CN107423586B - Method for protecting software and software protecting equipment - Google Patents
Method for protecting software and software protecting equipment Download PDFInfo
- Publication number
- CN107423586B CN107423586B CN201710639745.6A CN201710639745A CN107423586B CN 107423586 B CN107423586 B CN 107423586B CN 201710639745 A CN201710639745 A CN 201710639745A CN 107423586 B CN107423586 B CN 107423586B
- Authority
- CN
- China
- Prior art keywords
- net
- program
- code
- executable program
- content
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 238000012545 processing Methods 0.000 claims description 16
- 238000013507 mapping Methods 0.000 claims description 9
- 238000011084 recovery Methods 0.000 claims description 7
- 230000001960 triggered effect Effects 0.000 claims description 7
- 230000006399 behavior Effects 0.000 claims 1
- 230000003068 static effect Effects 0.000 abstract description 5
- 230000006870 function Effects 0.000 description 12
- 230000008569 process Effects 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
- 230000014616 translation Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Abstract
The disclosure provides a kind of method for protecting software, and this method includes:.NET executable program is parsed, identifies the metadata catalog in .NET executable program;Content in metadata catalog is hidden with predetermined way;The program entry of .NET executable program is modified to point to predetermined code, obtains shielded .NET executable program, the predetermined code is for restoring metadata catalog.The disclosure additionally provides software protecting equipment and the computer readable storage medium for being stored with instruction.Method for protecting software and device through the invention can resist static analysis, realize the purpose for preferably protecting .NET program.
Description
Technical field
The present invention relates to field of software protection more particularly to a kind of method for protecting software and a kind of software protecting equipment.
Background technique
.NET for framework while providing abnormal convenient, there is also a very big defects, that is .NET program is held very much
Easily by decompiling.The executable program under .NET frame for using the generation of the language compilation such as C#, using specific anti-
Compilation tool can instruct its direct decompiling IL (intermediate language), or even decompile into C# code, therefore safety is very poor.
Common decompiling instrument includes such as dnSpy, ILSpy.Decompiling can regard the inverse process of compiling as, that is, will be with
The generation of the assembler language form of target code translations Cheng Yuqi function equivalence or high level language version existing for machine language form
The process of code.Since the logic of original code can be obtained after having carried out decompiling, lead to holding under corresponding .NET frame
The version of line program is highly susceptible to encroach on.
Guard method more in the prior art for .NET program includes choosing packet from compiled .NET program
The binary code section of the instruction of IL containing .NET;The binary code section is converted, and delete from .NET program this two into
Code segment processed;It will be written by transformed binary code section in the shell of .NET program, and shell called
In instruction write-in .NET program;When .NET program runs to shell call instruction, shell calls .NET virtual machine,
Then by .NET virtual machine run it is transformed after binary code section.However, what this method only chose is referred to comprising .NET IL
The binary code section of order, and need to call .NET virtual machine, on the one hand, this transformation institute to binary code section can be real
Existing safety is not strong, cannot resist the static analysis of decompiling instrument well, on the other hand .NET virtual machine is called to increase
Memory overhead.
Currently, the method for protecting the executable program under .NET frame in a manner of simpler, flexible and effective
There is urgent demand with device.
Summary of the invention
The object of the present invention is to provide can enhance the method protected to the executable program under .NET frame and dress
It sets.
It is a further object of the present invention to provide one kind to be protected under .NET frame in a manner of simple, safe and efficient
The method and apparatus of executable program.
According to an aspect of the present invention, a kind of method for protecting software is provided, this method may include:It is executable to parse .NET
Program identifies the metadata catalog in .NET executable program;Content in metadata catalog is hidden with predetermined way;It will
.NET the program entry of executable program is modified to point to predetermined code, obtains shielded .NET executable program, this is predetermined
Code is for restoring metadata catalog.
Preferably, the content predetermined way in metadata catalog is hidden and may include, in metadata catalog
Appearance is encrypted with predetermined cryptographic algorithm.
Preferably, the content predetermined way in metadata catalog is hidden and may include, in metadata catalog
After holding encryption, encrypted content is stored into the predetermined position into .NET executable program, and remove the content in metadata catalog.
Preferably, the program entry of .NET executable program is modified to point to predetermined code includes:Modification .NET can be held
The entry address of line program is new entry address;Predetermined code is inserted into after new entry address.
Preferably, include in predetermined code:The code that content in hiding metadata catalog is restored;For weight
Build the local file of .NET executable program and the code of memory mapping;When .NET executable code operating system access,
Trigger the code of hook program.
Preferably, hook program is configured to the member after the notice currently performed program of operating system is .NET program and restores
The position of the storage catalogue of data.
Especially preferably, above-mentioned predetermined code can be shell (ShellCode).
According to another aspect of the present invention, a kind of software protecting equipment is provided, which may include storage
At least one processor for having the memory of instruction and being coupled with memory, when instruction is loaded and executed by least one processor
When so that at least one processor is executed following operation:.NET executable program is parsed, identifies first number in .NET executable program
According to catalogue;Content in metadata catalog is hidden with predetermined way;The program entry of .NET executable program is revised as referring to
To predetermined code, shielded .NET executable program is obtained, predetermined code can be used for restoring metadata catalog.
Preferably, the content predetermined way in metadata catalog is hidden and may include, in metadata catalog
Appearance is encrypted with predetermined cryptographic algorithm.
Preferably, the content predetermined way in metadata catalog is hidden and may include, in metadata catalog
After holding encryption, encrypted content is stored into the predetermined position into .NET executable program, and remove the content in metadata catalog.
Preferably, the program entry of .NET executable program is modified to point to predetermined code includes:Modification .NET can be held
The entry address of line program is new entry address;The predetermined code is inserted into after the new entry address.
Preferably, may include in the predetermined code:The generation that content in hiding metadata catalog is restored
Code;For rebuilding the local file of .NET executable program and the code of memory mapping;It is when .NET executable code operates
When system access, the code of hook program is triggered.
Preferably, hook program is configured to the member after the notice currently performed program of operating system is .NET program and restores
The position of the storage catalogue of data.
According to the technical solution of the present invention, it realizes and resists static analysis of the decompiling instrument to .NET program, it can be with
The executable program under .NET frame is more effectively protected in stronger safety.
Detailed description of the invention
The Detailed description of the invention various examples of principles described herein, and be a part of this specification.Attached drawing should be with
Example rather than the mode of limitation understand, wherein:
Fig. 1 is the flow chart of the method for protecting .NET program provided according to one embodiment of the disclosure;
Fig. 2 is the flow chart of the method for protecting .NET program provided according to another embodiment of the present disclosure;
Fig. 3 is the flow chart of the method for protecting .NET program provided according to another embodiment of the present disclosure;
Fig. 4 is the structural schematic diagram of the device for protecting .NET program provided in accordance with an embodiment of the present disclosure.
Fig. 5 is the screenshot capture for illustrating the metadata catalog in .NET PE executable program.
Fig. 6 is for illustrating by the metadata in treated .NET PE executable program according to embodiments of the present invention
The screenshot capture of catalogue.
Specific embodiment
It will be apparent, however, that elaborating concrete details in order to provide the understanding of the present invention.
It will be apparent, however, to one skilled in the art, that can realize the present invention in the case where without these details.In addition, this
Field is it will be recognized that the embodiment of invention described below can be realized in many ways, such as process, dress
It sets, the method on system, equipment or tangible computer readable storage medium.In order to more clearly describe the disclosure purpose,
Scheme and advantage, are with reference to the accompanying drawing described in detail various embodiments of the present invention.
Furthermore, it is to be noted however that term " coupling ", " connection " and " communicative couplings " should be understood to include directly connecting
It connects, being indirectly connected with and being wirelessly connected by one or more intermediate equipments.
.NET the basic factors of program operation first is that metadata, metadata are the data for describing data, be described
Data be exactly the framework for referring to code.In general, metadata is a kind of binary message, for executable literary to portable is stored in
Part (PE) file or the program being stored in memory are described.It, will when program code is compiled as PE file by compiler
Metadata is inserted into a part of this document.
Specifically.NET is based on object-oriented, so the main contents of metadata description are exactly object-oriented
Basic element:Class, type, attribute, method, field, parameter, characteristic etc. mainly include following items:
●Define table, type and information about firms defined in source code are described, mainly includes:TypeDef,
MehodDef, FieldDef, ModuleDef, PropertyDef etc..
●Reference list, the type quoted in source code and information about firms are described, reference element can be same program collection
Other modules, be also possible to the module of distinct program collection, mainly include:AssemblyRef,TypeRef,ModuleRef,
MethodsRef etc..
●Pointer gauge, using pointer table reference unknown code, mainly include:MethodPtr,FieldPtr,ParamPtr
Deng.
·Heap, in the form of stream save information heap, mainly include:#String, #Blob, #US, #GUIDe etc..
When executing code, metadata is loaded into memory by .NET run-time library, and quotes it to find pertinent code
The information such as class, member, succession.
Fig. 5 is the screenshot capture for illustrating the metadata catalog in .NET PE executable program..NET it is generated under frame
Executable program be one of PE executable program of standard, as shown in the screenshot capture in Fig. 5 .NET PE is executable
.NET MetaData Directory RVA and .NET MetaData Directory Size in the corresponding data directory of program
Item is non-zero value, has been directed toward the .NET in program operation and has run required .NET catalogue, has made in preceding program wherein containing and compiling
The character string used, function information, function property information etc..Therefore the safety of .NET PE executable program is very poor.
The present invention realizes the protection to .NET program by the content in protection metadata catalog, and the present invention is into one
Step modify to the structure of .NET executable program and using " shell " (ShellCode) with predetermined function come
Realize the purpose of protection .NET executable program.Specifically, by the way that the content in metadata catalog is hidden processing, from
And making .NET executable program to the eye is only a local executable program.
Fig. 6 is for illustrating by the metadata in treated .NET PE executable program according to embodiments of the present invention
The screenshot capture of catalogue.As shown in Figure 6, to the eye by aforesaid way treated .NET PE executable program
It is local PE executable program .NET MetaData Directory RVA and .NET MetaData Directory therein
Size are 0 value, i.e. the content of metadata catalog is hidden.
By this processing mode for being hidden the content of metadata catalog, it is executable that .NET can be greatlyd improve
The safety of program.
As shown in Figure 1, providing the method for protecting .NET program, this method packet according to one embodiment of the disclosure
Include step S100-S106.In the step s 100 .NET executable program is parsed, identifies the metadata in .NET executable program
Catalogue.In step s 102, the content in metadata catalog is hidden with predetermined way.At step 104 .NET can be performed
The program entry of program is modified to point to predetermined code.In step 106, shielded .NET executable program is obtained.According to
The embodiment, predetermined code can be used in restoring metadata catalog, to predetermined generation by taking ShellCode as an example in the embodiment of the present invention
Code is illustrated.
In accordance with an embodiment of the present disclosure, the mode for hiding the content of metadata catalog may include by pre-defined rule or rule
Collect and " upsetting " processing is carried out to the content of metadata catalog, or metadata catalog is subjected to logic by pre-defined rule or rule set
Transformation, and after carrying out these processing, by the relative virtual address in the corresponding data directory in .NET executable program
(RVA) item and size (size) item are (for example.NET MetaData Directory RVA and .NET MetaData
Directory Size) it is set as zero (0) value.In addition to this, as long as the content of metadata catalog can be hidden, it can be used
Its any mode is hidden processing.In this way, seeing on surface, the content of metadata catalog is sky.Again due to being substantially to carry out
Therefore hiding processing can resist the static analysis of decompiling instrument.
So-called " shell " is exactly to add a shell to executable program.Since program entry is directed toward ShellCode, so journey
The execution of sequence is actually since ShellCode.To the mode that the content in metadata catalog is hidden be with
What ShellCode had made an appointment.It is write based on the mode made an appointment with the predetermined function being hereafter described in detail
ShellCode。
According to embodiment, the program entry of .NET executable program, which is modified to point to predetermined code, includes:Modify .NET
The entry address of executable program is new entry address;Predetermined code is inserted into after new entry address.
According to embodiment, include in above-mentioned predetermined code:Content in hiding metadata catalog is restored
Code;For rebuilding the local file of .NET executable program and the code of memory mapping;When .NET executable code operates
When system accesses, the code of hook program is triggered.According to embodiment, it is currently performed that hook program is configured to notice operating system
Program is the position of the storage catalogue of the metadata after .NET program and recovery, so that operating system can be read from corresponding position
Metadata simultaneously executes program.
Fig. 2 is the flow chart of the method for protecting .NET program provided according to one embodiment of the disclosure.Such as Fig. 2
Shown, the method which provides includes step S200-S206.In step s 200 .NET executable program is parsed first,
Identify the metadata catalog in .NET executable program.In step S202, by the predetermined encryption of the content in metadata catalog
Algorithm for encryption.In step S204, the program entry of .NET executable program is modified to point to predetermined code, i.e.,
ShellCode.Then, in step S206, a new shielded .NET executable program is obtained.
According to this embodiment, predetermined cryptographic algorithm can use any Encryption Algorithm well known in the art, for example, symmetrical add
Close algorithm, such as advanced encryption standard and rivest, shamir, adelman, such as RSA or elliptic curve cipher method.In addition, restoring
Metadata catalog includes that encrypted metadata catalog is decrypted.Used by decryption processing depends on encryption
Encryption Algorithm.
According to embodiment, the program entry of .NET executable program, which is modified to point to predetermined code, includes:Modify .NET
The entry address of executable program is new entry address;Predetermined code is inserted into after new entry address.
According to embodiment, include in above-mentioned predetermined code:Content in the metadata catalog of encryption is restored
Code;For rebuilding the local file of .NET executable program and the code of memory mapping;When .NET executable code operates
When system accesses, the code of hook program is triggered.According to embodiment, it is currently performed that hook program is configured to notice operating system
Program is the position of the storage catalogue of the metadata after .NET program and recovery, so that operating system can be read from corresponding position
Metadata simultaneously executes program.
Fig. 3 is the flow chart of the method for protecting .NET program provided according to another embodiment of the present disclosure.Such as Fig. 3
Shown, the method which provides includes step S300-S308.In step S300 .NET executable program is parsed first,
Identify the metadata catalog in .NET executable program.In step s 302, by after the content-encrypt in metadata catalog, will add
Content after close stores the predetermined position into .NET executable program.In step s 304, it removes interior in metadata catalog
Hold.In step S306, the program entry of .NET executable program is modified to point to predetermined code, i.e. ShellCode.So
Afterwards, in step S308, a new shielded .NET executable program is obtained.
Similar to above-described embodiment, encryption can use any Encryption Algorithm well known in the art, for example, symmetrical add
Close algorithm, such as advanced encryption standard and rivest, shamir, adelman, such as RSA or elliptic curve cipher method.Restore metadata
Catalogue includes that encrypted metadata catalog is decrypted.Decryption processing depends on encryption used by encryption and calculates
Method.
According to embodiment, the program entry of .NET executable program, which is modified to point to predetermined code, includes:Modify .NET
The entry address of executable program is new entry address;Predetermined code is inserted into after new entry address.
According to embodiment, include in above-mentioned predetermined code:Content in the metadata catalog of encryption is restored
Code;For rebuilding the local file of .NET executable program and the code of memory mapping;When .NET executable code operates
When system accesses, the code of hook program is triggered.According to embodiment, it is currently performed that hook program is configured to notice operating system
Program is the position of the storage catalogue of the metadata after .NET program and recovery, so that operating system can be read from corresponding position
Metadata simultaneously executes program.
According to this embodiment, above-mentioned predetermined position can be other positions in addition to the original position where metadata catalog
It sets, and removes the content in metadata catalog and refer to the content for removing the situ where metadata catalog.Removing member
The relative virtual in corresponding data directory after the content of situ where data directory, in .NET executable program
Address (RVA) item and size (size) item are (for example.NET MetaData Directory RVA and .NET MetaData
Directory Size) actually become zero (0) value.As shown in fig. 6, by the modified .NET journey of present invention method
Sequence is stored in the form of local file, when its execution, the predetermined code being added is executed from modified inlet, by executing institute
It states predetermined code to restore the content in the metadata catalog of encryption, rebuilds the local file of .NET executable program and interior
It deposits the code of image and when .NET executable code operating system access, triggers hook program, the hook program is logical
The position for knowing the storage catalogue of the metadata after the currently performed program of operating system is .NET program and restores, so that operation is
System can read metadata from corresponding position and execute program.
Fig. 4 is the structural schematic diagram of the device for protecting .NET program provided in accordance with an embodiment of the present disclosure.It should
.NET programmed protection device can be computing device 40.According to this embodiment, which includes memory 401, center
Processor (CPU) 402 and keyboard, mouse, touch screen and/or video display etc. input/output (I/O) component 403.
Computer executable instructions are can store in memory 401.Memory 401 and I/O component 403 can be logical with CPU 402
Letter coupling.
It can storage program area (OS) and multiple program modules and data file in memory 401.Program module can be with
It is such as I/O manager, other utility programs and various application programs.Computing device 40 can include but is not limited to desk-top calculating
Machine, laptop, tablet device, mobile computing device and any kind of terminal device.
According to one embodiment, when CPU 402 is executed instruction, the operation for realizing CPU 402 includes:Parsing .NET can
Program is executed, identifies the metadata catalog in .NET executable program;By the content predetermined cryptographic algorithm in metadata catalog
Encryption;The program entry of .NET executable program is modified to point to predetermined code, such as ShellCode;Obtain one it is new
Shielded .NET executable program.
According to a preferred embodiment, when CPU 402 is executed instruction, the operation for realizing CPU 402 includes:Parsing
.NET executable program identifies the metadata catalog in .NET executable program;It, will after the content-encrypt in metadata catalog
Encrypted content stores the predetermined position into .NET executable program;Remove the content in metadata catalog;.NET can be performed
The program entry of program is modified to point to predetermined code, such as ShellCode;It is executable to obtain a new shielded .NET
Program.
According to embodiment, the program entry of .NET executable program, which is modified to point to predetermined code, includes:Modify .NET
The entry address of executable program is new entry address;Predetermined code is inserted into after new entry address.It is above-mentioned according to embodiment
Predetermined code in include:The code that content in the metadata catalog of encryption is restored;It is executable for rebuilding .NET
The local file of program and the code of memory mapping;When .NET executable code operating system access, hook program is triggered
Code.According to embodiment, hook program is configured to the notice currently performed program of operating system for .NET program and after restoring
Metadata storage catalogue position so that operating system can be read from corresponding position metadata and executes program.
According to another embodiment of the present disclosure, a kind of computer readable storage medium, computer readable storage medium are provided
In be stored with instruction, so that at least one processor is executed following operation when instruction is loaded and executed by least one processor:
.NET executable program is parsed, identifies the metadata catalog in .NET executable program;By the content in metadata catalog in advance
Determine mode to hide;The program entry of .NET executable program is modified to point to predetermined code, such as ShellCode, obtain by
The .NET executable program of protection, ShellCode is for restoring metadata catalog.
In the following, having the function of to predetermined code achieved by the ShellCode of specific function and shielded
.NET the implementation procedure of executable program is described in detail.The program entry of .NET executable program by above-mentioned processing is repaired
It is changed to point to ShellCode.In this way, ShellCode can be executed in the entrance of .NET executable program.It is executing
After ShellCode .NET run-time library entrance is called .NET run-time library can be to the file on the file and disk in memory
It is verified, including the verifying of the content to encrypted metadata catalog.Call the mode of .NET run-time library entrance
As shown in following code sample section:
In accordance with an embodiment of the present disclosure, the predetermined function that above-mentioned ShellCode is realized includes the following aspects.
Firstly, restoring the content of encrypted metadata catalog, which includes in encrypted metadata catalog
Appearance is decrypted, and decryption processing depends on method used by encrypting.Recovery process for example may include being protected to generated
The program image in memory for protecting .NET executable program restores metadata catalog, make .NET executable program in memory at
For can be by .NET PE executable program that .NET run-time library is verified.In this way, making .NET run-time library in verifying memory
.NET PE executable program when it is available arrive correct parameter.
In addition, being held in the operation of shielded .NET executable program in the pre-entry address of .NET executable program
Row predetermined code, the predetermined code include:Position the metadata catalog after hiding and to the content in hiding metadata catalog
The code restored;Rebuild the local file of .NET executable program and the code of memory mapping;When detecting operating system
The code of hook program is executed when executing .NET executable program.According to the present embodiment, above-mentioned hook program is configured to notify
The currently performed program of operating system is the position of the storage catalogue of the metadata after .NET program and recovery.
As described above, in the operation of shielded .NET executable program, responsible pair of predetermined code (such as ShellCode)
The file operation application programming interfaces (API) of current process are linked up with (HOOK) (also referred to as hook) processing, file operation API
Mainly include:CreateFileW, GetFileSize, CreateFileMappingW, CloseHandle etc., these only show
Example.It, can be with by it as it is known in the art, HOOK is very important a kind of system interface in Windows operating system
The message transmitted between other applications is easily intercepted and captured and handled, and is difficult to it is possible thereby to complete some common applications
The specific function of realization.Reading in the embodiment of the present invention by hook processing adapter tube to local file, to be run by .NET
Verification of the Shi Ku to local file.
Above-mentioned function is realized by ShellCode, when shielded .NET PE executable program is loaded in computing device
When running on 40, program image in memory can be operated normally as common .NET PE executable program.Also
It is to say, according to each embodiment of the disclosure, had not only realized the protection to .NET program, but also will not influence its normal load and fortune
Row.
It is protected by the contemplated scheme of the above-mentioned disclosure since the content in metadata catalog being encrypted
The safety of the .NET executable program of shield is largely increased, and can be reasonably resistant to the static analysis of decompiling instrument.
Flow chart shown in this article provides the example of the sequence of various processing movements.Although in a particular order or sequentially
It shows, unless otherwise indicated, the sequence of movement can be modified.Therefore, the merely illustrative purpose of shown embodiment and provide,
Processing can be executed in a different order, and some processing can be performed in parallel.In addition, can save in various embodiments
Slightly one or more steps.
Embodiment described herein software can be via the computer readable storage medium for being wherein stored with software content
Or any product provides to provide, or via communication interface.Computer readable storage medium can be such that machine execution is retouched
The functions or operations stated, including any mechanism to calculate form storage program module or data content that equipment can access, example
Such as, read-only memory, random access memory, magnetic disk storage medium, optical disk medium, flash memory device etc..Communication interface packet
Include with any one of the media such as hardwired, wireless, optics any mechanism of the interface to be communicated with another equipment, such as store
Device bus interface, processor bus interface, internet connection, Magnetic Disk Controler etc..
Mention in the description " one embodiment ", " preferred embodiment ", " embodiment " and " each embodiment " mean with
Specific feature, structure, characteristic or the function that the embodiment combines description are included at least one embodiment of the disclosure
And it may be embodied in more than one embodiment.Moreover, specification occur everywhere above-mentioned wording be not necessarily all referring to it is same
Embodiment.
It, can be without departing from the scope of the invention to disclosed reality other than content described herein
Example is applied to carry out various modifications.Therefore, explanation and example here is interpreted as illustrative rather than restrictive.Of the invention
Spirit and scope should be considered solely by reference to claim and its equivalent.
Claims (12)
1. a kind of method for protecting software, including:
.NET executable program is parsed, identifies the metadata catalog in the .NET executable program;
Content in the metadata catalog is hidden with predetermined way, the content in the metadata catalog is stored to institute
The predetermined position in .NET executable program is stated, and removes the content in the metadata catalog, so that .NET executable program
In corresponding metadata catalog relative virtual address item and big event be all provided with and be set to 0 value;
The program entry of the .NET executable program is modified to point to predetermined code, obtaining shielded .NET can be performed journey
Sequence, the predetermined code is for restoring the metadata catalog.
2. according to the method described in claim 1, wherein, the predetermined way of the content in the metadata catalog is hidden packet
It includes, the content in the metadata catalog is encrypted with predetermined cryptographic algorithm.
3. according to the method described in claim 1, wherein, the predetermined way of the content in the metadata catalog is hidden packet
It includes, after the content-encrypt in the metadata catalog, encrypted content is stored predetermined into the .NET executable program
Position.
4. according to the method described in claim 1, wherein, the program entry of the .NET executable program is modified to point to pre-
Determining code includes:The entry address for modifying the .NET executable program is new entry address;After the new entry address
It is inserted into the predetermined code.
5. according to the method described in claim 1, wherein, including in the predetermined code:To in hiding metadata catalog
The code that content is restored;For rebuilding the local file of the .NET executable program and the code of memory mapping;Work as institute
When stating .NET executable code operating system access, the code of hook program is triggered.
6. according to the method described in claim 5, wherein, the hook program is configured to the notice currently performed journey of operating system
Sequence is the position of the storage catalogue of the metadata after .NET program and recovery.
7. a kind of software protecting equipment, including at least one processing for being stored with the memory of instruction and being coupled with the memory
Device makes at least one described processor execute following behaviour when described instruction is loaded and executed by least one described processor
Make:
.NET executable program is parsed, identifies the metadata catalog in the .NET executable program;
Content in the metadata catalog is hidden with predetermined way, the content in the metadata catalog is stored to institute
The predetermined position in .NET executable program is stated, and removes the content in the metadata catalog, so that .NET executable program
In corresponding metadata catalog relative virtual address item and big event be all provided with and be set to 0 value;
The program entry of the .NET executable program is modified to point to predetermined code, obtaining shielded .NET can be performed journey
Sequence, the predetermined code is for restoring the metadata catalog.
8. device according to claim 7, wherein the predetermined way of the content in the metadata catalog is hidden packet
It includes, the content in the metadata catalog is encrypted with predetermined cryptographic algorithm.
9. device according to claim 7, wherein the predetermined way of the content in the metadata catalog is hidden packet
It includes, after the content-encrypt in the metadata catalog, encrypted content is stored predetermined into the .NET executable program
Position.
10. device according to claim 7, wherein the program entry of the .NET executable program to be modified to point to
Predetermined code includes:The entry address for modifying the .NET executable program is new entry address;The new entry address it
After be inserted into the predetermined code.
11. device according to claim 7, wherein include in the predetermined code:To in hiding metadata catalog
The code that content is restored;For rebuilding the local file of the .NET executable program and the code of memory mapping;Work as institute
When stating .NET executable code operating system access, the code of hook program is triggered.
12. device according to claim 11, wherein it is currently performed that the hook program is configured to notice operating system
Program is the position of the storage catalogue of the metadata after .NET program and recovery.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710639745.6A CN107423586B (en) | 2017-07-31 | 2017-07-31 | Method for protecting software and software protecting equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710639745.6A CN107423586B (en) | 2017-07-31 | 2017-07-31 | Method for protecting software and software protecting equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107423586A CN107423586A (en) | 2017-12-01 |
| CN107423586B true CN107423586B (en) | 2018-11-20 |
Family
ID=60431540
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710639745.6A Active CN107423586B (en) | 2017-07-31 | 2017-07-31 | Method for protecting software and software protecting equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107423586B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110472425A (en) * | 2019-07-18 | 2019-11-19 | 福建天晴在线互动科技有限公司 | Unity plug-in unit encryption method based on Mono, storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7426734B2 (en) * | 2003-10-24 | 2008-09-16 | Microsoft Corporation | Facilitating presentation functionality through a programming interface media namespace |
| CN101377737A (en) * | 2007-08-28 | 2009-03-04 | 上海宝信软件股份有限公司 | Resource management apparatus of application system |
| CN104866312A (en) * | 2015-05-22 | 2015-08-26 | 国云科技股份有限公司 | ASP.NET-based pseudo static page implementation method |
| CN105205539A (en) * | 2015-08-25 | 2015-12-30 | 携程计算机技术(上海)有限公司 | OTA website hotel room management method and system |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| AR042599A1 (en) * | 2002-11-19 | 2005-06-29 | Schiavoni Juan Jose | METHOD OF PROTECTION OF PROGRAMS AND EQUIPMENT TO PERFORM IT |
| CN100474253C (en) * | 2007-11-22 | 2009-04-01 | 北京飞天诚信科技有限公司 | .Net program protection method and device |
| CN101964040B (en) * | 2010-09-10 | 2012-07-04 | 西安理工大学 | PE loader-based software packing protection method |
| CN101980160B (en) * | 2010-10-28 | 2013-02-13 | 飞天诚信科技股份有限公司 | Implementing method for encrypted .NET program |
| CN103065069A (en) * | 2013-01-28 | 2013-04-24 | 电子科技大学 | Shell technology based software protection method |
| CN103955635B (en) * | 2014-04-04 | 2017-02-15 | 北京深思数盾科技股份有限公司 | Method and system for protecting .NET executable program |
| CN106295257A (en) * | 2015-06-29 | 2017-01-04 | 中兴通讯股份有限公司 | A kind of authentication method being reinforced software and device |
| CN106650340B (en) * | 2016-11-16 | 2019-12-06 | 中国人民解放军国防科学技术大学 | binary software protection method adopting dynamic fine-grained code hiding and obfuscating technology |
-
2017
- 2017-07-31 CN CN201710639745.6A patent/CN107423586B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7426734B2 (en) * | 2003-10-24 | 2008-09-16 | Microsoft Corporation | Facilitating presentation functionality through a programming interface media namespace |
| CN101377737A (en) * | 2007-08-28 | 2009-03-04 | 上海宝信软件股份有限公司 | Resource management apparatus of application system |
| CN104866312A (en) * | 2015-05-22 | 2015-08-26 | 国云科技股份有限公司 | ASP.NET-based pseudo static page implementation method |
| CN105205539A (en) * | 2015-08-25 | 2015-12-30 | 携程计算机技术(上海)有限公司 | OTA website hotel room management method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107423586A (en) | 2017-12-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3807797B1 (en) | Pointer authentication and dynamic switching between pointer authentication regimes | |
| Hanna et al. | Juxtapp: A scalable system for detecting code reuse among android applications | |
| US8090959B2 (en) | Method and apparatus for protecting .net programs | |
| US20160203087A1 (en) | Method for providing security for common intermediate language-based program | |
| CN108633309A (en) | The Compiler Optimization of coroutine | |
| US20170024230A1 (en) | Method, apparatus, and computer-readable medium for ofuscating execution of an application on a virtual machine | |
| JP2016511905A (en) | Compiler-based obfuscation | |
| CN105068932A (en) | Android application program packing detection method | |
| CN103324481A (en) | Compiling method and compiling system for obfuscating codes by means of assembly | |
| CN105022936A (en) | Class file encryption and decryption method and class file encryption and decryption device | |
| US9256409B2 (en) | Building reusable function summaries for frequently visited methods to optimize data-flow analysis | |
| JP2016525760A (en) | Identify irrelevant code | |
| WO2015035827A1 (en) | Method and apparatus for providing string encryption and decryption in program files | |
| CN103413074A (en) | Method and device for protecting software through API | |
| US10691791B2 (en) | Automatic unpacking of executables | |
| CN114925338A (en) | Compiling method, device, equipment, medium and product | |
| CN107871066B (en) | Code compiling method and device based on android system | |
| US10013517B1 (en) | High level programming language core protection for high level synthesis | |
| CN107423586B (en) | Method for protecting software and software protecting equipment | |
| Lin et al. | Solsee: a source-level symbolic execution engine for solidity | |
| CN107577925B (en) | Based on the virtual Android application program guard method of dual ARM instruction | |
| TW201804349A (en) | On demand code decryption | |
| CN104751026A (en) | Software protection method and software application method of android system, and related devices | |
| CN112965736A (en) | Code processing method and device, electronic equipment and medium | |
| CN112052462B (en) | Virtualized encryption method, terminal and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee after: Beijing Shendun Technology Co.,Ltd. Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |
|
| CP01 | Change in the name or title of a patent holder |