CN112199160A - Virtual instruction recovery method, device, equipment and storage medium - Google Patents

Info

Publication number: CN112199160A
Application number: CN202011110351.XA
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN112199160B (en)
Inventor: 乐德广
Current assignee: Changshu Institute of Technology
Original assignee: Changshu Institute of Technology
Prior art keywords: instruction, processing function, virtual, virtual machine, register
Application filed by Changshu Institute of Technology; priority to CN202011110351.XA; published as CN112199160A; granted and published as CN112199160B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Executing Machine-Instructions (AREA)

Abstract

The embodiments of the invention disclose a virtual instruction recovery method, apparatus, device and storage medium. The method comprises the following steps: dynamic instruction tracing of the virtual machine; determining the position of the local variable table; identifying the processing functions (handlers); determining the values of all registers before and after each processing function executes; determining the register that holds the operand stack of each processing function; determining the operand stack and local variable table read operations of each processing function; and restoring the virtual instruction corresponding to each processing function. To counter malicious users who evade the detection of malicious code in their programs by antivirus software through virtual machine protection, a virtual machine virtual instruction recovery method based on dynamic instruction trace recording and semantic analysis of the bytecode processing functions is provided.

Description

Virtual instruction recovery method, device, equipment and storage medium
Technical Field
The present invention relates to virtual instruction technology, and also to information security, software protection and software construction; in particular, to a method, apparatus, device and storage medium for restoring virtual instructions, and more particularly to restoring the virtual instructions of code protected by a virtual machine.
Background
A virtual machine refers to a complete computer system, with the functionality of a full hardware system, that is emulated in software and runs in an isolated environment; virtual machine software provides such functionality for different operating systems. In software protection the term denotes a custom interpreter embedded in the protected program: the original instructions are translated into bytecode for that interpreter, and the interpreter's processing functions (handlers) execute the bytecode at run time. Virtual machine protection is a double-edged sword: it protects user software against malicious attack and the threat of cracking, tampering or piracy, but many malicious programs also use virtual machine protection to virtualize their malicious code and so evade detection by antivirus or Trojan-detection software. Therefore, in addition to forward research on virtual machine protection, reverse analysis of virtual machines needs to be studied, in order to solve problems such as malicious code using virtual machine protection to evade detection.
Existing virtual machine reverse analysis techniques restore the protected code by reversing the structure of the virtual machine, simplifying the virtual instructions, converting them into an intermediate language, and compiling that intermediate language into the corresponding x86 instructions. An analysis method based on the structure of the virtual machine requires the interpreter to meet certain structural conditions, so it is not general; in addition, instruction simplification has difficulty coping with heavily hardened code inside the virtual machine.
Disclosure of Invention
The embodiments of the invention provide a virtual instruction restoring method, apparatus, device and storage medium: a method for restoring virtual instructions based on dynamic instruction trace recording and semantic analysis of the bytecode processing functions, aimed at the problem of malicious users evading antivirus detection of the malicious code in their programs by means of virtual machine protection.
The embodiment of the invention provides a virtual instruction restoration method, which comprises the following steps:
dynamic instruction tracing of the virtual machine;
determining the position of the local variable table;
identifying the processing functions (handlers);
determining the values of all registers before and after each processing function executes;
determining the register corresponding to the operand stack of each processing function;
determining the operand stack and local variable table read operations of each processing function;
and restoring the virtual instruction corresponding to each processing function.
Further, the set of memory read traces of the virtual machine is the execution trace of the virtual machine instructions, denoted VMTrace, and each VMTrace record includes the following information:
the complete executed assembly instruction;
the static address of the executed assembly instruction;
the register modified by the instruction and its new value.
Further, a cached, delayed-write method is used to record the register values and memory read/write information of each instruction during execution into a VMTrace file.
Further, processing function identification comprises: the virtual machine uses threaded interpretation, in which each processing function jumps directly to the next in a fixed pattern, and the following identification method is performed:
the dynamic instruction trace of the virtual machine is scanned; when one of the two processing-function-ending patterns is matched, a new processing function instance is created and the subsequently scanned instructions are added to it until the pattern is matched again, which marks the end of that instance's instruction sequence. Continuing in this way, after the scan ends, the set of instances of all executed processing functions is obtained.
Further, determining the values of all registers before and after a processing function executes comprises: determining, for each identified processing function, the register values before and after its execution.
Further, determining the register corresponding to the processing function's operand stack comprises: first determining the register corresponding to the operand stack before the virtual machine is entered, then tracking and analysing how the operand stack changes, so as to determine the register corresponding to the operand stack in each processing function.
Further, restoring the virtual instruction corresponding to a processing function comprises: obtaining three key data for each processing function, namely its change to the top of the operand stack, its number of reads of the operand stack and its number of reads of the local variable area; and deducing the virtual instruction corresponding to the processing function from these three data.
An embodiment of the present invention further provides a virtual instruction recovery apparatus, comprising:
a tracing module, for dynamic instruction tracing of the virtual machine;
a determining module, for determining the position of the local variable table;
an identification module, for identifying the processing functions;
an execution module, for determining all register values before and after a processing function executes;
a corresponding module, for determining the register corresponding to the processing function's operand stack;
an operation module, for determining the operand stack and local variable table read operations of the processing function;
and a restoration module, for restoring the virtual instruction corresponding to the processing function.
The embodiment of the invention also provides virtual instruction restoring equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the virtual instruction restoring method when executing the program.
The embodiment of the invention also provides a computer-readable storage medium, which stores computer-executable instructions, wherein the computer-executable instructions are used for executing the virtual instruction restoration method.
The embodiment of the invention comprises the following steps: dynamic instruction tracing of the virtual machine; determining the position of the local variable table; identifying the processing functions; determining all register values before and after each processing function executes; determining the register corresponding to the processing function's operand stack; determining the operand stack and local variable table read operations of the processing function; and restoring the virtual instruction corresponding to the processing function. Because the method works from the recorded dynamic trace and the semantics of each processing function rather than from the structure of the interpreter, it does not require the interpreter to satisfy particular structural conditions; and the large number of obfuscated instructions inserted into the processing functions only lengthen the trace, since they do not change a processing function's effect on the operand stack and local variable area, which is what the method measures.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
FIG. 1 is a flowchart of the virtual instruction restoring method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of the complete sequence of assembly instructions executed by a function, as recorded by VMTrace, according to an embodiment of the invention;
FIG. 3 is a structural diagram of the virtual instruction restoring apparatus according to an embodiment of the invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
In view of the shortcomings of current analysis methods for virtual machine protection software when restoring virtual instructions, the embodiment of the invention provides an analysis method for virtual machine protection software based on dynamic data flow analysis, and finally reconstructs the virtual instructions by combining the control flow with the process by which the data is generated.
That is, the embodiment of the invention determines the semantics of each virtual instruction by locating the processing functions (handlers) in the dynamic trace of the virtual machine and analysing the meaning of the assembly instructions within each one. The virtual machine is stack-based: its stack frame comprises a local variable table and an operand stack, and when each bytecode instruction is interpreted it operates on operands in the operand stack and stores results in the local variable area as the bytecode directs. Different virtual operation instructions read and write the local variable area a characteristic number of times and change the top of the operand stack in a characteristic way; these features are analysed to determine the semantics of the corresponding opcode.
To address the above, as shown in FIG. 1, an embodiment of the present invention provides a virtual instruction restoring method, comprising:
Step 101, dynamic instruction tracing of the virtual machine.
For reverse analysis of the virtual instructions of a virtual machine, obtaining real and reliable dynamic execution information of the virtual machine is an essential foundation. The embodiment of the invention therefore records the execution trace of the virtual machine by dynamic instruction tracing. An execution trace is a finite sequence of dynamic instructions (I1, …, In) of a running program. In one embodiment, the set of memory read traces of the virtual machine is the execution trace of the virtual machine instructions, denoted VMTrace. FIG. 2 shows that when a virtual-machine-protected function is executed under the VMTrace facility, VMTrace records the complete sequence of assembly instructions the function executes.
As can be seen from FIG. 2, a VMTrace record mainly contains the following information:
(1) the complete executed assembly instruction;
(2) the static address of the executed assembly instruction;
(3) the register modified by the instruction and its new value.
Because a large number of obfuscated instructions are added to the processing functions of the virtual machine, the number of dynamic instructions actually executed is often very large. To improve efficiency, in one embodiment a cached, delayed-write method is used to record the register values and memory read/write information of each instruction during execution into a VMTrace file.
Step 102, determining the position of the local variable table.
When an executable hardened by the virtual machine runs, the program reserves a region of memory as the local variable table before it enters the virtual machine. The memory position of the local variable table does not change until the virtual machine is left. The virtual machine reserves the space for the table with an instruction 'sub esp, esp_space', so the position of the table is determined by searching VMTrace, before the virtual machine is entered, for that instruction and recording the stack pointer it leaves behind:
vm_handler.local_variable_table.addr = [esp].
Step 103, processing function identification.
Among the large number of virtual machine instruction sequences, the virtual machine exhibits certain inherent characteristics before completing one round of interpretation, such as jumping to the position where the next instruction is fetched. In one embodiment, processing function identification comprises: the virtual machine uses threaded interpretation and jumps between adjacent processing functions in one of the two patterns expressed by the following assembly code;
mode 1:
xxxx:push reg
xxxx:ret
mode 2:
xxxx:jmp reg
In both patterns the value of reg is the address of the next processing function, and the processing functions can be delimited and identified by matching these two conditions in the dynamic instruction trace of the virtual machine. In addition, before the execution of each processing function finishes, the esp register points at the local variable table; this constraint serves as a strengthening condition for processing function identification and raises its success rate. The pseudo-code logic for identifying processing functions is shown in the following code:
[pseudo-code listing: shown on the original page as an image and not reproduced here]
That is, the following identification method is performed:
as the pseudo-code indicates, the dynamic instruction trace of the virtual machine is scanned; when one of the two processing-function-ending patterns is matched, a new processing function instance is created, and the subsequently scanned instructions are added to it until the pattern is matched again, which marks the end of that instance's instruction sequence. Continuing in this way, after the scan ends, the set of instances of all executed processing functions is obtained.
Step 104, determining all register values before and after the processing function executes.
In one embodiment, determining the values of all registers before and after a processing function executes comprises: for each processing function identified in step 103, determining the register values before and after its execution. In the dynamic instruction trace of the virtual machine, the first line shows the value of every register, and the last column of every subsequent VMTrace record gives the register modified by that instruction and its new value. From these two pieces of information the values of all registers before and after each processing function can be determined. They are denoted enter_status and exit_status respectively, as follows:
vm_handler.enter_status = {…}
vm_handler.exit_status = {…}
where vm_handler.enter_status holds the values of all registers before the processing function executes, and vm_handler.exit_status holds the values of all registers after it executes.
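The following is an added worked example, not code from the patent or its author, that implements steps 101 to 104 in Python over a constructed VMTrace-style text trace. The trace format (a first line with every register's initial value, then one `address|instruction|modified_register=value` record per executed instruction), the sample addresses and values, and the choice of `esi` as the bytecode pointer and `ebp` as the operand stack register are all assumptions made for the example; the boundary patterns (`push reg; ret`, `jmp reg`), the `sub esp, N` search for the local variable table and the esp constraint are the ones described in steps 102 and 103.

```python
"""Steps 101-104: parse a VMTrace-style trace and cut it into handler instances.
Added example; the trace format and sample values are assumptions (see lead-in)."""
import re
from dataclasses import dataclass

# Constructed sample trace (not from a real binary). The prologue reserves the local
# variable table, stores local slot 0 = 7, sets ebp as operand-stack top and esi as
# bytecode pointer, then three handlers run, chained by "push reg; ret" / "jmp reg".
SAMPLE_TRACE = """\
eax=0x0 ebx=0x0 ecx=0x0 edx=0x0 esi=0x0 edi=0x0 ebp=0x12ff90 esp=0x12ff80
00401000|sub esp, 0x40|esp=0x12ff40
00401003|mov dword [esp+4], 0x7|
0040100b|mov ebp, 0x12ff00|ebp=0x12ff00
00401010|mov esi, 0x405000|esi=0x405000
00401015|mov edi, [esi]|edi=0x403000
00401017|jmp edi|
00403000|sub ebp, 4|ebp=0x12fefc
00403003|mov eax, [esi+4]|eax=0x5
00403006|mov [ebp], eax|
00403008|add esi, 8|esi=0x405008
0040300b|mov edi, [esi]|edi=0x403020
0040300d|push edi|esp=0x12ff3c
0040300e|ret|esp=0x12ff40
00403020|mov eax, [esp+4]|eax=0x7
00403024|sub ebp, 4|ebp=0x12fef8
00403027|mov [ebp], eax|
00403029|add esi, 4|esi=0x40500c
0040302c|mov edi, [esi]|edi=0x403040
0040302e|jmp edi|
00403040|mov eax, [ebp]|eax=0x7
00403042|mov ecx, [ebp+4]|ecx=0x5
00403045|add eax, ecx|eax=0xc
00403047|add ebp, 4|ebp=0x12fefc
0040304a|mov [ebp], eax|
0040304c|add esi, 4|esi=0x405010
0040304f|mov edi, [esi]|edi=0x403060
00403051|push edi|esp=0x12ff3c
00403052|ret|esp=0x12ff40
"""

REG_VAL = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")
SUB_ESP = re.compile(r"^sub\s+esp,\s*(0x[0-9a-fA-F]+|\d+)$")
PUSH_REG = re.compile(r"^push\s+(e[abcd]x|e[sd]i|ebp)$")
JMP_REG = re.compile(r"^jmp\s+(e[abcd]x|e[sd]i|ebp)$")


@dataclass
class Record:
    addr: int   # static address of the executed instruction
    ins: str    # the executed assembly instruction
    post: dict  # full register state after the instruction executed


@dataclass
class Handler:
    start_addr: int
    ins: list
    enter_status: dict  # register values before the handler ran
    exit_status: dict   # register values after the handler ran


def parse_trace(text):
    """Step 101: replay each record's 'reg=value' column onto the initial register
    line, so every record carries the complete register state after it executed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    regs = {r: int(v, 16) for r, v in REG_VAL.findall(lines[0])}
    init, records = dict(regs), []
    for ln in lines[1:]:
        addr, ins, mod = ln.split("|")
        m = REG_VAL.match(mod)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
        records.append(Record(int(addr, 16), ins.strip(), dict(regs)))
    return init, records


def find_local_variable_table(records):
    """Step 102: the table is reserved with 'sub esp, N' before VM entry; its
    address is the value esp holds immediately after that instruction."""
    for rec in records:
        if SUB_ESP.match(rec.ins):
            return rec.post["esp"]
    raise ValueError("no 'sub esp, N' found before virtual machine entry")


def is_handler_end(records, i, lvt_addr):
    """Step 103 boundary: 'push reg; ret' or 'jmp reg', strengthened by the
    constraint that esp points back at the local variable table afterwards."""
    rec = records[i]
    by_ret = rec.ins == "ret" and i > 0 and PUSH_REG.match(records[i - 1].ins) is not None
    by_jmp = JMP_REG.match(rec.ins) is not None
    return (by_ret or by_jmp) and rec.post["esp"] == lvt_addr


def split_handlers(init_regs, records, lvt_addr):
    """Steps 103-104: cut the trace at handler boundaries and attach each handler's
    enter/exit register state. Records before the first boundary are the VM
    prologue, not a handler, and are dropped."""
    handlers, current, prev_state, in_vm = [], [], init_regs, False
    for i, rec in enumerate(records):
        current.append(rec)
        if is_handler_end(records, i, lvt_addr):
            if in_vm:
                handlers.append(Handler(current[0].addr, [r.ins for r in current],
                                        prev_state, rec.post))
            in_vm, current, prev_state = True, [], rec.post
    return handlers
```

Running `split_handlers` on the sample yields three handler instances starting at 0x403000, 0x403020 and 0x403040; the prologue ends at its own `jmp edi` and is discarded. A `ret` or `jmp reg` inside a handler that does not leave esp at the local variable table (for example a genuine call/return pair used by an obfuscated handler) is not taken as a boundary, which is the purpose of the strengthening condition.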
and 105, determining a register corresponding to the function operand stack.
The register corresponding to the operand stack in the virtual machine is not fixed, and the register stack can be dynamically modified in a register rotation mode. In one embodiment, the method for processing register determination corresponding to a function operand stack includes: the registers corresponding to the operand stack are first validated prior to entering the virtual machine. And then tracking and analyzing the change condition of the operand stack to further determine the register corresponding to each virtual machine operand stack. The virtual machine switches the register corresponding to the operand stack in two ways as expressed in the following assembly language code.
Mode 1:
xxxx:xchg op_stack_reg,reg1
xxxx:mov reg2,reg1
mode 2:
xxxx:mov reg,op_stack_reg
The judgement conditions implemented from these two patterns are not strong constraints: an instruction can match the pattern without the register corresponding to the operand stack actually changing. The accuracy of recognition is further increased by checking the range of the value change, and the pseudo-code logic of the decision algorithm is as follows:
[pseudo-code listing: shown on the original page as an image and not reproduced here]
where op_stack_chg is the difference between the value of the new register after the condition is detected and the value of the original register, and op_stack_reg_candidate is the new register to which the operand stack may have been switched when the condition is detected. If the change is within the possible range, the new register replaces the original one.
Step 106, determining the operand stack and local variable table read operations of the processing function.
At this point the registers corresponding to the operand stack and to the local variable table are known for every processing function, and with these registers as search conditions the sets of instructions that read the operand stack and the local variable table in each processing function can be found:
vm_handler.op_stack.ins = {Is1, Is2, …, Isi, …, IsM}, 1 ≤ i ≤ M;
vm_handler.local_var_table.ins = {Iv1, Iv2, …, Ivj, …, IvN}, 1 ≤ j ≤ N;
where vm_handler.op_stack.ins is the set of operand stack read instructions in the processing function and vm_handler.local_var_table.ins is the set of local variable table read instructions in the processing function.
The pseudo-code logic of the algorithm that determines the reads and writes of the operand stack and local variable table in a processing function is as follows:
[pseudo-code listing: shown on the original page as an image and not reproduced here]
As the pseudo-code indicates, a 'read operation' is expressed at the assembly level as a mov instruction: data is read from the operand stack or local variable table region with a mov whose memory operand is addressed through the corresponding register.
Step 107, restoring the virtual instruction corresponding to the processing function.
Based on the above analysis, in one embodiment, restoring the virtual instruction corresponding to a processing function comprises obtaining three key data for each processing function:
(1) its change to the top of the operand stack, (2) its number of reads of the operand stack, and (3) its number of reads of the local variable area. The change to the top of the operand stack is calculated as follows:
vm_handler.op_stack_chg = vm_handler.exit_status[vm_handler.op_stack_exit_reg] - vm_handler.enter_status[vm_handler.op_stack_entry_reg]
where op_stack_chg is the change the processing function makes to the top of the operand stack, and op_stack_entry_reg and op_stack_exit_reg are the registers holding the operand stack on entry to and exit from the processing function (they differ when the register was rotated, as determined in step 105).
The other two values follow from the instruction sets obtained in step 106:
vm_handler.op_stack_read_times = M
vm_handler.local_var_table_read_times = N
where op_stack_read_times is the number of reads of the operand stack (the size M of vm_handler.op_stack.ins) and local_var_table_read_times is the number of reads of the local variable area (the size N of vm_handler.local_var_table.ins).
From these three data the virtual instruction corresponding to the processing function can be inferred, according to the criteria in Table 1:
TABLE 1
[table of virtual instruction criteria: shown on the original page as an image and not reproduced here]
According to Table 1, the pseudo-code of the virtual instruction recovery algorithm for a processing function is as follows:
[pseudo-code listing: shown on the original page as an image and not reproduced here]
The algorithm takes the change to the top of the operand stack as its main criterion and then tests the remaining conditions in turn, thereby determining the virtual instruction corresponding to the processing function.
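The following is an added worked example, not code from the patent or its author, that carries steps 105 to 107 through in Python on a constructed set of handler instances of the kind step 103 produces (each with its executed instructions and the enter_status/exit_status of step 104). Table 1 is not reproduced on the page, so the mapping in `classify()` from (op_stack_chg, op_stack_read_times, local_var_table_read_times) to virtual instruction names is an assumed one for a stack virtual machine with 4-byte slots whose operand stack grows downwards; the 8-byte tolerance used for the register-rotation range check, the handler names and the register values are likewise assumptions made for the example. The rotation patterns and the mov-based read detection are those of steps 105 and 106.

```python
"""Steps 105-107: operand-stack register tracking, read counting and virtual
instruction recovery over segmented handlers. Added example; the opcode table,
slot size and range tolerance are assumptions (see lead-in)."""
import re

SLOT = 4                  # assumed operand-stack slot size in bytes; stack grows down
MAX_TOP_SHIFT = 2 * SLOT  # assumed plausible movement of the stack top in one handler
LVT_REG = "esp"           # local variable table is addressed via esp (step 102)
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
MEM_READ = re.compile(r"^mov\s+(\w+),\s*(?:dword\s+)?\[(\w+)")
MOV_RR = re.compile(r"^mov\s+(\w+),\s*(\w+)$")
XCHG = re.compile(r"^xchg\s+(\w+),\s*(\w+)$")
ALU = re.compile(r"^(add|sub|and|or|xor|imul)\s+(\w+),\s*(\w+)$")

# Constructed handler instances: ins = executed instructions; enter/exit = register
# values before/after the handler (step 104), only those the analysis touches.
# Handler 3 rotates the stack register ebp -> ebx; handler 4 contains a decoy
# 'mov eax, ebx' that matches the rotation pattern but is not a rotation.
SAMPLE_HANDLERS = [
    {"ins": ["sub ebp, 4", "mov eax, [esi+4]", "mov [ebp], eax", "add esi, 8",
             "mov edi, [esi]", "push edi", "ret"],
     "enter": {"ebp": 0x12ff00}, "exit": {"ebp": 0x12fefc, "eax": 0x5}},
    {"ins": ["mov eax, [esp+4]", "sub ebp, 4", "mov [ebp], eax", "add esi, 4",
             "mov edi, [esi]", "jmp edi"],
     "enter": {"ebp": 0x12fefc}, "exit": {"ebp": 0x12fef8, "eax": 0x7}},
    {"ins": ["mov ebx, ebp", "mov eax, [ebx]", "mov ecx, [ebx+4]", "add eax, ecx",
             "add ebx, 4", "mov [ebx], eax", "add esi, 4", "mov edi, [esi]",
             "push edi", "ret"],
     "enter": {"ebp": 0x12fef8, "ebx": 0x0},
     "exit": {"ebp": 0x12fef8, "ebx": 0x12fefc, "eax": 0xc}},
    {"ins": ["mov eax, ebx", "and eax, 0xf", "mov eax, [ebx]", "add ebx, 4",
             "mov [esp+4], eax", "add esi, 4", "mov edi, [esi]", "jmp edi"],
     "enter": {"ebx": 0x12fefc, "eax": 0xc}, "exit": {"ebx": 0x12ff00, "eax": 0xc}},
]


def op_stack_exit_register(handler, op_reg):
    """Step 105: candidates come from 'xchg op_reg, r1 ; mov r2, r1' and 'mov r, op_reg'.
    The pattern alone is a weak constraint, so a candidate is accepted only if its value
    after the handler lies within MAX_TOP_SHIFT of the old register's entry value."""
    ins = handler["ins"]
    for k, line in enumerate(ins):
        candidate = None
        m = XCHG.match(line)
        if m and m.group(1) == op_reg and k + 1 < len(ins):
            n = MOV_RR.match(ins[k + 1])
            if n and n.group(2) == m.group(2) and n.group(1) in REGS:
                candidate = n.group(1)
        m = MOV_RR.match(line)
        if m and m.group(2) == op_reg and m.group(1) in REGS and m.group(1) != op_reg:
            candidate = m.group(1)
        if candidate is not None:
            shift = handler["exit"].get(candidate, 0) - handler["enter"][op_reg]
            if abs(shift) <= MAX_TOP_SHIFT:
                return candidate
    return op_reg


def count_reads(handler, stack_regs):
    """Step 106: a read is a mov whose memory operand is based on the operand-stack
    register (op_stack.ins) or on the local-variable-table register (local_var_table.ins)."""
    op_reads = lvt_reads = 0
    for line in handler["ins"]:
        m = MEM_READ.match(line)
        if m and m.group(2) in stack_regs:
            op_reads += 1
        elif m and m.group(2) == LVT_REG:
            lvt_reads += 1
    return op_reads, lvt_reads


def alu_mnemonics(handler, stack_regs):
    """Register-to-register ALU instructions that are not stack or bytecode-pointer
    arithmetic (source must be a register; destination must not be the stack register)."""
    return [m.group(1) for m in map(ALU.match, handler["ins"])
            if m and m.group(3) in REGS and m.group(2) not in stack_regs]


def classify(chg, op_reads, lvt_reads, alu):
    """Step 107 with an assumed table: stack-top change first, then the other features."""
    if chg == -SLOT:
        return "vPushVar" if lvt_reads else "vPushImm"
    if chg == SLOT and op_reads == 2:
        names = {"add": "vAdd", "sub": "vSub", "and": "vAnd", "or": "vOr",
                 "xor": "vXor", "imul": "vMul"}
        return names.get(alu[0], "vBinOp") if alu else "vBinOp"
    if chg == SLOT and op_reads == 1:
        return "vPopVar"
    if chg == 0 and op_reads == 1:
        return "vUnaryOp"
    return "vUnknown"


def recover(handlers, op_reg):
    """Steps 105-107 over a handler sequence; op_reg is the operand-stack register
    determined before VM entry. Each handler's exit register is the next one's entry."""
    result = []
    for h in handlers:
        exit_reg = op_stack_exit_register(h, op_reg)
        chg = h["exit"][exit_reg] - h["enter"][op_reg]   # op_stack_chg of step 107
        stack_regs = {op_reg, exit_reg}
        op_reads, lvt_reads = count_reads(h, stack_regs)
        result.append({"vins": classify(chg, op_reads, lvt_reads, alu_mnemonics(h, stack_regs)),
                       "op_stack_chg": chg, "op_stack_reads": op_reads,
                       "lvt_reads": lvt_reads, "op_stack_reg": exit_reg})
        op_reg = exit_reg
    return result
```

`recover(SAMPLE_HANDLERS, "ebp")` labels the four handlers vPushImm, vPushVar, vAdd and vPopVar. The third handler rotates the operand stack from ebp to ebx with the 'mov reg, op_stack_reg' pattern and is accepted because ebx ends up one slot above ebp's entry value; the fourth contains a 'mov eax, ebx' that matches the same pattern but is rejected by the range check, since eax ends up holding a popped value rather than a stack address. Mnemonics of register-to-register ALU instructions refine the binary-operation case, because the read counts alone cannot separate vAdd from vSub.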
As shown in FIG. 3, an embodiment of the present invention further provides a virtual instruction restoring apparatus, comprising:
a tracing module 71, configured for dynamic instruction tracing of the virtual machine;
a determining module 72, configured to determine the position of the local variable table;
an identification module 73, configured to identify the processing functions;
an execution module 74, configured to determine all register values before and after a processing function executes;
a corresponding module 75, configured to determine the register corresponding to the processing function's operand stack;
an operation module 76, configured to determine the operand stack and local variable table read operations of the processing function;
and a restoring module 77, configured to restore the virtual instruction corresponding to the processing function.
The embodiment of the invention also provides virtual instruction restoring equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the virtual instruction restoring method when executing the program.
The embodiment of the invention also provides a computer-readable storage medium, which stores computer-executable instructions, wherein the computer-executable instructions are used for executing the virtual instruction restoration method.
In this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, or other various media capable of storing program codes.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or modulated data signals such as a carrier wave or other transport mechanism and includes any information delivery media.

Claims (10)

1. A virtual instruction recovery method, comprising:
dynamic instruction tracing of the virtual machine;
determining the position of the local variable table;
identifying the processing functions;
determining all register values before and after a processing function executes;
determining the register corresponding to the processing function's operand stack;
determining the operand stack and local variable table read operations of the processing function;
and restoring the virtual instruction corresponding to the processing function.
2. The method according to claim 1, wherein the set of memory read traces of the virtual machine is an execution trace of a virtual machine instruction, and is denoted as a VMTrace, and the VMTrace record includes the following information:
a fully executed assembler instruction;
a static address of an executed assembly instruction;
the register and its modified value that are modified after each instruction executes.
3. The virtual instruction recovery method according to claim 1, wherein a cache deferred write method is used to record the register value and the memory read-write information of each instruction in the execution period as a VMTrace file.
4. The virtual instruction recovery method of claim 1, wherein the processing function identification comprises: the virtual machine adopts thread type interpretation execution and realizes the jump of adjacent processing functions in a set mode; the following identification method is performed:
and polling the virtual machine dynamic instruction tracking record, if the ending characteristics of the two processing functions are matched, creating a new processing function instance, and then adding a polled subsequent instruction into the instance until a new characteristic appears, wherein the polled subsequent instruction indicates that the instruction sequence of the instance is ended. By analogy, after the loop is ended, a set of instances of all executed processing functions can be obtained.
5. The virtual instruction restoring method according to claim 1, wherein the processing function performs a method of determining all register values before and after execution, including: and determining the values of the registers before and after the execution of each processing function according to the identified processing function.
6. The virtual instruction restoring method according to claim 1, wherein the method for handling the register determination corresponding to the function operand stack comprises: the registers corresponding to the operand stack are first validated prior to entering the virtual machine. And then tracking and analyzing the change condition of the operand stack to further determine the register corresponding to each virtual machine operand stack.
7. The virtual instruction recovery method according to claim 1, wherein the method for recovering the virtual instruction corresponding to a processing function comprises: obtaining three data items for each processing function, namely its change to the top of the operand stack, its number of operand-stack reads and its number of local-variable-area reads; and deducing the virtual instruction corresponding to the processing function from these three data items.
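The following is an added worked example, not part of the patent or of its applicant's code, that carries the steps of claims 2 to 7 over a constructed trace of a threaded-dispatch virtual machine: trace records as claim 2 describes them, splitting into processing function instances by the end feature (claim 4), replaying register writes for before/after values (claim 5), locating the operand-stack register (claim 6), and mapping the three data items of claim 7 to a virtual instruction. The register names (r_sp, r_next, r_tmp, r_a, r_b), the address ranges of the operand stack and local variable table, the end feature `jmp r_next`, the handler bodies and the opcode table are all assumptions chosen for illustration; a real recovery tool would derive them from the protected program.

```python
"""Added worked example (not the patent's code): recover virtual instructions from a
constructed dynamic instruction trace by the steps of claims 2 to 7.  Every register
name, address range, handler body and the opcode table is an assumption for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SLOT = 4                                   # assumed operand-stack slot size in bytes
STACK_BASE, STACK_END = 0x2000, 0x2100     # assumed operand-stack region
LOCALS_BASE, LOCALS_END = 0x3000, 0x3100   # assumed local-variable-table region
HANDLER_END = ("jmp", "r_next")            # assumed end feature: the threaded-dispatch jump

@dataclass
class TraceRecord:
    """One executed instruction: the items of claim 2 plus the memory info of claim 3."""
    address: int                      # static address of the executed instruction
    asm: Tuple[str, ...]              # executed assembly instruction: (mnemonic, operands...)
    reg_writes: Dict[str, int]        # registers modified by this instruction and their new values
    mem_reads: Tuple[int, ...] = ()   # addresses read by this instruction
    mem_writes: Tuple[int, ...] = ()  # addresses written by this instruction

def split_handlers(trace: List[TraceRecord]) -> List[List[TraceRecord]]:
    """Claim 4: poll the trace; each match of the handler end feature closes one instance."""
    instances, cur = [], []
    for rec in trace:
        cur.append(rec)
        if rec.asm[:2] == HANDLER_END:
            instances.append(cur)
            cur = []
    if cur:                            # trace ended inside a handler: keep the partial instance
        instances.append(cur)
    return instances

def register_states(instances, initial_regs):
    """Claim 5: replay the recorded register writes to get (before, after) values per handler."""
    state, pairs = dict(initial_regs), []
    for inst in instances:
        before = dict(state)
        for rec in inst:
            state.update(rec.reg_writes)
        pairs.append((before, dict(state)))
    return pairs

def find_stack_register(initial_regs, pairs):
    """Claim 6: the register inside the stack region at VM entry and at every handler boundary."""
    in_stack = lambda v: STACK_BASE <= v < STACK_END
    candidates = [r for r, v in initial_regs.items() if in_stack(v)]
    for before, after in pairs:
        candidates = [r for r in candidates if in_stack(before[r]) and in_stack(after[r])]
    if len(candidates) != 1:
        raise ValueError(f"operand-stack register is ambiguous: {candidates}")
    return candidates[0]

def count_reads(inst):
    """Claim 7 inputs: reads from the operand stack and reads from the local-variable area."""
    addrs = [a for rec in inst for a in rec.mem_reads]
    return (sum(STACK_BASE <= a < STACK_END for a in addrs),
            sum(LOCALS_BASE <= a < LOCALS_END for a in addrs))

# Assumed table for a Java-like stack VM: (stack-top change in slots, stack reads, local reads).
OPCODE_TABLE = {
    (+1, 0, 1): "LOAD_LOCAL",   # read one local, push it
    (+1, 0, 0): "PUSH_CONST",   # push an immediate
    (+1, 1, 0): "DUP",          # read the top slot, push a copy
    (-1, 1, 0): "STORE_LOCAL",  # read the top slot into a local, pop
    (-1, 0, 0): "POP",          # discard the top slot without reading it
    (-1, 2, 0): "BINARY_OP",    # read two operands, push one result
}

def recover(trace, initial_regs):
    """Claims 4 to 7 end to end: one (virtual instruction, triple) per executed handler."""
    instances = split_handlers(trace)
    pairs = register_states(instances, initial_regs)
    sp = find_stack_register(initial_regs, pairs)
    result = []
    for inst, (before, after) in zip(instances, pairs):
        triple = ((after[sp] - before[sp]) // SLOT, *count_reads(inst))
        result.append((OPCODE_TABLE.get(triple, "UNKNOWN"), triple))
    return result

def sample_trace():
    """Constructed trace (not captured from any real program): load, load, add, store."""
    def load(local_addr, sp, val):          # assumed handler body for LOAD_LOCAL
        return [TraceRecord(0x1000, ("mov", "r_tmp", f"[{local_addr:#x}]"), {"r_tmp": val}, (local_addr,)),
                TraceRecord(0x1003, ("mov", "[r_sp]", "r_tmp"), {}, (), (sp,)),
                TraceRecord(0x1006, ("add", "r_sp", "4"), {"r_sp": sp + SLOT}),
                TraceRecord(0x1009, ("jmp", "r_next"), {})]
    return load(0x3000, 0x2000, 5) + load(0x3004, 0x2004, 7) + [
        TraceRecord(0x1020, ("mov", "r_a", "[r_sp-4]"), {"r_a": 7}, (0x2004,)),
        TraceRecord(0x1023, ("mov", "r_b", "[r_sp-8]"), {"r_b": 5}, (0x2000,)),
        TraceRecord(0x1026, ("add", "r_a", "r_b"), {"r_a": 12}),
        TraceRecord(0x1028, ("sub", "r_sp", "4"), {"r_sp": 0x2004}),
        TraceRecord(0x102B, ("mov", "[r_sp-4]", "r_a"), {}, (), (0x2000,)),
        TraceRecord(0x102E, ("jmp", "r_next"), {}),
        TraceRecord(0x1040, ("mov", "r_tmp", "[r_sp-4]"), {"r_tmp": 12}, (0x2000,)),
        TraceRecord(0x1043, ("mov", "[0x3008]", "r_tmp"), {}, (), (0x3008,)),
        TraceRecord(0x1046, ("sub", "r_sp", "4"), {"r_sp": 0x2000}),
        TraceRecord(0x1049, ("jmp", "r_next"), {}),
    ]

INITIAL_REGS = {"r_sp": 0x2000, "r_next": 0x1000, "r_tmp": 0, "r_a": 0, "r_b": 0}
```

Calling `recover(sample_trace(), INITIAL_REGS)` yields LOAD_LOCAL, LOAD_LOCAL, BINARY_OP, STORE_LOCAL with the triples (+1, 0, 1), (+1, 0, 1), (-1, 2, 0) and (-1, 1, 0). The triple separates STORE_LOCAL from POP (both lower the stack top by one slot, but only STORE_LOCAL reads the slot) and DUP from PUSH_CONST, which is why claim 7 needs the two read counts in addition to the stack-top change; a handler whose triple is not in the table is reported as UNKNOWN rather than guessed.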
8. A virtual instruction recovery apparatus, comprising:
a tracking module for dynamic instruction tracing of the virtual machine;
a determining module for determining the position of the local variable table;
an identification module for processing function identification;
an execution module for determining all register values before and after a processing function is executed;
a corresponding module for determining the register corresponding to the operand stack of a processing function;
an operation module for determining the register corresponding to the operand stack of a processing function;
and a recovery module for recovering the virtual instruction corresponding to the processing function.
9. A virtual instruction recovery apparatus comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the virtual instruction recovery method according to any one of claims 1 to 7 when executing the program.
10. A computer-readable storage medium storing computer-executable instructions for performing the virtual instruction recovery method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011110351.XA CN112199160B (en) 2020-10-16 2020-10-16 Virtual instruction recovery method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011110351.XA CN112199160B (en) 2020-10-16 2020-10-16 Virtual instruction recovery method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112199160A true CN112199160A (en) 2021-01-08
CN112199160B CN112199160B (en) 2021-12-28

Family

ID=74009239

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011110351.XA Active CN112199160B (en) 2020-10-16 2020-10-16 Virtual instruction recovery method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112199160B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5446876A (en) * 1994-04-15 1995-08-29 International Business Machines Corporation Hardware mechanism for instruction/data address tracing
US20070226545A1 (en) * 2006-03-22 2007-09-27 Chen Jyhren J Methods and systems for generating and storing computer program execution trace data
CN101156131A (en) * 2005-04-15 2008-04-02 爱特梅尔公司 Microprocessor access of operand stack as a register file using native instructions
CN101976187A (en) * 2010-11-16 2011-02-16 广州迪庆电子科技有限公司 Stack tracing method and device in decompilation process and decompiler
CN105046117A (en) * 2015-06-30 2015-11-11 西北大学 Code virtualization software protection system realizing instruction set randomization
CN105608346A (en) * 2015-12-25 2016-05-25 北京奇虎科技有限公司 ELF file protection method and system based on ARM instruction virtualization
CN106529296A (en) * 2016-11-16 2017-03-22 武汉工程大学 Method for attacking software protection virtual machine based on fuzzy clustering
CN108614960A (en) * 2018-05-11 2018-10-02 西北大学 A kind of JavaScript virtualization guard methods based on front end bytecode technology
CN109189470A (en) * 2018-08-21 2019-01-11 北京奇虎科技有限公司 Code reinforcement means and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
刘伟伟: "《 Java应用软件的安全加固技术研究》", 《中国优秀硕士学位论文全文数据库(电子期刊)信息科技辑》 *
房鼎益 等: "《一种抗语义攻击的虚拟化软件保护方法》", 《工程科学与技术》 *
谢鑫 等: "《Handler混淆增强的虚拟机保护方法》", 《计算机工程与应用》 *

Also Published As

Publication number Publication date
CN112199160B (en) 2021-12-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant