CN118153078A - General HOOK method and system for mapping memory of Windows system - Google Patents

Publication number: CN118153078A
Authority: CN (China)
Application number: CN202410566935.XA
Original language: Chinese (zh)
Legal status: Pending
Prior art keywords: memory, read, exception, data, encryption
Inventors: 苑明飞, 朱文雷, 张子墨, 颜彬林, 崔勤
Assignee (original and current): Beijing Changting Future Technology Co ltd
Classification: Storage Device Security

Abstract

The invention provides a general HOOK method and a general HOOK system for the mapped memory of a Windows system, in the technical field of memory mapping. When a program executes and creates a file, an exception handler is registered in the patch. When the program executes the memory-mapping function, the patch clears the read-write attribute of the memory area so that any access forcibly triggers an exception, modifies the exception monitoring range to cover the memory area, and traverses the encryption chain of the current memory area to query whether a previous mapping encrypted it; if so, the area is decrypted in sequence. After the memory mapping is finished, every read or write to the area enters the exception-handling logic in the patch, which judges whether the exception is an expected one, then judges whether it was triggered by a read or a write and enters the read- or write-instruction simulation logic respectively. When the current mapping is closed by calling the memory-mapping function, the context is set up according to the encryption chain and the previously decrypted data is encrypted again.

Description

General HOOK method and system for mapping memory of Windows system
Technical Field
The invention relates to a memory mapping technology, in particular to a general HOOK method and a general HOOK system for mapping a memory of a Windows system.
Background
In a Windows system, a program usually accesses a large file through file mapping, which maps the file contents into the address space of the process so that the program can access the file data as if it were memory, improving the efficiency of reading and writing the file. File mapping, however, also creates a security risk for the data: file data resident in memory may be stolen or tampered with by malicious programs.
A common way to protect the data in a file-mapped area is to encrypt the file data. The traditional approach encrypts the file when it is written to disk and decrypts it when it is read. Its drawbacks are that the encryption and decryption process affects the efficiency of reading and writing the file, and that it is easily bypassed by malicious programs through code injection and similar means.
Disclosure of Invention
The embodiments of the present invention provide a general HOOK method and a general HOOK system for the mapped memory of a Windows system, which address at least some of the problems in the prior art.
In a first aspect of an embodiment of the present invention,
the general HOOK method for mapping the memory of a Windows system comprises the following steps:
when the program executes the CreateFile function, registering an exception handler in the patch and hooking the MapViewOfFile, UnmapViewOfFile and CloseHandle functions by means of an API HOOK;
when the program executes the MapViewOfFile function, clearing the read-write attribute of the memory area in the patch so that access forcibly triggers an exception, modifying the exception monitoring range to cover the memory area, traversing the encryption chain of the current memory area to query whether it was encrypted by a previous mapping and, if so, decrypting it in sequence;
after the memory mapping is finished, entering the exception-handling logic in the patch on each memory read or write, judging whether the exception is an expected one, then judging whether it was triggered by a read or a write and entering the read- or write-instruction simulation logic respectively, and, when the current mapping is closed by calling the UnmapViewOfFile function, setting up the context according to the encryption chain and encrypting the previously decrypted data again.
In an alternative embodiment of the present invention,
judging whether the exception is expected, then judging whether its trigger type is read or write and entering the read- or write-instruction simulation logic respectively, comprises the following steps:
in the exception-handling logic, judging whether the memory address that triggered the exception lies within the previously set exception monitoring range; if so, the exception is an expected one, and if not, it is some other exception and the handler returns directly without processing it;
if the trigger type is a read operation or a write operation, entering the corresponding read-instruction simulation logic or write-instruction simulation logic respectively.
In an alternative embodiment of the present invention,
the method further comprises the following steps:
in the read-instruction simulation logic, first querying, according to the faulting memory address and the read length, whether that range is contained in the encryption chain;
if it is not contained, the data to be read is not encrypted, so the memory data is read directly and returned to the program;
if decryption is needed, the data to be read is decrypted according to the algorithm and key information recorded in the encryption chain, the decrypted data is stored temporarily in the patch buffer, the register value in the exception context is modified to point to the patch buffer, and control then returns.
In an alternative embodiment of the present invention,
the method further comprises the following steps:
in the write-instruction simulation logic, if the length of the written data exceeds the length of the data already recorded in the encryption chain, which indicates that new data needs to be encrypted, the newly written data is encrypted according to the encryption algorithm and key preset by the program, and the encryption information is added to the encryption chain;
if the written data does not exceed the encryption chain length, it is encrypted according to the information in the encryption chain and then written into memory; after the write is completed, the registers in the exception context are modified so that the program can continue executing;
when encrypting data, if the length of the data to be encrypted has not reached the block size of the encryption algorithm, the data is cached in the patch buffer and waits to be encrypted together with subsequently written data, so that efficiency is not reduced by frequent encryption and decryption.
In an alternative embodiment of the present invention,
after the memory mapping is finished, the exception-handling logic entered in the patch on a memory read or write comprises the following steps:
reading the source operand, destination operand and opcode of the current instruction by means of a disassembly engine;
judging whether the operation is a write; if so, reading the value actually to be written according to the type of the source operand;
encrypting the value to be written;
restoring the writable attribute of the faulting address, simulating the write according to the opcode type, and writing the encrypted content into memory;
removing the writable attribute of the memory again;
if the operation is a read, judging whether the memory area of the destination operand is encrypted; if so, decrypting it and writing the decryption result into the destination operand;
modifying the register value in the exception context to point to the correct address and returning so that the program continues executing.
In an alternative embodiment of the present invention,
when the current mapping is closed by calling the UnmapViewOfFile function, setting up the context according to the encryption chain and encrypting the previously decrypted data again comprises the following steps:
when the program calls the UnmapViewOfFile function to close the current memory mapping, encrypting the data in the mapped memory according to the records in the encryption chain, so as to ensure that the data written back to disk is encrypted;
after encryption is completed, modifying the memory attribute of the encryption buffer according to the encryption chain information so that it becomes readable, and modifying the exception monitoring range so that subsequent read and write operations proceed normally without triggering the exception any more, completing the final clean-up of the context.
In an alternative embodiment of the present invention,
encrypting the data in the mapped memory according to the records in the encryption chain when the program calls the UnmapViewOfFile function to close the current memory mapping, then modifying the memory attribute of the encryption buffer according to the encryption chain information so that it becomes readable, modifying the exception monitoring range so that subsequent read and write operations proceed normally without triggering the exception any more, and completing the final clean-up of the context, comprises:
for each memory block, calling the corresponding encryption function to encrypt the data in the block according to the encryption algorithm and key recorded in the encryption chain, and overwriting the original plaintext with the encrypted data;
modifying the memory page attribute to readable and writable by means of the VirtualProtect function, and removing the encrypted memory block region from the monitoring range in the exception handler.
In a second aspect of an embodiment of the present invention, there is also provided a general HOOK system for mapping the memory of a Windows system, including:
a first unit for registering an exception handler in the patch when the program executes the CreateFile function, and hooking the MapViewOfFile, UnmapViewOfFile and CloseHandle functions by means of an API HOOK;
a second unit for, when the program executes the MapViewOfFile function, clearing the read-write attribute of the memory area in the patch so that access forcibly triggers an exception, modifying the exception monitoring range to cover the memory area, traversing the encryption chain of the current memory area to query whether it was encrypted by a previous mapping and, if so, decrypting it in sequence;
and a third unit for entering the exception-handling logic in the patch on each memory read or write after the mapping is finished, judging whether the exception is an expected one, then judging whether it was triggered by a read or a write and entering the read- or write-instruction simulation logic respectively, and, when the current mapping is closed by calling the UnmapViewOfFile function, setting up the context according to the encryption chain and encrypting the previously decrypted data again.
In a third aspect of an embodiment of the present invention,
There is provided an electronic device including:
A processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to invoke the instructions stored in the memory to perform the method described previously.
In a fourth aspect of an embodiment of the present invention,
There is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method as described above.
By registering the exception handler and the API HOOK in the patch, the application monitors the entire file-mapping process: it can encrypt file data as soon as it is mapped into memory and decrypt it dynamically when the program reads or writes that memory, so the data is protected in real time. Memory read and write operations are captured through the exception-handling mechanism: the exception is forcibly triggered by clearing the read-write attribute of the memory area, and the read or write instruction is then simulated, with the data encrypted or decrypted, inside the exception-handling function, so memory operations are intercepted transparently without affecting the normal running of the program.
The concept of an encryption chain records the encryption state and order of each memory area, so that multiple encryptions of the same area are handled correctly, the performance loss of repeated encryption is avoided, and data correctness is ensured. Re-encrypting the data according to the encryption chain in the UnmapViewOfFile function ensures that file data is stored in ciphertext form when written back to disk, further improving data security. The whole encryption and decryption process takes place in the patch code and the program's source code need not be modified, so the method is general and transparent and can be applied conveniently to any program that uses file mapping.
Drawings
FIG. 1 is a flowchart of a general HOOK method for mapping the memory of a Windows system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a general HOOK system for mapping the memory of a Windows system according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The technical scheme of the invention is described in detail below by specific examples. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
FIG. 1 is a flowchart of a general HOOK method for mapping the memory of a Windows system according to an embodiment of the present invention. As shown in FIG. 1, the method includes:
S101, when a program executes the CreateFile function, registering an exception handler in the patch and hooking the MapViewOfFile, UnmapViewOfFile and CloseHandle functions by means of an API HOOK, where the CreateFile function obtains the handle of the target file, the MapViewOfFile function divides the mapping into blocks and returns the starting address (pointer) of a block (buffer), the UnmapViewOfFile function ends the mapping of a block, and the CloseHandle function closes the handle;
S102, when the program executes the MapViewOfFile function, clearing the read-write attribute of the memory area in the patch so that access forcibly triggers an exception, modifying the exception monitoring range to cover the memory area, traversing the encryption chain of the current memory area to query whether it was encrypted by a previous mapping and, if so, decrypting it in sequence;
S103, after the memory mapping is finished, entering the exception-handling logic in the patch on each memory read or write, judging whether the exception is an expected one, then judging whether it was triggered by a read or a write and entering the read- or write-instruction simulation logic respectively, and, when the current mapping is closed by calling the UnmapViewOfFile function, setting up the context according to the encryption chain and encrypting the previously decrypted data again.
In an alternative embodiment of the present invention,
entering the exception-handling logic in the patch on each memory read or write after the mapping is finished, judging whether the exception is an expected one, then judging whether it was triggered by a read or a write and entering the read- or write-instruction simulation logic respectively, and, when the current mapping is closed by calling the UnmapViewOfFile function, setting up the context according to the encryption chain and re-encrypting the previously decrypted data, comprises the following steps:
after the memory mapping is finished, any read or write by the program to the mapped memory triggers an exception and enters the exception-handling logic in the patch, because the patch cleared the read-write attribute of the memory area beforehand;
in the exception-handling logic, first judging whether the memory address that triggered the exception lies within the previously set exception monitoring range; if so, the exception is an expected one; otherwise it is some other exception that does not need handling, and the handler returns directly;
if the trigger type is a read operation or a write operation, entering the corresponding read-instruction simulation logic or write-instruction simulation logic respectively.
In an alternative embodiment of the present invention,
after the memory mapping is finished, the exception-handling logic entered in the patch on a memory read or write comprises:
reading the source operand, destination operand and opcode of the current instruction by means of a disassembly engine;
judging whether the operation is a write; if so, reading the value actually to be written according to the type of the source operand;
encrypting the value to be written;
restoring the writable attribute of the faulting address, simulating the write according to the opcode type, and writing the encrypted content into memory;
removing the writable attribute of the memory again;
if the operation is a read, judging whether the memory area of the destination operand is encrypted; if so, decrypting it and writing the decryption result into the destination operand;
modifying the register value in the exception context to point to the correct address and returning so that the program continues executing.
In an alternative embodiment of the present invention,
when the current mapping is closed by calling the UnmapViewOfFile function, setting up the context according to the encryption chain and re-encrypting the previously decrypted data comprises:
when the program calls the UnmapViewOfFile function to close the current memory mapping, encrypting the data in the mapped memory according to the records in the encryption chain, so as to ensure that the data written back to disk is encrypted;
after encryption is completed, modifying the memory attribute of the encryption buffer according to the encryption chain information so that it becomes readable, and modifying the exception monitoring range so that subsequent read and write operations proceed normally without triggering the exception any more, completing the final clean-up of the context.
One embodiment of the application is as follows:
Specifically, when the target program calls the CreateFile function to create or open a file, the patch program first performs a series of initialization operations, including registering the exception handler and hooking the MapViewOfFile, UnmapViewOfFile and CloseHandle functions with the API HOOK technique. Here the CreateFile function obtains the handle of the target file; the MapViewOfFile function maps the file data into the address space of the process, divides the mapped memory into blocks of a specified size and returns the starting address of each block; the UnmapViewOfFile function ends the mapping of the specified memory block; and the CloseHandle function closes the opened file handle.
Then, when the target program calls the MapViewOfFile function to map the file into memory, the patch program gives the mapped memory area special treatment. First, it temporarily clears the read-write attribute of the area, so that any access forcibly triggers an access exception. At the same time, the patch program modifies the exception monitoring range to bring the area under monitoring, so that subsequent reads and writes can be intercepted. In addition, the patch program traverses the encryption linked list to check whether the current memory area was encrypted by a previous mapping operation; if so, the data must be decrypted in the order in which it was encrypted so that it remains usable.
Once the file data has been mapped into memory, every read or write by the target program to that memory area triggers an exception and enters the exception-handling logic of the patch program. There, the patch program first judges whether the address that triggered the exception lies within the monitoring range. If so, the exception is an expected one that needs further processing; otherwise the patch program treats it as some other exception and returns directly.
Having determined that the exception is a legitimate one, the patch program further determines whether it was triggered by a read or a write. For a read, it queries the encryption linked list by memory address and read length to judge whether the data to be read is encrypted. If it is, the data is decrypted according to the recorded algorithm and key information, the decrypted data is stored temporarily in the patch buffer, and the register value in the exception context is modified to point to the patch buffer, so that the target program reads the correct data. If the data is not encrypted, it is read directly from memory and returned.
For a write, the patch program compares the length of the written data with the length of the data already in the encryption chain table. If the written data is longer, new data needs to be encrypted: it is encrypted with the preset encryption algorithm and key and the encryption information is added to the encryption linked list; if the written data is shorter, it is encrypted and written straight into memory. If the data to be encrypted is less than one cipher block, it is cached in the patch buffer and encrypted together with subsequently written data, which improves efficiency. After the write is completed, the patch program modifies the exception context so that the target program continues executing.
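The read- and write-instruction simulation and the encryption chain they consult, modelled in portable C as an added example (not the patent's code): records of (offset, length, key), new data beyond the chain's extent getting a fresh record, sub-block writes buffered until a full block, and reads served from the patch buffer after decryption. The XOR keystream, PRESET_KEY and all function names are stand-ins for the real cipher, key and patch routines.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical names; PRESET_KEY stands in for the program's configured key,
 * the XOR keystream for a real block cipher such as AES. */
#define CHAIN_MAX  16
#define BLOCK_SIZE 8      /* writes shorter than this are buffered */
#define PATCH_BUF  256    /* buffer that emulated reads are served from */
#define PRESET_KEY 0x5A

typedef struct { size_t offset, length; uint8_t key; } chain_entry;

typedef struct {
    uint8_t    *mem;                 /* the mapped view: always ciphertext */
    size_t      mem_len;
    chain_entry chain[CHAIN_MAX];    /* the "encryption chain" */
    size_t      chain_len, encrypted_len;
    uint8_t     pending[BLOCK_SIZE]; /* plaintext waiting for a full block */
    size_t      pending_len, pending_off;
    uint8_t     patch_buf[PATCH_BUF];
} mapping_ctx;

/* Record (if any) that encrypts the byte at pos. */
static const chain_entry *chain_lookup(const mapping_ctx *c, size_t pos)
{
    for (size_t i = 0; i < c->chain_len; i++)
        if (pos >= c->chain[i].offset &&
            pos < c->chain[i].offset + c->chain[i].length)
            return &c->chain[i];
    return NULL;
}

/* Stand-in keystream byte, position dependent so any sub-range of a record
 * can be encrypted or decrypted on its own. */
static uint8_t keystream(const chain_entry *e, size_t pos)
{
    return (uint8_t)(e->key + (pos - e->offset));
}

/* Encrypt n plaintext bytes into the mapping at off. Bytes past the chain's
 * extent are new data and get a fresh record; covered bytes use theirs. */
static bool store_encrypted(mapping_ctx *c, size_t off, const uint8_t *src, size_t n)
{
    if (off + n > c->mem_len) return false;
    if (off + n > c->encrypted_len) {
        if (c->chain_len == CHAIN_MAX) return false;
        size_t start = off > c->encrypted_len ? off : c->encrypted_len;
        chain_entry *e = &c->chain[c->chain_len++];
        e->offset = start; e->length = off + n - start; e->key = PRESET_KEY;
        c->encrypted_len = off + n;
    }
    for (size_t i = 0; i < n; i++) {
        const chain_entry *e = chain_lookup(c, off + i);
        c->mem[off + i] = e ? src[i] ^ keystream(e, off + i) : src[i];
    }
    return true;
}

/* Encrypt whatever is still buffered: when a block fills, before a read, on a
 * non-contiguous write, and at unmap so only ciphertext reaches the file. */
bool chain_flush(mapping_ctx *c)
{
    if (c->pending_len == 0) return true;
    bool ok = store_encrypted(c, c->pending_off, c->pending, c->pending_len);
    c->pending_off += c->pending_len;
    c->pending_len = 0;
    return ok;
}

/* Write-instruction simulation: sub-block writes accumulate so the cipher
 * runs once per block rather than once per faulting store. */
bool emulate_write(mapping_ctx *c, size_t off, const uint8_t *src, size_t n)
{
    if (c->pending_len && off != c->pending_off + c->pending_len && !chain_flush(c))
        return false;
    if (c->pending_len == 0) c->pending_off = off;
    while (n > 0) {
        size_t room = BLOCK_SIZE - c->pending_len;
        size_t take = n < room ? n : room;
        memcpy(c->pending + c->pending_len, src, take);
        c->pending_len += take; src += take; n -= take;
        if (c->pending_len == BLOCK_SIZE && !chain_flush(c)) return false;
    }
    return true;
}

/* Read-instruction simulation: returns the address the faulting load is
 * redirected to. Encrypted bytes are decrypted into the patch buffer; a
 * range the chain never recorded is served from memory as it is. */
const uint8_t *emulate_read(mapping_ctx *c, size_t off, size_t n)
{
    if (off + n > c->mem_len || n > PATCH_BUF || !chain_flush(c)) return NULL;
    bool encrypted = false;
    for (size_t i = 0; i < n; i++) {
        const chain_entry *e = chain_lookup(c, off + i);
        c->patch_buf[i] = e ? c->mem[off + i] ^ keystream(e, off + i) : c->mem[off + i];
        encrypted |= (e != NULL);
    }
    return encrypted ? c->patch_buf : c->mem + off;
}
```

A 12-byte write stores one full block immediately and leaves four bytes pending; the next read flushes them into a second chain record before decrypting.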
When the target program calls the UnmapViewOfFile function to end the memory mapping, the patch program traverses the encryption linked list again and encrypts the memory data according to the recorded information, so that everything written back to disk is in ciphertext form and cannot leak. After encryption is completed, the patch program modifies the attribute of the encryption buffer so that it becomes readable and adjusts the exception monitoring range so that subsequent reads and writes proceed normally.
To intercept and simulate read and write operations accurately, the patch program uses a disassembly engine to analyze the current instruction dynamically when the exception occurs and to extract key information such as the opcode, source operand and destination operand. This information lets the patch program determine the type of the current memory operation precisely and perform the corresponding encryption or decryption as required.
In summary, the invention uses the exception-handling mechanism to implement a complete memory-encryption scheme at user level. By intercepting the key APIs and adjusting memory attributes dynamically, the scheme provides real-time encryption protection for file-mapped memory without modifying the target program's code, and effectively prevents the memory data from being read or tampered with maliciously. At the same time, because of the disassembly engine and the encryption caching mechanism, the scheme has little impact on the target program's performance. In addition, since the encryption is implemented in the patch program, the scheme is general and portable and can be applied conveniently to any program that uses file memory mapping.
In addition, when implementing the API hooks, besides the conventional technique of modifying the function header, more concealed approaches such as IAT (Import Address Table) hooks or inline hooks may be considered to avoid detection by anti-debugging tools. An IAT hook works by modifying the function address in the IAT so that it points to the patch function; an inline hook works by directly modifying the target function's assembly instructions, inserting a jump into the function to transfer the execution flow to the patch code.
For the exception-handling mechanism, a variety of implementations may be considered. For example, in addition to SEH (structured exception handling), VEH (vectored exception handling) may be used. The advantage of VEH over SEH is that all exceptions of the process and its threads can be captured and it is not easily bypassed by anti-debugging tools. Furthermore, if the injected patch code lies outside the address space of the target process, hardware breakpoints or page breakpoints may also be used to capture memory access events.
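The page-protection and exception-monitoring mechanism of steps S102 and S103, as an added example that is not part of the patent: a portable C model in which POSIX mprotect() and a SIGSEGV handler stand in for VirtualProtect() and a vectored exception handler. The region holds constructed ciphertext with its read-write attribute cleared; a fault inside the monitored range is an expected one (the page is decrypted and the instruction re-executes), any other fault is handed back to the previous handler, and at unmap time only the pages that were decrypted are re-encrypted. All names are hypothetical, and whole-page decryption on first touch replaces the patent's per-instruction emulation.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names. POSIX stand-ins for the Windows calls: mprotect() for
 * VirtualProtect(), sigaction(SIGSEGV) for a vectored exception handler.
 * Simplification: a page is decrypted whole on first touch instead of
 * emulating the single faulting instruction as the patent describes. */
#define MAX_PAGES 8

static uint8_t *g_base;               /* the exception monitoring range */
static size_t   g_len, g_page;
static uint8_t  g_plain[MAX_PAGES];   /* pages currently holding plaintext */
static const uint8_t g_key = 0x5A;    /* constructed stand-in key */
static volatile sig_atomic_t g_faults;
static struct sigaction g_prev;

static void xor_bytes(uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) p[i] ^= g_key;
}

/* Exception logic: a fault inside the monitored range is expected, so the
 * page is made accessible and decrypted and the faulting instruction just
 * re-executes. Anything else is "some other exception": the previous
 * handler is put back and receives the signal when the access re-faults. */
static void on_fault(int sig, siginfo_t *si, void *uctx)
{
    uint8_t *addr = (uint8_t *)si->si_addr;
    (void)sig; (void)uctx;
    if (g_base == NULL || addr < g_base || addr >= g_base + g_len) {
        sigaction(SIGSEGV, &g_prev, NULL);
        return;
    }
    size_t idx = (size_t)(addr - g_base) / g_page;
    mprotect(g_base + idx * g_page, g_page, PROT_READ | PROT_WRITE);
    xor_bytes(g_base + idx * g_page, g_page);   /* decrypt in place */
    g_plain[idx] = 1;
    g_faults++;
}

/* MapViewOfFile stand-in: fill a region with constructed ciphertext, clear
 * its read-write attribute, make it the monitoring range, install handler. */
uint8_t *watch_map(size_t pages)
{
    struct sigaction sa;
    if (pages > MAX_PAGES) return NULL;
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    g_len = pages * g_page;
    uint8_t *p = mmap(NULL, g_len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    for (size_t i = 0; i < g_len; i++) p[i] = (uint8_t)i ^ g_key;
    memset(g_plain, 0, sizeof g_plain);
    g_faults = 0;
    mprotect(p, g_len, PROT_NONE);
    g_base = p;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &g_prev);
    return p;
}

/* UnmapViewOfFile stand-in: re-encrypt exactly the pages that were decrypted,
 * leave the region readable, drop it from monitoring, restore the handler.
 * The pages stay mapped so the caller can inspect what would be written back. */
void watch_seal(uint8_t *p)
{
    mprotect(p, g_len, PROT_READ | PROT_WRITE);
    for (size_t i = 0; i < g_len / g_page; i++)
        if (g_plain[i]) { xor_bytes(p + i * g_page, g_page); g_plain[i] = 0; }
    sigaction(SIGSEGV, &g_prev, NULL);
    g_base = NULL;
}

/* Maps 4 pages, reads one byte from each of the first `touch` pages (checking
 * it decrypted to its plaintext value (uint8_t)offset), seals, and checks the
 * whole region is ciphertext again. Returns the number of expected faults
 * taken, or a negative code on failure. */
int watch_demo(size_t touch)
{
    uint8_t *p = watch_map(4);
    if (p == NULL) return -2;
    int rc = 0;
    for (size_t i = 0; i < touch && rc == 0; i++)
        if (p[i * g_page + 1] != (uint8_t)(i * g_page + 1)) rc = -1;
    if (rc == 0) rc = (int)g_faults;
    watch_seal(p);
    for (size_t i = 0; i < g_len; i++)
        if (p[i] != ((uint8_t)i ^ g_key)) rc = -3;
    munmap(p, g_len);
    return rc;
}
```

Each touched page costs exactly one expected fault, and untouched pages are never decrypted, so sealing restores a region that is ciphertext throughout.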
The encryption algorithm can be chosen according to actual requirements. For scenarios with high performance requirements, symmetric algorithms such as AES or ChaCha20 can be used; if higher security is required, asymmetric algorithms such as RSA or ECC can be used. Meanwhile, to prevent the key from being analyzed and extracted maliciously, white-box cryptography can be adopted to protect the key, blending it into the code logic and increasing the difficulty of reverse analysis.
To further increase the flexibility and concealment of the encryption, some randomization may be introduced into the encryption process. For example, using different keys or algorithms for different memory blocks prevents an attacker from easily inferring the complete encryption scheme; inserting random dummy elements into the encryption linked list disturbs the attacker's analysis and location of the real data; and permuting and splitting the encrypted data so that it is stored scattered across different memory areas makes the storage layout more complex and unpredictable.
During exception handling, some anti-debugging and anti-injection measures may be introduced to prevent the patch code from being analyzed and modified maliciously. For example, an anti-debugging trap set in the exception-handling function detects whether the process is currently being debugged and, if so, triggers self-destruction or fake handling logic; the integrity of the memory area holding the patch code can also be checked periodically, and if the code is found to have been tampered with, execution is refused or transferred to a standby code area to continue running.
The application achieves comprehensive monitoring of the file mapping process by registering the exception handler and the API HOOK in the patch: it encrypts the file data as soon as it is mapped into memory and decrypts it dynamically when the program reads or writes the memory, thereby ensuring the real-time security of the data. Memory read and write operations are captured using the exception handling mechanism: the exception is forcibly triggered by clearing the read-write attribute of the memory area, and the read or write instruction is then simulated and the data encrypted or decrypted inside the exception handling function, so that memory operations are intercepted transparently without affecting the normal running of the program.
By introducing the concept of an encryption chain, the encryption state and order of each memory area are recorded, so that multiple encryptions of the same memory area are handled correctly, the performance loss of repeated encryption is avoided, and the correctness of the data is ensured. By re-encrypting the data according to the encryption chain in the UnMapViewOfFile function, the file data is guaranteed to be stored in ciphertext form when it is written back to disk, further improving data security. The whole encryption and decryption process takes place in the patch code and the program source code does not need to be modified, so the method is general and transparent and can be applied conveniently to a wide range of programs that use file mapping.
Compared with traditional file encryption, the method avoids frequent file I/O operations and improves the efficiency of file access; compared with kernel-level encryption schemes, it is safer and more controllable and does not affect the stability of the system.
Fig. 2 is a schematic structural diagram of a general HOOK system for mapping memory of a Windows system according to an embodiment of the present invention, as shown in fig. 2, where the system includes:
A first unit 21, configured to register an exception handler in the patch when the program executes the CreateFile function, and to hook the MapViewOfFile, UnMapViewOfFile and CloseHandle functions using API HOOK, where the CreateFile function is used to obtain the target file handle, the MapViewOfFile function maps a block (view) of the file mapping and returns the start address (pointer) of that block (buffer), the UnMapViewOfFile function ends the mapping of that block, and the CloseHandle function closes the handle;
A second unit 22, configured, when the program executes the MapViewOfFile function, to clear the read-write attribute of the memory area in the patch so as to forcibly trigger an exception, modify the exception monitoring range to cover the memory area, traverse the encryption chain of the current memory area to check whether it was encrypted by a previous mapping, and, if so, decrypt it in sequence;
And a third unit 23, configured to enter the exception handling logic in the patch when a memory read or write operation occurs after the memory mapping is complete, determine whether the exception is expected, then determine whether the exception trigger type is read or write and enter the corresponding read or write instruction simulation logic, and, when the current mapping is closed by calling the UnMapViewOfFile function, restore the context according to the encryption chain and encrypt the previously decrypted data again.
In a third aspect of an embodiment of the present invention,
There is provided an electronic device including:
A processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to invoke the instructions stored in the memory to perform the method described previously.
In a fourth aspect of an embodiment of the present invention,
There is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method as described above.
The present invention may be a method, apparatus, system, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for performing various aspects of the present invention.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (10)

1. A general HOOK method for mapping memory of a Windows system, comprising:
When the program executes the CreateFile function, registering an exception handler in the patch, and hooking the MapViewOfFile, UnMapViewOfFile and CloseHandle functions using API HOOK;
When the program executes the MapViewOfFile function, clearing the read-write attribute of the memory area in the patch to forcibly trigger an exception, modifying the exception monitoring range to cover the memory area, traversing the encryption chain of the current memory area to check whether the current memory area was encrypted by a previous mapping, and, if so, decrypting it in sequence;
After the memory mapping is complete, entering the exception handling logic in the patch upon a memory read or write operation, judging whether the exception is expected, then judging whether the exception trigger type is read or write and entering the read or write instruction simulation logic respectively, and, when the current mapping is closed by calling the UnMapViewOfFile function, restoring the context according to the encryption chain and encrypting the previously decrypted data again.
2. The method of claim 1, wherein judging whether the exception is expected and then judging whether the exception trigger type is read or write and entering the read or write instruction simulation logic respectively comprises:
in the exception handling logic, judging whether the memory address that triggered the exception lies within the previously set exception monitoring range; if so, the exception is expected, and if not, it is some other exception and the handler returns directly without processing it;
if the trigger type is a read operation or a write operation, entering the corresponding read instruction simulation logic or write instruction simulation logic respectively.
3. The method according to claim 2, wherein the method further comprises:
In the read instruction simulation logic, querying, according to the memory address that raised the exception and the read length, whether that range is contained in the encryption chain;
if it is not contained, the data to be read is not encrypted, and the memory data is read directly and returned to the program;
if it is contained, decryption is needed: the data to be read is decrypted according to the algorithm and key information recorded in the encryption chain, the decrypted data is temporarily stored in the patch buffer, the register value of the exception context is modified to point to the patch buffer, and then control returns.
4. A method according to claim 3, characterized in that the method further comprises:
In the write instruction simulation logic, if the length of the written data exceeds the length of the existing data in the encryption chain, indicating that new data needs to be encrypted, encrypting the newly written data according to the encryption algorithm and key preset by the program, and adding the encryption information to the encryption chain;
if the written data does not exceed the encryption chain length, encrypting the written data according to the information in the encryption chain and then writing it into memory, and after the write is complete, modifying the registers of the exception context so that the program can continue executing;
when encrypting data, if the length of the data to be encrypted does not reach the block size of the encryption algorithm, caching the data in the patch buffer and waiting for subsequently written data so that they can be encrypted together, which avoids the efficiency loss caused by frequent encryption and decryption.
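As an added illustration (not code from the patent or its applicant), the encryption chain bookkeeping behind the second and third units of the system and behind claims 2 to 4, modelled in portable C: the mapped view is a constructed buffer, offsets stand in for addresses, and a one-byte XOR is an assumed placeholder for the AES or ChaCha20 the description names. The names `Link`, `Mapping`, `is_expected`, `chain_find`, `simulate_read`, `simulate_write` and `run_demo` are chosen here; the page-protection and VEH plumbing that would deliver the real exception is outside the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* One link of the encryption chain: a region of the mapped view (offsets
 * relative to the view base) and its key. The XOR cipher is a placeholder
 * standing in for the AES/ChaCha20 the description names. */
typedef struct Link { size_t off, len; uint8_t key; struct Link *next; } Link;

/* A mapping: a constructed buffer playing the mapped view, the exception
 * monitoring range [mon_lo, mon_hi) the patch set up, and its chain. */
typedef struct { uint8_t *view; size_t mon_lo, mon_hi; Link *chain; } Mapping;
static void xor_bytes(uint8_t *p, size_t n, uint8_t k) { while (n--) *p++ ^= k; }

/* Claim 2: the exception is expected only if the faulting address lies
 * inside the monitoring range; anything else is declined untouched. */
int is_expected(const Mapping *m, size_t off) {
    return off >= m->mon_lo && off < m->mon_hi;
}

/* Claim 3: the link whose region fully contains [off, off+len), if any. */
static Link *chain_find(const Mapping *m, size_t off, size_t len) {
    for (Link *l = m->chain; l; l = l->next)
        if (off >= l->off && off + len <= l->off + l->len) return l;
    return NULL;
}

/* Read simulation: copy into the patch buffer `out`, decrypting only when
 * the chain records the range as encrypted. Returns 0 if not expected. */
int simulate_read(const Mapping *m, size_t off, size_t len, uint8_t *out) {
    if (!is_expected(m, off)) return 0;
    memcpy(out, m->view + off, len);
    Link *l = chain_find(m, off, len);
    if (l) xor_bytes(out, len, l->key);
    return 1;
}

/* Write simulation (claim 4): a write inside an existing link reuses its key;
 * a write the chain does not cover gets a new link. Only ciphertext lands. */
int simulate_write(Mapping *m, size_t off, const uint8_t *data, size_t len,
                   uint8_t new_key) {
    if (!is_expected(m, off)) return 0;
    Link *l = chain_find(m, off, len);
    if (!l) {                       /* new data: extend the chain */
        l = calloc(1, sizeof *l);
        l->off = off; l->len = len; l->key = new_key;
        l->next = m->chain; m->chain = l;
    }
    memcpy(m->view + off, data, len);
    xor_bytes(m->view + off, len, l->key);
    return 1;
}

/* Walk-through on a constructed 64-byte view; returns 1 if every step holds. */
int run_demo(void) {
    uint8_t view[64] = {0}, out[8];
    Mapping m = { view, 0, 64, NULL };
    int ok = simulate_write(&m, 8, (const uint8_t *)"abcd", 4, 0x5A);
    ok &= view[8] == ('a' ^ 0x5A);                          /* stored encrypted */
    ok &= simulate_read(&m, 8, 4, out) && memcmp(out, "abcd", 4) == 0;
    view[20] = 0x11;                                        /* uncovered region */
    ok &= simulate_read(&m, 20, 1, out) && out[0] == 0x11;  /* returned raw */
    ok &= simulate_read(&m, 70, 1, out) == 0;               /* outside range */
    while (m.chain) { Link *n = m.chain->next; free(m.chain); m.chain = n; }
    return ok;
}
```

The walk-through shows the three handler outcomes the claims distinguish: a covered range is served decrypted from the patch buffer while the view keeps ciphertext, an uncovered range is returned as-is, and an address outside the monitoring range is not treated as an expected exception.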
5. The method of claim 1, wherein entering the exception handling logic in the patch upon a memory read or write operation after the memory mapping is complete comprises:
reading the source operand, destination operand and opcode of the current instruction by means of a disassembly engine;
judging whether the operation is a write operation, and if so, reading the value actually to be written according to the type of the source operand;
encrypting the value to be written;
restoring the writable attribute of the address that raised the exception, simulating the write operation according to the opcode type, and writing the encrypted content into memory;
removing the writable attribute of the memory again;
if it is a read operation, judging whether the memory area of the destination operand is encrypted, and if so, decrypting it and writing the decryption result into the destination operand;
modifying the register value of the exception context to point to the correct address and returning so that the program continues execution.
6. The method of claim 1, wherein restoring the context according to the encryption chain and encrypting the previously decrypted data again when the current mapping is closed by calling the UnMapViewOfFile function comprises:
when the program calls the UnMapViewOfFile function to close the current memory mapping, encrypting the data in the mapped memory according to the records in the encryption chain;
after encryption is complete, modifying the memory attribute of the encrypted buffer according to the encryption chain information so that it is readable again, and modifying the exception monitoring range so that subsequent read and write operations proceed normally without triggering the exception any more, completing the final context cleanup.
7. The method of claim 6, wherein, when the program calls the UnMapViewOfFile function to close the current memory mapping, encrypting the data in the mapped memory according to the records in the encryption chain, and, after encryption is complete, modifying the memory attribute of the encrypted buffer according to the encryption chain information so that it is readable again and modifying the exception monitoring range so that subsequent read and write operations proceed normally without triggering the exception any more, completing the final context cleanup, comprises:
for each memory block, calling the corresponding encryption function to encrypt the data in the memory block according to the encryption algorithm and key recorded in the encryption chain, and overwriting the original plaintext data with the encrypted data;
modifying the memory page attribute to readable and writable using the VirtualProtect function, and, in the exception handler, removing the encrypted memory block region from the monitoring range.
8. A general HOOK system for mapping memory of a Windows system, for implementing the method of any one of claims 1 to 7, comprising:
A first unit for registering an exception handler in the patch when the program executes the CreateFile function, and hooking the MapViewOfFile, UnMapViewOfFile and CloseHandle functions using API HOOK;
A second unit for, when the program executes the MapViewOfFile function, clearing the read-write attribute of the memory area in the patch to forcibly trigger an exception and modifying the exception monitoring range to cover the memory area, traversing the encryption chain of the current memory area to check whether the current memory area was encrypted by a previous mapping, and decrypting it in sequence if it was;
And a third unit for entering the exception handling logic in the patch upon a memory read or write operation after the memory mapping is complete, judging whether the exception is expected, then judging whether the exception trigger type is read or write and entering the read or write instruction simulation logic respectively, and, when the current mapping is closed by calling the UnMapViewOfFile function, restoring the context according to the encryption chain and encrypting the previously decrypted data again.
9. An electronic device, comprising:
A processor;
a memory for storing processor-executable instructions;
Wherein the processor is configured to invoke the instructions stored in the memory to perform the method of any of claims 1 to 7.
10. A computer readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the method of any of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410566935.XA CN118153078A (en) 2024-05-09 2024-05-09 General HOOK method and system for mapping memory of Windows system

Publications (1)

Publication Number Publication Date
CN118153078A true CN118153078A (en) 2024-06-07

Family

ID=91301610

Country Status (1)

Country Link
CN (1) CN118153078A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104834835A (en) * 2015-05-13 2015-08-12 武汉大学 Universal digital rights protection method under Windows platform
WO2017181968A1 (en) * 2016-04-20 2017-10-26 中兴通讯股份有限公司 Method for processing application file, method and device for accessing application file, and storage medium
US20200311268A1 (en) * 2019-03-29 2020-10-01 Acronis International Gmbh Methods and systems for performing a dynamic analysis of applications for protecting devices from malwares
CN115329351A (en) * 2022-07-22 2022-11-11 安徽工程大学 File protection system and method for Windows system
CN115470506A (en) * 2022-10-28 2022-12-13 山东华翼微电子技术股份有限公司 Homomorphic mapping-based secure file system implementation method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
沈济南 (Shen Jinan) et al.: "Process behavior monitoring system based on API Hook", Journal of Yunnan University (Natural Sciences Edition), no. 03, 10 May 2018 (2018-05-10) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination