CN112347499A - Program self-protection method - Google Patents
Publication number: CN112347499A (application number CN202110020703.0A)
Authority: CN (China)
Prior art keywords: operation request, program, interface, source, determining
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The invention provides a method for program self-protection, comprising: designing an encryption interface and a detection interface for the current program on the basis of a mock class, integrating a mock module into the core code of the current program, and generating an execution program; monitoring the operation requests of the execution program and checking each operation request; determining the source of the operation request from the check result, where a source program that satisfies the encryption principle is the core program and its operation request is allowed, while a source program that does not satisfy the encryption principle is another program and its operation request is intercepted; determining the source program of an intercepted operation request and marking it; and, according to the mark, automatically intercepting all further operation requests from that source program.
Description
Technical Field
The invention relates to the technical field of software security, and in particular to a program self-protection method.
Background
At present computer and network technology is developing rapidly, and computer viruses have emerged alongside it in endless variety; they have now developed to the point of seriously affecting people's normal use of computers. How to avoid virus intrusion has therefore become an important focus of attention.
With the development of computer technology the types of virus have diversified, but the core of a virus is always to damage the software itself and to obtain the software's private information, to the detriment of computer users.
The self-protection of current security software of various kinds works by file monitoring, which prevents viruses from deleting or modifying files, and by Hook programs based on hooking technology that monitor the software. This mode of protecting software by means of an external program is being exhausted as the software faces ever more complex viruses.
Therefore, in view of the trend of virus development, a software self-protection method based on the software itself is urgently needed to protect the software from damage and so ensure that it can run normally.
Disclosure of Invention
The invention provides a program self-protection method to solve the problem that a virus can bypass security software and tamper with a program directly.
A method for program self-protection, comprising:
step 100: designing an encryption interface and a detection interface for the current program on the basis of a mock class, and integrating a mock module into the core code of the current program to generate an execution program;
step 101: monitoring the operation requests of the execution program and checking each operation request;
step 102: determining the source of the operation request from the check result; wherein:
if the source program satisfies the encryption principle, the source program is the core program and the operation request is allowed;
if the source program does not satisfy the encryption principle, the source program is another program and the operation request is intercepted;
step 103: determining the source program of the intercepted operation request and marking the source program;
step 104: automatically intercepting all further operation requests from that source program according to the mark.
As an embodiment of the present invention, designing an encryption interface and a detection interface for the current program on the basis of a mock class and integrating a mock module into the core code of the current program to generate an execution program comprises:
acquiring the classes of the core code, and determining the class of the encryption interface and the class of the detection interface;
according to the class of the encryption interface, adding the encryption interface class to the core code on the basis of the mock class, thereby generating the encryption principle;
according to the class of the detection interface, adding the detection interface class to the encryption principle on the basis of the mock class, thereby generating the execution program.
As an embodiment of the present invention, monitoring the operation requests of the execution program and checking each operation request comprises:
acquiring an operation request of the execution program; wherein:
the operation request includes operation requests that can be used to tamper with file information, to tamper with memory, to control a process, to acquire the core code, to tamper with the core code, to tamper with the registry, and to close the detection program.
As an embodiment of the present invention, determining the source of the operation request from the check result, allowing the operation request when the source program satisfies the encryption principle because it is the core program, and intercepting the operation request when the source program does not satisfy the encryption principle because it is another program, comprises:
acquiring an operation request of the execution program and determining the internal instruction of the operation request;
judging from the internal instruction of the operation request whether the internal instruction conforms to the encryption principle of the core program, and thereby determining the source of the operation request;
if the source of the operation request is the core program, allowing the operation request to point to the core logic and execute;
if the source of the operation request is another program, intercepting the operation request and hiding the core logic.
As an embodiment of the present invention, determining the source program of the intercepted operation request and marking the source program comprises:
determining the callback interface of the operation request from the intercepted operation request;
through the callback interface of the operation request, having the detection interface return simulated callback-success information, and determining the callback path of the callback interface;
determining the location of the source program from the callback path;
acquiring the process name of the source program from the location of the source program, and taking the program with that process name as the marker program;
for the marker program, returning simulated callback-success information through the detection interface so that the marker program information is returned to the detection interface, and thereby determining the marker program.
As an embodiment of the present invention, automatically intercepting all operation requests from the source program according to the mark comprises:
acquiring the source program and determining whether it is the same as a marker program in the detection database;
if it is the same, directly intercepting the operation request of the source program;
if not, executing step 102 and step 103.
As an embodiment of the present invention, detecting the source program of the operation request comprises the following steps:
step (1): acquiring the function of the current operation request and the mark information of the current operation request, where the mark information is used to intercept the operation request directly;
step (2): acquiring the internal instruction of the current operation request and judging whether the internal instruction conforms to the preset encryption principle; if so, allowing the operation request to point to the core logic;
step (3): the detection interface intercepts the source program that does not conform to the preset encryption principle, points it to the abnormal logic, and simulates callback-success information for the operation request in order to determine the callback path of the operation request;
step (4): acquiring the location information of the source program and marking the process name of the source program;
step (5): storing the mark information in the callback-success information simulated by the detection interface, and returning the callback-success information to the detection interface along the callback path;
step (6): storing the mark information obtained from the callback in the detection library of the detection interface, and directly intercepting all operation requests that carry the mark information.
As an embodiment of the present invention, the step of detecting the source program of the operation request further includes:
in step (3), the interface that performs the detection and simulates the callback-success information of the operation request is a virtual interface; the interface generated is unique each time, so that it can destroy itself after completing its task;
in step (4), the marked process name further includes the extension of the process name.
Preferably, determining the source of the operation request from the check of the operation request comprises:
step 1: acquiring the request detection information, determining the time characteristic, time-of-day coefficient and time coefficient of that information, and constructing a time model:
wherein the symbols of the time model denote, in turn, the number of time instants; a time instant; the mean of the time characteristic; the monitoring parameter at that instant; and the actual detection information at that instant;
step 2: acquiring the request path characteristic, the amount of data requested and the change characteristic of the requested data, and determining a path model:
step 4: according to the request tendency value, performing a source calculation on the data, determining the operation request characteristic and the path coefficient, and determining a path model:
wherein the symbols of the path model denote, in turn, the source of the path; the request characteristic of a given path; the coefficient of that path; and the number of paths.
The invention has the following beneficial effects: it provides a method for protecting a program on the basis of detection and encryption, so that software is protected from virus intrusion. By designing the encryption interface, every operation request sent by the core program passes the check of the detection interface, while operation requests sent by other programs are pointed by the detection interface to the abnormal logic, so a virus cannot reach the core logic of the protected program and self-protection of the program is achieved. The detection interface analyses the internal command of each operation request to judge whether it contains the preset encryption principle; if it does, the operation is allowed, and if not, the operation is directed to the abnormal logic. This greatly strengthens the protection of the core logic of the protected software: the operation requests of other software cannot modify the protected software at all, so virus intrusion is prevented, and damage by illegal software, such as cracking, is prevented as well. The method makes use of the characteristics of memory to carry out this series of operations, so that every operation request is checked; the detection interface identifies the operation requests of the protected software by means of the encryption principle, and the operation requests of other, unprotected software are intercepted and recorded, so that the next time such software sends an operation request it is intercepted directly, which reduces computational cost. The virus therefore cannot reach the core logic of the protected software, and self-protection of the program is achieved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
fig. 1 is a flowchart illustrating a method for program self-protection according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Example 1:
As shown in fig. 1, an embodiment of the present invention provides a method for program self-protection, comprising:
step 100: designing an encryption interface and a detection interface for the current program on the basis of a mock class, and integrating a mock module into the core code of the current program to generate an execution program;
step 101: monitoring the operation requests of the execution program and checking each operation request;
step 102: determining the source of the operation request from the check result; wherein:
if the source program satisfies the encryption principle, the source program is the core program and the operation request is allowed;
if the source program does not satisfy the encryption principle, the source program is another program and the operation request is intercepted;
step 103: determining the source program of the intercepted operation request and marking the source program;
step 104: automatically intercepting all further operation requests from that source program according to the mark.
The working principle of the technical scheme is as follows: based on the security protection function of the invention, the core code is redesigned so that it carries its own self-protection function. First, the core functions are designed as classes, and a class for the encryption interface and a class for the detection interface are separated out. The encryption interface class makes the core program carry the preset encryption principle whenever it sends an operation request; the detection interface class checks, when the core program receives an operation request, whether that request contains the preset encryption principle. When an operation request reaches the execution program, the detection interface judges from the encryption principle of the encryption interface whether the request was sent by the protected software; if so, the request is allowed to point to the core logic, and if not, the request is intercepted and pointed to the abnormal logic. Once a request from other software has been detected, its callback interface is found from the intercepted request, and the detection interface of the protected software simulates that callback interface and sends simulated callback-success information to it. Following the callback path contained in the request, the simulated callback-success information locates the program that issued the request and records its process name and process extension. The simulated callback-success information then carries this mark information back to the detection interface of the protected program, which stores it in the detection library for direct use next time; when an operation request bearing the mark is encountered again, it is intercepted directly and pointed to the abnormal logic.
The beneficial effects of the above technical scheme are those already stated for the invention: every operation request sent by the core program passes the detection interface, operation requests of other programs are pointed to the abnormal logic and their sources are recorded so that they are intercepted directly next time, and a virus therefore cannot reach the core logic of the protected software.
Example 2:
In one embodiment, designing an encryption interface and a detection interface for the current program on the basis of a mock class and integrating the mock module into the core code of the current program to generate the execution program comprises:
acquiring the classes of the core code, and determining the class of the encryption interface and the class of the detection interface;
according to the class of the encryption interface, adding the encryption interface class to the core code on the basis of the mock class, thereby generating the encryption principle;
according to the class of the detection interface, adding the detection interface class to the encryption principle on the basis of the mock class, thereby generating the execution program;
The working principle of the technical scheme is as follows: based on the security protection function of the invention, the core code is redesigned so that it carries its own self-protection function. First, the core functions are designed as classes, and a class for the encryption interface and a class for the detection interface are separated out; the encryption interface class makes the core program carry the preset encryption principle whenever it sends an operation request, and the detection interface class checks, when the core program receives an operation request, whether the operation request contains the preset encryption principle;
The beneficial effects of the above technical scheme are: by designing the encryption interface, every operation request sent by the core program passes the check of the detection interface, while operation requests sent by other programs are pointed by the detection interface to the abnormal logic, so a virus cannot reach the core logic of the protected program, and self-protection of the program is achieved.
Example 3:
In one embodiment, monitoring the operation requests of the execution program and checking each operation request comprises:
acquiring an operation request of the execution program; wherein:
the operation request includes operation requests that can be used to tamper with file information, to tamper with memory, to control a process, to acquire the core code, to tamper with the core code, to tamper with the registry, and to close the detection program;
The working principle of the technical scheme is as follows: operation requests that can tamper with file information are monitored through the I/O processing functions of the file system; operation requests that tamper with memory are monitored through the API that handles memory calls; operation requests that can control a process are monitored by intercepting the process-operation API; operation requests that can tamper with the core code are monitored by intercepting the API that modifies the core code; operation requests that can tamper with the registry are monitored by intercepting the registry API; and operation requests that can close the detection program are monitored by intercepting the API that closes the detection program;
The beneficial effects of the above technical scheme are: the function of each operation request encountered is judged, and operation requests that could damage the protected software are intercepted.
Example 4:
In one embodiment, determining the source of the operation request from the check result, allowing the operation request when the source program satisfies the encryption principle because it is the core program, and intercepting the operation request when the source program does not satisfy the encryption principle because it is another program, comprises:
acquiring an operation request of the execution program and determining the internal instruction of the operation request;
judging from the internal instruction of the operation request whether the internal instruction conforms to the encryption principle of the core program, and thereby determining the source of the operation request;
if the source of the operation request is the core program, allowing the operation request to point to the core logic and execute;
if the source of the operation request is another program, intercepting the operation request and hiding the core logic.
The working principle of the technical scheme is as follows: the internal instruction of the acquired operation request is analysed to judge whether it contains the preset encryption principle of the core program. If the preset encryption principle of the core program is present, the operation request is judged to have been sent by the core program, it is allowed to point to the core logic, and the task is completed; if the internal instruction is found not to contain the preset encryption principle of the core program, the operation request is judged not to have been sent by the core program, it is intercepted and pointed to the abnormal logic, and the task is completed.
The beneficial effects of the above technical scheme are: by analysing the internal command of the operation request it is judged whether the request contains the preset encryption principle; if it does, the operation is allowed, and if not, the operation is directed to the abnormal logic. This greatly strengthens the protection of the core logic of the protected software: the operation requests of other software cannot modify the protected software at all, so virus intrusion is prevented, and damage by illegal software, such as cracking, is prevented as well.
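The encryption interface and detection interface of steps 100 to 102, Examples 1, 2 and 4, as an added example written for this page rather than code from the patent. The patent only says that the core program's requests "carry the preset encryption principle" and that the detection interface checks the internal instruction for it; here that principle is realised as an HMAC-SHA256 tag over the request fields under a key shared by the core program and its detection interface, and the request fields, class names and the nonce-based replay check are assumptions of this example, not details the patent states. The replay case goes beyond the text: a static principle copied from a captured request would pass, so the example makes each request carry a fresh nonce and rejects reuse.

```python
"""Encryption interface and detection interface for operation requests.

Illustrative code for this page, not code from the patent. The 'encryption
principle' is an HMAC-SHA256 tag (assumption); request fields, class names
and the nonce replay check are assumptions as well.
"""
import hashlib
import hmac
import json
import os
from enum import Enum


class RequestKind(Enum):
    """The seven operation-request categories the patent monitors."""
    FILE_TAMPER = "tamper file information"
    MEMORY_TAMPER = "tamper memory"
    PROCESS_CONTROL = "control process"
    READ_CORE_CODE = "acquire core code"
    WRITE_CORE_CODE = "tamper core code"
    REGISTRY_TAMPER = "tamper registry"
    STOP_DETECTOR = "close detection program"


def principle_tag(key: bytes, request: dict) -> str:
    """The 'encryption principle' of a request: HMAC over every field except
    the tag itself, canonicalised so both interfaces compute the same bytes."""
    body = {k: v for k, v in request.items() if k != "principle"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class EncryptionInterface:
    """Added to the core program (step 100 / Example 2): every outgoing
    operation request carries the preset encryption principle."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, kind: RequestKind, target: str) -> dict:
        request = {
            "kind": kind.value,
            "target": target,
            "nonce": os.urandom(8).hex(),  # assumption: fresh per request, defeats replay
        }
        request["principle"] = principle_tag(self._key, request)
        return request


class DetectionInterface:
    """Checks each request's internal instruction for the encryption
    principle and routes it to core or abnormal logic (steps 101-102 / Example 4)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_nonces = set()
        self.intercepted = []

    def verdict(self, request: dict) -> str:
        expected = principle_tag(self._key, request).encode()
        provided = str(request.get("principle", "")).encode()
        # constant-time compare: a forger must not learn the tag byte by byte
        genuine = hmac.compare_digest(expected, provided)
        fresh = request.get("nonce") not in self._seen_nonces
        if genuine and fresh:
            self._seen_nonces.add(request["nonce"])
            return "core"
        self.intercepted.append(request)
        return "abnormal"

    def dispatch(self, request: dict, core_logic, abnormal_logic):
        if self.verdict(request) == "core":
            return core_logic(request)   # the request may point to the core logic
        return abnormal_logic(request)   # the core logic stays hidden from the source


def run_demo() -> dict:
    """Constructed scenario: a genuine request, a tampered copy, a forged
    request and a replay. Returns the detection interface's verdict on each."""
    key = os.urandom(32)  # assumption: embedded in the core program at build time
    core = EncryptionInterface(key)
    detector = DetectionInterface(key)

    genuine = core.issue(RequestKind.WRITE_CORE_CODE, "core.dll")
    tampered = dict(genuine, target="detector.exe")              # fields changed, tag kept
    forged = dict(genuine, target="detector.exe", principle="0" * 64)  # no key, guessed tag
    replayed = dict(genuine)                                     # captured and resent

    return {
        "genuine": detector.verdict(genuine),
        "tampered": detector.verdict(tampered),
        "forged": detector.verdict(forged),
        "replayed": detector.verdict(replayed),
        "intercepted": len(detector.intercepted),
    }


if __name__ == "__main__":
    print(run_demo())
```

The key is the whole trust root of this scheme: any process that can read it out of the core program's image or memory can mint valid principles, so "hiding the core logic" reduces to keeping that key out of reach of other processes (a protected key store or a hardware-backed key is what a practitioner would reach for). The nonce set in this example grows without bound; a deployment would bound it with a window or a counter.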
Example 5:
In one embodiment, determining the source program of the intercepted operation request and marking the source program comprises:
determining the callback interface of the operation request from the intercepted operation request;
through the callback interface of the operation request, having the detection interface return simulated callback-success information, and determining the callback path of the callback interface;
determining the location of the source program from the callback path;
acquiring the process name of the source program from the location of the source program, and taking the program with that process name as the marker program;
for the marker program, returning simulated callback-success information through the detection interface so that the marker program information is returned to the detection interface, and thereby determining the marker program;
The working principle of the technical scheme is as follows: after an operation request from other software has been detected, its callback interface is found from the intercepted request. The detection interface of the protected software then simulates that callback interface, simulates a successful callback, and sends the information to the callback interface of the operation request. Following the callback path contained in the request, the simulated callback-success information locates the program that issued the request and records its process name and process extension. The simulated callback-success information carries this mark information back to the detection interface of the protected program, which on receiving it stores the mark information in the detection library so that it can be used directly next time;
The beneficial effects of the above technical scheme are: all operation requests sent by non-protected software are detected, their origins are traced to obtain the software information of the non-protected software, and that information is collected in the detection library of the protected software's detection interface, which makes the next lookup direct and saves computation.
Example 6:
In one embodiment, automatically intercepting all operation requests from the source program according to the mark comprises:
acquiring the source program and determining whether it is the same as a marker program in the detection database;
if it is the same, directly intercepting the operation request of the source program;
if not, executing step 102 and step 103.
The working principle of the technical scheme is as follows: after an operation request is obtained, the detection interface compares it with the marker programs in the detection library of the detection interface; if the same mark exists, the operation request is intercepted directly. If no such mark exists, the internal instruction obtained from the request is used to judge whether the request was sent by the protected software; if so, execution is allowed, and if not, the request is intercepted, the location of its source program is obtained, the source program's information is obtained and marked, and the mark is stored in the detection library of the protected program's detection interface;
The beneficial effects of the above technical scheme are: unprotected software is marked, so that when it sends an operation request again it is intercepted directly, which saves computation.
Example 7:
in one embodiment, the detecting the source program of the operation request includes the following steps:
step (1), acquiring the function of the current operation request, and acquiring the marking information of the current operation request, wherein the marking information is used for directly intercepting the operation request;
step (2), obtaining an internal instruction of the current operation request, judging whether the internal instruction accords with a preset encryption principle, and if so, allowing the operation request to point to a core logic;
step (3), the detection interface intercepts and directs the source program which does not conform to the preset encryption principle to the abnormal logic and simulates callback success information of the operation request to determine a callback path of the operation request;
step (4), obtaining the position information of a source program, and marking the process name of the source program;
step (5), the marking information is stored in callback success information of the operation request simulated by the detection interface, and the callback success information is returned to the detection interface according to a callback path;
step (6), storing the mark information obtained by callback into a detection library of a detection interface, and directly intercepting all operation requests containing the mark information;
The working principle of the technical scheme is as follows: based on the security protection function of the invention, the core code is redesigned so as to add a self-protection function to it. First, the core functions are designed as classes, divided into the class of the encryption interface and the class of the detection interface. The class of the encryption interface makes the core program carry the preset encryption principle when it sends an operation request; the class of the detection interface judges, when the core program receives an operation request, whether the request contains the preset encryption principle. When an operation request is sent to the execution program, the detection interface judges according to the encryption principle of the encryption interface whether the request was sent by the protection software; if so, the detection interface allows the request to point to the core logic; if not, the request is intercepted and pointed to the abnormal logic. After an operation request from other software has been detected, the callback interface of the request is found from the intercepted request, and the detection interface of the protection software simulates that callback interface and sends simulated callback success information to the callback interface of the request. Following the callback path contained in the request, the position of the program that issued the request is found, and the simulated callback success information records the process name and process extension name of that program as label information. The label information is carried back to the detection interface of the protection program by the simulated callback success information; on receiving it, the detection interface stores the label information in the detection library so that it can be used directly next time, and when an operation request carrying this label is encountered again it is directly intercepted and pointed to the abnormal logic.
The beneficial effects of the above technical scheme are: the invention provides a method for protecting a program based on detection and encryption, thereby protecting the software from the invasion of viruses. By designing the encryption interface, every operation request sent by the core program passes the detection of the encryption interface, while the operation requests sent by other programs are pointed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protected program, and self-protection of the program is realized. The detection interface judges whether the operation request contains the preset encryption principle by analyzing the internal command of the operation request; if it does, the operation is allowed, and if it does not, the operation is directed to the abnormal logic. This greatly strengthens the protection of the core logic of the protected software: operation requests of other software cannot modify the protected software at all, intrusion by viruses is prevented, and damage to the protected software by illegal software, such as cracking, is prevented. The method makes use of the characteristics of the memory to carry out this series of operations, so that every operation request is detected; the detection interface reliably identifies the operation requests of the protected software by means of the encryption, and the operation requests of other, unprotected software are intercepted and recorded, so that such software is directly intercepted the next time it sends an operation request, which reduces computation, and the virus cannot reach the core logic of the protected software, thereby achieving self-protection of the program.
Example 8:
In one embodiment, detecting the source of the operation request further comprises:
in the step (3), the interface for detecting and simulating the callback success information of the operation request is a virtual interface, and the generated interface is unique every time, so that the interface can be destroyed by itself after completing a task;
in the step (4), the marked process name further comprises an extension name of the process name;
The working principle of the technical scheme is as follows: the interface by which the detection interface of the protection program simulates the callback success information of the operation request is a virtual interface; the interface deletes itself once the acquisition of the mark information is completed, and the acquired mark information comprises the process name and the extension name of the unprotected software.
The beneficial effects of the above technical scheme are: by using the virtual interface, the unprotected software does not easily perceive that it has been marked, which achieves a hidden effect, and since the virtual interface is deleted after completing its task every time, a large amount of storage space can be saved.
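The procedure of Examples 6 to 8 as an added Python model; this is not code from the patent or from any product. The patent does not say what the "encryption principle" is, so here it is modelled as an HMAC-SHA256 tag over the process name and the internal instruction under a key that only the core program's encryption interface holds; the detection library is a dictionary keyed by process name, and the one-shot virtual callback interface of Example 8 is an object that invalidates itself after a single use. All process names, instructions and the key are constructed sample values.

```python
"""Model of the detection interface of Examples 6 to 8 (added example, not the patent's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for the "encryption principle" shared by the encryption interface and
# the detection interface of the same program. Constructed demo value.
CORE_KEY = b"constructed-demo-key-not-for-real-use"


@dataclass
class OperationRequest:
    source_process: str   # process name the request is attributed to (constructed)
    instruction: str      # the internal instruction carried by the request
    tag: bytes = b""      # tag added by the encryption interface; empty for other programs


def _expected_tag(process: str, instruction: str) -> bytes:
    # The tag binds the process name, so a tag captured from one process is not
    # valid when the same instruction is sent under another name.
    msg = f"{process}|{instruction}".encode()
    return hmac.new(CORE_KEY, msg, hashlib.sha256).digest()


def encryption_interface(process: str, instruction: str) -> OperationRequest:
    """Core-program side: every outgoing request carries the encryption principle."""
    return OperationRequest(process, instruction, _expected_tag(process, instruction))


class VirtualCallback:
    """One-shot virtual interface of Example 8: unique id per use, destroyed afterwards."""

    def __init__(self) -> None:
        self.callback_id = secrets.token_hex(8)
        self._alive = True

    def collect_mark(self, req: OperationRequest) -> dict:
        """Simulate callback success and record process name plus extension (steps 4 and 5)."""
        if not self._alive:
            raise RuntimeError("virtual interface already destroyed")
        name = req.source_process
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        self._alive = False  # destroy itself once the mark has been collected
        return {"process": name, "extension": ext, "callback_id": self.callback_id}


class DetectionInterface:
    """Gatekeeper in front of the core logic."""

    def __init__(self) -> None:
        self.detection_library: dict[str, dict] = {}  # marked programs (Example 6)
        self.core_calls = 0
        self.abnormal_calls = 0
        self.log: list[str] = []

    def _core_logic(self, req: OperationRequest) -> str:
        self.core_calls += 1
        return "executed"

    def _abnormal_logic(self, req: OperationRequest) -> str:
        self.abnormal_calls += 1
        return "intercepted"

    def meets_encryption_principle(self, req: OperationRequest) -> bool:
        """Step (2): check the internal instruction against the preset principle."""
        expected = _expected_tag(req.source_process, req.instruction)
        return hmac.compare_digest(expected, req.tag)

    def handle(self, req: OperationRequest) -> str:
        # Example 6: a request from an already-marked program is intercepted at once.
        if req.source_process in self.detection_library:
            self.log.append(f"direct-intercept {req.source_process}")
            return self._abnormal_logic(req)
        if self.meets_encryption_principle(req):
            return self._core_logic(req)
        # Steps (3) to (6): intercept, simulate the callback, mark the source, store it.
        callback = VirtualCallback()
        mark = callback.collect_mark(req)
        self.detection_library[mark["process"]] = mark
        self.log.append(f"marked {mark['process']} via callback {mark['callback_id']}")
        return self._abnormal_logic(req)


if __name__ == "__main__":
    gate = DetectionInterface()
    print(gate.handle(encryption_interface("core.exe", "write_file:config.dat")))
    other = OperationRequest("unknown_tool.exe", "tamper_registry:HKLM\\Software\\Demo")
    print(gate.handle(other), gate.handle(other), gate.log)
```

The second request from `unknown_tool.exe` never reaches the tag check: it is matched against the detection library first, which is the computation saving Example 6 describes. One point a reviewer of such a design would raise: the mark is keyed by the process name the request claims, exactly as the patent describes, so in a real deployment the name must come from the operating system (the caller identity resolved by the kernel) rather than from the request itself, otherwise a misreported name could cause the wrong program to be marked.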
Example 9:
Preferably, determining the source of the operation request according to the detection of the operation request includes:
Step 1: obtaining request detection information and determining the time characteristics of the information, the time-of-day coefficient and the time coefficient, and constructing a time model:
wherein, indicates the number of time instants; represents a time of day; represents the time characteristic mean value; represents the monitoring parameters of the moment; represents the actual detection information of the moment,
Step 2: obtaining the request path characteristics, the amount of requested data and the change characteristics of the requested data, and determining a path model:
Step 4: according to the request tendency value, performing source calculation on the data, determining the operation request characteristics and the path coefficient, and determining a path model:
wherein, represents the source of the path; represents the request characteristics of a path; represents the coefficients of the individual paths; indicates the number of paths.
The principle of the technical scheme is as follows: the invention determines the request tendency by establishing request detection and the time characteristics of the request information, including the time characteristics and the time coefficients, and determining the time model; then obtains the path parameters by calculating the path model from the path characteristics, the quantity of request data in the path and the identification characteristics of the request data; and finally determines the source Y of the path by calculating the path, indicating the source of the path in the case of a change in the path parameters.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (9)
1. A method for program self-protection, comprising:
designing an encryption interface and a detection interface of the current program based on the mock class, and integrating a mock module on a core code of the current program to generate an execution program;
monitoring an operation request of the execution program, and detecting the operation request;
determining the source of the operation request according to the detection result; wherein,
if the source program meets the encryption principle, the source program is a core program and allows the operation request;
if the source program does not meet the encryption principle, the source program is the other program, and the operation request is intercepted;
determining a source program of the operation request according to the intercepted operation request, and marking the source program;
and automatically intercepting all operation requests from the source program according to the mark.
2. The program self-protection method as claimed in claim 1, wherein said designing an encryption interface and a detection interface of the current program based on the mock class, and integrating the mock module into the core code of the current program, to generate the execution program, comprises:
acquiring the class of the core code, and determining the class of an encryption interface and the class of a detection interface;
according to the class of the encryption interface, increasing the class of the encryption interface of the core code based on the mock class to generate an encryption principle;
and adding the class of the detection interface to the encryption principle based on the mock class according to the class of the detection interface to generate an executive program.
3. The program self-protection method as claimed in claim 1, wherein said monitoring operation requests of said executing program, and detecting said operation requests comprises:
acquiring an operation request of the execution program; wherein,
the operation request includes: an operation request that can tamper with file information, one that can tamper with memory, one that can control a process, one that can acquire the core code, one that can tamper with the core code, one that can tamper with the registry, and one that can close the detection program.
4. The method of claim 1, wherein determining the source of the operation request according to the detection result, wherein if the source program meets the encryption principle the source program is a core program and the operation request is allowed, and if the source program does not meet the encryption principle the source program is another program and the operation request is intercepted, comprises:
acquiring an operation request of the execution program, and determining an internal instruction of the operation request;
judging whether the internal instruction accords with the encryption principle of a core program or not according to the internal instruction of the operation request, and determining the source of the operation request;
if the source of the operation request is a core program, allowing the operation request to point to a core logic and execute;
and if the source of the operation request is other programs, intercepting the operation request and hiding the core logic.
5. The method as claimed in claim 1, wherein determining a source program of the operation request according to the intercepted operation request and marking the source program comprises:
determining a callback interface of the operation request according to the intercepted operation request;
according to the callback interface of the operation request, the detection interface simulates the callback success information to return, and the callback path of the callback interface is determined;
determining the position of a source program according to the callback path;
acquiring a process name of the source program according to the position of the source program, and determining that the program of the process name is a marker program;
and according to the marker program, simulating callback success information return based on the detection interface, returning the marker program information to the detection interface, and determining the marker program.
6. The method of claim 1, wherein automatically intercepting all operation requests from the source program according to the mark comprises:
acquiring the source program, and determining whether the source program is the same as a marked program in the detection database;
if it is the same, directly intercepting the operation request of the source program;
if not, performing the method of claims 4-5.
7. The method of claim 1, wherein detecting the source program of the operation request comprises:
step (1), acquiring the function of the current operation request, and acquiring the marking information of the current operation request, wherein the marking information is used for directly intercepting the operation request;
step (2), obtaining an internal instruction of the current operation request, judging whether the internal instruction accords with a preset encryption principle, and if so, allowing the operation request to point to a core logic;
step (3), the detection interface intercepts and directs the source program which does not conform to the preset encryption principle to the abnormal logic and simulates callback success information of the operation request to determine a callback path of the operation request;
step (4), obtaining the position information of a source program, and marking the process name of the source program;
step (5), the marking information is stored in callback success information of the operation request simulated by the detection interface, and the callback success information is returned to the detection interface according to a callback path;
and (6) storing the mark information obtained by callback into a detection library of a detection interface, and directly intercepting all operation requests containing the mark information.
8. The method of program self-protection as claimed in claim 7, further comprising:
in the step (3), the interface for detecting and simulating the callback success information of the operation request is a virtual interface, and the generated interface is unique every time, so that the interface can be destroyed by itself after completing a task;
in step (4), the tagged process name further includes an extension of the process name.
9. The method as claimed in claim 1, wherein said determining the source of the operation request based on said detecting the operation request comprises:
Step 1: obtaining request detection information and determining the time characteristics of the information, the time-of-day coefficient and the time coefficient, and constructing a time model:
wherein, indicates the number of time instants; represents a time of day; represents the time characteristic mean value; represents the monitoring parameters of the moment; represents the actual detection information of the moment,
Step 2: obtaining the request path characteristics, the amount of requested data and the change characteristics of the requested data, and determining a path model:
Step 4: according to the request tendency value, performing source calculation on the data, determining the operation request characteristics and the path coefficient, and determining a path model:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110020703.0A CN112347499B (en) | 2021-01-08 | 2021-01-08 | Program self-protection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112347499A true CN112347499A (en) | 2021-02-09 |
CN112347499B CN112347499B (en) | 2021-04-30 |
Family
ID=74427715
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110020703.0A Active CN112347499B (en) | 2021-01-08 | 2021-01-08 | Program self-protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112347499B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120158729A1 (en) * | 2010-05-18 | 2012-06-21 | Lsi Corporation | Concurrent linked-list traversal for real-time hash processing in multi-core, multi-thread network processors |
CN105631355A (en) * | 2015-12-18 | 2016-06-01 | 北京奇虎科技有限公司 | Data processing method and device |
CN106557696A (en) * | 2015-09-30 | 2017-04-05 | 卡巴斯基实验室股份制公司 | System and method for detecting malicious data encipheror |
CN111095250A (en) * | 2017-05-30 | 2020-05-01 | 赛姆普蒂夫技术公司 | Real-time detection and protection against malware and steganography in kernel mode |
Also Published As
Publication number | Publication date |
---|---|
CN112347499B (en) | 2021-04-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |