CN113961240A - Reverse analysis method for virtualization encryption program and related components - Google Patents


Publication number: CN113961240A
Authority: CN (China)
Prior art keywords: frame, program, target, code, target program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number: CN202111558521.5A
Other languages: Chinese (zh)
Other versions: CN113961240B (en)
Inventors: 白智毅, 范渊, 吴卓群, 王欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/70 Software maintenance or management
    • G06F 8/74 Reverse engineering; Extracting design information from source code

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The application discloses a reverse analysis method, device, equipment and storage medium for a virtualized encrypted program. The method comprises: acquiring a target program whose internal framework code is protected by virtualization encryption; loading unencrypted target framework code into the target program through injection; and grafting the target framework code onto the target program to obtain a target program to be analyzed whose framework has been reloaded, so that reverse analysis is performed on that program. Because the unencrypted target framework code is injected into the target program and grafted onto it, the virtualized encrypted framework code is rendered irrelevant: the reloaded framework lets the program bypass the virtualized framework content, restores the path from the framework to the key points to be analyzed, lets the target point be located quickly, and allows the virtualized encrypted program to be analyzed quickly and comprehensively.

Description

Reverse analysis method for virtualization encryption program and related components
Technical Field
The invention relates to the technical field of software reverse engineering, in particular to a method, a device, equipment and a storage medium for reverse analysis of a virtualized encrypted program.
Background
Currently, virtualization protection is one of the hardest software protection methods to analyze. Commercial virtualization protectors are mature and widely used in the software market, and many software authors choose to encrypt programs with virtualization protection. Virtualization encryption is also commonly used to protect malicious programs: malware authors care most about reverse analysis of their programs, and they usually pick virtualization encryption precisely because it is so hard to analyze. Because framework code is fixed and does not change, an analyst can follow a familiar framework straight to the target point; once the framework is encrypted, that experience no longer helps and the framework cannot be recognized. Analyzing a virtualization-protected program is therefore extremely difficult and tedious. The most important part of reverse analysis is finding the key target point, and in a virtualized program the search for it is tortuous, because most software authors virtualize the key framework code (for example, the MFC message-dispatch code), so the key functions are not easy to find.
In the prior art, research on assisting the analysis of virtualized programs uses a bypass method that compares small sections of framework code: because framework code is fixed, the positional relationship between encrypted and unencrypted framework code is compared to work out which section of framework code precedes the encrypted code. Virtualization encryption works at the granularity of individual functions, and a protector usually encrypts the core part of the framework code; but framework code is generally huge, so some protectors encrypt only a few framework functions, and the comparison method works when the encryption is neither wide nor deep. It performs poorly on framework code that is virtualized more widely and deeply, and it cannot reverse-analyze framework code that has been virtualized from beginning to end.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method, an apparatus, a device and a medium for reverse analysis of a virtualized encrypted program, which can analyze a virtualized encrypted program quickly and comprehensively. The specific scheme is as follows:
In a first aspect, the present application discloses a reverse analysis method for a virtualized encrypted program, including:
acquiring a target program, wherein the target program is a program whose internal framework code is protected by virtualization encryption;
loading unencrypted target framework code into the target program through injection;
and grafting the target framework code onto the target program to obtain a target program to be analyzed whose framework has been reloaded, so as to perform reverse analysis based on the target program to be analyzed.
Optionally, before loading the unencrypted target framework code into the target program through injection, the method further includes:
performing feature extraction on a plurality of program frameworks of different framework types to obtain the framework features corresponding to each type of program framework, thereby obtaining a framework feature set; the framework features comprise runtime features, key-field features and framework structure features of the program framework;
and identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program, and generating the target framework code according to that framework type.
Optionally, generating the target framework code according to the framework type includes:
determining the framework content contained in the framework of the target program according to the program interface and/or the dynamic libraries corresponding to the target program;
and creating the target framework code according to the framework type and the framework content.
Optionally, identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program includes:
identifying the framework of the target program according to all the framework structure features in the framework feature set so as to determine the framework type used by the target program.
Optionally, identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program includes:
capturing runtime events of the target program during execution with a debugger, and matching the runtime events against all the runtime features in the framework feature set so as to determine the framework type used by the target program;
and/or matching the character strings associated with the target program against all the key-field features in the framework feature set so as to determine the framework type used by the target program.
Optionally, loading the unencrypted target framework code into the target program through injection includes:
packaging the unencrypted target framework code in a preset packaging form to obtain packaged target framework code; the preset packaging form is any one of a dynamic link library (DLL), shellcode, or raw memory data;
and loading the packaged target framework code into the target program through injection.
Optionally, grafting the target framework code onto the target program to obtain the target program to be analyzed whose framework has been reloaded includes:
determining the start address of the virtualization-encrypted framework code in the target program according to virtualization encryption features;
and modifying that start address into the target start address corresponding to the target framework code, so as to graft the target framework code onto the target program and obtain the target program to be analyzed whose framework has been reloaded.
In a second aspect, the present application discloses a reverse analysis device for a virtualized encrypted program, including:
a target program acquisition module, used to acquire a target program, wherein the target program is a program whose internal main-body framework code is protected by virtualization encryption;
a target framework code injection module, used to load unencrypted target framework code into the target program through injection;
and a program grafting module, used to graft the target framework code onto the target program to obtain a target program to be analyzed whose framework has been reloaded, so that reverse analysis can be performed based on the target program to be analyzed.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the reverse analysis method for a virtualized encrypted program described above.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the reverse analysis method for a virtualized encrypted program described above.
In the application, a target program is obtained, the target program being a program whose internal framework code is protected by virtualization encryption; unencrypted target framework code is loaded into the target program through injection; and the target framework code is grafted onto the target program to obtain a target program to be analyzed whose framework has been reloaded, so that reverse analysis is performed on it. Because the unencrypted target framework code is injected into the target program and grafted onto it, the virtualized encrypted framework code is rendered irrelevant: through the reloaded framework the program bypasses the virtualized framework content, the path from the framework to the key points to be analyzed is restored, the target point can be located quickly for reverse analysis, and the virtualized encrypted program can be analyzed quickly and comprehensively.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a reverse analysis method for a virtualized encrypted program according to the present application;
Fig. 2 is a diagram of a specific program structure after virtualization encryption according to the present application;
Fig. 3 is a schematic diagram of a specific framework reload that recovers virtualized content according to the present application;
Fig. 4 is a schematic diagram of the grafting principle of a specific program provided by the present application;
Fig. 5 is a schematic structural diagram of a reverse analysis device for a virtualized encrypted program according to the present application;
Fig. 6 is a block diagram of an electronic device provided by the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, the positional relationship between encrypted framework code and unencrypted framework code is compared to determine which framework code precedes the encrypted code; this method performs poorly on framework code that is virtualized more widely and deeply, and it cannot reverse-analyze framework code that has been virtualized from beginning to end. To overcome this technical problem, the application provides a reverse analysis method for a virtualized encrypted program that can analyze such a program quickly and comprehensively.
The embodiment of the application discloses a reverse analysis method for a virtualized encrypted program, shown in fig. 1, which may comprise the following steps:
Step S11: acquire a target program, the target program being a program whose internal framework code is protected by virtualization encryption.
In this embodiment, the target program to be reverse-analyzed is obtained first. Its internal framework code is protected by virtualization encryption; the protected framework code may be the program's main framework or individual framework functions, which is not specifically limited. Virtualization encryption protection, also called virtual-machine protection, translates code into a stream of pseudo-code bytes that neither the machine nor a human can recognize directly. At execution time the pseudo-code is translated and interpreted instruction by instruction, each step reproducing the effect of the original code. The subroutine that translates the pseudo-code and carries out the actual execution is called the virtual machine (VM), something like an abstract CPU; it usually exists as a function whose parameter is the memory address of the bytecode. Commercial protectors that apply virtual-machine protection include VMProtect and Themida.
Step S12: load the unencrypted target framework code into the target program through injection.
In this embodiment, after the target program to be reverse-analyzed is obtained, the unencrypted target framework code is loaded into it through injection; it can be understood that the target framework code is unencrypted framework code that matches the target program.
In this embodiment, loading the unencrypted target framework code into the target program through injection may include: packaging the unencrypted target framework code in a preset packaging form to obtain packaged target framework code, where the preset packaging form is any one of a dynamic link library (DLL), shellcode, or raw memory data; and loading the packaged target framework code into the target program through injection. Once the target framework code has been determined, it has to be encapsulated in a form that is easy to inject into the target program. The packaging form may be a DLL, shellcode, or simply a block of memory data; the DLL form is preferred because it is the easiest to package and inject. The injection method may include, but is not limited to, remote-thread injection, EIP-register injection, APC injection, hijacking, and so on. Taking DLL packaging with remote-thread injection as an example, the injection process comprises the following steps:
(1) run the original program, that is, the target program, under the debugger, and obtain a handle to its process (called the H handle here) with the OpenProcess function;
(2) allocate a block of memory (called the M memory here) inside the original program's process with the VirtualAllocEx function; its size is one page (4096 bytes);
(3) set the M memory to readable, writable and executable with the VirtualProtectEx function;
(4) write the DLL path string into the M memory with WriteProcessMemory;
(5) obtain the address of the LoadLibrary function in kernel32.dll (called the LD function address here) with GetProcAddress;
(6) create a remote thread with CreateRemoteThread, passing the H handle, the LD function address and the M memory address as parameters. The packaged DLL is thereby injected into the original program's process.
In this embodiment, before loading the unencrypted target framework code into the target program through injection, the method may further include: performing feature extraction on a plurality of program frameworks of different framework types to obtain the framework features corresponding to each type, thereby obtaining a framework feature set, where the framework features comprise runtime features, key-field features and framework structure features of the program framework; and identifying the target program using the framework feature set to determine the framework type corresponding to the framework the target program uses, and generating the target framework code according to that framework type. It will be appreciated that to reload a framework, one first has to determine which type of framework the target program was developed with. Although the main body of the target program's framework is virtualized and encrypted, development frameworks are huge platforms that leave a great many traces, so the framework of the target program can be identified accurately from the features unique to each framework. The framework features may include any one or more of the runtime features, key-field features and framework structure features of the program framework. Once the framework type is determined, the target framework code is generated from the standard program framework corresponding to that type.
In this embodiment, identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program may include: identifying the framework of the target program according to all the framework structure features in the framework feature set so as to determine the framework type used by the target program. It can be understood that each framework has structures unique to it; using these structures as templates and searching for them in the program's memory, the framework can be identified from the structures found. For example, the MFC (Microsoft Foundation Classes) framework has message-map (MsgMap) related structures, and the Qt framework has signal/slot related structures.
In this embodiment, identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program may include: capturing runtime events of the target program during execution with a debugger and matching them against all the runtime features in the framework feature set so as to determine the framework type used by the target program; and/or matching the character strings associated with the target program against all the key-field features in the framework feature set so as to determine the framework type used by the target program. It can be understood that no matter how strong the virtualization is, it can only encrypt code, not data, and the data must be decrypted at run time; so by running the program under a debugger, the framework type can be judged from the information the program gives off while it runs. A dynamically linked MFC program, for example, has to load the MFC DLLs when it runs, so the framework type can be determined from such distinctive runtime events. In addition, a statically compiled MFC program contains a great deal of string information with distinctive features such as "Dlg", and an Easy Language (易语言) program contains many Chinese strings unrelated to its functionality as well as many "invalidxxxxx" strings unique to Easy Language. The framework type can therefore be identified from the strings contained in the target program or the strings associated with it at run time.
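As an added example that is not from the patent, the following C code applies the key-field and runtime features described above to constructed sample data: it scans a raw image buffer for framework strings and scores the module names a debugger would see being loaded. The MFC and Qt DLL names and the "Afx:" window-class prefix are real; the "Dlg" and "invalid" strings come from the text; the Delphi entries and all weights are assumptions, and the sample buffers are constructed inline. Framework structure features (the MFC message map, Qt signal/slot tables) are not modelled here.

```c
/* Added example (not from the patent): framework identification from
 * key-field (string) and runtime (loaded DLL name) features, which survive
 * virtualization because they are data, not code. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { FW_MFC, FW_QT, FW_DELPHI, FW_EASY, NFW };
static const char *const FRAMEWORK_NAMES[NFW] = { "MFC", "Qt", "Delphi", "Easy Language" };

/* Feature table: an illustrative subset; the weights are assumptions. */
struct feature { int fw; const char *needle; int weight; };
static const struct feature FEATURES[] = {
    { FW_MFC,    "mfc140u.dll",  5 },  /* runtime feature: MFC DLL loaded by a dynamically linked build */
    { FW_MFC,    "mfc42.dll",    5 },
    { FW_MFC,    "Afx:",         3 },  /* key field: prefix of the window classes MFC registers */
    { FW_MFC,    "Dlg",          1 },  /* key field from the text: dialog class names in static MFC builds */
    { FW_QT,     "Qt5Core.dll",  5 },
    { FW_QT,     "QtCore4.dll",  5 },
    { FW_QT,     "qt_metacall",  3 },
    { FW_QT,     "QObject",      2 },
    { FW_DELPHI, "DVCLAL",       5 },  /* assumed: VCL access-license resource name */
    { FW_DELPHI, "TApplication", 3 },  /* assumed: VCL class name */
    { FW_EASY,   "invalid",      1 },  /* key field from the text: "invalidxxxxx" strings */
};

/* Case-insensitive count of needle inside a raw byte buffer (no NUL terminator needed). */
static size_t count_ci(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle), hits = 0;
    for (size_t i = 0; n && i + n <= len; i++) {
        size_t k = 0;
        while (k < n && tolower(buf[i + k]) == tolower((unsigned char)needle[k])) k++;
        if (k == n) { hits++; i += n - 1; }
    }
    return hits;
}

static void score_buffer(const unsigned char *buf, size_t len, int scores[NFW])
{
    for (size_t i = 0; i < sizeof FEATURES / sizeof FEATURES[0]; i++) {
        size_t c = count_ci(buf, len, FEATURES[i].needle);
        if (c > 4) c = 4;   /* cap so one very common string cannot dominate */
        scores[FEATURES[i].fw] += FEATURES[i].weight * (int)c;
    }
}

static const char *best_framework(const int scores[NFW])
{
    int bi = 0;
    for (int i = 1; i < NFW; i++) if (scores[i] > scores[bi]) bi = i;
    return scores[bi] > 0 ? FRAMEWORK_NAMES[bi] : "unknown";
}

/* Key-field features: scan a dumped image or memory region. */
const char *identify_framework(const unsigned char *buf, size_t len)
{
    int scores[NFW] = { 0 };
    score_buffer(buf, len, scores);
    return best_framework(scores);
}

/* Runtime features: module names taken from the debugger's DLL-load events. */
const char *identify_from_modules(const char *const *modules, size_t count)
{
    int scores[NFW] = { 0 };
    for (size_t i = 0; i < count; i++)
        score_buffer((const unsigned char *)modules[i], strlen(modules[i]), scores);
    return best_framework(scores);
}

/* Constructed samples standing in for a dump of the target's memory. */
static const unsigned char SAMPLE_STATIC_MFC[] = "MZ\x90\0CAboutDlg\0CMainDlg\0Afx:%p:%x\0IDD_ABOUTBOX";
static const unsigned char SAMPLE_QT[] = "MZ\x90\0Qt5Core.dll\0qt_metacall\0QObject\0QWidget";
static const unsigned char SAMPLE_PLAIN[] = "MZ\x90\0A plain C program: printf, malloc, no GUI framework";
static const char *const SAMPLE_MODULES[] = { "ntdll.dll", "KERNEL32.DLL", "mfc140u.dll" };

int main(void)
{
    printf("static image -> %s\n", identify_framework(SAMPLE_STATIC_MFC, sizeof SAMPLE_STATIC_MFC));
    printf("qt image     -> %s\n", identify_framework(SAMPLE_QT, sizeof SAMPLE_QT));
    printf("plain image  -> %s\n", identify_framework(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN));
    printf("load events  -> %s\n", identify_from_modules(SAMPLE_MODULES, 3));
    return 0;
}
```

On a real target the image buffer is the dumped memory of the running process, so that strings the protector unpacks at run time are included, and the module list comes from the debugger's load notifications; both front-ends feed the same feature table, which is what the patent's "framework feature set" amounts to in practice.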
In this embodiment, generating the target framework code according to the framework type may include: determining the framework content contained in the target program's framework according to the program interface and/or the dynamic libraries corresponding to the target program; and creating the target framework code according to the framework type and the framework content. It can be understood that the minimum requirement for the packaged framework code is that no part of the framework the target uses may be missing; otherwise, after the framework is reloaded, the original program will fail because of the missing framework content. At the same time, injecting the whole framework wastes resources. So one observes which parts of the framework the target uses, for example whether it uses multiple documents or a single document, whether it uses dialog boxes, and so on. The general principle is that the framework in the DLL may contain more than the target needs, but never less. Taking MFC as the framework type, the creation of the target framework code includes:
(1) create an MFC DLL project in Visual Studio (VS);
(2) if the target program uses a single document, open another VS instance, create a new MFC single-document project, and copy that project's source files and resources into the DLL project, so that the DLL project contains the MFC single-document framework;
(3) if the target program uses a dialog box, create a new dialog box directly in the DLL project; other cases are not listed, but the principle is the same;
(4) compile the MFC DLL statically if the target program is statically compiled, and dynamically if it is dynamically compiled. Whether the target program is statically or dynamically compiled can be judged by whether it uses the MFC DLLs: if it does, it is dynamically compiled; if it does not, it is statically compiled. This completes the creation of the target framework code.
Step S13: graft the target framework code onto the target program to obtain a target program to be analyzed whose framework has been reloaded, so as to perform reverse analysis based on the target program to be analyzed.
In this embodiment, after the target framework code has been loaded into the target program, it is grafted onto the target program to obtain the target program to be analyzed whose framework has been reloaded, and reverse analysis is performed on that program. For example, fig. 2 shows the program structure after virtualization encryption, and fig. 3 shows how reloading the framework recovers the virtualized content. It can be understood that reverse analysis is a process of repeated analysis and debugging that cannot be completed in one pass, and this embodiment provides a general method and approach. Although different frameworks differ greatly, those differences are irrelevant to the virtualization encryption and to the framework reloading work, because the code of every framework is fixed and the idea of reloading it is the same whatever the framework. The purpose of this embodiment is to load unencrypted framework code into the encrypted program's process, detach the program from its original encrypted framework code, and graft the loaded unencrypted framework code onto the original program, so that the encrypted framework is naturally recovered and the virtualization encryption is bypassed. The embodiment is widely applicable: it is compatible with common development frameworks such as Qt, MFC, Delphi and Easy Language, is compatible with most virtualized programs, and can conveniently be written as a debugger plug-in that reloads frameworks automatically, reducing the difficulty of analyzing virtualized programs.
In this embodiment, grafting the target framework code onto the target program to obtain the target program to be analyzed whose framework has been reloaded may include: determining the start address of the virtualization-encrypted framework code in the target program according to virtualization encryption features; and modifying that start address into the target start address corresponding to the target framework code, so as to graft the target framework code onto the target program and obtain the target program to be analyzed whose framework has been reloaded.
For example, in the program grafting schematic of fig. 4, after the original program has been run under the debugger and the DLL has been injected, grafting is carried out. First, the entry at which the target program starts to be virtualized is located. That entry is necessarily a function, because virtualization protection works per function, and the entry of a virtualized function is generally a push xxxx; call xxxx, or simply a jmp xxxx, so virtualized functions can be identified from such virtualization encryption features. After stepping into the call, the virtualized disassembly is very obvious: it has no macroscopic logic at all, in sharp contrast to unencrypted code. Returning to the entry code, the assembly will normally enter the framework code with a CALL; this CALL is modified directly into a CALL to the start address of the DLL framework. Only the program's entry code needs to be grafted to the non-virtualized framework code; the program's exit code does not need to be grafted by hand, because the instruction is a CALL and the non-virtualized framework code returns to the program's exit automatically when it finishes. Framework reloading is thus complete. At this point, all message loops and window response handling in the framework are taken over by the reloaded, non-virtualized framework DLL: button messages and mouse and keyboard messages all pass through the DLL, and when a program function is used, the function written by the author is naturally called. The analyst can therefore locate and analyze it easily without having to deal with the encrypted framework code.
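The grafting step above as an added C example that is not part of the patent. It works on a constructed 11-byte x86 entry (push imm32; call rel32; ret) at an assumed address 0x00401000, recognises the stub forms the text names, and rewrites the CALL's rel32 so that it lands on an assumed framework start address 0x10001000 in the injected DLL. In practice the patched bytes are written into the target with the debugger or WriteProcessMemory after the page has been made writable, and the DLL's real base is read from the debugger's module list.

```c
/* Added example (not from the patent): grafting on a constructed x86 entry.
 * Finds the virtualized entry stub, computes the new rel32 so the CALL lands
 * on the injected DLL's framework entry, and patches it in place. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the call/jmp at a virtualized function entry, or -1 if the bytes
 * do not look like one of the stubs the text describes. */
int vm_entry_stub(const uint8_t *code, size_t n)
{
    if (n >= 5 && (code[0] == 0xE8 || code[0] == 0xE9)) return 0;                        /* call/jmp rel32 */
    if (n >= 10 && code[0] == 0x68 && (code[5] == 0xE8 || code[5] == 0xE9)) return 5;   /* push imm32; call/jmp rel32 */
    return -1;
}

/* rel32 for a 5-byte call/jmp at site_va that must land on target_va.
 * Wraps modulo 2^32, so a backward target comes out as a negative displacement. */
uint32_t rel32_for(uint32_t site_va, uint32_t target_va)
{
    return target_va - (site_va + 5u);
}

/* Little-endian read of the displacement that follows an E8/E9 opcode. */
uint32_t read_rel32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Rewrites the E8 CALL at code[off] so it reaches dll_frame_va. The opcode is
 * kept as CALL: the reloaded framework returns to the original exit code when
 * it finishes, so the exit side needs no grafting. Returns 0 on success. */
int graft_call(uint8_t *code, size_t n, size_t off, uint32_t site_va, uint32_t dll_frame_va)
{
    if (off + 5 > n || code[off] != 0xE8) return -1;
    uint32_t rel = rel32_for(site_va, dll_frame_va);
    for (int i = 0; i < 4; i++) code[off + 1 + i] = (uint8_t)(rel >> (8 * i));
    return 0;
}

/* Constructed entry: push 0x12345678 ; call <vm handler> ; ret  (assumed addresses) */
static const uint8_t ENTRY[] = { 0x68, 0x78, 0x56, 0x34, 0x12, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3 };
#define ENTRY_VA     0x00401000u
#define DLL_FRAME_VA 0x10001000u   /* assumed start of the injected DLL's framework entry */

/* Runs the whole graft on a copy of ENTRY and returns the rel32 now in the CALL. */
uint32_t demo_graft(void)
{
    uint8_t buf[sizeof ENTRY];
    memcpy(buf, ENTRY, sizeof ENTRY);
    int off = vm_entry_stub(buf, sizeof buf);
    if (off < 0) return 0;
    if (graft_call(buf, sizeof buf, (size_t)off, ENTRY_VA + (uint32_t)off, DLL_FRAME_VA) != 0) return 0;
    return read_rel32(buf + off + 1);
}

int main(void)
{
    uint32_t rel = demo_graft();
    /* the CALL sits at ENTRY_VA+5, so its next instruction is ENTRY_VA+10 */
    printf("patched rel32 = 0x%08X, CALL now lands at 0x%08X\n", rel, (uint32_t)(ENTRY_VA + 10u + rel));
    return 0;
}
```

The same arithmetic applies to a jmp-style entry (opcode E9), and on a 64-bit target rel32 must stay within plus or minus 2 GiB of the site, so the DLL base matters there; otherwise the graft needs an absolute indirect jump instead of a patched displacement.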
As can be seen from the above, in this embodiment a target program is obtained, the target program being a program whose internal framework code is protected by virtualization encryption; unencrypted target framework code is loaded into the target program through injection; and the target framework code is grafted onto the target program to obtain a target program to be analyzed whose framework has been reloaded, so that reverse analysis is performed on it. Because the unencrypted target framework code is injected into the target program and grafted onto it, the virtualized encrypted framework code is rendered irrelevant: through the reloaded framework the program bypasses the virtualized framework content, the path from the framework to the key points to be analyzed is restored, the target point can be located quickly for reverse analysis, the virtualized encrypted program can be analyzed quickly and comprehensively, and a new building block is added to reverse-analysis technology.
Correspondingly, an embodiment of the present application further discloses a reverse analysis device for a virtualized encrypted program, as shown in fig. 5, the device includes:
an object program obtaining module 11, configured to obtain an object program, where the object program is a program in which an internal body frame code is protected by virtualization encryption;
an object frame code injection module 12, configured to load unencrypted object frame code into the object program through injection;
and the program grafting module 13 is configured to graft the target frame code and the target program to obtain a target program to be analyzed after a frame is overloaded, so as to perform reverse analysis based on the target program to be analyzed.
In this embodiment, a target program is obtained, where the target program is a program whose internal framework code is protected by virtualization encryption; loading unencrypted object frame codes into the object program through injection; and grafting the target frame code and the target program to obtain a target program to be analyzed after the frame is overloaded, so as to perform reverse analysis based on the target program to be analyzed. Therefore, the unencrypted target frame code is loaded into the target program through injection, the target frame code and the target program are grafted, the virtualized encrypted frame code is invalidated, the program bypasses the virtualized frame content through the heavy-load frame, the frame is communicated with the road of the key point to be analyzed, the target point can be found quickly for reverse analysis, and the virtualized encrypted program can be analyzed quickly and comprehensively.
In some embodiments, the virtualized encrypted program reverse analysis device may specifically include:
a framework feature set generating unit, configured to perform feature extraction on a plurality of program frameworks of different framework types to obtain the framework features corresponding to each type of program framework, thereby obtaining a framework feature set; the framework features comprise operation features, key field features and framework structure features of the program framework;
and a framework type determining unit, configured to identify the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program, and to generate the target framework code according to that framework type.
In some specific embodiments, the framework type determining unit may specifically include:
a framework content determining unit, configured to determine the framework content contained in the framework of the target program according to the program interface and/or the dynamic library corresponding to the target program;
and a target framework code creating unit, configured to create the target framework code according to the framework type and the framework content.
In some specific embodiments, the framework type determining unit may specifically include:
a first framework type determining unit, configured to identify the framework of the target program according to all the framework structure features in the framework feature set, so as to determine the framework type used by the target program.
In some specific embodiments, the framework type determining unit may specifically include:
a second framework type determining unit, configured to capture operation events of the target program during its operation using a debugger, and to identify those operation events against all the operation features in the framework feature set, so as to determine the framework type used by the target program;
and a third framework type determining unit, configured to identify the character strings associated with the target program according to all the key field features in the framework feature set, so as to determine the framework type used by the target program.
In some specific embodiments, the target framework code injection module 12 may specifically include:
a packaging unit, configured to package the unencrypted target framework code in a preset packaging form to obtain packaged target framework code, where the preset packaging form is any one of a dynamic link library form, a shellcode form and a memory data form;
and a code injection unit, configured to load the packaged target framework code into the target program by injection.
In some embodiments, the program grafting module 13 may specifically include:
a starting address determining unit, configured to determine, according to a virtualization encryption feature, the starting address of the virtualization-encrypted framework code in the target program;
and a program grafting unit, configured to modify that starting address to the target starting address corresponding to the target framework code, so as to graft the target framework code and the target program together and obtain the target program to be analyzed with the framework reloaded.
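As an added illustration of the framework type determining units described above (the same procedure is restated in claims 2 to 5), and not code from the patent or from DBAPPSecurity: a feature set carrying the three feature kinds the text names, and a two-stage identifier that tries framework structure features first and falls back to debugger operation events and key field strings. The framework names, feature values and the sample program image are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameworkFeatures:
    """One entry of the framework feature set: the three feature kinds the text names."""
    name: str
    structure: frozenset         # framework structure features (sections, exports, layout)
    operation_events: frozenset  # operation features: events a debugger observes at run time
    key_fields: frozenset        # key field features: strings characteristic of the framework


# Constructed feature set for two hypothetical frameworks; every value here is made up.
FEATURE_SET = (
    FrameworkFeatures("fwA", frozenset({".fwa_rt", "export:fwa_init"}),
                      frozenset({"LoadLibrary:fwa_runtime.dll", "CreateThread"}),
                      frozenset({"FWA_VERSION", "fwa::Engine"})),
    FrameworkFeatures("fwB", frozenset({".text", "export:fwb_main"}),
                      frozenset({"LoadLibrary:fwb_core.dll"}),
                      frozenset({"FWB_HOME", "fwb.config"})),
)

# Constructed stand-in for a program image: a few header bytes, padding and two strings.
SAMPLE_IMAGE = (b"MZ\x90\x00\x03" + b"\x00" * 8 + b"fwb.config\x00"
                + b"\x00" * 4 + b"vm_dispatch\x00")


def extract_strings(image: bytes, min_len: int = 6) -> set:
    """Printable-ASCII runs of at least min_len bytes: the 'character strings associated
    with the target program' that the key field features are matched against."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, image)}


def identify_framework(structure: set, events: set, strings: set, feature_set=FEATURE_SET):
    """Return (framework_name, stage) for the target program, or (None, None).

    Stage 1 (structure features): a framework is a candidate when all of its structure
    features are present in the target; a single candidate settles the framework type.
    Stage 2 (operation events and/or key fields): if stage 1 leaves zero or several
    candidates, score the remaining ones by matched debugger events plus key fields
    found as substrings of the extracted strings; a unique best non-zero score wins.
    """
    candidates = [f for f in feature_set if f.structure <= structure]
    if len(candidates) == 1:
        return candidates[0].name, "structure"
    if not candidates:
        candidates = list(feature_set)
    scored = []
    for f in candidates:
        event_hits = len(f.operation_events & events)
        field_hits = sum(1 for k in f.key_fields if any(k in s for s in strings))
        scored.append((event_hits + field_hits, f.name))
    scored.sort(reverse=True)
    best_score, best_name = scored[0]
    if best_score > 0 and (len(scored) == 1 or best_score > scored[1][0]):
        return best_name, "operation/key_field"
    return None, None


if __name__ == "__main__":
    # Structure features alone are decisive here.
    print(identify_framework({".fwa_rt", "export:fwa_init", ".text"}, set(), set()))
    # Structure is inconclusive; a debugger event plus an extracted string decide.
    print(identify_framework({".text"}, {"LoadLibrary:fwb_core.dll"},
                             extract_strings(SAMPLE_IMAGE)))
```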
Further, an embodiment of the present application also discloses an electronic device, shown in fig. 6; the content of the drawing is not to be construed as any limitation on the scope of the application.
Fig. 6 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The memory 22 is configured to store a computer program, which is loaded and executed by the processor 21 to implement the relevant steps of the virtualized encrypted program reverse analysis method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide the working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol it follows is any communication protocol applicable to the technical solution of the present application and is not specifically limited here; the input/output interface 25 is configured to acquire external input data or to output data to the outside, and its specific interface type may be selected according to the specific application requirements and is not specifically limited here.
In addition, the memory 22 serves as a carrier for resource storage and may be a read-only memory, a random access memory, a magnetic disk, an optical disk or the like; the resources stored on it include an operating system 221, a computer program 222 and data 223 including target framework code, and the storage may be transient or persistent.
The operating system 221 is used to manage and control each hardware device and the computer program 222 on the electronic device 20, so that the processor 21 can operate on and process the data 223 in the memory 22; it may be Windows Server, Netware, Unix, Linux or the like. Besides the computer program used to perform the virtualized encrypted program reverse analysis method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs used to perform other specific tasks.
Further, an embodiment of the present application also discloses a computer storage medium storing computer-executable instructions; when the computer-executable instructions are loaded and executed by a processor, the steps of the virtualized encrypted program reverse analysis method disclosed in any of the foregoing embodiments are implemented.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments can be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, apparatus, device and medium for reverse analysis of a virtualized encrypted program provided by the present invention have been described in detail above; a specific example has been used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is intended only to help in understanding the method and its core idea. At the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

1. A virtualized encrypted program reverse analysis method, comprising:
acquiring a target program, wherein the target program is a program whose internal framework code is protected by virtualization encryption;
loading unencrypted target framework code into the target program by injection;
and grafting the target framework code and the target program together to obtain a target program to be analyzed with the framework reloaded, so as to perform reverse analysis based on the target program to be analyzed.
2. The method according to claim 1, wherein before loading the unencrypted target framework code into the target program by injection, the method further comprises:
performing feature extraction on a plurality of program frameworks of different framework types to obtain the framework features corresponding to each type of program framework, thereby obtaining a framework feature set; the framework features comprise operation features, key field features and framework structure features of the program framework;
and identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program, and generating the target framework code according to the framework type.
3. The virtualized encrypted program reverse analysis method according to claim 2, wherein the generating the target framework code according to the framework type comprises:
determining the framework content contained in the framework of the target program according to the program interface and/or the dynamic library corresponding to the target program;
and creating the target framework code according to the framework type and the framework content.
4. The virtualized encrypted program reverse analysis method according to claim 2, wherein the identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program comprises:
identifying the framework of the target program according to all the framework structure features in the framework feature set, so as to determine the framework type used by the target program.
5. The virtualized encrypted program reverse analysis method according to claim 4, wherein the identifying the target program using the framework feature set to determine the framework type corresponding to the framework used by the target program comprises:
capturing operation events of the target program during its operation using a debugger, and identifying the operation events according to all the operation features in the framework feature set, so as to determine the framework type used by the target program;
and/or identifying the character strings associated with the target program according to all the key field features in the framework feature set, so as to determine the framework type used by the target program.
6. The virtualized encrypted program reverse analysis method according to claim 1, wherein the loading the unencrypted target framework code into the target program by injection comprises:
packaging the unencrypted target framework code in a preset packaging form to obtain packaged target framework code, wherein the preset packaging form is any one of a dynamic link library form, a shellcode form and a memory data form;
and loading the packaged target framework code into the target program by injection.
7. The virtualized encrypted program reverse analysis method according to any one of claims 1 to 6, wherein the grafting the target framework code and the target program together to obtain the target program to be analyzed with the framework reloaded comprises:
determining, according to a virtualization encryption feature, the starting address of the virtualization-encrypted framework code in the target program;
and modifying the starting address to the target starting address corresponding to the target framework code, so as to graft the target framework code and the target program together and obtain the target program to be analyzed with the framework reloaded.
8. A virtualized encrypted program reverse analysis device, comprising:
a target program acquisition module, configured to acquire a target program, wherein the target program is a program whose internal main body framework code is protected by virtualization encryption;
a target framework code injection module, configured to load unencrypted target framework code into the target program by injection;
and a program grafting module, configured to graft the target framework code and the target program together to obtain a target program to be analyzed with the framework reloaded, so that reverse analysis can be performed based on the target program to be analyzed.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the virtualized encrypted program reverse analysis method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the virtualized encrypted program reverse analysis method according to any one of claims 1 to 7.
CN202111558521.5A 2021-12-20 2021-12-20 Reverse analysis method for virtualization encryption program and related components Active CN113961240B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111558521.5A CN113961240B (en) 2021-12-20 2021-12-20 Reverse analysis method for virtualization encryption program and related components


Publications (2)

Publication Number Publication Date
CN113961240A true CN113961240A (en) 2022-01-21
CN113961240B CN113961240B (en) 2022-04-08

Family

ID=79473280


Country Status (1)

Country Link
CN (1) CN113961240B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7284274B1 (en) * 2001-01-18 2007-10-16 Cigital, Inc. System and method for identifying and eliminating vulnerabilities in computer software applications
US8112636B1 (en) * 2007-11-06 2012-02-07 Lockheed Martin Corporation Protection of code or data from exposure by use of code injection service
CN103838573A (en) * 2014-01-03 2014-06-04 浙江宇天科技股份有限公司 Application program generation method and device
CN106681923A (en) * 2016-12-29 2017-05-17 广州华多网络科技有限公司 Software evaluation method and device
CN107577925A (en) * 2017-08-11 2018-01-12 西北大学 Android application protection method based on dual ARM instruction virtualization
CN110929234A (en) * 2019-11-28 2020-03-27 施羊梦燊 Python program encryption protection system and method based on code virtualization
US20200128134A1 (en) * 2014-11-01 2020-04-23 Somos, Inc. Toll-free telecommunications and data management platform
CN112214736A (en) * 2020-11-02 2021-01-12 杭州安恒信息技术股份有限公司 Code encryption method and related assembly
CN113568680A (en) * 2021-07-23 2021-10-29 杭州网易智企科技有限公司 Dynamic link library protection method, device, equipment and medium for application program
CN113703859A (en) * 2020-05-08 2021-11-26 腾讯科技(深圳)有限公司 Dynamic link library injection method, device, equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
LUCA WILKE et al.: "SEVurity: No Security Without Integrity: Breaking Integrity-Free Memory Encryption with Minimal Assumptions", 2020 IEEE Symposium on Security and Privacy (SP) *
王思泰: "Security Research on an Android-Based Smart Bluetooth Lock App", China Master's Theses Full-Text Database (Electronic Journal) *
蒋永康: "Research on Malicious Code Unpacking and Homology Determination Techniques", China Master's Theses Full-Text Database (Electronic Journal) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant