CN112347499B - Program self-protection method - Google Patents


Publication number
CN112347499B
Authority
CN
China
Prior art keywords
operation request
program
interface
source
source program
Legal status
Active
Application number
CN202110020703.0A
Other languages
Chinese (zh)
Other versions
CN112347499A (en)
Inventor
李彦清
李志鹏
常飞龙
王威凯
李利军
于滨峰
张春林
Current Assignee
Beijing Dongfangtong Software Co ltd
Beijing Tongtech Co Ltd
Original Assignee
Beijing Dongfangtong Software Co ltd
Beijing Tongtech Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention provides a program self-protection method, comprising: designing an encryption interface and a detection interface of a current program based on a mock class, and integrating a mock module into the core code of the current program to generate an execution program; monitoring operation requests of the execution program and detecting each operation request; determining the source of the operation request according to the detection result; if the source program meets the encryption principle, the source program is the core program and the operation request is allowed; if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted; determining the source program of the intercepted operation request and marking that source program; and automatically intercepting all operation requests from that source program according to the mark.

Description

Program self-protection method
Technical Field
The invention relates to the technical field of software security, in particular to a program self-protection method.
Background
Computer and network technologies are developing rapidly, and computer viruses have emerged endlessly alongside them; viruses have by now developed to the point of seriously affecting people's normal use of computers. How to avoid computer virus intrusion has therefore become an important focus of attention.
With the development of computer technology, the types of viruses have diversified, but the core aim of a virus is always to damage the software itself and to obtain the software's private information, to the detriment of computer users.
For self-protection, current security software of various types prevents viruses from deleting or modifying files through file monitoring, and monitors software with hook programs based on hook technology; this approach of protecting software with external programs falls short as viruses become more and more complex.
Therefore, in view of the trend of virus development, a software self-protection method based on software itself is urgently needed to protect the software itself from being damaged, so as to ensure that the software can normally run.
Disclosure of Invention
The invention provides a program self-protection method, which addresses the problem of a virus bypassing security software and tampering with a program directly.
A method for program self-protection, comprising:
step 100: designing an encryption interface and a detection interface of the current program based on the mock class, and integrating a mock module on a core code of the current program to generate an execution program;
step 101: monitoring an operation request of the execution program, and detecting the operation request;
step 102: determining the source of the operation request according to the detection result; wherein,
if the source program meets the encryption principle, the source program is the core program and the operation request is allowed;
if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted;
step 103: determining a source program of the operation request according to the intercepted operation request, and marking the source program;
step 104: and automatically intercepting all operation requests from the source program according to the mark.
As an embodiment of the present invention, the designing an encryption interface and a detection interface of a current program based on a mock class, and integrating a mock module onto a core code of the current program to generate an execution program includes:
acquiring the class of the core code, and determining the class of an encryption interface and the class of a detection interface;
according to the class of the encryption interface, adding the class of the encryption interface to the core code based on the mock class to generate an encryption principle;
and according to the class of the detection interface, adding the class of the detection interface to the encryption principle based on the mock class to generate an execution program.
As an embodiment of the present invention, the monitoring an operation request of the execution program, and detecting the operation request includes:
acquiring an operation request of the execution program; wherein,
the operation request includes: an operation request usable for tampering with file information, an operation request usable for tampering with memory, an operation request usable for controlling a process, an operation request usable for acquiring the core code, an operation request usable for tampering with the core code, an operation request usable for tampering with the registry, and an operation request usable for closing the detection program.
As an embodiment of the present invention, the determining of the source of the operation request according to the detection result, wherein if the source program meets the encryption principle, the source program is the core program and the operation request is allowed, and if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted, includes:
acquiring an operation request of the execution program, and determining an internal instruction of the operation request;
judging whether the internal instruction accords with the encryption principle of a core program or not according to the internal instruction of the operation request, and determining the source of the operation request;
if the source of the operation request is a core program, allowing the operation request to point to a core logic and execute;
and if the source of the operation request is other programs, intercepting the operation request and hiding the core logic.
As an embodiment of the present invention, the determining a source program of the operation request according to the intercepted operation request, and marking the source program includes:
determining a callback interface of the operation request according to the intercepted operation request;
according to the callback interface of the operation request, having the detection interface simulate the return of callback success information, and determining the callback path of the callback interface;
determining the position of the source program according to the callback path;
acquiring the process name of the source program according to the position of the source program, and determining the process name as the mark information of the program;
and returning the mark information to the detection interface, carried in the callback success information simulated by the detection interface, and determining the mark.
As an embodiment of the present invention, the automatically intercepting all operation requests from the source program according to the mark includes:
acquiring the source program, and determining whether the source program is the same as a marked program in the detection library;
if they are the same, directly intercepting the operation request of the source program;
if not, determining the source of the operation request again according to the detection result, and, when the operation request is intercepted, determining the source program of the operation request and marking the source program.
As an embodiment of the present invention, the detecting the source program of the operation request includes the following steps:
step (1), acquiring a function of a current operation request, acquiring mark information of the current operation request, directly intercepting the current operation request if the acquired mark information of the current operation request is not empty, and executing step (2) if the acquired mark information of the current operation request is empty;
step (2), obtaining an internal instruction of the current operation request, judging whether the internal instruction accords with a preset encryption principle, and if so, allowing the operation request to point to a core logic;
step (3), the detection interface intercepts and directs the source program which does not conform to the preset encryption principle to the abnormal logic and simulates callback success information of the operation request to determine a callback path of the operation request;
step (4), obtaining the position information of a source program, and marking the process name of the source program;
step (5), the marking information is stored in callback success information of the operation request simulated by the detection interface, and the callback success information is returned to the detection interface according to a callback path;
step (6), storing the mark information obtained by callback into the detection library of the detection interface, and directly intercepting all operation requests containing the mark information.
As an embodiment of the present invention, the step of detecting the source program of the operation request further includes:
in step (3), the interface through which the detection interface simulates the callback success information of the operation request is a virtual interface, and the generated interface is unique every time, so that the interface can destroy itself after completing its task;
in step (4), the marked process name further includes the extension of the process name.
The invention has the following beneficial effects: it provides a method for protecting a program based on detection and encryption, so that software is protected from virus intrusion. With the encryption interface, every operation request sent by the core program can pass detection, while operation requests sent by other programs are directed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protected program and the program protects itself. The detection interface analyzes the internal instruction of the operation request to judge whether it contains the preset encryption principle; if it does, the operation is allowed, and if it does not, the operation is directed to the abnormal logic. This greatly strengthens protection of the core logic of the protected software: operation requests from other software cannot modify the protected software at all, which prevents virus intrusion and also prevents damage to the protected software by illegal software, such as cracking. The method makes skillful use of the characteristics of memory to carry out a series of operations so that every operation request is detected; the detection interface can perfectly identify the operation requests of the protected software by means of encryption, while operation requests from other, unprotected software are intercepted and recorded, so that such software is intercepted directly the next time it sends an operation request. This reduces computational overhead and keeps viruses away from the core logic of the protected software, thereby achieving self-protection of the program.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
fig. 1 is a flowchart illustrating a method for program self-protection according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Example 1:
as shown in fig. 1, an embodiment of the present invention provides a method for program self-protection, including:
step 100: designing an encryption interface and a detection interface of the current program based on the mock class, and integrating a mock module on a core code of the current program to generate an execution program;
step 101: monitoring an operation request of the execution program, and detecting the operation request;
step 102: determining the source of the operation request according to the detection result; wherein,
if the source program meets the encryption principle, the source program is the core program and the operation request is allowed;
if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted;
step 103: determining a source program of the operation request according to the intercepted operation request, and marking the source program;
step 104: and automatically intercepting all operation requests from the source program according to the mark.
The working principle of the technical scheme is as follows: the security protection of the invention is achieved by redesigning the core code so that the core code gains a self-protection function. First, the core functions are designed as classes, and a class of the encryption interface and a class of the detection interface are separated out. The class of the encryption interface makes the core program carry the preset encryption principle whenever it sends an operation request; the class of the detection interface judges, when the core program receives an operation request, whether that request contains the preset encryption principle. When an operation request is sent to the execution program, the detection interface judges, according to the encryption principle of the encryption interface, whether the request was sent by the protected software. If so, the detection interface allows the operation request to point to the core logic; if not, the operation request is intercepted and pointed to the abnormal logic. After an operation request from other software is detected, the callback interface of the operation request is found from the intercepted request, and the detection interface of the protected software simulates callback success information and sends it to that callback interface. The simulated callback success information follows the callback path in the operation request to the position of the program that issued the request and records that program's process name and process extension name. Carrying this mark information, the simulated callback success information returns to the detection interface of the protected program, which stores the received mark information in the detection library for direct use next time; when an operation request bearing the mark is encountered again, it is intercepted directly and pointed to the abnormal logic.
The beneficial effects of the above technical scheme are: the invention provides a method for protecting a program based on detection and encryption, so that software is protected from virus intrusion. With the encryption interface, every operation request sent by the core program can pass detection, while operation requests sent by other programs are directed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protected program and the program protects itself. The detection interface analyzes the internal instruction of the operation request to judge whether it contains the preset encryption principle; if it does, the operation is allowed, and if it does not, the operation is directed to the abnormal logic. This greatly strengthens protection of the core logic of the protected software: operation requests from other software cannot modify the protected software at all, which prevents virus intrusion and also prevents damage to the protected software by illegal software, such as cracking. The method makes skillful use of the characteristics of memory to carry out a series of operations so that every operation request is detected; the detection interface can perfectly identify the operation requests of the protected software by means of encryption, while operation requests from other, unprotected software are intercepted and recorded, so that such software is intercepted directly the next time it sends an operation request. This reduces computational overhead and keeps viruses away from the core logic of the protected software, thereby achieving self-protection of the program.
Example 2:
in one embodiment, the designing an encryption interface and a detection interface of the current program based on the mock class, and integrating the mock module into the core code of the current program to generate the execution program includes:
acquiring the class of the core code, and determining the class of an encryption interface and the class of a detection interface;
according to the class of the encryption interface, adding the class of the encryption interface to the core code based on the mock class to generate an encryption principle;
and according to the class of the detection interface, adding the class of the detection interface to the encryption principle based on the mock class to generate an execution program.
The working principle of the technical scheme is as follows: the security protection of the invention is achieved by redesigning the core code so that the core code gains a self-protection function. First, the core functions are designed as classes, and a class of the encryption interface and a class of the detection interface are separated out. The class of the encryption interface makes the core program carry the preset encryption principle whenever it sends an operation request; the class of the detection interface judges, when the core program receives an operation request, whether that request contains the preset encryption principle.
The beneficial effects of the above technical scheme are: with the encryption interface, every operation request sent by the core program can pass detection, while operation requests sent by other programs are directed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protected program and the program protects itself.
Example 3:
in one embodiment, the monitoring the operation request of the execution program, and the detecting the operation request includes:
acquiring an operation request of the execution program; wherein,
the operation request includes: an operation request usable for tampering with file information, an operation request usable for tampering with memory, an operation request usable for controlling a process, an operation request usable for acquiring the core code, an operation request usable for tampering with the core code, an operation request usable for tampering with the registry, and an operation request usable for closing the detection program.
The working principle of the technical scheme is as follows: operation requests usable for tampering with file information are monitored through the I/O processing functions of the file system; operation requests for tampering with memory are monitored through the API that handles memory calls; operation requests usable for controlling a process are monitored by intercepting the process-operation API; operation requests usable for tampering with the core code are monitored by intercepting the API that modifies the core code; operation requests usable for tampering with the registry are monitored by intercepting the API that modifies the registry; and operation requests usable for closing the detection program are monitored by intercepting the API that closes the detection program.
The beneficial effects of the above technical scheme are: the function of each operation request encountered is judged, and operation requests that might damage the protected software are intercepted.
Example 4:
in one embodiment, the determining of the source of the operation request according to the detection result, wherein if the source program meets the encryption principle, the source program is the core program and the operation request is allowed, and if the source program does not meet the encryption principle, the source program is another program and the operation request is intercepted, includes:
acquiring an operation request of the execution program, and determining an internal instruction of the operation request;
judging whether the internal instruction accords with the encryption principle of a core program or not according to the internal instruction of the operation request, and determining the source of the operation request;
if the source of the operation request is a core program, allowing the operation request to point to a core logic and execute;
and if the source of the operation request is other programs, intercepting the operation request and hiding the core logic.
The working principle of the technical scheme is as follows: analyzing an internal instruction of the operation request according to the obtained operation request, judging whether the internal instruction contains a preset encryption principle of a core program, if the preset encryption principle of the core program exists, judging that the operation request is sent by the core program, namely, allowing the operation request to point to the core logic, and completing a task, and if the internal instruction is detected to have no preset encryption principle of the core program, judging that the operation request is not sent by the core program, namely, intercepting the operation request and enabling the operation request to point to an abnormal logic, and completing the task.
The beneficial effects of the above technical scheme are: by analyzing the internal command of the operation request, whether the operation request contains a preset encryption principle is judged, if the operation request contains the preset encryption principle, the operation is allowed to be carried out, and if the operation request does not contain the preset encryption principle, the operation is directed to abnormal logic, so that the protection of the core logic of the protected software is greatly improved, the operation request of other software cannot modify the protected software at all, the intrusion of viruses can be prevented, and the damage of some illegal software to the protected software can be prevented, such as the cracking of illegal software.
Example 5:
in one embodiment, the determining a source program of the operation request according to the intercepted operation request and marking the source program includes:
determining a callback interface of the operation request according to the intercepted operation request;
according to the callback interface of the operation request, having the detection interface simulate the return of callback success information, and determining the callback path of the callback interface;
determining the position of the source program according to the callback path;
acquiring the process name of the source program according to the position of the source program, and determining the process name as the mark information of the program;
and returning the mark information to the detection interface, carried in the callback success information simulated by the detection interface, and determining the mark.
The working principle of the technical scheme is as follows: after an operation request from other software is detected, the callback interface of the operation request is found from the intercepted request, and the detection interface of the protected software simulates callback success information and sends it to that callback interface. The simulated callback success information follows the callback path in the operation request to the position of the program that issued the request and records that program's process name and process extension name. Carrying this mark information, the simulated callback success information returns to the detection interface of the protected program, which stores the received mark information in the detection library so that it can be used directly next time.
The beneficial effects of the above technical scheme are: all operation requests sent by software other than the protected software are detected, their origin is traced to obtain information about that software, and the information is collected into the detection library of the protected software's detection interface, which makes the next lookup easier and saves computational overhead.
Example 6:
in one embodiment, said automatically intercepting all operation requests from said source program based on said tag comprises:
acquiring the source program, and determining whether the source program is the same as a marked program in the detection library;
if they are the same, directly intercepting the operation request of the source program;
if not, determining the source of the operation request again according to the detection result, and, when the operation request is intercepted, determining the source program of the operation request and marking the source program.
The working principle of the technical scheme is as follows: after an operation request is obtained, the detection interface compares it with the marked programs in its detection library, and if the same mark exists, the operation request is intercepted directly. If no such mark exists, the detection interface judges from the internal instruction whether the operation request was sent by the protected software; if so, execution is allowed; if not, the operation request is intercepted, the position of its source program is obtained, the source program's information is obtained for marking, and that information is stored in the detection library of the protected program's detection interface.
The beneficial effects of the above technical scheme are: software other than the protected software is marked, so that it is intercepted directly the next time it sends an operation request, saving computational overhead.
Example 7:
in one embodiment, the detecting the source program of the operation request comprises the following steps:
step (1), acquiring a function of a current operation request, acquiring mark information of the current operation request, directly intercepting the current operation request if the acquired mark information of the current operation request is not empty, and executing step (2) if the acquired mark information of the current operation request is empty;
step (2), obtaining an internal instruction of the current operation request, judging whether the internal instruction accords with a preset encryption principle, and if so, allowing the operation request to point to a core logic;
step (3), the detection interface intercepts and directs the source program which does not conform to the preset encryption principle to the abnormal logic and simulates callback success information of the operation request to determine a callback path of the operation request;
step (4), obtaining the position information of a source program, and marking the process name of the source program;
step (5), the marking information is stored in callback success information of the operation request simulated by the detection interface, and the callback success information is returned to the detection interface according to a callback path;
step (6), storing the mark information obtained by callback into a detection library of a detection interface, and directly intercepting all operation requests containing the mark information.
The working principle of the technical scheme is as follows: based on the security protection function of the invention, the core code is redesigned to add a self-protection function. First, the core functions are designed as classes, divided into a class of the encryption interface and a class of the detection interface. The class of the encryption interface makes the core program carry a preset encryption principle when it sends an operation request; the class of the detection interface judges, when the core program receives an operation request, whether the request contains the preset encryption principle. When an operation request is sent to the execution program, the detection interface judges, according to the encryption principle of the encryption interface, whether the request was sent by the protected software. If so, the detection interface allows the operation request to point to the core logic; if not, the operation request is intercepted and pointed to the abnormal logic. After an operation request from other software is detected, the callback interface of the operation request is found from the intercepted request, and the detection interface of the protection software simulates callback success information and sends it to that callback interface. The position of the program that issued the operation request is then found by following the callback path in the operation request, and the callback success information simulated by the detection interface of the protection program records the process name and process extension of that program. Carrying this mark information, the simulated callback success information returns it to the detection interface of the protection program. After receiving the mark information, the detection interface stores it in the detection library for direct use next time, so that an operation request bearing the mark is intercepted directly and pointed to the abnormal logic the next time it is encountered;
the beneficial effects of the above technical scheme are: the invention provides a method for protecting a program based on detection and encryption, thereby protecting the software from intrusion by viruses. With the encryption interface, every operation request sent by the core program passes detection, while operation requests sent by other programs are pointed to the abnormal logic by the detection interface, so that a virus cannot reach the core logic of the protected program and the program protects itself. The detection interface judges whether an operation request contains the preset encryption principle by analyzing the internal instruction of the request: if it does, the operation is allowed; if it does not, the operation is directed to the abnormal logic. This greatly strengthens the protection of the core logic of the protected software: operation requests from other software cannot modify the protected software at all, intrusion by viruses is prevented, and damage to the protected software by illegal software, such as cracking software, is prevented. The method makes skillful use of the characteristics of the memory to carry out a series of operations so that every operation request is detected. The detection interface can perfectly identify the operation requests of the protected software by means of encryption, and the operation requests of other, unprotected software are intercepted and recorded, so that such software is intercepted directly the next time it sends an operation request. This reduces computation and keeps viruses from reaching the core logic of the protected software, thereby achieving self-protection of the program.
Example 8:
in one embodiment, the step of detecting the source program of the operation request further comprises:
in the step (3), the interface with which the detection interface simulates the callback success information of the operation request is a virtual interface; the interface generated each time is unique and destroys itself after completing its task;
in step (4), the marked process name further includes an extension of the process name.
The working principle of the technical scheme is as follows: the detection interface of the protection program uses a virtual interface to simulate the callback success information of the operation request; the interface deletes itself once the acquisition of the mark information is completed, and the acquired mark information comprises the process name and the extension of the non-protected software;
the beneficial effects of the above technical scheme are: with the virtual interface, the unprotected software does not easily perceive that it has been marked, which achieves a concealment effect; and because the virtual interface is deleted each time it completes its task, a large amount of storage space is saved.
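The six-step detection flow of Examples 7 and 8 can be modeled as follows; this is an added illustration, not code from the patent. Assumptions: the "preset encryption principle", which the patent does not specify, is modeled as an HMAC-SHA256 tag; the names `OperationRequest`, `encryption_interface`, `OneShotCallback` and `DetectionInterface` are hypothetical; and the source process name is treated as already resolved by the detector.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: the patent's unspecified "encryption principle" is an HMAC-SHA256 tag.
CORE_KEY = os.urandom(32)


@dataclass
class OperationRequest:
    source_process: str  # process name with extension, as seen by the detector
    operation: str       # constructed sample value, e.g. "tamper_memory"
    tag: bytes = b""     # set by the encryption interface


def _message(req: OperationRequest) -> bytes:
    return f"{req.source_process}|{req.operation}".encode()


def encryption_interface(req: OperationRequest, key: bytes = CORE_KEY) -> OperationRequest:
    """Core-program side: attach the tag to an outgoing operation request."""
    req.tag = hmac.new(key, _message(req), hashlib.sha256).digest()
    return req


class OneShotCallback:
    """Steps (3)-(5), Example 8: unique virtual interface, returns the mark once."""

    def __init__(self, req: OperationRequest):
        self.interface_id = os.urandom(8).hex()  # unique per interception
        self._req = req

    def report_success(self) -> dict:
        if self._req is None:
            raise RuntimeError("virtual interface already destroyed")
        mark, self._req = self._req.source_process, None  # self-destruct
        return {"status": "success", "mark": mark}


@dataclass
class DetectionInterface:
    key: bytes = CORE_KEY
    detection_library: set = field(default_factory=set)
    tag_checks: int = 0  # counts how often step (2) actually ran

    def handle(self, req: OperationRequest) -> str:
        # Step (1): a marked source is intercepted without further analysis.
        if req.source_process in self.detection_library:
            return "intercepted:marked"
        # Step (2): constant-time check of the tag against the expected value.
        self.tag_checks += 1
        expected = hmac.new(self.key, _message(req), hashlib.sha256).digest()
        if hmac.compare_digest(expected, req.tag):
            return "core_logic"
        # Steps (3)-(6): divert, collect the mark, store it for next time.
        info = OneShotCallback(req).report_success()
        self.detection_library.add(info["mark"])
        return "abnormal_logic"
```

In this model the detection library is keyed on process name and extension, as the patent describes, and only serves as a fast path; the tag check in step (2) is what actually authenticates a request.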
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (8)

1. A method for program self-protection, comprising:
designing an encryption interface and a detection interface of the current program based on the mock class, and integrating a mock module on a core code of the current program to generate an execution program;
monitoring an operation request of the execution program, and detecting the operation request;
determining the source of the operation request according to the detection result; wherein,
if the source program meets the encryption principle, the source program is a core program and allows the operation request;
if the source program does not meet the encryption principle, the source program is the other program, and the operation request is intercepted;
determining a source program of the operation request according to the intercepted operation request, and marking the source program;
and automatically intercepting all operation requests from the source program according to the mark.
2. The method for program self-protection as claimed in claim 1, wherein said designing the encryption interface and detection interface of the current program based on mock class, and integrating mock module into the core code of the current program, generating the execution program, comprises:
acquiring the class of the core code, and determining the class of an encryption interface and the class of a detection interface;
according to the class of the encryption interface, increasing the class of the encryption interface of the core code based on the mock class to generate an encryption principle;
and adding the class of the detection interface to the encryption principle based on the mock class according to the class of the detection interface to generate an executive program.
3. The method of claim 1, wherein the monitoring the operation request of the executing program, and the detecting the operation request comprises:
acquiring an operation request of the execution program; wherein,
the operation request includes: operation requests that can be used to tamper with file information, tamper with memory, control a process, acquire the core code, tamper with the core code, tamper with the registry, or close the detection program.
4. The method of claim 1, wherein said determining the source of the operation request according to the detection result, where if the source program meets the encryption principle the source program is a core program and the operation request is allowed, and if the source program does not meet the encryption principle the source program is another program and the operation request is intercepted, comprises:
acquiring an operation request of the execution program, and determining an internal instruction of the operation request;
judging whether the internal instruction accords with the encryption principle of a core program or not according to the internal instruction of the operation request, and determining the source of the operation request;
if the source of the operation request is a core program, allowing the operation request to point to a core logic and execute;
and if the source of the operation request is other programs, intercepting the operation request and hiding the core logic.
5. The method as claimed in claim 1, wherein the determining a source program of the operation request according to the intercepted operation request and marking the source program comprises:
determining a callback interface of the operation request according to the intercepted operation request;
according to the callback interface of the operation request, the detection interface simulates the callback success information to return, and the callback path of the callback interface is determined;
determining the position of a source program according to the callback path;
acquiring the process name of the source program according to the position of the source program, and determining the process name as marker program information;
and according to the marker information, simulating callback success information return based on the detection interface, returning the marker information to the detection interface, and determining the marker.
6. The method of claim 1, wherein automatically intercepting all operation requests from the source program according to the mark comprises:
acquiring the source program, and determining whether the source program is the same as a marker program in a detection database;
if they are the same, directly intercepting the operation request of the source program;
if not, determining the source of the operation request again according to the detection result, determining the source program of the operation request when the operation request is intercepted, and marking the source program.
7. The method of claim 1, wherein detecting a source program of the operation request comprises:
step (1), acquiring a function of a current operation request, acquiring mark information of the current operation request, directly intercepting the current operation request if the acquired mark information of the current operation request is not empty, and executing step (2) if the acquired mark information of the current operation request is empty;
step (2), obtaining an internal instruction of the current operation request, judging whether the internal instruction accords with a preset encryption principle, and if so, allowing the operation request to point to a core logic;
step (3), the detection interface intercepts and directs the source program which does not conform to the preset encryption principle to the abnormal logic and simulates callback success information of the operation request to determine a callback path of the operation request;
step (4), obtaining the position information of a source program, and marking the process name of the source program;
step (5), the marking information is stored in callback success information of the operation request simulated by the detection interface, and the callback success information is returned to the detection interface according to a callback path;
step (6), storing the mark information obtained by callback into a detection library of a detection interface, and directly intercepting all operation requests containing the mark information.
8. The method of program self-protection as claimed in claim 7, further comprising:
in the step (3), the interface with which the detection interface simulates the callback success information of the operation request is a virtual interface; the interface generated each time is unique and destroys itself after completing its task;
in step (4), the tagged process name further includes an extension of the process name.
CN202110020703.0A 2021-01-08 2021-01-08 Program self-protection method Active CN112347499B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110020703.0A CN112347499B (en) 2021-01-08 2021-01-08 Program self-protection method

Publications (2)

Publication Number Publication Date
CN112347499A CN112347499A (en) 2021-02-09
CN112347499B true CN112347499B (en) 2021-04-30

Family

ID=74427715

Country Status (1)

Country Link
CN (1) CN112347499B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant