KR101671336B1 - Method of unpacking protection with code separation and apparatus thereof - Google Patents

Abstract

The packer according to the prior art has a problem in that it is difficult to analyze the executable file of the analyst by including the decoded code in the packed executable file.
In order to solve this problem, the present invention packs the decoded code into one external program and integrates it into the packed executable file, thereby making it difficult to analyze the analysis, and to control the access of the debugger through process protection, Method can be provided.

Description

METHOD OF UNPACKING PROTECTION WITH CODE SEPARATION AND APPARATUS THEREOF FIELD OF THE INVENTION [0001]

The present invention relates to an unpacking protection method, and more particularly to a more secure unpacking protection method using code separation.

Conventionally, an executable file compression technique has been studied for the purpose of reducing the capacity of an executable file. However, in recent years, along with the development of the Internet, an executable file compression technique has been studied as a method of protecting program analysis and protecting programs, have.

In this regard, the prior art reference 1 (Paul Royal, Mitch Halpin, David Dagon, Robert Edmonds, Wenke Lee, "PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware" Nebul Bavishi, "An Executable Packer ", San Jose State University, < RTI ID = 0.0 > 2011) < / RTI & ) Discloses a method for protecting a program and preventing analysis using an Anti Debugging Code, an IAT (Import Address Table) rearrangement, obfuscation and a virtual machine.

In this executable file compression technique, there are two essential functions: unpacking code and unpacking protection function. In order to execute the packed program, the decryption code must be included in the program. Since the file to which the executable file compression technique is applied basically has the code encrypted, the decryption code needs to be executed once to execute the program.

However, even if it is based on the decryption prevention function based on such encryption, the analyst analyzes the packed file in order to find the decoded code, assuming that the decoded code exists in the packed file. Therefore, There is a problem that the code can not be safe.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problem, and it is an object of the present invention to provide an unpacking protection method in which a decryption code is divided into an external file. We propose a packing method / unpacking protection method that enhances security through code separation.

An unpacking protection device to which a code separation according to an embodiment of the present invention is applied may include a detachment execution compression module, and the detachment execution compression module may pack the first execution file, 1 executable file, the generated decrypted program has a packed file structure, and is configured to integrate the packed first executable file and the generated decrypted program as a second executable file, and decrypts The program may be invoked by an independent program for unpacking or by the first executable file. Packing the first executable may also include extracting a predefined section from the first executable file and encrypting the predefined section, and the decrypting program may include decrypting the decrypted predefined section Code, and the decoded code may be encrypted by a separate execution compression module.

The technique disclosed in the present invention can have the following effects. It is to be understood, however, that the scope of the disclosed technology is not to be construed as limited thereby, since the specific embodiments should include all of the following effects or merely include the following effects.

The present invention provides an unpacking protection method to which code separation is applied and can delay analysis time of an executable file by applying various interruption codes using the unpacking protection method of the present invention.

Figure 1 shows a PE (Portable Executable) file structure and memory mapping.
2 shows a packing process using a UPX (Ultimate Packer for eXecutables) packer.
3A is a configuration and a flowchart of an unpacking protection apparatus to which a code separation is applied according to an embodiment of the present invention.
3B is a configuration and a flowchart of a file unpacking apparatus to which a code separation is applied according to an embodiment of the present invention.
4 is a schematic view of a packing method in an unpacking protection method using code separation according to an embodiment of the present invention.
5A is an example of a .text section extraction code according to an embodiment of the present invention.
FIG. 5B is an illustration of a bit operation encryption code according to one embodiment of the present invention.
Fig. 5C shows the structure of the generated packing file.
FIG. 5D shows the file structure of the generated decryption program.
6 is a schematic diagram of an unpacking method in an unpacking protection method applied with code separation according to an embodiment of the present invention.
7A is an example of a code for extracting a decryption program.
7B is an illustration of a process protection code.
7C is an illustration of an access code for a packed area of an executable file.
7D is an example of a code for writing decoded data in an empty memory area.
7E is a schematic diagram of a method of recording decoded data in an empty memory area of an executable file.
8A shows a UPX unpacking process.
FIG. 8B shows a PECompact unpacking process.
8C shows the FSG unpacking process.
FIG. 8D shows an ASProtect unpacking process.
FIG. 8E illustrates a separate running compressed unpacking process according to an embodiment of the present invention.

For the embodiments of the present invention disclosed herein, specific structural and functional descriptions are merely illustrative for purposes of illustrating embodiments of the present invention, and embodiments of the present invention may be embodied in various forms, The present invention should not be construed as limited to the embodiments described in Figs.

The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the text. It should be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but on the contrary, is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, such as "between" and "between" or "neighboring to" and "directly adjacent to" should be interpreted as well.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprise", "having", and the like are intended to specify the presence of stated features, integers, steps, operations, elements, components, or combinations thereof, , Steps, operations, components, parts, or combinations thereof, as a matter of principle.

Also, the terms " part, "" module, "" module "," block ", and the like described in the specification mean units for processing at least one function or operation, Lt; / RTI >

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

Figure 1 shows a PE (Portable Executable) file structure and memory mapping.

The PE file structure shown in FIG. 1 is a file format that inherits the Common Object File Format (COFF). The COFF format is a file format used by AT & T It is a rule designed by the company. These PE file formats are used in files such as cpl, exe, dll, ocx, vxd, sys, scr, and drv.

Referring to the main sections of the PE file shown in FIG. 1, the .text section is a section that contains main code used for an executable file, and has execute and read permission. A .data section includes a section containing initialized global variables , Which has read and write permissions, and the .reloc section is the section containing default relocation information for the executable file. Among the sections of the PE file, the .text section is a section that is necessarily used in the packing process. The .text section includes the main code used in the executable file and must be protected during the packing process.

2 shows a packing process using a UPX (Ultimate Packer for eXecutables) packer.

Packing refers to the process of selecting a section to be packed through a packer and encrypting the selected section. The packer acts as a medium for compressing an executable file or inserting an interruption code. After the packer has packed, At the time of operation, the decryption code is executed first.

As shown in FIG. 2, the UPX packer loads the executable file 200 to be packed first from the packer, and inserts the code section 204 and the data section 205 to be used in the packed file 210 in the loaded state, And adds it to the space 212. Since added. The code section 204 and the data section 205 existing in the executable file 200 to be packed are encrypted and stored in the space of the packed file 210.

An unpacked executable file can be unpacked by unpacking, where unpacking code is first queued in memory before loading the packed code into memory, and the packed code is read Decrypt the encrypted content. In addition, the decoded code is recorded in the empty space of the execution memory, and after the unpacking is completed, the program moves to the OEP (Original Entry Point) point to execute the program.

Unpacking protection protects the program by delaying analysis in the process of analyzing the program to the analyst. These unpacking protection features include Anti Debugging Code, IAT (Import Address Table) rearrangement, obfuscation, and code virtualization.

First, the disturbance code refers to a disturbance code using a debugger. The disturbance code includes a method of using an API function (e.g., IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess and NtsetInformation Thread, NtQueryInformationProcess, etc.) for checking whether a process is in a debugging state, (For example, checking specific registry information of each debugger, checking whether hardware breakpoints are used, etc.), and analyzer characteristics (e.g., checking the time each line is executed).

In addition, the IAT rearrangement hides the functions used by the decoded code by adding the section and changing the IAT information by the packer. When the IAT rearrangement is performed, the analyzer analyzes the program to find the path of the function used in the executable file It becomes difficult to do.

In addition, obfuscation increases the complexity of the normal code and allows the analyst to require more analysis time than before the obfuscation is applied.

In addition, code virtualization is a way for analysts to spend more time analyzing than interfering code, IAT rearrangement, and obfuscation. Packer builds a virtual machine, ) Is used to protect and hide the decoded code.

However, in spite of these unpacking protection functions, there is a need for an unpacking protection method that makes it difficult for the analyst to analyze. Hereinafter, the unpacking protection method of the present invention will be described with reference to FIGS. 3A and 3B.

3A is a configuration and a flowchart of an unpacking protection apparatus 310 to which a code separation is applied according to an embodiment of the present invention.

3A, the unpacking protection apparatus 310 according to an embodiment of the present invention executes a packing program (S301), and selects an executable file to be packed (S302). The executable file to be packed may be selected based on input from the user or designation of a predetermined file name.

The separation executing compression module 320 packs the selected executable file (S303) and generates a decoding program for unpacking the packed executable file (S304). The generated decrypting program has a packed file structure and has independent arguments for unpacking or specific parameters to be called from the executable file. Therefore, when the decrypting program is extracted and executed as an independent program, the decrypting program is not operated. In addition, the separation executing compression module 320 merges the packed execution file and the generated decoding program as one execution file (S305). When the unification process of the separation executing compression module 320 is completed, the unpacking protection device 310 ends the packing program (S306). The separation execution compression module 320 also packs executable files and generates decryption programs using the above-described unpacking protection functions (e.g., interfering code, IAT rearrangement, obfuscation and / or code virtualization) You may.

3B is a configuration and a flowchart of a file unpacking apparatus 330 to which a code separation is applied according to an embodiment of the present invention.

3B, when the packed program is executed (S311), the separation executing compression / unpacking module 340 extracts the decoding program of the packed structure included in the packed execution file (S312) The decryption program is executed (S313), and the packed executable file is decrypted by the decryption program (S314). At this time, the decoded data is stored in the empty memory area of the packed executable file. When the decoding is completed, the unpacked executable file may be executed (S315).

3A and 3B, it is understood that the unpacking protection device 310 and the unpacking device 330 may further include a processor and / or a processor for executing the above processes. .

Hereinafter, the packing method and the unpacking method in the unpacking protection method applied with code separation according to an embodiment of the present invention will be described in detail with reference to the drawings.

4 is a schematic diagram of a packing method in an unpacking protection method using code separation according to an embodiment of the present invention.

When an executable file to be packed is selected (S401), a .text section of the selected executable file is extracted (S402). Generally, the data in the .text section contains the executable code that the program runs in, so the protection of the .text section should take precedence.

5A is an example of a .text section extraction code according to an embodiment of the present invention. As shown in FIG. 5A, a .text section extraction code uses a PE structure PIMAGE_DOS_HEADER. In the PIMAGE_DOS_HEADER structure, calculate the position of the structure of PIMAGE_NT_HEADERS and check the position of the section header based on the calculated memory address. After the position of the section header is confirmed, it stores BaseOfCode (ie, the offset of the .text section). Computes the stored offset and the starting point of the DOS_Header to determine the actual address of the .text section. The size of the address of the identified .text section is determined by checking the size of the .text section based on the VirtualSize inside the PIMAGE_SECTION_HEADER structure, and then extracting the .text section.

Referring again to FIG. 4, if the .text section is extracted, the .text section is encrypted (S403).

5B is an example of a bit-operation encryption code according to an embodiment of the present invention. As shown in FIG. 5B, the data of the extracted .text section is encrypted using a bit-operation encryption code. The bit-operation encryption may encrypt a .text section based on a key input, wherein the key input may be one or more of an input value from a user, a value generated by a random function, and / . ≪ / RTI >

Referring again to FIG. 4, when the encryption of the .text section is completed, a packing file (i.e., a packed executable file) including the encrypted .text section is generated (S404). Fig. 5C shows the structure of the generated packing file. In order to facilitate the description of the present invention, in FIG. 5C, a part of the constitution of the generated packing file is omitted and is shown as other section and data.

Referring again to FIG. 4, when the encryption of the .text section is completed, a decryption program including a decryption code for decrypting the encrypted section is generated (S405). Since the decryption code is applied to the bit-operation encryption code, a code of the same kind as the code shown in Fig. 5B can be used to generate the decryption program.

FIG. 5D shows the file structure of the generated decryption program. In order to facilitate the description of the present invention, a part of the constitution of the generated decryption program is omitted in FIG. 5D and is shown as other sections and data.

The generated decryption program does not have a separate execution screen, and can not be independently executed because it has independent programs for packing or specific parameters to be called from the executable file as described above, and independent programs or packings for unpacking It is executed only when the executed executable file is called.

Referring to FIG. 4, when the generation of the decoded program is completed, the packed executable file and the generated decoded program are combined as a final executable file (S406).

Figure 5E shows the structure of the final executable file integrated. In Figure 5E, some configuration of the final executable file integrated is omitted and is shown as other sections and data. As shown in FIG. 5E, the decryption program may be stored in the .reloc section of the final executable file. As shown in FIG. 5E, the packed executable file and the generated decoded program are integrated as one final execution file, thereby preventing the decoded program from being omitted when distributing the program.

6 is a schematic diagram of an unpacking method in an unpacking protection method applied with code separation according to an embodiment of the present invention.

First, when the packed executable file is executed (S601), the decoded program of the packed structure is extracted from the executable file (S602).

7A is an example of a code for extracting a decryption program. The extraction of the decryption program includes checking the total capacity of the packed file, checking the capacity of the decryption program extracted from the total capacity, and checking the capacity of the actual packed executable file. Further, after generating a handle for recording the decryption program, the file pointer is moved by the capacity of the actual packed executable file in the total capacity, and then recorded by the capacity of the decryption program.

Referring again to FIG. 6, after the decrypted program is extracted, the packed executable file transfers information of the encrypted .txt section of the executable file packed in the decrypted program (S603). At this time, the decryption program may block access to another debugger.

In this regard, an example of a process protection code is shown in Figure 7B. As shown in FIG. 7B, when occupying a process in the debug mode, a debugger such as ollydbg can not attatch a running packed program. Thus, the decryption program can preempt the process access of other debuggers by preempting the process for the executable file in the debugging mode.

Referring back to FIG. 6, the encrypted .txt section data is received and the encrypted .txt section is decrypted (S604). In this regard, FIG. 7C shows an example of an access code for a packed area of an executable file.

As shown in FIG. 7C, the decryption program obtains full memory access authority to the packed executable file, and confirms the address and size of the .text section. The contents of the identified .text section are copied to a memory and decoded using the bit operation encryption code shown in FIG. 5B.

FIG. 7D is an example of a code for writing decoded data in an empty memory area. In FIG. 7D, an empty memory space of a packed executable file is reserved in a decoding program, the reserved memory is determined, And it operates as a schematic diagram of a method of recording decoded data in an empty memory area of the executable file shown in FIG. 7E.

Referring to FIG. 6 again, when unpacking of the executable file is completed by storing the decoded .txt section, the extracted decoded program is deleted (S605). If a decryption program continues to exist, it can be used for analysis. In addition, when the unpacking of the executable file ends, the unpacked executable file may be executed (S606).

Hereinafter, the protection method using the code separation according to the embodiment of the present invention described above with reference to FIGS. 4 to 5E will be described in comparison with other comparative examples.

The packer according to the embodiment of the present invention was developed using Visual Studio 2010 of Windows 7 Professional Service Pack 1 and the executable packed by the packer of the present invention and the packer packed by the existing packer are transferred to the Windows 7 Professional Service Pack 1 environment by using the ollydbg program.

In the first comparative example, as shown in the UPX unpacking process of Fig. 8A, the unpacking of the packed executable file using the UPX packer causes the decryption program (code) to be executed after the program is executed to proceed decryption. In this process, the IAT is rearranged and when the IAT rearrangement is completed, the program is moved to the OEP point where decoding is completed. The UPX packer did not have the time spent analyzing because the decryption process proceeded with no defense code.

Comparative Example 2 shows that the unpacking of the packed executable file using the PECompact packer causes the obfuscation to proceed after the program is executed as shown in the PECompact unpacking process of Fig. 8B, causing the debugger to be confused, After passing the point, the IAT rearrangement is executed. When the decryption program (code) is executed based on the rearranged IAT and the decryption is completed, it moves to the OEP point. In the case of PECompact, the obfuscation function was further applied as compared to the UPX packer, and the analysis required more time than Comparative Example 1.

In the comparative example 3, unpacking of the packed executable file using the FSG (Fast Small Good) packer causes the IAT rearrangement to proceed after the program is executed, as shown in the FSG unpacking process of FIG. 8C, Obfuscation proceeds at the point when rearrangement is completed. After passing the obfuscation code, the decryption code decrypts the encrypted code. After decryption is completed, it moves to OEP point. Comparative Example 3 took a time similar to Comparative Example 2 for its analysis.

In the comparative example 4, the unpacking of the packed executable file using the ASProtect packer, the IAT re-arrangement is performed after the program is executed as shown in the ASProtect unpacking process of FIG. 8D, Obfuscation progresses. In addition, an interrupting code is activated to check whether the current state is analyzed. After the analysis is confirmed, a virtual machine is created, and the obfuscation code operates in the created virtual machine. After the obfuscation proceeds, the decryption process proceeds to decrypt the encrypted code. When the decoding process is completed, the program is executed after moving to the OEP point of the decoded code. In Comparative Example 4, various unpacking protection methods were applied and more analysis time was required than in Comparative Examples 1 to 3.

Hereinafter, unpacking of separate execution compression according to an embodiment of the present invention (Embodiment 1) will be described. As shown in FIG. 8E, when the program is executed, the IAT rearrangement is performed. When the IAT rearrangement is completed, the obfuscation proceeds, and the obstructive code operates in the obfuscation process, . If the operation of the disturb code is normal, the obfuscation is executed again after the virtual machine is created. This process is the same as in Comparative Example 4. [ However, when the decrypted program is extracted and the decrypted decrypted program is executed, the decrypted program is terminated by the process protection function because the process is already being analyzed by the debugger. Therefore, the analyst can not proceed further analysis.

Even if the other debugger traces the unpacking process through the method of attatching the process, the analysis can be blocked because the access of the debugger is blocked by the process protection function which occupies the process preemptively. As described above, when the separate execution compression method according to the present invention is applied, more analysis time investment is required compared with the analysis time spent in Comparative Examples 1 to 4.

The comparative analysis of the functional application of the packers of Comparative Examples 1 to 4 and Example 1 described above is shown in Table 1 below.

Conventional packers basically contain a decoding code in one file. Even if a conventional unpacking protection method (for example, an interrupt code, IAT rearrangement, obfuscation, or virtualization) is applied, It was not difficult to find the decoded code.

However, in the case of the separate execution compression function according to an embodiment of the present invention, a decryption code exists externally, and a file name and a structure of a decryption program existing outside can be variously generated. As a result, the analyst may have difficulty locating the decoded code and the process protection function may block the currently known debugging process approach in the course of the interaction between the packed program and the decoded program.

In addition, since the separate execution compression technique can apply all the contents presented in the previously-proposed unpacking protection method, the analyst needs to analyze both the packed program and the decryption program at the same time, It consumes a lot of analysis time.

According to the unpacking protection method of the present invention, unpacking protection method can be applied to a file to be packed and a decryption program in a double manner, so that analysis can be delayed and the access of a debugger can be controlled through a process protection technique , The decoding program is separated and the analysis can be delayed by increasing the object of analysis to the analyst.

Alternatively, the invention may be embodied by computer-executable instructions stored on a computer-readable storage medium. The computer-readable storage medium of the present disclosure includes any kind of storage device in which data that can be read by a computer system is stored.

Examples of computer-readable storage media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage, etc., and also implementations in the form of carrier waves (e.g., transmission over the Internet) . In addition, the computer-readable storage medium may be distributed over a networked computer system so that computer readable code in a distributed manner may be stored and executed.

The embodiments of the present invention have been described above. It will be understood by those skilled in the art that the present invention may be embodied in various other forms without departing from the spirit or essential characteristics thereof. Therefore, the above-described embodiments should be considered from an illustrative point of view, not from a limiting viewpoint. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and the inventions claimed by the claims and the inventions equivalent to the claimed invention are to be construed as being included in the present invention.

Claims (11)

An unpacking protection device with a code separation comprising a detachable compression module,
Wherein the separation executing compression module comprises:
Packing a first executable file;
Generating a decryption program for unpacking the packed first executable file, the decrypted program having a packed file structure; And
And to integrate the packed first executable file and the generated decoded program as a second executable file,
Wherein the decryption program includes a decryption code for decrypting an encrypted predefined section and is called by an independent program for unpacking or by the second executable file,
Packing the first executable file includes extracting a predefined section from the first executable file and encrypting the predefined section,
The decryption code is encrypted by the separation executing compression module,
The packed first executable file and the generated decryption program have a PE (Portable Executable) file structure, and the encrypted predefined section and the encrypted decryption code are subjected to bit-arithmetic operation Wherein the key input is determined based on at least one of an input value from a user, a value generated by a random function, and a preset value,
And integrating the packed first executable file and the generated decoded program as a second executable file includes inserting the generated decoded program into the .reloc section of the packed first executable file, Applied unpacking protection device. The method according to claim 1,
Wherein the separate execution compression module is further configured to pack the first executable file and generate a decryption program using one or more of an interrupt code, an IAT (Import Address Table) rearrangement, obfuscation and code virtualization, Applied unpacking protection device. delete delete delete delete delete delete delete CLAIMS 1. A packing method of an executable file to which code separation of an unpacking protection device with a code separation including a separation executing compression module is applied,
Extracting and encrypting a predefined section from the first executable file and packing the first executable file;
Generating a decryption program for unpacking the packed first executable file; And
And the detachment executing compression module integrating the packed first executable file and the generated decrypting program as a second executable file,
Wherein packing the first executable file comprises extracting a predefined section from the first executable file, encrypting the predefined section,
The merging as the second executable file includes the generated decoding program in the .reloc section of the packed first executable file,
Wherein the decryption program includes a decryption code for decrypting the encrypted predefined section and is called by an independent program for unpacking or by the second executable file, Wherein the packed first executable file and the generated decryption program have a PE (Portable Executable) file structure, and the encrypted predefined section and the decrypted code are encrypted based on a key input Wherein the key input is based on at least one of an input value from a user, a value generated by a random function, and a preset value, Way. delete

Images