CN112347499A - Program self-protection method - Google Patents

Publication number
CN112347499A
Authority
CN
China
Prior art keywords
operation request
program
interface
source
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110020703.0A
Other languages
Chinese (zh)
Other versions
CN112347499B (en)
Inventor
李彦清
李志鹏
常飞龙
王威凯
李利军
于滨峰
张春林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dongfangtong Software Co ltd
Beijing Tongtech Co Ltd
Original Assignee
Beijing Dongfangtong Software Co ltd
Beijing Tongtech Co Ltd
Application filed by Beijing Dongfangtong Software Co ltd, Beijing Tongtech Co Ltd
Priority to CN202110020703.0A
Publication of CN112347499A
Application granted
Publication of CN112347499B
Status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention provides a method for self-protection of a program, which comprises the steps of designing an encryption interface and a detection interface of a current program based on a mock class, integrating a mock module on a core code of the current program, and generating an execution program; monitoring an operation request of the execution program, and detecting the operation request; determining the source of the operation request according to the detection result; if the source program meets the encryption principle, the source program is a core program and allows the operation request; if the source program does not meet the encryption principle, the source program is the other program, and the operation request is intercepted; determining a source program of the operation request according to the intercepted operation request, and marking the source program; and automatically intercepting all operation requests from the source program according to the mark.

Description

Program self-protection method
Technical Field
The invention relates to the technical field of software security, in particular to a program self-protection method.
Background
Computer and network technologies are developing rapidly, and computer viruses have emerged endlessly alongside them; by now they seriously affect people's normal use of computers. How to avoid computer virus intrusion has therefore become an important focus of attention.
As computer technology develops, the types of viruses have diversified, but the core aim of a virus is always to damage the software itself and obtain the software's private information, to the detriment of computer users.
Current security software protects itself in two ways: file monitoring prevents viruses from deleting or modifying files, and Hook programs based on Hook technology monitor the software. This approach of protecting software with external programs is stretched to its limits as viruses grow more and more complex.
Therefore, given the trend of virus development, a self-protection method built into the software itself is urgently needed to protect the software from damage and to ensure that it can run normally.
Disclosure of Invention
The invention provides a program self-protection method, which addresses the problem of a virus bypassing security software and tampering with a program directly.
A method for program self-protection, comprising:
step 100: designing an encryption interface and a detection interface of the current program based on the mock class, and integrating a mock module into the core code of the current program to generate an execution program;
step 101: monitoring operation requests of the execution program, and detecting each operation request;
step 102: determining the source of the operation request according to the detection result, wherein:
if the source program meets the encryption principle, the source program is a core program and the operation request is allowed;
if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted;
step 103: determining the source program of the intercepted operation request, and marking the source program;
step 104: automatically intercepting all operation requests from the source program according to the mark.
As an embodiment of the present invention, designing the encryption interface and the detection interface of the current program based on the mock class, and integrating the mock module into the core code of the current program to generate the execution program, includes:
acquiring the class of the core code, and determining the class of the encryption interface and the class of the detection interface;
according to the class of the encryption interface, adding the class of the encryption interface to the core code based on the mock class, to generate an encryption principle;
according to the class of the detection interface, adding the class of the detection interface to the encryption principle based on the mock class, to generate the execution program.
As an embodiment of the present invention, monitoring the operation requests of the execution program and detecting each operation request includes:
acquiring an operation request of the execution program, wherein:
the operation request includes: an operation request that can be used to tamper with file information, an operation request that can be used to tamper with memory, an operation request that can be used to control a process, an operation request that can be used to acquire the core code, an operation request that can be used to tamper with the core code, an operation request that can be used to tamper with the registry, and an operation request that can be used to close the detection program.
As an embodiment of the present invention, determining the source of the operation request according to the detection result, allowing the operation request if the source program meets the encryption principle and is therefore a core program, and intercepting the operation request if the source program does not meet the encryption principle and is therefore another program, includes:
acquiring an operation request of the execution program, and determining the internal instruction of the operation request;
judging, from the internal instruction of the operation request, whether it conforms to the encryption principle of the core program, and thereby determining the source of the operation request;
if the source of the operation request is the core program, allowing the operation request to point to the core logic and execute;
if the source of the operation request is another program, intercepting the operation request and hiding the core logic.
As an embodiment of the present invention, determining the source program of the intercepted operation request and marking the source program includes:
determining the callback interface of the operation request from the intercepted operation request;
according to the callback interface of the operation request, having the detection interface return simulated callback success information, and determining the callback path of the callback interface;
determining the position of the source program according to the callback path;
acquiring the process name of the source program according to its position, and determining that the program with that process name is a marker program;
according to the marker program, returning the marker program information to the detection interface by way of the callback success information simulated by the detection interface, and determining the marker program.
As an embodiment of the present invention, automatically intercepting all operation requests from the source program according to the mark includes:
acquiring the source program, and determining whether the source program is the same as a marker program in the detection database;
if it is the same, directly intercepting the operation request of the source program;
if not, executing step 102 and step 103.
As an embodiment of the present invention, detecting the source program of the operation request includes the following steps:
step (1), acquiring the function of the current operation request, and acquiring the marking information of the current operation request, wherein the marking information is used for directly intercepting the operation request;
step (2), obtaining the internal instruction of the current operation request, judging whether the internal instruction conforms to the preset encryption principle, and if so, allowing the operation request to point to the core logic;
step (3), the detection interface intercepts a request whose source program does not conform to the preset encryption principle, directs it to the abnormal logic, and simulates callback success information for the operation request in order to determine the callback path of the operation request;
step (4), obtaining the position information of the source program, and marking the process name of the source program;
step (5), storing the marking information in the callback success information simulated by the detection interface, and returning the callback success information to the detection interface along the callback path;
step (6), storing the marking information obtained by the callback in the detection library of the detection interface, and directly intercepting all operation requests that contain the marking information.
As an embodiment of the present invention, the step of detecting the source program of the operation request further includes:
in step (3), the interface with which the detection interface simulates the callback success information of the operation request is a virtual interface; the interface generated is unique each time and can destroy itself after completing its task;
in step (4), the marked process name further includes the extension of the process name.
Preferably, the determining the source of the operation request according to the detection of the operation request includes:
step 1: obtaining request detection information and determining time characteristics of the information
Figure 743861DEST_PATH_IMAGE001
Time of day coefficient
Figure 752269DEST_PATH_IMAGE002
And time coefficient
Figure 274517DEST_PATH_IMAGE003
And constructing a time model:
Figure 51980DEST_PATH_IMAGE004
wherein:
Figure 204744DEST_PATH_IMAGE005
indicating the number of time instants;
Figure 169289DEST_PATH_IMAGE006
represents a time of day; the above-mentioned
Figure 823124DEST_PATH_IMAGE007
Representing a time characteristic mean value;
Figure 455094DEST_PATH_IMAGE008
Figure 778759DEST_PATH_IMAGE009
to represent
Figure 27337DEST_PATH_IMAGE006
Monitoring parameters of the moment;
Figure 94651DEST_PATH_IMAGE010
to represent
Figure 315547DEST_PATH_IMAGE006
The actual detection information of the time of day,
step 2: obtaining request path characteristics
Figure 75693DEST_PATH_IMAGE011
Amount of data requested
Figure 873885DEST_PATH_IMAGE012
And change characteristics of requested data
Figure 10468DEST_PATH_IMAGE013
Determining a path model:
Figure 617030DEST_PATH_IMAGE014
step 3: determining a request propensity value based on the path model and the time model
Figure 813656DEST_PATH_IMAGE015
:
Figure 974510DEST_PATH_IMAGE016
step 4: according to the request tendency value, performing source calculation on data and determining operation request characteristics
Figure 649205DEST_PATH_IMAGE017
Sum path coefficient
Figure 703749DEST_PATH_IMAGE018
Determining a path model:
Figure 71276DEST_PATH_IMAGE019
;
wherein, the
Figure 125951DEST_PATH_IMAGE020
Represents the source of the path, said
Figure 463391DEST_PATH_IMAGE017
Is shown as
Figure 778966DEST_PATH_IMAGE021
Request characteristics of a path, said
Figure 786236DEST_PATH_IMAGE018
Is shown as
Figure 46316DEST_PATH_IMAGE021
Coefficients of the individual paths; the above-mentioned
Figure 797235DEST_PATH_IMAGE022
Which is indicative of the number of paths,
Figure 701737DEST_PATH_IMAGE023
The beneficial effects of the invention are as follows: the invention provides a method for protecting a program based on detection and encryption, so that the software is protected from virus intrusion. With the encryption interface in place, every operation request sent by the core program passes the detection of the encryption interface, while operation requests sent by other programs are pointed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protected program and the program protects itself. The detection interface analyzes the internal instruction of each operation request to judge whether it contains the preset encryption principle; if it does, the operation is allowed, and if it does not, the operation is directed to the abnormal logic. This greatly strengthens the protection of the core logic of the protected software: operation requests from other software cannot modify the protected software at all, which prevents virus intrusion and also prevents damage by illegal software, such as cracking. The method skillfully uses the characteristics of memory to carry out a series of operations so that every operation request is detected. Through encryption, the detection interface can perfectly identify operation requests from the protected software, while operation requests from other, unprotected software are intercepted and recorded, so that the next time that software sends an operation request it is intercepted directly. This reduces computational overhead and keeps the virus from reaching the core logic of the protected software, thereby achieving self-protection of the program.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
Fig. 1 is a flowchart illustrating a method for program self-protection according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Example 1:
As shown in Fig. 1, an embodiment of the present invention provides a method for program self-protection, including:
step 100: designing an encryption interface and a detection interface of the current program based on the mock class, and integrating a mock module into the core code of the current program to generate an execution program;
step 101: monitoring operation requests of the execution program, and detecting each operation request;
step 102: determining the source of the operation request according to the detection result, wherein:
if the source program meets the encryption principle, the source program is a core program and the operation request is allowed;
if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted;
step 103: determining the source program of the intercepted operation request, and marking the source program;
step 104: automatically intercepting all operation requests from the source program according to the mark.
The working principle of the technical scheme is as follows: based on the security protection function of the invention, the core code is redesigned to add a self-protection function to it. First, the core functions are designed as classes, divided into a class of the encryption interface and a class of the detection interface. The class of the encryption interface makes the core program carry a preset encryption principle when it sends an operation request; the class of the detection interface determines, when the core program receives an operation request, whether that request contains the preset encryption principle. When an operation request is sent to the execution program, the detection interface judges, according to the encryption principle of the encryption interface, whether the request was sent by the protection software. If so, the detection interface allows the operation request to point to the core logic; if not, the operation request is intercepted and pointed to the abnormal logic. After an operation request from other software is detected, the callback interface of the operation request is found from the intercepted request, and the detection interface of the protection software simulates callback success information and sends it to that callback interface. Following the callback path in the operation request, the simulated callback success information finds the position of the program that issued the request and records that program's process name and process extension name. The simulated callback success information then carries this mark information back to the detection interface of the protection program, which stores it in the detection library so that it can be called directly next time; when an operation request bearing the mark is next encountered, it is intercepted directly and pointed to the abnormal logic.
The beneficial effects of the above technical scheme are: the invention provides a method for protecting a program based on detection and encryption, so that the software is protected from virus intrusion. With the encryption interface in place, every operation request sent by the core program passes the detection of the encryption interface, while operation requests sent by other programs are pointed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protected program and the program protects itself. The detection interface analyzes the internal instruction of each operation request to judge whether it contains the preset encryption principle; if it does, the operation is allowed, and if it does not, the operation is directed to the abnormal logic. This greatly strengthens the protection of the core logic of the protected software: operation requests from other software cannot modify the protected software at all, which prevents virus intrusion and also prevents damage by illegal software, such as cracking. The method skillfully uses the characteristics of memory to carry out a series of operations so that every operation request is detected. Through encryption, the detection interface can perfectly identify operation requests from the protected software, while operation requests from other, unprotected software are intercepted and recorded, so that the next time that software sends an operation request it is intercepted directly. This reduces computational overhead and keeps the virus from reaching the core logic of the protected software, thereby achieving self-protection of the program.
Example 2:
In one embodiment, designing the encryption interface and the detection interface of the current program based on the mock class, and integrating the mock module into the core code of the current program to generate the execution program, includes:
acquiring the class of the core code, and determining the class of the encryption interface and the class of the detection interface;
according to the class of the encryption interface, adding the class of the encryption interface to the core code based on the mock class, to generate an encryption principle;
according to the class of the detection interface, adding the class of the detection interface to the encryption principle based on the mock class, to generate the execution program.
The working principle of the technical scheme is as follows: based on the security protection function of the invention, the core code is redesigned to add a self-protection function to it. First, the core functions are designed as classes, divided into a class of the encryption interface and a class of the detection interface. The class of the encryption interface makes the core program carry a preset encryption principle when it sends an operation request, and the class of the detection interface lets the detection interface judge, when the core program receives an operation request, whether that request contains the preset encryption principle.
The beneficial effects of the above technical scheme are: with the encryption interface in place, every operation request sent by the core program passes the detection of the encryption interface, while operation requests sent by other programs are pointed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protection program and the program protects itself.
Example 3:
In one embodiment, monitoring the operation requests of the execution program and detecting each operation request includes:
acquiring an operation request of the execution program, wherein:
the operation request includes: an operation request that can be used to tamper with file information, an operation request that can be used to tamper with memory, an operation request that can be used to control a process, an operation request that can be used to acquire the core code, an operation request that can be used to tamper with the core code, an operation request that can be used to tamper with the registry, and an operation request that can be used to close the detection program.
The working principle of the technical scheme is as follows: operation requests that can be used to tamper with file information are monitored through the I/O processing functions of the file system; operation requests that tamper with memory are monitored through the API that handles memory calls; operation requests that can be used to control a process are monitored by intercepting the API for process operations; operation requests that can be used to tamper with the core code are monitored by intercepting the API for modifying the core code; operation requests that can be used to tamper with the registry are monitored by intercepting the API for tampering with the registry; and operation requests that can be used to close the detection program are monitored by intercepting the API for closing the detection program.
The beneficial effects of the above technical scheme are: the function of each operation request encountered is determined, and operation requests that may damage the protection software are intercepted.
Example 4:
In one embodiment, determining the source of the operation request according to the detection result, allowing the operation request if the source program meets the encryption principle and is therefore a core program, and intercepting the operation request if the source program does not meet the encryption principle and is therefore another program, includes:
acquiring an operation request of the execution program, and determining the internal instruction of the operation request;
judging, from the internal instruction of the operation request, whether it conforms to the encryption principle of the core program, and thereby determining the source of the operation request;
if the source of the operation request is the core program, allowing the operation request to point to the core logic and execute;
if the source of the operation request is another program, intercepting the operation request and hiding the core logic.
The working principle of the technical scheme is as follows: the internal instruction of the obtained operation request is analyzed to judge whether it contains the preset encryption principle of the core program. If it does, the operation request is judged to have been sent by the core program, so the request is allowed to point to the core logic and the task is completed. If the internal instruction is found not to contain the preset encryption principle of the core program, the operation request is judged not to have been sent by the core program, so the request is intercepted and pointed to the abnormal logic, and the task is completed.
The beneficial effects of the above technical scheme are: the internal instruction of the operation request is analyzed to judge whether the request contains the preset encryption principle; if it does, the operation is allowed, and if it does not, the operation is directed to the abnormal logic. This greatly improves the protection of the core logic of the protected software: operation requests from other software cannot modify the protected software at all, which prevents virus intrusion and also prevents damage by illegal software, such as cracking.
Example 5:
In one embodiment, determining the source program of the intercepted operation request and marking the source program includes:
determining the callback interface of the operation request from the intercepted operation request;
according to the callback interface of the operation request, having the detection interface return simulated callback success information, and determining the callback path of the callback interface;
determining the position of the source program according to the callback path;
acquiring the process name of the source program according to its position, and determining that the program with that process name is a marker program;
according to the marker program, returning the marker program information to the detection interface by way of the callback success information simulated by the detection interface, and determining the marker program.
The working principle of the technical scheme is as follows: after an operation request from other software is detected, the callback interface of the operation request is found from the intercepted request, and the detection interface of the protection software simulates callback success information and sends it to that callback interface. Following the callback path in the operation request, the simulated callback success information finds the position of the program that issued the request and records that program's process name and process extension name. The simulated callback success information then carries this mark information back to the detection interface of the protection program, which stores the mark information in the detection library so that it can be called directly next time.
The beneficial effects of the above technical scheme are: all operation requests sent by non-protection software are detected and traced to their position to obtain information about that software, which is collected in the detection library of the protection software's detection interface; this makes the next call easier and saves computation.
Example 6:
in one embodiment, said automatically intercepting all operation requests from said source program based on said tag comprises:
acquiring the source program, and determining whether the source program is the same as a marker program in a detection database;
if the source program is the same as a marker program, directly intercepting the operation request of the source program;
if not, executing the step 102 and the step 103.
The working principle of the technical scheme is as follows: after an operation request is obtained, the detection interface compares the operation request against the marker programs in the detection library of the detection interface. If the same mark exists, the operation request is intercepted directly. If it does not, the detection interface judges from the obtained internal instruction whether the operation request was sent by the protection software: if so, execution is allowed; if not, the operation request is intercepted, the position of its source program is obtained, and the information of the source program is obtained for marking and stored in the detection library of the detection interface of the protection program;
the beneficial effects of the above technical scheme are: the unprotected software is marked, so that it is intercepted directly the next time it sends an operation request, and the calculation loss is saved.
Example 7:
in one embodiment, the detecting the source program of the operation request includes the following steps:
step (1), acquiring the function of the current operation request, and acquiring the marking information of the current operation request, wherein the marking information is used for directly intercepting the operation request;
step (2), obtaining an internal instruction of the current operation request, judging whether the internal instruction accords with a preset encryption principle, and if so, allowing the operation request to point to a core logic;
step (3), the detection interface intercepts and directs the source program which does not conform to the preset encryption principle to the abnormal logic and simulates callback success information of the operation request to determine a callback path of the operation request;
step (4), obtaining the position information of a source program, and marking the process name of the source program;
step (5), the marking information is stored in callback success information of the operation request simulated by the detection interface, and the callback success information is returned to the detection interface according to a callback path;
step (6), storing the mark information obtained by callback into a detection library of a detection interface, and directly intercepting all operation requests containing the mark information;
the working principle of the technical scheme is as follows: based on the security protection function of the invention, the core code is redesigned to add a self-protection function. First, the core functions are designed as classes, divided into a class of the encryption interface and a class of the detection interface. The class of the encryption interface makes the core program carry a preset encryption principle when it sends an operation request; the class of the detection interface judges, when the core program receives an operation request, whether the operation request contains the preset encryption principle. When an operation request is sent to the execution program, the detection interface judges from the encryption principle of the encryption interface whether the operation request was sent by the protection software: if so, the detection interface allows the operation request to point to the core logic; if not, the operation request is intercepted and pointed to the abnormal logic. After an operation request from other software is detected, the callback interface of the operation request is found from the intercepted operation request, and the detection interface of the protection software simulates callback success information and sends it to that callback interface. Following the callback path in the operation request, the simulated callback success information finds the position of the program that issued the operation request and records the process name and the process extension name of that program, then carries this label information back to the detection interface of the protection program. On receiving the label information, the detection interface stores it in a detection library so that it can be called directly next time, and the next operation request carrying the label is intercepted directly and pointed to the abnormal logic;
the beneficial effects of the above technical scheme are: the invention provides a method for protecting a program based on detection and encryption, thereby protecting the software from the invasion of viruses. By designing the encryption interface, each operation request sent by the core program can pass the detection of the detection interface, while the operation requests sent by other programs are pointed to the abnormal logic by the detection interface, so that a virus cannot contact the core logic of the protected program and the self-protection of the program is realized. The detection interface judges whether an operation request contains the preset encryption principle by analyzing the internal instruction of the operation request: if it does, the operation is allowed; if it does not, the operation is directed to the abnormal logic. This greatly strengthens the protection of the core logic of the protected software: the operation requests of other software cannot modify the protected software at all, the intrusion of viruses can be prevented, and damage to the protected software by illegal software, such as cracking, can be prevented. The method makes use of the characteristics of the memory to carry out a series of operations so that each operation request is detected. The detection interface can perfectly identify the operation requests of the protected software by means of encryption, and the operation requests of other, unprotected software are intercepted and recorded, so that such software is intercepted directly the next time it sends an operation request. This reduces the calculation loss and keeps the virus from contacting the core logic of the protected software, thereby achieving the self-protection of the program.
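The decision flow of Examples 6 and 7 (detection-library lookup, then the encryption-principle check, then marking) can be sketched as follows. This is an added illustration, not code from the patent: the patent does not define the "preset encryption principle", so an HMAC-SHA256 tag over the request fields stands in for it, the source's process name and extension are passed in already resolved (the callback-path tracing is not modelled), and all class, function and process names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class OperationRequest:
    operation: str      # e.g. "write_memory", "modify_registry"
    target: str         # what the operation acts on
    tag: bytes = b""    # assumption: stands in for the "preset encryption principle"


def request_mac(key: bytes, operation: str, target: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                   for f in (operation, target))
    return hmac.new(key, msg, hashlib.sha256).digest()


class EncryptionInterface:
    """Used by the core program so that its requests are recognisable."""

    def __init__(self, key: bytes):
        self._key = key

    def seal(self, operation: str, target: str) -> OperationRequest:
        tag = request_mac(self._key, operation, target)
        return OperationRequest(operation, target, tag)


class DetectionInterface:
    """Gate in front of the core logic; owns the detection library of marks."""

    def __init__(self, key: bytes):
        self._key = key
        self.detection_library = set()   # marked (process name, extension) pairs

    def handle(self, req: OperationRequest, source: tuple) -> str:
        # `source` is resolved by the gate itself, never taken from the request.
        # Example 6: a source that is already marked is intercepted directly.
        if source in self.detection_library:
            return "intercepted: marked source"
        # Example 7 step (2): does the request carry the expected tag?
        expected = request_mac(self._key, req.operation, req.target)
        if hmac.compare_digest(req.tag, expected):
            return "allowed: core logic"
        # Steps (3)-(6): abnormal logic, then record the mark for next time.
        self.detection_library.add(source)
        return "intercepted: abnormal logic, source marked"


def demo() -> list:
    key = b"constructed-demo-key-not-a-real-secret"
    enc, det = EncryptionInterface(key), DetectionInterface(key)
    core = ("coreapp", ".exe")        # constructed process names
    other = ("patcher", ".exe")
    sealed = enc.seal("write_memory", "0x1000")
    return [
        det.handle(sealed, core),                                          # valid tag
        det.handle(OperationRequest("modify_registry", "DemoKey"), other), # no tag
        det.handle(OperationRequest("read_core_code", "module"), other),   # marked
        # a valid tag copied onto a different operation must not verify
        det.handle(replace(sealed, operation="terminate_process"),
                   ("injector", ".dll")),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the tag covers both the operation and its target, a tag lifted from one allowed request does not validate a different operation, which is the fourth case in `demo()`.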
Example 8:
in one embodiment, the detecting the source of the operation request further comprises:
in the step (3), the interface for detecting and simulating the callback success information of the operation request is a virtual interface, and the generated interface is unique every time, so that the interface can be destroyed by itself after completing a task;
in the step (4), the marked process name further comprises an extension name of the process name;
the working principle of the technical scheme is as follows: the interface with which the detection interface of the protection program simulates the callback success information of the operation request is a virtual interface; the interface deletes itself after the acquisition of the mark information is completed, and the acquired mark information comprises the process name and the extension name of the non-protection software;
the beneficial effects of the above technical scheme are: by using the virtual interface, the unprotected software cannot easily perceive that it has been marked, so that a hidden effect is achieved, and because the virtual interface is deleted after completing its task each time, a large amount of storage space can be saved.
Example 9:
preferably, the determining the source of the operation request according to the detection of the operation request includes:
step 1: obtaining request detection information, determining the time characteristic [formula image 001], the time of day coefficient [formula image 002] and the time coefficient [formula image 003] of the information, and constructing a time model:
[formula image 004]
wherein [formula image 005] indicates the number of time instants; [formula image 006] represents a time instant; [formula image 007] represents the time characteristic mean value; [formula image 008]; [formula image 009] represents the monitoring parameters at time [formula image 006]; [formula image 010] represents the actual detection information at time [formula image 006];
step 2: obtaining the request path characteristics [formula image 011], the amount of data requested [formula image 012] and the change characteristics of the requested data [formula image 013], and determining a path model:
[formula image 014]
step 3: determining a request propensity value [formula image 015] based on the path model and the time model:
[formula image 016]
step 4: according to the request tendency value, performing source calculation on the data, determining the operation request characteristics [formula image 017] and the path coefficient [formula image 018], and determining a path model:
[formula image 019];
wherein [formula image 020] represents the source of the path; [formula image 017] represents the request characteristics of path [formula image 021]; [formula image 018] represents the coefficient of path [formula image 021]; [formula image 022] indicates the number of paths, [formula image 023]
the principle of the technical scheme is as follows: the invention determines the request tendency by establishing request detection, determining a time model from the time characteristics of the request information (the time characteristic and the time coefficients), and then obtaining the path parameters by calculating the path model from the path characteristics, the quantity of request data in the path and the identification characteristics of the request data; finally, the source Y of the path is determined by calculating over the paths, [formula image 020] indicating the source of the path in the case of a change in the path parameters.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (9)

1. A method for program self-protection, comprising:
designing an encryption interface and a detection interface of the current program based on the mock class, and integrating a mock module on a core code of the current program to generate an execution program;
monitoring an operation request of the execution program, and detecting the operation request;
determining the source of the operation request according to the detection result; wherein,
if the source program meets the encryption principle, the source program is a core program and the operation request is allowed;
if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted;
determining a source program of the operation request according to the intercepted operation request, and marking the source program;
and automatically intercepting all operation requests from the source program according to the mark.
2. The program self-protection method as claimed in claim 1, wherein said designing an encryption interface and a detection interface of the current program based on the mock class, and integrating the mock module into the core code of the current program, to generate the execution program, comprises:
acquiring the class of the core code, and determining the class of an encryption interface and the class of a detection interface;
according to the class of the encryption interface, adding the class of the encryption interface to the core code based on the mock class to generate an encryption principle;
and according to the class of the detection interface, adding the class of the detection interface to the encryption principle based on the mock class to generate an execution program.
3. The program self-protection method as claimed in claim 1, wherein said monitoring operation requests of said executing program, and detecting said operation requests comprises:
acquiring an operation request of the execution program; wherein,
the operation request includes: an operation request that can be used for tampering with file information, an operation request that can be used for tampering with memory, an operation request that can be used for controlling a process, an operation request that can be used for acquiring the core code, an operation request that can be used for tampering with the core code, an operation request that can be used for tampering with the registry, and an operation request that can be used for closing the detection program.
4. The method of claim 1, wherein the determining the source of the operation request according to the detection result, wherein if the source program meets the encryption principle, the source program is a core program and the operation request is allowed, and if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted, comprises:
acquiring an operation request of the execution program, and determining an internal instruction of the operation request;
judging whether the internal instruction accords with the encryption principle of a core program or not according to the internal instruction of the operation request, and determining the source of the operation request;
if the source of the operation request is a core program, allowing the operation request to point to a core logic and execute;
and if the source of the operation request is other programs, intercepting the operation request and hiding the core logic.
5. The method as claimed in claim 1, wherein the determining a source procedure of the operation request according to the intercepted operation request and marking the source procedure comprises:
determining a callback interface of the operation request according to the intercepted operation request;
according to the callback interface of the operation request, the detection interface simulates the callback success information to return, and the callback path of the callback interface is determined;
determining the position of a source program according to the callback path;
acquiring a process name of the source program according to the position of the source program, and determining that the program of the process name is a marker program;
and according to the marker program, simulating callback success information return based on the detection interface, returning the marker program information to the detection interface, and determining the marker program.
6. The method of claim 1, wherein automatically intercepting all operation requests from the source program based on the flag comprises:
acquiring the source program, and determining whether the source program is the same as a marker program in a detection database;
if the source program is the same as a marker program, directly intercepting the operation request of the source program;
if not, performing the method of claims 4-5.
7. The method of claim 1, wherein the detecting the source procedure of the operation request comprises:
step (1), acquiring the function of the current operation request, and acquiring the marking information of the current operation request, wherein the marking information is used for directly intercepting the operation request;
step (2), obtaining an internal instruction of the current operation request, judging whether the internal instruction accords with a preset encryption principle, and if so, allowing the operation request to point to a core logic;
step (3), the detection interface intercepts and directs the source program which does not conform to the preset encryption principle to the abnormal logic and simulates callback success information of the operation request to determine a callback path of the operation request;
step (4), obtaining the position information of a source program, and marking the process name of the source program;
step (5), the marking information is stored in callback success information of the operation request simulated by the detection interface, and the callback success information is returned to the detection interface according to a callback path;
step (6), storing the mark information obtained by callback into a detection library of a detection interface, and directly intercepting all operation requests containing the mark information.
8. The method of program self-protection as claimed in claim 7, further comprising:
in the step (3), the interface for detecting and simulating the callback success information of the operation request is a virtual interface, and the generated interface is unique every time, so that the interface can be destroyed by itself after completing a task;
in step (4), the tagged process name further includes an extension of the process name.
9. The method as claimed in claim 1, wherein said determining the source of the operation request based on said detecting the operation request comprises:
step 1: obtaining request detection information, determining the time characteristic [formula image 001], the time of day coefficient [formula image 002] and the time coefficient [formula image 003] of the information, and constructing a time model:
[formula image 004]
wherein [formula image 005] indicates the number of time instants; [formula image 006] represents a time instant; [formula image 007] represents the time characteristic mean value; [formula image 008]; [formula image 009] represents the monitoring parameters at time [formula image 006]; [formula image 010] represents the actual detection information at time [formula image 006];
step 2: obtaining the request path characteristics [formula image 011], the amount of data requested [formula image 012] and the change characteristics of the requested data [formula image 013], and determining a path model:
[formula image 014]
step 3: determining a request propensity value [formula image 015] based on the path model and the time model:
[formula image 016]
step 4: according to the request tendency value, performing source calculation on the data, determining the operation request characteristics [formula image 017] and the path coefficient [formula image 018], and determining a path model:
[formula image 019];
wherein [formula image 020] represents the source of the path; [formula image 017] represents the request characteristics of path [formula image 021]; [formula image 018] represents the coefficient of path [formula image 021]; [formula image 022] indicates the number of paths, [formula image 023]
CN202110020703.0A 2021-01-08 2021-01-08 Program self-protection method Active CN112347499B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110020703.0A CN112347499B (en) 2021-01-08 2021-01-08 Program self-protection method

Publications (2)

Publication Number Publication Date
CN112347499A true CN112347499A (en) 2021-02-09
CN112347499B CN112347499B (en) 2021-04-30

Family

ID=74427715

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110020703.0A Active CN112347499B (en) 2021-01-08 2021-01-08 Program self-protection method

Country Status (1)

Country Link
CN (1) CN112347499B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120158729A1 (en) * 2010-05-18 2012-06-21 Lsi Corporation Concurrent linked-list traversal for real-time hash processing in multi-core, multi-thread network processors
CN105631355A (en) * 2015-12-18 2016-06-01 北京奇虎科技有限公司 Data processing method and device
CN106557696A (en) * 2015-09-30 2017-04-05 卡巴斯基实验室股份制公司 System and method for detecting malicious data encipheror
CN111095250A (en) * 2017-05-30 2020-05-01 赛姆普蒂夫技术公司 Real-time detection and protection against malware and steganography in kernel mode

Also Published As

Publication number Publication date
CN112347499B (en) 2021-04-30

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant