JP2021530014A - Java Debugger blocking method and system for program protection - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a Java debugger blocking method and a system for program protection. A method of blocking the Java debugger executed by a processor of a computer is defined in Java from among the threads currently running on the computer at the stage of acquiring the handle of the Java virtual machine currently running on the computer. It includes a step of confirming a thread that operates according to the debug convention, and a step of separating the confirmed thread from the acquired Java virtual machine handle and terminating it. [Selection diagram] Fig. 3

Description

The following description describes a Java debugger blocking method for program protection, a Java debugger blocking system that executes the Java debugger blocking method, and a computer-readable recording medium that is combined with a computer to allow the computer to execute the Java debugger blocking method. Regarding recorded computer programs and their recording media.

Since the operation method of the application distributed to the client terminal can be grasped by reverse engineering (reversing), the application function can be stolen by such a technology. In addition, by modifying the function of the application to make it operate differently from the original intention of the application, the reliability of the service provided by the application and the system providing the corresponding service may be adversely affected.

In the process of analyzing an application by such reverse engineering, it is essential to utilize debugging. Debugging means the act of checking and correcting errors in a program, and the program used for such an act is called a debugger. Such debugging can be performed even for a normal program without errors. In such a case, not only the behavior originally intended by the program is changed, but also the principle of the behavior inside the program is grasped. It may also be used as a malicious purpose for.

Traditionally, obfuscation techniques have been used to protect the built-in programs, changing the original behavior or encrypting some of them to make it difficult to modify the code and understand the behavior. Has been done. For example, Korean Registered Patent No. 10-1328012 relates to an application code obfuscation device and its method, and among the codes used in an application, the important code and the calling code for calling the important code are in the native code form. The technology to convert to is disclosed.

However, such prior art requires additional execution time to execute obfuscated code, and the original code must be loaded into memory at a particular point in time to perform the original operation. There was a problem that it did not become.

Korean Registered Patent No. 10-1328012

Java debugger blocking method that can block the influence of the debugger on the Java application by terminating the thread that operates according to the debug convention that defines the communication between the Java application and the debugger, and the Java debugger blocking system that executes the Java debugger blocking method. Provided are a computer program recorded on a computer-readable recording medium and the recording medium thereof in order to combine with a computer and cause the computer to execute a Java debugger blocking method.

A method of blocking the Java debugger executed by a computer processor, which is a stage of acquiring the handle of a Java virtual machine currently running on the computer, and is predefined in Java from among the threads currently running on the computer. Provided is a Java debugger blocking method including a step of confirming a thread operating according to a debug rule and a step of separating the confirmed thread from the handle of the acquired Java virtual machine and terminating it.

Provided is a computer program recorded on a computer-readable recording medium for computer execution of the Java debugger blocking method in combination with a computer.

Provided is a computer-readable recording medium, characterized in that a computer program for causing a computer to execute the Java debugger blocking method is recorded.

Includes at least one processor implemented to execute computer-readable instructions, which obtains the handle of a Java virtual machine currently running on the computer and currently runs on the computer. Provided is a computer device that confirms a thread that operates according to a debug rule defined in Java from among the threads in the inside, separates the confirmed thread from the handle of the acquired Java virtual machine, and terminates the confirmed thread.

The effect of the debugger on the Java application can be blocked by terminating the thread that operates according to the debug convention that defines the communication between the Java application and the debugger.

It is a figure which showed the example of the network environment in one Embodiment of this invention. It is a block diagram for demonstrating the internal structure of an electronic device and a server in one Embodiment of this invention. It is a figure which showed the example of the process of shutting off a Java debugger in one Embodiment of this invention. It is a flowchart which showed the example of the Java debugger blocking method in one Embodiment of this invention. It is a flowchart which showed the example of the process of separating a thread from a handle of a Java virtual machine in one Embodiment of this invention.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings.

As an example, the Java debugger blocking system according to the embodiment of the present invention may be realized by a computer such as the computer device 200 described with reference to FIG. 2, and the Java debugger blocking method according to the embodiment of the present invention is executed by the computer. May be done. For example, in a computer, a computer program according to an embodiment of the present invention (for example, an application installed in a computer device to receive a specific service provision) may be executed, and the computer may execute the executed computer program. The Java debugger blocking method according to the embodiment of the present invention may be executed according to the control of the above. The computer program described above may be recorded on a computer-readable recording medium in order to combine with the computer to cause the computer to execute the Java debugger blocking method.

FIG. 1 is a diagram showing an example of a network environment according to an embodiment of the present invention. The network environment of FIG. 1 shows an example including a plurality of electronic devices 110, 120, 130, 140, a plurality of servers 150, 160, and a network 170. Such FIG. 1 is merely an example for explaining the invention, and the number of electronic devices and the number of servers are not limited as in FIG.

The plurality of electronic devices 110, 120, 130, 140 may be fixed terminals or mobile terminals realized by a computer device. Examples of a plurality of electronic devices 110, 120, 130, 140 include smartphones, mobile phones, navigation systems, PCs (personal computers), notebook pancons, digital broadcasting terminals, PDAs (Personal Digital Assistants), and PMPs (Portable Multimedia Players). ), Tablets, etc. As an example, FIG. 1 shows a smartphone as an example of the electronic device 1 (110), but in the embodiment of the present invention, the electronic device 1 (110) substantially uses a wireless or wired communication method. It may mean one of a variety of physical computer devices capable of communicating with other electronic devices 120, 130, 140 and / or servers 150, 160 via network 170.

The communication method is not limited, and not only the communication method using the communication network (for example, mobile communication network, wired Internet, wireless Internet, broadcasting network) that can be included in the network 170, but also the short distance between devices. Wireless communication may be included. For example, the network 170 includes a PAN (personal area network), a LAN (local area network), a CAN (campus area network), a MAN (metropolitan area network), a WAN (wide network), etc. It may include any one or more of the networks. Further, network 170 may include, but is limited to, any one or more of network topologies including bus networks, star networks, ring networks, mesh networks, star-bus networks, tree or hierarchical networks, and the like. Will not be done.

Each of the servers 150, 160 is realized by one or more computer devices that communicate with a plurality of electronic devices 110, 120, 130, 140 via a network 170 to provide instructions, codes, files, contents, services, and the like. good. For example, the server 150 may be a system that provides the first service to a plurality of electronic devices 110, 120, 130, 140 connected via the network 170, and the server 160 may also be a plurality of systems connected via the network 170. It may be a system that provides a second service to electronic devices 110, 120, 130, 140. As a more specific example, the server 150 may provide a service linked with an application (computer program) installed in a plurality of electronic devices 110, 120, 130, 140 as the first service. As another example, the server 160 may provide a service for providing the application installation file for the first service to the plurality of electronic devices 110, 120, 130, 140 as the second service.

FIG. 2 is a block diagram showing an example of a computer device according to an embodiment of the present invention. Each of the plurality of electronic devices 110, 120, 130, 140 and the servers 150, 160 described above may be realized by the computer device 200 shown in FIG. For example, in the computer device 200, the computer program according to the embodiment may be installed and executed, and the computer device 200 may block the Java debugger according to the embodiment of the present invention under the control of the computer program to be executed. May be executed.

Such a computer device 200 may include a memory 210, a processor 220, a communication interface 230, and an input / output interface 240, as shown in FIG. The memory 210 is a computer-readable recording medium and may include a permanent large-capacity recording device such as a RAM (random access memory), a ROM (read only memory), and a disk drive. Here, a permanent large-capacity recording device such as a ROM or a disk drive may be included in the computer device 200 as another permanent recording device that is separated from the memory 210. Further, the memory 210 may record an operating system and at least one program code. Such software components may be loaded into memory 210 from a computer-readable recording medium separate from memory 210. Such other computer readable recording media may include computer readable recording media such as floppy drives, discs, tapes, DVD / CD-ROM drives, memory cards and the like. In other embodiments, software components may be loaded into memory 210 through a communication interface 230 that is not a computer-readable recording medium. For example, software components may be loaded into memory 210 of computer equipment 200 based on a computer program installed by a file received over network 170.

Processor 220 may be configured to process instructions in a computer program by performing basic arithmetic, logic, and I / O operations. Instructions may be provided to processor 220 by memory 210 or communication interface 230. For example, the processor 220 may be configured to execute instructions received according to program code recorded in a recording device such as memory 210.

The communication interface 230 may provide a function for the computer device 200 to communicate with another device (for example, the recording device described above) via the network 170. As an example, requests, instructions, data, files, etc. generated by the processor 220 of the computer device 200 according to the program code recorded in the recording device such as the memory 210 are sent via the network 170 under the control of the communication interface 230. May be transmitted to the device of. On the contrary, signals, instructions, data, files and the like from other devices may be received by the computer device 200 via the communication interface 230 of the computer device 200 via the network 170. Signals, instructions, data and the like received through the communication interface 230 may be transmitted to the processor 220 and the memory 210, and files and the like may be transferred to a recording medium (the above-mentioned permanent recording device) that can be further included in the computer device 200. May be recorded.

The input / output interface 240 may be a means for an interface with the input / output device 250. For example, the input device may include a device such as a microphone, keyboard, or microphone, and the output device may include a device such as a display, speaker. As another example, the input / output interface 240 may be a means for an interface with a device such as a touch screen in which functions for input and output are integrated into one. The input / output device 250 may be composed of a computer device 200 and one device.

Also, in other embodiments, the computer device 200 may include fewer or more components than the components of FIG. However, it is not necessary to clearly illustrate most of the prior art components. For example, the computer device 200 may be implemented to include at least a portion of the input / output devices 250 described above, or may further include other components such as transceivers, databases, and the like.

FIG. 3 is a diagram showing an example of a process of shutting off the Java debugger in one embodiment of the present invention. The computer device 200 may include a Java Virtual Machine 300. The Java virtual machine 300 is a virtual computer that interprets and executes a program written in the Java language. A program written in the Java language is converted into intermediate code such as bytecode by the Java compiler. At this time, the Java virtual machine 300 may be a software module that interprets and executes such bytecode. .. Java is an object-oriented programming language that provides debugging conventions that define communication between Java applications and debugger processes, such as the ^{JDWP (Java TM DevWire Protocol), for debugging Java applications.} At this time, there may be a thread that operates according to such a debugging convention. FIG. 3 shows n threads 310 attached to the Java virtual machine 300, and of the n threads 310, thread n320 is shown as a thread that operates according to the debug convention. At this time, the thread n320 generally uses JDWP as a name, and by executing a function according to a debug standard such as JDWP, the debugger 330, which is other software installed in the computer device 200, communicates with the Java application. It works as you can. For example, thread n320 may provide a function that allows the debugger 330 to communicate with other threads of the n threads 310 by the Java application.

If the debugger 330 cannot be linked to the thread n320, it cannot communicate with other threads by the Java application. Therefore, in the present embodiment, the debugger tries to debug the Java application by terminating the thread n320. Block 330. FIG. 3 shows an example in which the debugger 330 is blocked by terminating and disabling the thread n320, which is a JDWP thread attached to the Java virtual machine 300, by using a processing function such as “pthread_exit ()” 340. ..

FIG. 4 is a flowchart showing an example of the Java debugger blocking method according to the embodiment of the present invention. The Java debugger blocking method according to the present embodiment may be executed by the computer device 200 described above. For example, the processor 220 of the computer device 200 may be implemented to execute a control instruction by the code of the operating system included in the memory 210 and / or the code of at least one program. For example, the above-mentioned program code may be the code of the Java application to be debugged. In other words, the Java application may include code for blocking the Java debugger, and the processor 220 controls the computer device 200 according to the control instructions provided by the code of the Java application recorded in the computer device 200. The computer device 200 may be controlled to perform steps 410 to 430 included in the method. Depending on the embodiment, the code of the program may be provided by a program other than the Java application to be debugged.

At step 410, the computer device 200 may acquire the handle of the currently running Java virtual machine. All threads that execute Java code are attached to the Java virtual machine, so if you want to terminate such threads immediately using a function such as "pthread_exit ()", use the Java virtual machine. Collision may occur. Therefore, the computer device 200 uses a function such as "DetachCurentThread ()" to separate (detach) the function to be terminated from the Java virtual machine in advance when attempting to terminate the thread later, and then the thread. May be terminated, and for this purpose, the handle of the Java virtual machine may be acquired in advance. Therefore, in some embodiments, step 410 may be performed between steps 420 and 430, as an example, before separating the thread from the Java virtual machine.

The computer device 200 may record the handle of the Java virtual machine called by a function such as "JNI_OnLoad ()". For example, the handle of the virtual machine is an address pointer value for accessing the object of the currently running Java virtual machine, and the function "JNI_OnLoad ()" described prior to the time when the Java virtual machine loads the native library. The handle that is called when the function "JNI_OnLoad ()" is called (the first that is generally transmitted to "JNI_OnLoad ()" as a pointer value to the Java virtual machine instance itself of the currently running processor). The parameter "JavaVM * vm") may be recorded. The recorded handle may be utilized to call the function "DetachCurentThread ()" for thread separation when the thread is separated later. However, any method that can import the handle of the Java virtual machine running on the computer can be used without being limited to the above-mentioned function "JNI_OnLoad ()".

At step 420, the computer device 200 may identify the threads that are currently running and that operate according to the Java predefined debugging conventions. The debug convention may include a JDWP that defines the communication between the Java application and the debugger process, as described above. Since JDWP is generally used as it is for the name of the thread that operates according to such a debug convention, the computer device 200 operates according to the debug convention by confirming the identifier of the thread whose name is JDWP among the threads. You may check the thread to do. As another embodiment, the computer device 200 may confirm the thread that operates according to the debugging standard by confirming the identifier of the thread that executes the JDWP function from among the threads. As another embodiment, the computer device 200 acquires the task information of each thread, and confirms the identifier of the thread having the task information corresponding to JDWP based on the task information, so that the thread that operates according to the debug convention can be obtained. You may check. As an example, a computer device 200 using Unix may access process information currently running in the PROC file system and import task information. At this time, the computer device 200 may confirm the thread identifier by the task corresponding to JDWP.

At step 430, the computer device 200 may separate and terminate the identified thread from the handle of the acquired Java virtual machine. By terminating the thread that operates according to the debugging convention in this way, the Java debugger (as an example, the debugger 330 described with reference to FIG. 3) cannot communicate with the Java application to be debugged, thereby. , Java debugger can be blocked.

On the other hand, if the thread is simply terminated, a collision may occur. Therefore, the computer device 200 can safely terminate the thread by separating the thread from the handle of the Java virtual machine.

FIG. 5 is a flowchart showing an example of a process of separating a thread from the handle of the Java virtual machine in one embodiment of the present invention. Steps 510 to 520 of FIG. 5 are included in step 430 described with reference to FIG. 4 and may be performed by the computer apparatus 200.

In step 510, the computer device 200 registers a processing function that controls the first thread so that the first thread notifies the Java virtual machine that the first thread having the confirmed thread identifier is terminated. You can do it. Such processing functions may be included in a computer program for controlling the computer device 200 to perform the steps of FIGS. 4 and 5, where the computer device 200 is a control instruction by the code of such a computer program. Therefore, the processing function included in the computer program may be registered in the Java virtual machine.

Such a processing function means that when the thread confirmed in stage 420, in other words, the thread operating according to the debug convention (JDWP thread as an example) executes the processing function, the JDWP thread itself terminates immediately. A code may be included to notify the Java virtual machine, an environment may be created in which the JDWP thread can be terminated normally by such notification, and the JDWP thread may be separated from the handle of the Java virtual machine. In addition, the processing function may further include code for causing the JDWP thread to terminate itself, and the JDWP thread that executes the processing function may terminate itself.

At step 520, the computer device 200 may control the first thread to execute a processing function. As described above, by executing the processing function by the first thread, it is possible to control the Java virtual machine to terminate itself after notifying the Java virtual machine that the first thread itself terminates voluntarily.

At this time, in order to allow the first thread to execute the processing function, the computer device 200 may further register a user-defined signal in step 510 that controls each thread to call the processing function, step 520. You may control the thread to call a processing function by calling a user-defined signal. As a more specific example, in the case of a computer device 200 that uses a Unix-series operating system, a user-defined signal (signal number) and handler (processing function) can be used by using a function such as "sigaction ()". ) May be registered on the system (operating system). For example, the computer device 200 may call the "sigaction ()" function under the control of the computer program, and may register the user-defined signals and handlers included in the computer program in the computer device 200. After that, according to the control of the computer program, the computer device 200 calls the user-defined signal registered in the system by using the "kill ()" function, so that each thread included in the Java virtual machine is registered as a handler. The processing function) will be called and executed. At this time, the processing function may go through the process of confirming whether the thread that called itself is the JDWP thread, and the confirmed JDWP thread (first thread) terminates itself by using the function included in the processing function. You may go through the process of getting it done. In other words, the computer device 200 compares the identifier of the thread that processes the called user-defined signal with the identifier of the JDWP thread identified in step 420 to see if the thread matches the identified JDWP thread. If the thread is a JDWP thread, the JDWP thread executes a processing function to notify the Java virtual machine that it will terminate, and separates itself from the Java virtual machine and terminates itself. You may control it.

As described above, when the JDWP thread is terminated, it becomes impossible for the Java debugger such as the debugger 330 described with reference to FIG. 3 to communicate with the Java application to be debugged. Therefore, the Java debugger is used as the Java application. Can be blocked from. Even if the Java debugger has already been attached to the Java application, the Java debugger will be detached from the Java application because further communication between the Java debugger and the Java application will not be possible due to the termination of the JDWP thread. It is blocked.

As described above, according to the embodiment of the present invention, the influence of the debugger on the Java application can be blocked by terminating the thread that operates according to the debug convention that defines the communication between the Java application and the debugger.

The system or device described above may be implemented by a hardware component, a software component, or a combination of the hardware component and the software component. For example, the apparatus and components described in the embodiments include, for example, a processor, a controller, an ALU (arithmetic logic unit), a digital signal processor, a microprocessor, an FPGA (field programgate array), a PLU (programmable log unit), and a microprocessor. It may be implemented utilizing one or more general purpose computers or special purpose computers, such as a processor or various devices capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the OS. The processing device may also respond to the execution of the software, access the data, and record, manipulate, process, and generate the data. For convenience of understanding, one processing device may be described as being used, but one of ordinary skill in the art may indicate that the processing device may include a plurality of processing elements and / or a plurality of types of processing elements. You can understand. For example, the processing device may include multiple processors or one processor and one controller. Other processing configurations, such as parallel processors, are also possible.

The software may include computer programs, code, instructions, or a combination of one or more of these, configuring the processing equipment to operate at will, or instructing the processing equipment independently or collectively. You may do it. The software and / or data is embodied in any type of machine, component, physical device, virtual device, computer recording medium or device for interpretation based on the processing device or for providing instructions or data to the processing device. May be converted. The software is distributed on a networked computer system and may be recorded or executed in a distributed state. The software and data may be recorded on one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the embodiment or may be usable known to those skilled in the art of computer software. Examples of computer-readable recording media include hard disks, floppy disks, and magnetic media such as magnetic tapes, optical media such as CD-ROMs and DVDs, and optical magnetic media such as floptic discs. , And hardware devices specially configured to record and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language code, such as those generated by a compiler, but also high-level language code, which is executed by a computer using an interpreter or the like.

As described above, the embodiments have been described based on the limited embodiments and drawings, but those skilled in the art will be able to make various modifications and modifications from the above description. For example, the techniques described may be performed in a different order than the methods described, and / or components such as the systems, structures, devices, circuits described may be in a form different from the methods described. Appropriate results can be achieved even if they are combined or combined, or confronted or replaced by other components or equivalents.

Therefore, even if the embodiments are different, they belong to the attached claims as long as they are equal to the claims.

Claims (15)

A computer program that causes a computer to execute the Java debugger blocking method.
The Java debugger blocking method is
Obtaining the handle of the Java virtual machine currently running on the computer,
The stage of confirming the thread that operates according to the debug convention defined in Java from the threads currently running on the computer, and the step of separating the confirmed thread from the handle of the acquired Java virtual machine and terminating it. A computer program that includes stages. The computer program according to claim 1, wherein the debug convention includes a JDWP that defines communication between a Java application and a debugger process. The stage of checking the thread is
The computer program according to claim 1, further comprising a step of confirming an identifier of a thread whose name is JDWP among the threads. The stage of checking the thread is
The computer program according to claim 1, further comprising a step of confirming the identifier of the thread that executes the JDWP function among the threads. The stage of checking the thread is
The computer program according to claim 1, further comprising a step of confirming an identifier of a thread having task information corresponding to JDWP based on the task information of each thread. The step of separating and terminating the confirmed thread is
A step of registering a processing function that controls the first thread so that the first thread notifies the Java virtual machine that the first thread having the confirmed thread identifier is terminated, and the above. Including the step of controlling the first thread to execute the processing function.
The computer program according to claim 1, wherein the first thread separates from the Java virtual machine and terminates by executing the registered processing function. The registration stage is
Further register a user-defined signal that controls each of the threads to call the processing function.
The control step is
The computer program according to claim 6, wherein the user-defined signal is called to control the thread to call the processing function. A method of blocking the Java debugger executed by the computer processor.
Getting the handle of the Java virtual machine currently running on your computer,
At the stage of confirming the thread that operates according to the debug convention defined in Java from the threads currently running on the computer, and separating the confirmed thread from the handle of the acquired Java virtual machine and terminating it. Java Debugger blocking method, including steps. The Java debugger blocking method according to claim 8, wherein the debug convention includes a JDWP that defines communication between a Java application and a debugger process. The stage of checking the thread is
The Java debugger blocking method according to claim 8, further comprising a step of confirming the identifier of the thread whose name is JDWP among the threads. The stage of checking the thread is
The Java debugger blocking method according to claim 8, further comprising a step of confirming the identifier of the thread that executes the JDWP function among the threads. The stage of checking the thread is
The Java debugger blocking method according to claim 8, further comprising a step of confirming an identifier of a thread having task information corresponding to JDWP based on the task information of each thread. The step of separating and terminating the confirmed thread is
A step of registering a processing function that controls the first thread so that the first thread notifies the Java virtual machine that the first thread having the confirmed thread identifier is terminated, and the above. Including the step of controlling the first thread to execute the processing function.
The Java debugger blocking method according to claim 8, wherein the first thread separates from the Java virtual machine and terminates by executing the registered processing function. The registration stage is
Further register a user-defined signal that controls each of the threads to call the processing function.
The control step is
The Java debugger blocking method according to claim 13, wherein the user-defined signal is called to control the thread to call the processing function. A computer-readable recording medium on which the computer program according to any one of claims 1 to 7 is recorded.

Images