to the Dispatcher and the process repeats until the function of the critical code section has been completed.
This step applies a two-process design to the scheduling structure of the traditional virtual machine. The two processes are a child process that executes the normal program function and a parent process that debugs the child process. When a Handler has run to completion, an exception is raised and captured by the parent process. The parent process holds an interrupt address table that records exception addresses and the destination addresses the exceptions jump to.
The parent looks up the exception address and the destination address the exception jumps to in its interrupt address table. If the exception address and its destination address are found, the parent process sets the EIP register of the child process to the destination address and resumes the child's execution; if they are not found, the program's execution is terminated.
When the program runs, the parent process first executes a piece of assembly code that creates a child process. The created child process executes the function of the normal program, and the parent process acts as the debugger of the child process. An example of the assembly code that creates the child process is shown in table 3:
Table 3: Assembly code that creates the child process
The conventional virtual machine structure is redesigned so that the virtual machine architecture is distributed across two different processes. This structure has the following characteristics: 1. It increases the complexity of the control flow and execution flow when the program runs, making the structure of the calling program more complex. 2. The mechanism by which the two processes communicate with each other allows the program's execution to be monitored, so that an attacker cannot alter the program's execution flow. 3. It also serves an anti-debugging purpose, because in the Windows environment a process can be debugged by only one debugger at a time, and the child process is already being debugged by the parent. Together these characteristics allow this structure to play a good protective role.
Step 6, apply data-flow obfuscation to each Handler in the virtual machine, making the data flow in the program more complex.
The purpose of introducing data-flow obfuscation into the virtual machine is to increase the complexity of the data flow when the program runs, to prevent the attacker from using data-flow analysis techniques to reverse it, and thereby to resist semantic analysis. Several data-flow obfuscation mechanisms can be used when introducing data-flow obfuscation; the main ones are of two kinds: 1. taint bleaching, i.e. adding a taint-bleaching effect to the data flow of the program; 2. over-tainting, i.e. increasing the amount of tainted data in the program as much as possible. The latter mechanism means that when the attacker performs taint analysis, the useful data cannot be isolated from the large volume of tainted data, so the instructions cannot be analysed accurately. The two kinds are explained separately below.
1. Taint bleaching
Table 4: The atom Handler without obfuscation
Table 4 shows a Handler in the virtual machine without data-flow obfuscation. The operation this atom Handler performs is to read a byte of bytecode from VMdata (instruction 3 performs the read), decrypt the bytecode (instructions 4-7 perform the decryption), compute the address of a virtual register in the virtual environment from the decrypted bytecode (instructions 8-9 perform the computation), and push this address onto the stack. Register esi points to the start address of VMdata, and register edi points to the start address of VMcontext.
Analysing this atom Handler shows the following. When an attacker analyses the program, an input value of the program is first marked as tainted data (for example, the bytecode data in VMdata are given a taint label). When the program reaches this Handler and executes the instruction lods byte ptr ds:[esi], the taint is propagated to register al, and when the address in the virtual context environment is computed afterwards the taint is propagated all the way through. In this way the attacker can use data-flow analysis to work out precisely the layout of the register addresses in the virtual context environment, and then carry on with the subsequent analysis.
The bytecode in the virtual machine is ultimately interpreted and executed by the Handlers designed for the virtual machine, so applying data-flow obfuscation to the Handlers is essential; this obfuscation effectively prevents the attacker from analysing them with taint propagation techniques.
Table 5: The atom Handler after obfuscation
Table 5 shows the atom Handler after data-flow obfuscation. As can be seen from the table, after obfuscation the taint propagation path is blocked by adding a new register ebx to the Handler. After the instruction lods byte ptr ds:[esi] has read one bytecode byte into register al, register ebx is incremented repeatedly; when the value of ebx equals the value read into al, the value of ebx is passed on to eax. In this way register eax is not tainted, and the taint is not propagated when the memory address is then computed. The principle of this method is that the data is updated by way of a cmp comparison, and many variants can be derived from this principle; to reduce the number of loop comparisons, rounding and modulo operations can for example be used to cut down the number of comparisons. This method effectively prevents the propagation of the taint and stops the attacker's further analysis.
The detailed process of taint bleaching is: choose the Handler to be obfuscated, analyse the taint propagation path in the Handler, choose a register al on the path, and add a new register ebx; when the program reaches register al, let register ebx execute a +1 operation repeatedly, and when the value in register ebx equals the value in al, continue the subsequent program flow with the value in register ebx.
2. Over-tainting
The atom Handler of table 4 is again used as the illustration. Some data-flow obfuscation instructions are added to the atom Handler; the effect of these instructions is to expand the propagation of the taint as far as possible, so that the attacker cannot distinguish the instructions that need to be marked and cannot collect accurate execution information.
Table 6: The atom Handler with added taint over-propagation instructions
Table 6 shows the atom Handler with the taint over-propagation instructions added. When the attacker analyses the program and assigns a taint label that is stored in register al, this taint label is propagated to registers bl, ebx (the register mentioned in table 5), ecx and edx, and the number of instructions collected is also far greater than it was originally, without data-flow obfuscation. Note that the original program's function is completed by many Handlers working together, so the final taint propagation becomes very large, which very effectively prevents the attacker's analysis.
The detailed process of over-tainting is: choose the Handler to be obfuscated, analyse the taint propagation path in the Handler, choose on the path the registers that will be used, push those registers onto the stack (the stack balance must be maintained), and spread the tainted data into other registers with data-transfer or arithmetic instructions. For example, if the tainted data is stored in register al, operations such as mov bl, al; add ecx, eax; mov dl, al propagate the data held in the tainted register al into other registers; the registers that were used are then popped off the stack to restore the stack environment.
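To see what taint bleaching and over-tainting actually do to an analyst's taint tracker, the following added example (not the patent's code; tables 4 to 6 are not reproduced on this page, so the three Handler bodies are reconstructed from the text above) runs a register-level taint engine over an unobfuscated atom Handler, a bleached one and an over-tainted one. The decryption key, the VMcontext base and the Handler bodies are constructed; taint is tracked one bit per 32-bit register and per stack slot, for explicit data flows only unless `implicit=True`.

```python
"""Added example (not the patent's code): taint tracker over three
reconstructions of the 'atom Handler' of step 6.

Assumptions: one taint bit per 32-bit register and per stack slot; 8-bit
registers alias their parent; the VMdata byte read by lodsb is the taint
source; KEY, edi and the handler bodies are constructed. The analysed
output is the VMcontext address each Handler pushes.
"""
KEY = 0x5A                                            # constructed decrypt key
SUB = {"al": "eax", "bl": "ebx", "cl": "ecx", "dl": "edx"}


class TaintCPU:
    def __init__(self, vmdata, edi=0x1000, implicit=False):
        self.r = {n: 0 for n in ("eax", "ebx", "ecx", "edx", "esi", "edi")}
        self.t = {n: False for n in self.r}
        self.r["edi"] = edi                           # VMcontext base
        self.mem, self.mem_t = list(vmdata), [True] * len(vmdata)
        self.stack = []                               # (value, taint) slots
        self.zf = self.zf_t = False
        self.implicit, self.path_t = implicit, False  # implicit-flow policy
        self.tainted_ops = 0                          # writes of tainted data

    def get(self, x):
        if isinstance(x, int):
            return x, False
        p = SUB.get(x, x)
        return self.r[p] & (0xFF if x in SUB else 0xFFFFFFFF), self.t[p]

    def put(self, x, v, taint):
        p, m = SUB.get(x, x), (0xFF if x in SUB else 0xFFFFFFFF)
        self.r[p] = (self.r[p] & ~m) | (v & m)
        self.t[p] = taint or (self.implicit and self.path_t)
        self.tainted_ops += self.t[p]

    def run(self, prog):
        labels = {i[1]: n for n, i in enumerate(prog) if i[0] == "label"}
        pc = 0
        while pc < len(prog):
            ins, pc = prog[pc], pc + 1
            op = ins[0]
            if op == "lodsb":                         # al <- [esi]; esi++
                i = self.r["esi"]
                self.put("al", self.mem[i], self.mem_t[i])
                self.r["esi"] += 1
            elif op in ("mov", "movzx"):
                self.put(ins[1], *self.get(ins[2]))
            elif op == "xor" and ins[1] == ins[2]:    # zeroing idiom clears taint
                self.put(ins[1], 0, False)
            elif op in ("add", "xor", "shl"):
                a, ta = self.get(ins[1]); b, tb = self.get(ins[2])
                self.put(ins[1], {"add": a + b, "xor": a ^ b, "shl": a << b}[op], ta or tb)
            elif op == "inc":
                a, ta = self.get(ins[1]); self.put(ins[1], a + 1, ta)
            elif op == "cmp":
                a, ta = self.get(ins[1]); b, tb = self.get(ins[2])
                self.zf, self.zf_t = a == b, ta or tb
            elif op == "jne":
                self.path_t |= self.zf_t              # control now depends on taint
                if not self.zf:
                    pc = labels[ins[1]]
            elif op == "push":
                self.stack.append(self.get(ins[1]))
            elif op == "pop":
                self.put(ins[1], *self.stack.pop())
        return self


ORIGINAL = [                                # table 4 as the text describes it
    ("lodsb",), ("xor", "al", KEY),         # read + decrypt one VMdata byte
    ("movzx", "eax", "al"), ("shl", "eax", 2),
    ("add", "eax", "edi"), ("push", "eax"), # push the virtual register's address
]
BLEACHED = [                                # taint bleaching (table 5)
    ("lodsb",), ("xor", "al", KEY),
    ("xor", "ebx", "ebx"),                  # clean counter
    ("label", "L"), ("inc", "ebx"), ("cmp", "bl", "al"), ("jne", "L"),
    ("movzx", "eax", "bl"),                 # al's value, but from the counter
    ("shl", "eax", 2), ("add", "eax", "edi"), ("push", "eax"),
]
OVER_TAINTED = [                            # over-tainting (table 6)
    ("lodsb",), ("xor", "al", KEY),
    ("push", "ebx"), ("push", "ecx"), ("push", "edx"),      # keep stack balanced
    ("mov", "bl", "al"), ("add", "ecx", "eax"), ("mov", "dl", "al"),
    ("xor", "ebx", "ecx"), ("add", "edx", "ebx"),           # keep mixing taint
    ("pop", "edx"), ("pop", "ecx"), ("pop", "ebx"),         # restore stack
    ("movzx", "eax", "al"), ("shl", "eax", 2), ("add", "eax", "edi"), ("push", "eax"),
]


def analyse(handler, vmdata_byte, implicit=False):
    """Return (address pushed, is it tainted, tainted writes executed)."""
    cpu = TaintCPU([vmdata_byte], implicit=implicit).run(handler)
    addr, taint = cpu.stack[-1]
    return addr, taint, cpu.tainted_ops
```

Under explicit-flow tracking the bleached Handler pushes the same VMcontext address with the taint bit cleared, and the over-tainted one pushes a tainted address after twice as many tainted writes. The check worth keeping in mind is the `implicit=True` run: a taint engine that propagates taint through control dependencies (the tainted `cmp`/`jne` decides when the counter stops) marks the counter and everything derived from it as tainted again, so bleaching only defeats engines that ignore implicit flows. Over-tainting, by contrast, inflates the set of tainted instructions whatever the policy.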
Step 7, the predicate information of script in concealing program, and add new predicate information and constitute false execution flow branching;
Resisting the key that semiology analysis is analyzed is the predicate information in concealing program, because attacker is utilizing semiology analysis
Be predicate information in program to be navigated to first when going analysis program, instruction be then subjected to symbolic formulation, so again into
The controlling stream graph information of program is finally constructed in row accessibility reasoning.
In the design of virtual machine, each Handler, which has been executed, can have a jump instruction to jump back to
Dispatcher carries out that next bytecode is taken then to decrypt execution, and circulation executes code fetch-decoding-execution, until all words
Section code executes completion, then end loop.Based on this, we convert the Handler in virtual machine, utilize random function
Jump instruction after making part Handler is hidden, and increases the complexity that program executes stream, while random in Handler
Some predicate information are added, constitutes false branch, further confuses attacker, when attacker analyzes, constructed
Controlling stream graph is branched structure information that is incomplete or there is vacation.
The specific method that jump instruction is hidden includes:
Structural anomaly instruction database is stored with different exceptional instructions in exceptional instructions library;What the design of exceptional instructions used
It is common x86 instruction, does so with certain sequestration, make attacker can not be easily when analyzing program instruction
Note abnormalities code.The structural anomaly instruction database first in design randomly chooses in exceptional instructions library abnormal when being replaced
Instruction is replaced, and abnormality code as shown in table 3 is some instructions of x86, and such as except zero is abnormal, internal storage access is abnormal, is interrupted different
Often etc..
7 exceptional instructions type of table and illustration
Interrupt address information table is established, the table is by the current address of the exceptional instructions in exceptional instructions library and exceptional instructions institute
It is formed in the destination address of basic block;The structure of interrupt address information table is as shown in table 8:
8 interrupting information table of table
The current address of exceptional instructions | The destination address of basic block where exceptional instructions |
The predicate information in the program is hidden by means of the exception mechanism, as shown in Figure 4. A random function selects part of the Handlers in the virtual machine, and the jump instruction following each selected Handler is rewritten as an exceptional instruction so that executing it raises an exception interrupt. Once the exception interrupt has been captured, the current address of the exceptional instruction is looked up in the interrupt address information table to obtain the destination address of the basic block it belongs to, and execution jumps there, reaching the original jump target.
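To make the mechanism above concrete, the following is an added example in Python that is not part of the patent. It models the Dispatcher's fetch-decrypt-decode-execute loop, the random selection of Handlers whose trailing jump is replaced by a faulting instruction, the interrupt address information table of Table 8, and the parent process of step 5 that catches the fault, looks the faulting address up, sets the child's EIP and resumes. The virtual instruction set, the XOR key stream, the native addresses and the bytecode program are constructed for illustration, and the faulting instruction is modelled by a Python exception rather than a real x86 divide-by-zero.

```python
"""Model of the fetch-decrypt-decode-execute loop with exception-hidden Handler
jumps and the parent/child split of step 5 that resolves them. Added example,
not the patent's code: ISA, key, addresses and program are constructed."""
import random

KEY = 0x5A                 # constructed key for the bytecode encryption
DISPATCHER = 0x401000      # assumed native addresses inside the new section
VMEXIT = 0x401F00
HANDLER_BASE = 0x401100
HANDLER_STRIDE = 0x40
JMP_OFFSET = 0x20          # where a Handler's trailing jmp (or its replacement) sits


def encrypt(bytecode):
    """Per-position XOR, standing in for the patent's bytecode encryption."""
    return bytes(b ^ KEY ^ (i & 0xFF) for i, b in enumerate(bytecode))


class VMContext:
    def __init__(self, code):
        self.code, self.vpc, self.stack = code, 0, []   # bytecode, bytecode pointer, VM stack


class HiddenJump(Exception):
    """Raised by the exceptional instruction (div by zero, bad access, int) that
    replaced a Handler's jmp; fault_addr is what the parent's debugger sees."""
    def __init__(self, fault_addr):
        super().__init__(hex(fault_addr))
        self.fault_addr = fault_addr


def fetch_decrypt(ctx):
    b = ctx.code[ctx.vpc] ^ KEY ^ (ctx.vpc & 0xFF)
    ctx.vpc += 1
    return b


# Handler bodies, each paired with the address its original jmp went to.
def h_push(ctx):
    ctx.stack.append(fetch_decrypt(ctx))   # the operand byte is encrypted too

def h_add(ctx):
    ctx.stack.append(ctx.stack.pop() + ctx.stack.pop())

def h_mul(ctx):
    ctx.stack.append(ctx.stack.pop() * ctx.stack.pop())

HANDLERS = {0x01: (h_push, DISPATCHER), 0x02: (h_add, DISPATCHER),
            0x03: (h_mul, DISPATCHER), 0x04: (lambda ctx: None, VMEXIT)}
ADDR_OF = {op: HANDLER_BASE + op * HANDLER_STRIDE for op in HANDLERS}
OP_AT = {addr: op for op, addr in ADDR_OF.items()}


def protect(seed, n_hidden=2):
    """Protection time: a random function picks the Handlers that lose their jmp;
    the interrupt address information table (Table 8) maps each exceptional
    instruction's address to the original jump destination."""
    rng = random.Random(seed)
    hidden = set(rng.sample(sorted(ADDR_OF.values()), n_hidden))
    table = {addr + JMP_OFFSET: HANDLERS[OP_AT[addr]][1] for addr in hidden}
    return hidden, table


def child_step(ctx, pc, hidden):
    """One native basic block of the child; returns the next EIP."""
    if pc == DISPATCHER:
        return ADDR_OF[fetch_decrypt(ctx)]   # fetch, decrypt, decode, dispatch
    body, target = HANDLERS[OP_AT[pc]]
    body(ctx)
    if pc in hidden:
        raise HiddenJump(pc + JMP_OFFSET)    # the jmp is gone: the child faults instead
    return target


def run(code, hidden, table, max_steps=10000):
    """Parent process: run the child, catch its faults, look the fault address up
    in the table, set EIP to the destination and resume; unknown fault = terminate."""
    ctx, pc = VMContext(code), DISPATCHER
    for _ in range(max_steps):
        if pc == VMEXIT:
            return ctx
        try:
            pc = child_step(ctx, pc, hidden)
        except HiddenJump as fault:
            if fault.fault_addr not in table:
                raise RuntimeError("unmapped fault at %#x, terminating" % fault.fault_addr)
            pc = table[fault.fault_addr]
    raise RuntimeError("step limit exceeded")


def static_edges(hidden):
    """Edges a disassembler that follows only explicit jumps recovers: hidden
    Handlers contribute no successor, so the reconstructed CFG is incomplete."""
    return {(a, HANDLERS[OP_AT[a]][1]) for a in ADDR_OF.values() if a not in hidden}


# Constructed program: push 3; push 4; add; push 5; mul; exit  ->  35
PROGRAM = encrypt(bytes([0x01, 3, 0x01, 4, 0x02, 0x01, 5, 0x03, 0x04]))

if __name__ == "__main__":
    hidden, table = protect(seed=7)
    print("result:", run(PROGRAM, hidden, table).stack, "hidden:", sorted(map(hex, hidden)))
    print("edges missing from the static CFG:", len(ADDR_OF) - len(static_edges(hidden)))
```

Running the block prints the computed result and the number of Handler edges missing from a control flow graph built by following explicit jumps only. One caveat a practitioner should keep in mind: the scheme is only as hidden as the table keyed by the faulting address, and an attacker who lets the protected program run under their own debugger and records every exception together with the EIP value the parent writes back recovers those edges dynamically, which is why the patent combines this step with data flow obfuscation and false predicates rather than relying on it alone.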
Step 8: a new section is added to the original PE file. The Handlers obfuscated in step 6, the bytecode instructions finally generated and the remaining virtual machine components (VMcontext, VMinit, Dispatcher, Handlers, VMexit) are embedded in the new section; the critical code section is filled with junk instructions, and the instruction at the start address of the critical code section is replaced with a jump to the virtual machine entry point. A protected executable file is then regenerated.
The new section, formed by combining the virtual machine components described above with the bytecode sequence, is appended after the original PE file as an additional PE section, and the size and section count fields of the PE file are modified to match the PE file with the new section added. The original location of the critical code section in the PE file is filled with an unconditional jump instruction that points at the start address of the virtual machine initialisation entry (VMinit) within the new section; the remainder of the critical code section is then filled with random junk data. When the program runs, this junk is never executed and does not affect the program's functionality, but it also serves to confuse an attacker.
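The PE manipulation of step 8, as an added Python example that is not the patent's tool: it appends a `.vm0` section carrying the virtual machine blob, bumps NumberOfSections and SizeOfImage, and overwrites the critical code section with an E9 rel32 jump to the start of the new section followed by junk bytes. The one-section PE32 image is constructed in memory so the example runs offline. It assumes that VMinit is the first byte of the new section, that the header area still has room for one more section entry, and that the critical code section is at least five bytes long.

```python
"""Step 8 modelled in Python: append a section holding the VM blob and redirect
the critical code into it. Added example, not the patent's code; the PE32
image, the key code bytes and the VM blob are constructed for illustration."""
import random
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vsize va rawsize raw")
SEC_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER
CODE_SECTION = 0x60000020         # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ


def u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]
def align(n, a): return (n + a - 1) // a * a


def parse_sections(pe):
    """Return the section table as Section tuples (first five header fields)."""
    e_lfanew = u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    table = coff + 20 + u16(pe, coff + 16)           # after the optional header
    return [Section(*struct.unpack_from(SEC_FMT, pe, table + 40 * i)[:5])
            for i in range(u16(pe, coff + 2))]


def rva_to_offset(sections, rva):
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s.raw + (rva - s.va)
    raise ValueError("RVA %#x is not backed by any section" % rva)


def add_vm_section(pe, key_rva, key_len, vm_blob, seed=0):
    """Append vm_blob as '.vm0', update NumberOfSections and SizeOfImage, then
    overwrite the critical code with 'jmp VMinit' (assumed at the start of .vm0)
    followed by random junk bytes."""
    pe = bytearray(pe)
    sections = parse_sections(pe)
    coff = u32(pe, 0x3C) + 4
    nsec, opt = len(sections), coff + 20
    sec_align, file_align = u32(pe, opt + 32), u32(pe, opt + 36)
    table = opt + u16(pe, coff + 16)
    if table + 40 * (nsec + 1) > u32(pe, opt + 60):   # must fit inside SizeOfHeaders
        raise ValueError("no room in the header for another section entry")
    if key_len < 5:
        raise ValueError("critical code section too small for a jmp rel32")
    last = max(sections, key=lambda s: s.va)
    new_va = align(last.va + max(last.vsize, last.rawsize), sec_align)
    new_raw = align(len(pe), file_align)
    new_rawsize = align(len(vm_blob), file_align)
    hdr = struct.pack(SEC_FMT, b".vm0", len(vm_blob), new_va, new_rawsize,
                      new_raw, 0, 0, 0, 0, CODE_SECTION)
    pe[table + 40 * nsec:table + 40 * nsec + 40] = hdr
    struct.pack_into("<H", pe, coff + 2, nsec + 1)                        # NumberOfSections
    struct.pack_into("<I", pe, opt + 56, align(new_va + len(vm_blob), sec_align))  # SizeOfImage
    pe += b"\0" * (new_raw - len(pe)) + vm_blob + b"\0" * (new_rawsize - len(vm_blob))
    # E9 rel32 is relative to the end of the 5-byte jump instruction.
    rel32 = (new_va - (key_rva + 5)) & 0xFFFFFFFF
    junk = bytes(random.Random(seed).randrange(256) for _ in range(key_len - 5))
    off = rva_to_offset(sections, key_rva)
    pe[off:off + key_len] = b"\xE9" + struct.pack("<I", rel32) + junk
    return bytes(pe)


def build_sample_pe(key_code):
    """Constructed one-section PE32 image: headers in the first 0x200 bytes,
    .text at RVA 0x1000 / file offset 0x200 holding key_code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    # EntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIIII", opt, 16, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    text = struct.pack(SEC_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, CODE_SECTION)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    headers += b"\0" * (0x200 - len(headers))
    return headers + key_code + b"\0" * (0x200 - len(key_code))


# Constructed critical code: push ebp; mov ebp,esp; mov eax,[ebp+8];
# add eax,[ebp+0Ch]; pop ebp; ret.  The VM blob is a placeholder.
KEY_CODE = bytes.fromhex("558BEC8B450803450C5DC3")
VM_BLOB = b"<VMinit><VMcontext><Dispatcher><Handlers><VMexit>"

if __name__ == "__main__":
    protected = add_vm_section(build_sample_pe(KEY_CODE), 0x1000, len(KEY_CODE), VM_BLOB)
    for s in parse_sections(protected):
        print(s.name.rstrip(b"\0").decode(), "va=%#x raw=%#x" % (s.va, s.raw))
    print("patched critical code:", protected[0x200:0x205].hex())
```

On a real binary two more things need attention: the new section's characteristics must suit the loader (executable code here), and any data already living in the header slack after the section table, such as a bound import directory, would have to be relocated before a 40-byte entry is written over it.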
Claims (5)
1. A virtualization software protection method with data flow obfuscation, characterised in that it comprises the following steps:
Step 1: verify whether the loaded file to be protected is a PE file; if it is, proceed to the next step;
Step 2: designate, within the source code of the file to be protected, the critical code section that requires protection, and disassemble the critical code section to obtain its x86 instruction set;
Step 3: convert the x86 instruction set obtained in step 2 into virtual instructions;
Step 4: map the virtual instructions to the corresponding Handler sequence HAS, then encrypt the mapped Handler sequence HAS to obtain the bytecode instructions;
Step 5: apply a two-process design to the scheduling structure of the virtual machine, the two processes being a child process that performs the normal program function and a parent process that debugs the child process; when a Handler has executed to completion, an exception is generated and captured by the parent process, which looks up the exception address in its interrupt address table to find the destination address to be jumped to on the exception; if the destination address is found, the parent process points the child process's EIP register at the destination address and resumes the child process; if it is not found, execution is terminated;
Step 6: apply data flow obfuscation to every Handler of the virtual machine, complicating the data flow within the program;
Step 7: hide the predicate information originally present in the program, and add new predicate information that forms false execution-flow branches;
Step 8: add a new section to the original PE file, embed the obfuscated Handlers, the bytecode instructions and the other virtual machine components, including VMcontext, VMinit, Dispatcher and VMexit, in the new section, fill the critical code section with junk instructions, replace the instruction at the start address of the critical code section with a jump instruction to the virtual machine entry point, and regenerate a protected executable file.
2. The virtualization software protection method with data flow obfuscation according to claim 1, characterised in that the process of applying data flow obfuscation to a Handler in step 6 comprises:
Taint bleaching: select the Handler to be obfuscated and analyse the taint propagation path within it; choose a register al on that path and introduce a new register ebx; when the program reaches register al, make register ebx repeatedly execute a +1 operation until the value in register ebx equals the value in register al, and from that point propagate the value in register ebx to the subsequent program.
3. The virtualization software protection method with data flow obfuscation according to claim 2, characterised in that the process of applying data flow obfuscation to a Handler in step 6 further comprises:
Over-tainting: select the Handler to be obfuscated and analyse the taint propagation path within it; choose a register that needs to be used on that path, push it onto the stack, use data transfer or arithmetic instructions to spread the tainted data into other registers, and then pop the register that needs to be used back off the stack to restore the stack environment.
4. The virtualization software protection method with data flow obfuscation according to claim 1, characterised in that the specific process of step 7 comprises:
using a random function to hide the jump instruction following part of the Handlers in the virtual machine, increasing the complexity of the program's execution flow, while adding predicate information at random within the Handlers to form false branches.
5. The virtualization software protection method with data flow obfuscation according to claim 4, characterised in that the specific method for hiding the jump instruction following a Handler comprises:
constructing an exceptional instruction library in which different exceptional instructions are stored;
establishing an interrupt address information table, each entry of which consists of the current address of an exceptional instruction in the library and the destination address of the basic block in which that exceptional instruction is located;
using a random function to rewrite the jump instruction following part of the Handlers in the virtual machine as an exceptional instruction, so that it raises an exception interrupt; after the exception interrupt is captured, looking up the current address of the exceptional instruction and the destination address of the basic block containing it in the interrupt address information table, and then jumping there to reach the original jump target.
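Claims 2 and 3 describe taint bleaching and over-tainting only in prose. The following added Python example, which is not the patent's code, runs a small explicit-data-flow taint tracker over a constructed Handler before and after each transformation so the effect on such a tracker can be observed. The micro instruction set, the register names, the initial values and the Handler body are constructed; registers are modelled as 8-bit so the counting loop of claim 2 stays short; and the over-tainting variant undoes its spreading arithmetic with a matching sub so the Handler's register values are unchanged while the taint marks remain.

```python
"""Explicit-data-flow taint tracker run over a constructed Handler before and
after taint bleaching (claim 2) and over-tainting (claim 3). Added example, not
the patent's code; the micro-ISA, registers, values and Handler are constructed."""


def run(prog, regs, tainted, max_steps=20000):
    """Execute prog concretely while propagating taint the way a plain data-flow
    tracker does: through mov/add/sub/push/pop only, never through cmp/jne
    (control dependencies are ignored, which is exactly what bleaching exploits)."""
    regs, tainted = dict(regs), set(tainted)
    labels = {ins[1]: i for i, ins in enumerate(prog) if ins[0] == "label"}
    stack, stack_taint, pc, zf, steps = [], [], 0, False, 0
    while pc < len(prog):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ins, pc = prog[pc], pc + 1
        op = ins[0]
        if op == "label":
            continue
        src = ins[2] if len(ins) > 2 else None          # register name or immediate
        src_val = regs[src] if isinstance(src, str) else src
        src_taint = isinstance(src, str) and src in tainted
        if op == "mov":
            regs[ins[1]] = src_val
            (tainted.add if src_taint else tainted.discard)(ins[1])
        elif op in ("add", "sub"):
            delta = src_val if op == "add" else -src_val
            regs[ins[1]] = (regs[ins[1]] + delta) & 0xFF
            if src_taint:
                tainted.add(ins[1])
        elif op == "inc":
            regs[ins[1]] = (regs[ins[1]] + 1) & 0xFF
        elif op == "xor_self":                          # xor r, r: zero value and taint
            regs[ins[1]] = 0
            tainted.discard(ins[1])
        elif op == "cmp":
            zf = regs[ins[1]] == src_val
        elif op == "jne":
            if not zf:
                pc = labels[ins[1]]
        elif op == "push":
            stack.append(regs[ins[1]])
            stack_taint.append(ins[1] in tainted)
        elif op == "pop":
            regs[ins[1]] = stack.pop()
            (tainted.add if stack_taint.pop() else tainted.discard)(ins[1])
        else:
            raise ValueError("unknown op %r" % (op,))
    return regs, tainted


def bleach(prog, src, tmp):
    """Claim 2: count tmp up from 0 until it equals src, then read tmp wherever
    src was read (assumes src is only read in prog). The value is identical, but
    the only link between src and tmp is a compare, so explicit-flow taint stops."""
    loop = "bleach_" + tmp
    prologue = [("xor_self", tmp), ("label", loop), ("inc", tmp),
                ("cmp", tmp, src), ("jne", loop)]
    return prologue + [tuple(tmp if x == src else x for x in ins) for ins in prog]


def over_taint(prog, src, victims, scratch):
    """Claim 3: save scratch, copy the tainted src into it, spread it into the
    victims with add, undo the values with sub (taint stays), then pop scratch."""
    spread = [("add", v, scratch) for v in victims]
    unspread = [("sub", v, scratch) for v in victims]
    return ([("push", scratch), ("mov", scratch, src)] + spread + unspread
            + [("pop", scratch)] + prog)


# Constructed Handler: derive an output byte from the tainted input in al.
HANDLER = [("mov", "cl", "al"), ("add", "cl", 7), ("mov", "dl", "cl")]
INIT = {"al": 0x2A, "bl": 0, "cl": 0, "dl": 0, "dh": 0, "esi": 5, "edi": 9}
TAINT0 = {"al"}


def compare():
    """Run the three variants; returns {name: (final registers, tainted set)}."""
    variants = {
        "original": HANDLER,
        "bleached": bleach(HANDLER, "al", "bl"),
        "over_tainted": over_taint(HANDLER, "al", ["esi", "edi"], "dh"),
    }
    return {name: run(p, INIT, TAINT0) for name, p in variants.items()}


if __name__ == "__main__":
    for name, (regs, tainted) in compare().items():
        print("%-12s dl=%#04x esi=%d edi=%d tainted=%s"
              % (name, regs["dl"], regs["esi"], regs["edi"], sorted(tainted)))
```

Two caveats are worth noting. The counting loop costs up to 256 iterations for an 8-bit register such as al and is impractical for a 32-bit one, so the register chosen for claim 2 has to be narrow. And bleaching only defeats trackers that ignore control dependencies: an engine that propagates taint across the cmp/jne (implicit-flow or bit-level taint analysis) re-acquires it on ebx, whereas over-tainting is a source of false positives for any tracker rather than a loss of taint.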
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610399231.3A CN106096338B (en) | 2016-06-07 | 2016-06-07 | A kind of virtualization software guard method obscured with data flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106096338A CN106096338A (en) | 2016-11-09 |
CN106096338B true CN106096338B (en) | 2018-11-23 |
Family
ID=57228501
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610399231.3A Active CN106096338B (en) | 2016-06-07 | 2016-06-07 | A kind of virtualization software guard method obscured with data flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106096338B (en) |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106529296A (en) * | 2016-11-16 | 2017-03-22 | 武汉工程大学 | Method for attacking software protection virtual machine based on fuzzy clustering |
CN106599627A (en) * | 2016-11-22 | 2017-04-26 | 江苏通付盾科技有限公司 | Method and apparatus for protecting application security based on virtual machine |
CN107092518A (en) * | 2017-04-17 | 2017-08-25 | 上海红神信息技术有限公司 | A kind of Compilation Method for protecting mimicry system of defense software layer safe |
CN107480476B (en) * | 2017-06-15 | 2020-05-19 | 西北大学 | Android native layer instruction compiling virtualization shell adding method based on ELF infection |
CN109697339A (en) * | 2017-10-20 | 2019-04-30 | 南京理工大学 | A kind of Android application method for security protection based on dynamic virtual instruction map |
CN108021790B (en) * | 2017-12-28 | 2020-09-08 | 江苏通付盾信息安全技术有限公司 | File protection method and device, computing equipment and computer storage medium |
CN108416191B (en) * | 2018-02-12 | 2021-11-19 | 北京梆梆安全科技有限公司 | Method and device for reinforcing source code based on opaque predicate and finite state machine |
CN108415709B (en) * | 2018-02-12 | 2022-01-28 | 北京梆梆安全科技有限公司 | Method and device for reinforcing source code based on finite-state machine |
CN108388778B (en) * | 2018-03-21 | 2021-03-30 | 北京理工大学 | APP anti-debugging method with Android platform fused with multiple features |
CN108614960B (en) * | 2018-05-11 | 2020-06-16 | 西北大学 | JavaScript virtualization protection method based on front-end byte code technology |
CN109145534B (en) * | 2018-07-24 | 2022-11-11 | 上海交通大学 | Anti-confusion system and method for software virtual machine protection |
CN110457948A (en) * | 2019-08-13 | 2019-11-15 | 中科天御(苏州)科技有限公司 | A kind of dynamic data means of defence and system based on store instruction randomization |
CN112069466B (en) * | 2020-09-15 | 2023-11-03 | 常熟理工学院 | Code confusion information safety control method, system and device based on mode switching |
CN112199667B (en) * | 2020-09-30 | 2024-06-21 | 常熟理工学院 | Software protection method, device, equipment and storage medium |
CN112394943A (en) * | 2021-01-18 | 2021-02-23 | 北京掌上云集科技发展有限公司 | Binary file virtualization protection method, device, medium and electronic equipment |
CN114707124B (en) * | 2022-03-22 | 2022-11-29 | 广东技术师范大学 | NET platform code protection method and system based on code virtualization |
CN115292764B (en) * | 2022-10-08 | 2023-03-24 | 山东云海国创云计算装备产业创新中心有限公司 | Bus safety protection method, device and medium |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9405570B2 (en) * | 2011-12-30 | 2016-08-02 | Intel Corporation | Low latency virtual machine page table management |
CN103514027B (en) * | 2013-11-12 | 2017-04-26 | 北京深思数盾科技股份有限公司 | Method for enhancing usability of software protection |
CN103699820B (en) * | 2013-12-25 | 2017-02-15 | 北京深思数盾科技股份有限公司 | Obfuscating method for relative jump instruction |
CN105046117A (en) * | 2015-06-30 | 2015-11-11 | 西北大学 | Code virtualization software protection system realizing instruction set randomization |
CN105608346A (en) * | 2015-12-25 | 2016-05-25 | 北京奇虎科技有限公司 | ELF file protection method and system based on ARM instruction virtualization |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||