CN116738382A - Code processing method, device, computer equipment and storage medium - Google Patents
Code processing method, device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN116738382A CN116738382A CN202310622401.XA CN202310622401A CN116738382A CN 116738382 A CN116738382 A CN 116738382A CN 202310622401 A CN202310622401 A CN 202310622401A CN 116738382 A CN116738382 A CN 116738382A
- Authority
- CN
- China
- Prior art keywords
- code
- function
- protected
- mapping
- protected code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 24
- 238000013507 mapping Methods 0.000 claims abstract description 114
- 230000015654 memory Effects 0.000 claims abstract description 58
- 238000000034 method Methods 0.000 claims abstract description 33
- 230000006870 function Effects 0.000 claims description 132
- 238000012545 processing Methods 0.000 claims description 17
- 238000004590 computer program Methods 0.000 claims description 14
- 238000004458 analytical method Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 8
- 238000004891 communication Methods 0.000 description 5
- 230000008569 process Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 4
- 230000003068 static effect Effects 0.000 description 4
- 230000002159 abnormal effect Effects 0.000 description 3
- 238000005336 cracking Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 239000008186 active pharmaceutical agent Substances 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 description 1
- 101100348848 Mus musculus Notch4 gene Proteins 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 229910021389 graphene Inorganic materials 0.000 description 1
- 238000003384 imaging method Methods 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The application relates to a code processing method, a device, a computer device and a storage medium, comprising: acquiring information of a protected code, wherein the information comprises a starting address of the protected code and the memory size occupied by the protected code; creating a mapping section, and acquiring a handle of the mapping section; according to the handle of the mapping section and the information of the protected code, the protected code is mapped to the mapping section to obtain a protection code; according to the protected code and the protection code, a target file is obtained, the safety of the protected code is improved, and the problem that the code cannot be well protected by an anti-debugging method is solved.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a code processing method, a code processing device, a computer device, and a storage medium.
Background
In order to better protect programs or key codes and prevent software copyright from being damaged, a method of shell protection is generally selected to achieve the effect of preventing software from being cracked and analyzed. Although the shelled protection can cause a great degree of obstacle for cracking analysts such as hackers, friends and the like, so as to achieve the purposes of delaying precious time and the like, plays a key role in countermeasure.
Typically, analysis and cracking of programs includes dynamic debugging analysis and static decompilation analysis. Static decompilation is to directly read the data and codes of each section of the program before running, then translate the byte codes into machine instructions and analyze the machine instructions; the dynamic debugging analysis is the process of dynamically observing the changes of CPU registers, stack frames, memories and the like after the program is loaded and operated so as to analyze. During dynamic analysis, the program is required to run to a place which is favorable for analysis and is stopped so as to observe the state of the program, and the running process of the program is known step by step so as to achieve the purpose of cracking and even restoring codes. For example, by using a breakpoint method, a program running to a certain key point is suspended, and a debugger modifies an instruction at a specific code section address of a target program, so that when the program is executed to the address, an int3 debugging instruction is triggered to be abnormal, and the debugger takes over the abnormal processing through abnormal distribution, thereby achieving the purpose of dynamic debugging.
The common anti-debugging technology in the protection of the shell is to encrypt the whole code segment or the key code segment to generate a new program, then decrypt and restore the code of the original program to the designated section position earlier when the new program runs, jump the execution flow of the program to the start point of the decrypted code after the decryption is completed, and then start the normal running of the program, wherein the shell code and the encrypted code segment bring a certain obstacle to the analysis of a hacker, thereby achieving the purpose of anti-debugging. However, the protection of the code by the method is not thorough, and the code encryption logic can be cracked by a breakpoint analysis method as long as a hacker can find the position of the decrypted code. The protection against the addition of a shell is very limited to the barriers that a hacker such as a crack analyzer can create.
Aiming at the problem that the code cannot be well protected by the anti-debugging method in the related technology, no effective solution is proposed at present.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a code processing method, apparatus, computer device, and storage medium capable of improving anti-debugging effects.
In a first aspect, the present application provides a code processing method, the method comprising:
acquiring information of a protected code, wherein the information comprises a starting address of the protected code and the memory size occupied by the protected code;
creating a mapping section, and acquiring a handle of the mapping section;
according to the handle of the mapping section and the information of the protected code, the protected code is mapped to the mapping section to obtain a protection code;
and obtaining the target file according to the protected code and the protection code.
In one embodiment, creating the mapping section includes:
and generating the mapping section according to the attribute of the mapping section, wherein the attribute of the mapping section comprises the authority of the mapping area and the size of the mapping area.
In one embodiment, generating the mapping section according to the attribute of the mapping section includes:
generating a first parameter list according to the authority of the mapping area and the size of the mapping area;
and calling a first function, writing a first parameter list into the first function, and generating the mapping section.
In one embodiment, invoking the first function includes:
acquiring a first address of a first function;
defining a first null pointer conforming to the first function pointer type, and assigning the first address to the first null pointer to obtain the first function pointer;
and calling the first function according to the first function pointer.
In one embodiment, obtaining the first address of the first function includes:
acquiring a handle of a function library, wherein the function library comprises the first function;
and acquiring the first address in the function library according to the handle of the function library.
In one embodiment, mapping the protected code to the mapping section according to the handle of the mapping section and the information of the protected code to obtain the protection code includes:
generating a second parameter list according to the handle of the mapping section and the information of the protected code;
and calling a second function, writing a second parameter list into the second function, and generating the protection code.
In one embodiment, invoking the second function includes:
acquiring a second address of a second function;
defining a second null pointer conforming to the second function pointer type, and assigning the second address to the second null pointer to obtain the second function pointer;
and calling the second function according to the second function pointer.
In one embodiment, obtaining the second address of the second function includes:
acquiring a handle of a function library, wherein the function library comprises the second function;
and acquiring the second address in the function library according to the handle of the function library.
In one embodiment, according to the protected code and the protection code, obtaining the target file further includes:
acquiring an executable file comprising the protected code, and encrypting the protected code;
and adding a new section in the executable file, and adding the protection code into the new section to generate the target file.
In a second aspect, the present application also provides a code processing apparatus, the apparatus comprising:
the system comprises an acquisition module, a storage module and a storage module, wherein the acquisition module is used for acquiring information of a protected code, and the information comprises a starting address of the protected code and the memory size occupied by the protected code;
the mapping module is used for creating a mapping section and acquiring a handle of the mapping section; according to the handle of the mapping section and the information of the protected code, the protected code is mapped to the mapping section to obtain a protection code;
and the generating module is used for obtaining the target file according to the protected code and the protection code.
In a third aspect, the present application also provides a computer device. The computer device comprising a memory storing a computer program and a processor implementing the steps of the code processing method of the first aspect described above when the processor executes the computer program,
in a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the code processing method of the first aspect described above.
The code processing method, the code processing device, the computer equipment and the storage medium comprise the following steps: acquiring information of a protected code, wherein the information comprises a starting address of the protected code and the memory size occupied by the protected code; creating a mapping section, and acquiring a handle of the mapping section; according to the handle of the mapping section and the information of the protected code, the protected code is mapped to the mapping section to obtain a protection code; according to the protected code and the protection code, a target file is obtained, the safety of the protected code is improved, and the problem that the code cannot be well protected by an anti-debugging method is solved.
Drawings
FIG. 1 is a schematic diagram of a related art anti-debug method;
FIG. 2 is a flow chart of a code processing method according to an embodiment of the application;
FIG. 3 is a schematic diagram of a program shelling process according to one embodiment of the present application;
FIG. 4 is a diagram illustrating an anti-debug method based on memory attributes according to an embodiment of the present application;
FIG. 5 is a block diagram of a code processing apparatus according to an embodiment of the present application;
fig. 6 is an internal structural view of a computer device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
Fig. 1 is a schematic diagram of an anti-debugging method in the related art, as shown in fig. 1, when implementing anti-debugging, a new program is generated by encrypting a whole code segment or a key code segment, then the code of the original program is decrypted and restored to a designated section position earlier when the new program runs, the execution flow of the program jumps to the decrypted code starting point after the decryption is completed, then the program starts to run normally, and during the period, the shell code and the encrypted code segment bring a certain obstacle to analysis of a hacker, thereby achieving the purpose of anti-debugging. The anti-debugging method in the related art has lower execution efficiency, and particularly when the content of the code segment is more or the encryption algorithm is more complex, the program executes too many instructions, so that the program execution efficiency is low. Secondly, the protection of the code is not thorough, and after an attacker such as a hacker searches the position of the decrypted code, the code encryption logic can be decrypted by a breakpoint analysis method.
In an embodiment, as shown in fig. 2, a code processing method is provided, where this embodiment is applied to a terminal to illustrate the method, it is understood that the method may also be applied to a server, and may also be applied to a system including the terminal and the server, and implemented through interaction between the terminal and the server. In this embodiment, the method includes the steps of:
in step S201, information of the protected code is obtained, where the information includes a start address of the protected code and a memory size occupied by the protected code. Wherein the protected code is code or key code segments in the PE file. Optionally, the protected code is loaded, and the starting address and the occupied memory size of the protected code after operation are obtained.
Step S202, a mapping section is newly built, and a handle of the mapping section is acquired. The mapping section is stored in the memory of the terminal. The handle of the map section is used to represent the map section. Optionally, the size, authority and other attributes of the mapping section are determined, and a mapping object stored in the memory, that is, the mapping section, is created according to the attributes. In the event that a mapping section is successfully created, a handle is returned to the mapping section, which is used to identify the mapping section.
Step S203, the protected code is mapped to the mapping section according to the handle of the mapping section, the information of the protected code and the view attribute of the protected code, and the protected code is obtained.
Wherein the view properties of the guard code include non-writable view properties. According to the handle of the mapping section, the starting address of the protected code, the memory size occupied by the protected code and the view attribute of the protected code, the protected code stored in the memory is mapped to the newly built mapping section in the memory, so that the remapping of the memory page is realized, and the protected code is obtained. In the protection codes, the starting address, the occupied memory range and the view attribute of the mapped protected codes are modified, so that the mapped protected codes cannot be written in or analyzed, and the safety of the protected codes is improved.
Step S204, obtaining the target file according to the protected code and the protection code. Optionally, the guard code is a cased code of the protected code. And merging the protection code and the protected code, and obtaining the target file according to the merged code. The target file is used for protecting the protected code and realizing the anti-debugging effect.
Through the steps S201 to S204, the protected code is mapped to the newly-built mapping section in the protection code, and the modification of the memory attribute of the protected code is implemented through the mapping of the memory, where the modification of the memory attribute includes the starting address, the memory range and the view attribute of the protected code in the memory. The mapping and attribute modification of the memory pages of the protected code are realized in the protected code, so that the running protected code has the characteristic of being unwritable, thereby preventing hackers and other attackers from performing breakpoint analysis and other debugging operations on the protected code, improving the safety of the protected code, and solving the problem that the code cannot be well protected by the anti-debugging method.
In one embodiment, creating the mapping section includes: and generating a mapping section according to the attribute of the mapping section, wherein the attribute of the mapping section comprises the authority of the mapping area and the size of the mapping area. Wherein, the authority of the mapping area comprises executable, size-extensible, readable and writable access authority. Optionally, the maximum size of the mapping area may be set to be the maximum value of the memory page, or the size of the memory occupied by the protected code may be obtained, and the mapping area is set according to the size of the memory occupied by the protected code, so as to ensure that the protected code may be successfully mapped to the mapping area.
The newly created mapping area further includes: generating a first parameter list according to the authority of the mapping area and the size of the mapping area; and calling a first function, writing a first parameter list into the first function, and generating a mapping section. Specifically, a first function is called, a first parameter list is transmitted into the first function, a return value is received, whether the call is successful is judged according to the return value, and if the call is successful, the handle of the mapping section is obtained while the mapping section is generated.
Illustratively, the first function is an NtCreateSection function, and the first parameter list includes: the method includes the steps of & SectionHandle (mapping SECTION HANDLE variable defined using HANDLE), SECTION_ALL_ACCESS (ACCESS right specifying HANDLE), obj (pointers for specifying attributes such as object name and security properties) & MaximmSize (maximum size specifying mapping SECTION, size of mapping SECTION in bytes), PAGE_EXECUTE_READ (PAGE readable and non-writable), SEC_COMMIT (immediately COMMIT them when allocating PAGEs for memory), NULL (HANDLE not specifying open file object).
Taking as an example setting the maximum size of the mapping area to the maximum value of the memory page, a variable of maximum size is defined using the LARGE_INTEGER (signed INTEGER value) and assigned 0x10000 to its QuadPart field. The access rights of the handle include: the permissions of the mapping area are queried, the mapping area is writable, the mapping area is readable, the mapping area is executable, the size of the mapping area is allowed to be expanded, and the SECTION_ALL_ACCESS indicates that the permissions are ALL set.
The first function NtCreateSection is an API (Application Programming Interface ) not disclosed by windows, and cannot realize direct call of the function. Thus, a first address of the first function needs to be obtained, and the first function is called through the first address.
Acquiring a first address of a first function, comprising: acquiring a handle of a function library, wherein the function library comprises a first function; and acquiring a first address in the function library through the handle of the function library. For better hiding behavior in the guard code, the required APIs are not called directly, but rather "ntdll.dll" (ntdll dynamically linked library) is loaded through LoadLibrary functions and the handle to the dll is obtained. In the case of retrieving a handle to a dynamically linked library, the address of the first function is retrieved. Alternatively, in the case of retrieving a handle to the dynamically linked library, the address of the first function is retrieved through API GetProcAddress.
Invoking a first function via a first address, comprising: acquiring a first address of a first function; defining a first null pointer conforming to the type of the first function pointer, and assigning a first address to the first null pointer to obtain the first function pointer; the first function is called by the first function pointer. Wherein the first null pointer is a pointer conforming to the definition of the first function. And assigning the first address to the first null pointer, and converting the function address into a first function pointer for calling the first function, thereby meeting the writing requirement of the protection code.
Optionally, the parameters used in the NtCreateSection API call are analyzed, the 3 rd parameter of the NtCreateSection API call is POBECT_ATTRIBUTES (pointer to target process handle), and the 3 rd field of the object_ATTRIBUTES structure is PUNICODE_STRING. Determining thereby that the first null pointer NtCreateSection is defined includes: defining an OBJECT of structure type object_ATTRIBUTES, its pointer type is POBECT_ATTRIBUTES; a unicode_string object is defined, whose pointer type is punecode_string.
In one embodiment, mapping the protected code to the mapping section according to the handle of the mapping section and the information of the protected code to obtain the protected code includes: generating a second parameter list according to the handle of the mapping section and the information of the protected code; and calling a second function, writing a second parameter list into the second function, and generating a protection code. Specifically, a second function is called, and a second parameter list is transmitted into the second function, so that the mapping of the protected codes is realized.
Illustratively, the second function is a ZwMapViewOfSection function, and the second parameter list includes: SECTION handle () (get current process), & BaseAddress (start address of protected code), 0 (specify the number of higher order addresses that must be zero in the SECTION view base), 0x10000 (specify the size of the region that the view originally submitted), NULL (pointer to variable that receives an offset from the node's beginning to the view), & view size (specify the region size to be mapped), (septon_inherit) 1,0, page_extract_read (page readable unwritable). After a second parameter list is transmitted into the second function, the protected code realizes mapping and acquires a PAGE_EXECUTE_READ identifier, so that the mapped code segment has executable and readable attributes and has no writable attribute, and the protection of the code is realized. No matter what method is used by an attacker, the writing operation can not be directly realized, so that the purpose of anti-debugging is achieved.
The second function zwmapview ofsection is an API not disclosed by windows, and direct call of the function cannot be realized. Thus, a second address of the second function needs to be obtained, through which the second function is called.
Acquiring a second address of a second function, comprising: acquiring a handle of a function library, wherein the function library comprises a second function; and acquiring a second address in the function library through the handle of the function library. For better hiding behavior in the guard code, the required APIs are not called directly, but "ntdll.dll" is loaded through the LoadLibrary function and the handle of the dll is obtained. In the case of a handle to the dynamically linked library, the address of the second function is obtained. Alternatively, in the case of obtaining the handle of the dynamically linked library, the address of the second function is obtained through API GetProcAddress.
Invoking a second function comprising: acquiring a second address of a second function; defining a second null pointer conforming to the type of the second function pointer, and assigning a second address to the second null pointer to obtain the second function pointer; the second function is called by the second function pointer. Wherein the second null pointer is a pointer conforming to the definition of the second function. And assigning the second address to a second null pointer, and converting the function address into a second function pointer for calling the second function, thereby meeting the writing requirement of the protection code.
Optionally, the parameters used in ZwMapViewOfSection API call are analyzed, the 8 th parameter of ZwMapViewOfSection API call is the seption_inherit type is the enumeration type, and its value may be 1 or 2. Determining thereby to define the second null pointer includes: a seption_inherit type object is defined.
In one embodiment, the obtaining the target file according to the protected code and the protection code further includes: acquiring an executable file comprising the protected code, and encrypting the protected code; and adding a new section in the executable file, and adding the protection code into the new section to generate the target file.
Optionally, the guard code is a shell code. The target file is an anti-debug file. After encrypting the protected code, a new section is added to the executable file including the protected code, and the protected code is migrated to the new section. At this time, the code execution flow is preferentially obtained before the program corresponding to the target file is started, the importing table of the original program is repaired, and if the original program is started with a random base address, the relocation repair is performed on the source program. After the code of the shell is executed, the control right is returned to the original program, and the original program runs normally.
Fig. 3 is a schematic diagram of a program shelling, as shown in fig. 3, comprising: the information of each field of the PE file (Portable Executable, portable executable file) is read and stored, and the protected code segment is subjected to protection operation such as encryption and the like. And acquiring written shell (computer shell) shell codes. The executable OEP (entry point) is modified such that the entry point points to the shell code. And according to the entry point, repositioning the shell codes, so that the shell codes are added into the new section of the PE file, and the PE file with the shell is generated, namely the target file.
Wherein the shell code framework can decrypt the code of the original program in the shell code according to the protection operation performed on the protected code. The method comprises the steps of obtaining a code execution flow before the program is started, repairing an import table (IAT) of an original program, and giving control right to the original program after the code of the shell is executed, wherein the original program runs normally.
In one embodiment, fig. 4 is a schematic diagram of an anti-debug method based on memory attributes, as shown in fig. 4, including:
and writing a shell code framework, and analyzing an NtCreateSection function and a ZwMapViewOfSection function. The first null pointer and the second null pointer are defined according to parameters used by the ntcreateselectionapi call and parameters used by the ZwMapViewOfSection API call.
And loading a system file corresponding to the "ntdll.dll" dynamic link library, and acquiring a handle of the dynamic link library. Comprising the following steps: the borrowing LoadLibrary API loads "ntdll. Dll" and obtains a handle to the dynamically linked library.
And acquiring the NtCreateSection function address to obtain a first address, and assigning the first address to the function pointer, namely a first null pointer. And obtaining the ZwMapViewOfSection function address to obtain a second address, and assigning the second address to the function pointer, namely a second null pointer. Optionally, after obtaining the handle of the dynamic link library, the function address of the NtCreateSection function and the function address of the ZwMapViewOfSection are obtained through GetProcAddress API.
The configuration parameter list calls NtCreateSection. An obj variable is defined and initialized according to the object_attributes structure type. According to the handle of the dynamic link library and the first function pointer, calling a first function NtCreateSection, configuring and sequentially transmitting the first function NtCreateSection into a first parameter list: sectionHandle, SECTION ALL ACCESS, & obj, & MaximumSize, PAGE _EXECUTE_READ, SEC_COMMIT, NULL. Judging whether the call is successful or not through the received return value, and if the call is successful, acquiring a handle of the mapping Section.
And acquiring the starting address and the occupied memory size of the original program code section after loading and running. Wherein the original program code is protected code.
The configuration parameter list calls the zwmapview ofsection function. A pointer BaseAddress is defined using pvoh id (pointer type) and the first address of the protected code segment is assigned to BaseAddress. A ViewSize variable is defined using SIZE_T (variable type). According to the handle of the dynamic link library and the first function pointer, calling a first function NtCreateSection, configuring and sequentially transmitting the first function NtCreateSection into a first parameter list: sectionHandle, SECTION ALL ACCESS, & obj, & MaximumSize, PAGE _EXECUTE_READ, SEC_COMMIT, NULL.
And generating a mapped protected code, and testing whether breakpoint judgment can be carried out on the mapped protected code. If the breakpoint debugging operation can be carried out on the mapped protected code, the test is not in line with the expectation, the code writing is judged to be wrong, and the function pointer and the structure type are redefined; if the breakpoint debugging operation can not be carried out on the mapped protected code, the test meets the expectations, the shell code for anti-debugging is successfully generated, and the shell code is used as the anti-debugging code.
The anti-debugging method based on the memory attribute can be applied to all programs running under windows, has good compatibility, and has high execution efficiency without executing redundant instructions; using windows official unpublished API, the purpose of anti-debugging and anti-hook is achieved by remapping memory pages in the shell code and then modifying memory attributes.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a code processing device for realizing the above related method of the code processing device. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation of one or more embodiments of the code processing apparatus provided below may refer to the limitation of the method of the code processing apparatus, which is not repeated herein.
In one embodiment, as shown in fig. 5, there is provided a code processing apparatus including: the device comprises an acquisition module, a mapping module and a generation module, wherein the acquisition module, the mapping module and the generation module are used for acquiring the data of the data;
the system comprises an acquisition module, a storage module and a storage module, wherein the acquisition module is used for acquiring information of a protected code, and the information comprises a starting address of the protected code and the memory size occupied by the protected code;
the mapping module is used for creating a mapping section and acquiring a handle of the mapping section; mapping the protected code to the mapping section according to the handle of the mapping section, the information of the protected code and the view attribute of the protected code to obtain the protected code;
and the generating module is used for obtaining the target file according to the protected code and the protection code.
The code processing apparatus may also implement the code processing method in any of the foregoing embodiments. Each of the modules in the above-described code processing apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a code processing apparatus method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 6 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, a computer device is provided, comprising a memory and a processor, the memory storing a computer program, the processor executing the code processing method of any of the embodiments described above when the computer program is executed.
In one embodiment, a computer readable storage medium is provided, on which a computer program is stored, which when executed by a processor, provides the code processing method of any of the above embodiments.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.
Claims (12)
1. A method of code processing, the method comprising:
acquiring information of a protected code, wherein the information comprises a starting address of the protected code and the memory size occupied by the protected code;
creating a mapping section, and acquiring a handle of the mapping section;
mapping the protected code to the mapping section according to the handle of the mapping section, the information of the protected code and the view attribute of the protected code to obtain the protected code;
and obtaining the target file according to the protected code and the protection code.
2. The code processing method of claim 1, wherein creating a mapping section comprises:
and generating the mapping section according to the attribute of the mapping section, wherein the attribute of the mapping section comprises the authority of the mapping area and the size of the mapping area.
3. The code processing method of claim 2, wherein generating the mapping section based on the attribute of the mapping section comprises:
generating a first parameter list according to the authority of the mapping area and the size of the mapping area;
and calling a first function, writing the first parameter list into the first function, and generating the mapping section.
4. A code processing method according to claim 3, wherein invoking the first function comprises:
acquiring a first address of a first function;
defining a first null pointer conforming to the first function pointer type, and assigning the first address to the first null pointer to obtain the first function pointer;
and calling the first function according to the first function pointer.
5. The code processing method of claim 4, wherein obtaining the first address of the first function comprises:
acquiring a handle of a function library, wherein the function library comprises the first function;
and acquiring the first address in the function library according to the handle of the function library.
6. The code processing method according to claim 1, wherein mapping the protected code to the mapping section according to a handle of the mapping section, information of the protected code, and view properties of the protected code, to obtain the protected code, comprises:
generating a second parameter list according to the handle of the mapping section, the information of the protected code and the view attribute of the protection code;
and calling a second function, writing a second parameter list into the second function, and generating the protection code.
7. The code processing method of claim 6, wherein invoking the second function comprises:
acquiring a second address of a second function;
defining a second null pointer conforming to the second function pointer type, and assigning the second address to the second null pointer to obtain the second function pointer;
and calling the second function according to the second function pointer.
8. The code processing method of claim 7, wherein obtaining the second address of the second function comprises:
acquiring a handle of a function library, wherein the function library comprises the second function;
and acquiring the second address in the function library according to the handle of the function library.
9. The code processing method according to claim 1, wherein a target file is obtained from the protected code and the guard code, further comprising:
acquiring an executable file comprising the protected code, and encrypting the protected code;
and adding a new section in the executable file, and adding the protection code into the new section to generate the target file.
10. A code processing apparatus, the apparatus comprising:
the system comprises an acquisition module, a storage module and a storage module, wherein the acquisition module is used for acquiring information of a protected code, and the information comprises a starting address of the protected code and the memory size occupied by the protected code;
the mapping module is used for creating a mapping section and acquiring a handle of the mapping section; mapping the protected code to the mapping section according to the handle of the mapping section, the information of the protected code and the view attribute of the protected code to obtain the protected code;
and the generating module is used for obtaining the target file according to the protected code and the protection code.
11. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the code processing method of any of claims 1 to 9 when the computer program is executed.
12. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the code processing method of any of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310622401.XA CN116738382A (en) | 2023-05-29 | 2023-05-29 | Code processing method, device, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310622401.XA CN116738382A (en) | 2023-05-29 | 2023-05-29 | Code processing method, device, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116738382A true CN116738382A (en) | 2023-09-12 |
Family
ID=87917889
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310622401.XA Pending CN116738382A (en) | 2023-05-29 | 2023-05-29 | Code processing method, device, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116738382A (en) |
-
2023
- 2023-05-29 CN CN202310622401.XA patent/CN116738382A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111052115B (en) | Data processing apparatus and method of authentication depending on call path | |
| CN106203006A (en) | Android application reinforcement means based on dex Yu so file Dynamic Execution | |
| US11822654B2 (en) | System and method for runtime detection, analysis and signature determination of obfuscated malicious code | |
| US10586026B2 (en) | Simple obfuscation of text data in binary files | |
| US20160275019A1 (en) | Method and apparatus for protecting dynamic libraries | |
| CN107273723B (en) | So file shell adding-based Android platform application software protection method | |
| EP2891104B1 (en) | Detecting a malware process | |
| CN109598107B (en) | Code conversion method and device based on application installation package file | |
| CN104318155A (en) | Dynamic loading method capable of guarding against reverse APK file | |
| CN106845167A (en) | The reinforcement means and device of a kind of APK, and dynamic loading method and device | |
| US20210089684A1 (en) | Controlled access to data stored in a secure partition | |
| CN104834838B (en) | Prevent the method and device of DEX file unloading from internal memory | |
| US20150186681A1 (en) | Method of encryption and decryption for shared library in open operating system | |
| Zhang et al. | A code protection scheme by process memory relocation for android devices | |
| CN108985096B (en) | Security enhancement and security operation method and device for Android SQLite database | |
| CN107122656A (en) | It is a kind of that the outside method and apparatus debugged are prevented by Self-debugging | |
| CN112035803B (en) | Protection method and device based on Windows platform software | |
| US11947666B2 (en) | Systems and methods for exploit prevention and malicious code neutralization using non-predictable results for JavaScript-enabled applications | |
| RU2467389C1 (en) | Method of protecting software and dataware from unauthorised use | |
| CN110298175A (en) | A kind of processing method and relevant apparatus of dll file | |
| CN116738382A (en) | Code processing method, device, computer equipment and storage medium | |
| CN104615935B (en) | A kind of hidden method towards Xen virtual platforms | |
| US20190163885A1 (en) | Apparatus and method of providing security and apparatus and method of executing security for common intermediate language | |
| KR101556908B1 (en) | Apparatus For Protecting Binary Code | |
| KR102615080B1 (en) | Device for hiding application code, method for hiding application code and computer program stored in a recording medium to execute the method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |