WO2006123875A1 - Method of preventing audio-data capture in windows multimedia system - Google Patents

Publication number: WO2006123875A1
Authority: WO, WIPO (PCT)
Prior art keywords: audio, function, data, code, capture
Application number: PCT/KR2006/001799
Inventor: Sung Yub Kim
Original Assignee: Sung Yub Kim
Application filed by: Sung Yub Kim

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/16 Sound input; Sound output

Definitions

  • the present invention generally relates to a method of preventing audio-data capture in the Windows multimedia system. More particularly, the present invention relates to a method of preventing audio-data capture in the Windows multimedia system, in which the interception of data transmitted to the kernel after multimedia Application Programming Interface (API) is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dynamic link library (dll) has been altered, data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking, the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented, and the interception of data transmitted to an audio adaptor driver can be prevented by controlling an audio mixer.
  • API Application Programming Interface
  • the method includes a method (1) of intercepting data transmitted to the kernel by hooking the multimedia API, a method (2) of intercepting data transmitted to the audio adaptor driver, and a method (3) of intercepting data output from the audio adaptor.
  • the term "DRM" refers to technology and service for protecting the profits and rights of the copyright-related persons by preventing the illegal use of digital contents.
  • the method may include a method of providing a user with specially produced hardware of the adaptor in order for a company that produces the audio adaptor to intercept data, a method of intercepting data at the audio adaptor by employing digital data output from a digital output terminal, such as Sony/Philips Digital interface (SPDIF), to digital devices, and a method of intercepting data by employing digital data output for USB audio devices and 1394 audio devices.
  • a digital output terminal such as Sony/Philips Digital interface (SPDIF)
  • SPDIF Sony/Philips Digital interface
  • Windows multimedia system in such a manner that the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered is used, the output of digital data to drivers, which are found to be dangerous after checking, can be denied by checking connected drivers when outputting digital data, and the audio mixer can be controlled
  • the present invention has been made in view of the above problems occurring in the prior art, and it is an object of the present invention to provide a method of preventing audio-data capture in the Windows multimedia system, in which the interception of data transmitted to the kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered.
  • the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.
  • FIG. 1 is a block diagram illustrating a method of intercepting digital data in a
  • FIG. 2 is a block diagram illustrating a Windows multimedia system according to an embodiment of the present invention
  • FIG. 3 is a block diagram illustrating a method of protecting import information, of a method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention
  • FIG. 4 is a block diagram illustrating a method of protecting a function LoadLibrary
  • FIG. 5 is a block diagram illustrating a method of intercepting API of multimedia dll used for recording in order to prevent recording, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention
  • FIG. 6 is a block diagram illustrating a method of determining whether multimedia dll has been altered, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
  • FIG. 7 is a block diagram illustrating a method of controlling an audio mixer, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
  • a method of preventing audio-data capture in a Windows multimedia system wherein a method of protecting import information includes determining which dll will be loaded in order to connect a function upon link, storing the loaded dll in an execution file and allowing a Windows operating system to perform a corresponding process upon execution, and wherein information about dll that will be loaded and stored is recorded into an import region of an execution file.
  • the method of preventing audio-data capture in a Windows multimedia system includes the steps of searching the execution file for a DOS header of the information, searching the DOS header for a NT header, searching a directory region of the NT header for an import descriptor, searching the import descriptor for the name of dll to be loaded, searching function information arrangement of the import descriptor for the name of a function, and recording false information every step.
  • a method of preventing audio-data capture in a Windows multimedia system wherein a method of protecting a function LoadLibrary API and a function GetProcAddress API includes allowing a spy program to intercept the two API functions and to execute its code, using a method of directly obtaining addresses of the function LoadLibrary API and the function GetProcAddress API in a Windows kernel from the kernel, thus preventing the leakage of data.
  • the method of preventing audio-data capture in a Windows multimedia system includes the steps of determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions, if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data, and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed.
  • the step of determining whether the code for executing the code of the capture program is the same as the original code includes the step of directly comparing the code of the original dll and the code of dll loaded within the process, or the step of comparing code parts after generating a verify code using a hash function
  • a method of preventing audio-data capture in a Windows multimedia system wherein a method of preventing recording by intercepting APIs of multimedia dll used for recording includes the steps of interrupting all processes in which a hook event has occurred using a hook function provided by Windows, examining an import region of the process in order to determine whether there is a part that uses a function waveIn(), and connecting the part to a code of a capture prevention program in order to have function call for recording failed, or directly knowing an address of waveIn() using GetProcAddress API in order to prevent calling.
  • GetProcAddress API in order to prevent calling includes the steps of connecting GetProcAddress() to the code of the capture prevention program, and if the capture program wants waveIn() in the code, providing an address of waveIn(), which is provided by the capture prevention program and will be failed.
  • a method of determining whether multimedia dll has been altered includes the step of determining whether contents of a code have been changed by comparing a code part of a corresponding function and a corresponding part of a file state in the case where the function of a capture program is not executed by manipulating an import information region, but a desired work is to be performed by inserting the code into a start portion of a function waveOut() so that the work can skip to a function for data leakage of the capture program, when intercepting the audio data by manipulating a code of multimedia dll itself.
  • a method of preventing audio-data capture in a Windows multimedia system wherein a method of controlling an audio mixer includes the steps of allowing output programs of a MP3 player to transfer data, which is output to a sound device, to an external device, such as a speaker, through an output mixer, allowing an input mixer to select a microphone, a line-in, and a CD audio input through, digitally sampling the signals and transferring the digitally sampled signals to recording programs, and precluding audio data transferred to a capture application by setting the volume of the input mixer to 0 or using a mute function.
  • FIG. 2 is a block diagram illustrating a Windows multimedia system according to an embodiment of the present invention.
  • the Windows multimedia system includes a rendering application 10, a capture application 20, multimedia APIs 11, 21, a Windows multimedia kernel 30, an audio driver 40, an audio adaptor driver 50, an audio adaptor 60, a Digital to Analog (DA) converter 61, an Analog to Digital (AD) converter 62, a speaker 70, a microphone 80, and so on.
  • DA Digital to Analog
  • AD Analog to Digital
  • the rendering application 10 refers to a user program for outputting audio data and may include MP3 player programs.
  • the capture application 20 refers to a user program for storing audio data received from a microphone, a line-in, and so on, and may include a variety of recording programs.
  • the multimedia APIs 11, 21 are included in the rendering application 10 and the capture application 20.
  • the Windows multimedia kernel 30 is a system region in which multimedia related functions, such as audio and video, are collected in the Windows environment
  • the audio driver 40 is an abstracted system driver of an audio adaptor drive.
  • the audio adaptor driver 50 is a driver for driving audio adaptor hardware and serves to match each audio adaptor to the Windows standards.
  • the audio adaptor 60 is hardware of the sound card. The audio adaptor 60 serves to convert digital data into analog data using the DA converter 61 and output the converted data to the speaker, etc., or to sample analog data using the AD converter 62 in order to produce digital data.
  • the speaker 70 serves to output audio data, and the microphone 80 serves to input it.
  • wave Pulse Coded Modulation (PCM) shown in FIG. 2 is one of the methods of representing audio data through digitization.
  • Analog input is data recorded by measuring a voltage according to a predetermined sampling time interval and analog audio is analog data of the audio.
  • FIG. 3 is a block diagram illustrating a method of protecting import information, of a method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
  • modules for example, execution files such as exe and dll
  • To this end, the Windows operating system determines which dll will be loaded in order to connect the function upon link, stores the loaded dll in an execution file, and performs a corresponding process upon execution. Information about the loaded dll to be stored is recorded into an import region of the execution file.
  • the information is defined in a Portable Executable (PE) format and can protect import information through the following steps.
  • An execution file is searched for a DOS header of the information (S30).
  • The DOS header is searched for an NT header (S31).
  • A directory region of the NT header is searched for an import descriptor (S32).
  • The import descriptor is searched for the name of the dll to be loaded (S33).
  • The function information arrangement of the import descriptor is searched for the name of a function (S34). Thereafter, false information is recorded at every step (S35).
  • the import descriptor has the arrangement of information of dll to be loaded and each element has a location of function information of dll to be connected.
  • the import information is accessible by all the processes.
  • An audio capture program and a function used for the output by a player using the information can be replaced with its capture function.
  • Such a capture attempt can be prevented by hiding the import information itself.
  • the hiding method can be easily implemented by recording false information every step.
  • FIG. 4 is a block diagram illustrating a method of protecting a function LoadLibrary
  • the capture program can insert a function for capture into a player.
  • the import information protection method may be used to discourage the capture program to replace the functions LoadLibrary and GetProcAddress with its functions. Furthermore, it can be determined whether the functions are original Windows system functions, have been changed to other function or have been modified.
  • a method of protecting the function LoadLibrary API and the function GetProcAddress API includes allowing a spy program to intercept the two API functions and to execute its code, using a method of directly obtaining the addresses of the function LoadLibrary API and the function GetProcAddress API in a Windows kernel from the kernel, thus preventing the leakage of data.
  • the method of protecting the function LoadLibrary API and the function GetProcAddress API includes the steps of determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions (S40), if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data (S41), and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed (S42).
  • the code of the original dll and the code of dll loaded within the process can be directly compared (S42-1).
  • code parts can be compared after generating a verify code using a hash function (S42-2).
  • the dll is a collection of small programs. Any one of the small programs can be called when it is required in a large program executed in a computer.
  • the file dll may be loaded and executed, if appropriate, thus saving RAM space.
  • FIG. 5 is a block diagram illustrating a method of intercepting API of multimedia dll used for recording in order to prevent recording, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
  • One of the APIs used for recording by the capture program is a function waveIn() of winmm.dll.
  • the capture program reads audio data from the sound card using the function. Accordingly, the recording can be made to fail by hindering the operation of the function.
  • the method of preventing recording by intercepting APIs of the multimedia dll used for recording includes interrupting all processes in which a hook event is generated using a hook function provided by Windows (S50), examining an import region of the process in order to determine whether there is a part that uses the function waveIn() (S51), and connecting the part to the code of the capture prevention program in order to have function call for recording failed (S52) or directly finding the address of waveIn() using GetProcAddress API in order to prevent calling (S52-1).
  • step S53 GetProcAddress() is connected to the code of the capture prevention program (S52-1-1). If the capture program wants waveIn() in the code, an address of waveIn(), which is provided by the capture prevention program and will be failed, is provided (S52-2-1), thereby deactivating the recording function.
  • the capture program replaces the output function, which is called by a player, with its function so as to intercept the data output, thereby intercepting audio data.
  • the capture prevention program replaces the audio recording function of the capture program with its function so as to intercept the data input, thereby intercepting the recording of original data.
  • FIG. 6 is a block diagram illustrating a method of determining whether multimedia dll has been altered, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention
  • FIG. 7 is a block diagram illustrating a method of controlling an audio mixer, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention
  • a sound device in general, includes two input and output audio mixers. Each of the mixers serves to select signals received from several audio sources and amplify the selected signals.
  • the interception of data transmitted to the kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered
  • data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking.
  • the leakage of data which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented
  • the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.

Abstract

The present invention relates to a method of preventing audio-data capture in a Windows multimedia system. The interception of data transmitted to a kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered. Furthermore, data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking. Furthermore, the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented. In addition, the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.

Description

METHOD OF PREVENTING AUDIO-DATA CAPTURE IN WINDOWS MULTIMEDIA SYSTEM
Technical Field
[1] The present invention generally relates to a method of preventing audio-data capture in the Windows multimedia system. More particularly, the present invention relates to a method of preventing audio-data capture in the Windows multimedia system, in which the interception of data transmitted to the kernel after multimedia Application Programming Interface (API) is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dynamic link library (dll) has been altered, data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking, the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented, and the interception of data transmitted to an audio adaptor driver can be prevented by controlling an audio mixer.
[2]
Background Art
[3] In general, in the construction of the Windows multimedia system shown in FIG. 1, there are several methods of intercepting digital audio data of contents to which Digital Rights Management (DRM) has been applied.
[4] For example, there is a method of intercepting digital audio data within the Windows system. The method includes a method (1) of intercepting data transmitted to the kernel by hooking the multimedia API, a method (2) of intercepting data transmitted to the audio adaptor driver, and a method (3) of intercepting data output from the audio adaptor. There is a problem in that rightful persons are damaged by the leakage of data, etc. due to the methods. The term "DRM" refers to technology and service for protecting the profits and rights of the copyright-related persons by preventing the illegal use of digital contents.
[5] There is another method of intercepting digital audio data outside the Windows system. The method may include a method of providing a user with specially produced hardware of the adaptor in order for a company that produces the audio adaptor to intercept data, a method of intercepting data at the audio adaptor by employing digital data output from a digital output terminal, such as Sony/Philips Digital interface (SPDIF), to digital devices, and a method of intercepting data by employing digital data output for USB audio devices and 1394 audio devices.
[6] In addition, data can be intercepted using a method of recording analog data output to the speaker or re-inputting (look back) the data to a line-in input terminal of the audio adaptor. However, if converted analog data are sampled digitally again, there is a problem in that the sound quality is lost. The SPDIF is one of digital output methods and refers to home digital output specification defined by Sony/Philips.
[7] Meanwhile, Microsoft Corporation provides API in which audio data of DRM contents can be transmitted through safe channels separated from common audio data channels due to the problems inherent in the method of intercepting digital audio data within the Windows system, the method of intercepting digital audio data outside the Windows system, and so on.
[8] To prevent the method of intercepting data transmitted to the kernel by hooking the multimedia API, encrypted digital audio data are transmitted between an application and the kernel. To prevent the method of intercepting data transmitted to the audio adaptor driver, the method of intercepting data output from the audio adaptor, and the method of providing a user with specially produced hardware of the adaptor in order for a company that produces the audio adaptor to intercept data, there is provided a protection solution for providing DRM audio data only through a driver or an adaptor that has been found that data of DRM contents are not leaked by Microsoft Corporation through authentication.
[9] In addition, when the digital data are output to an external digital device as in the method of intercepting data using digital data output from a digital output terminal of the audio adaptor, such as SPDIF, to digital devices and the method of intercepting data using digital data output for the USB audio device and the 1394 audio devices, a method is proposed in which an adaptor is authenticated and audio data of DRM contents are output in a digital data form only when it is guaranteed that the Windows system confirms the type and characteristic of an external digital device and determines whether the output accordingly will be output. The above-mentioned method by Microsoft Corporation is perfect in implementing the OS level of the DRM system, but has a difficulty until it is available to all the systems.
[10] Accordingly, there is a need for a system for preventing audio data capture in the Windows multimedia system in such a manner that the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered is used, the output of digital data to drivers, which are found to be dangerous after checking, can be denied by checking connected drivers when outputting digital data, and the audio mixer can be controlled.
[11]
Disclosure of Invention
Technical Problem
[12] Accordingly, the present invention has been made in view of the above problems occurring in the prior art, and it is an object of the present invention to provide a method of preventing audio-data capture in the Windows multimedia system, in which the interception of data transmitted to the kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered.
[13] It is another object of the present invention to provide a method of preventing audio-data capture in the Windows multimedia system, in which data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking.
[14] It is further another object of the present invention to provide a method of preventing audio-data capture in the Windows multimedia system, in which the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented. In addition, the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.
[15]
Brief Description of the Drawings
[16] Further objects and advantages of the invention can be more fully understood from the following detailed description taken in conjunction with the accompanying drawings in which:
[17] FIG. 1 is a block diagram illustrating a method of intercepting digital data in a Windows multimedia system in the related art;
[18] FIG. 2 is a block diagram illustrating a Windows multimedia system according to an embodiment of the present invention;
[19] FIG. 3 is a block diagram illustrating a method of protecting import information, of a method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention;
[20] FIG. 4 is a block diagram illustrating a method of protecting a function LoadLibrary API and a function GetProcAddress API, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention;
[21] FIG. 5 is a block diagram illustrating a method of intercepting API of multimedia dll used for recording in order to prevent recording, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention;
[22] FIG. 6 is a block diagram illustrating a method of determining whether multimedia dll has been altered, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention; and
[23] FIG. 7 is a block diagram illustrating a method of controlling an audio mixer, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[24]
Best Mode for Carrying Out the Invention
[25] To accomplish the above objects, according to an aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of protecting import information includes determining which dll will be loaded in order to connect a function upon link, storing the loaded dll in an execution file and allowing a Windows operating system to perform a corresponding process upon execution, and wherein information about dll that will be loaded and stored is recorded into an import region of an execution file. The method of preventing audio-data capture in a Windows multimedia system includes the steps of searching the execution file for a DOS header of the information, searching the DOS header for a NT header, searching a directory region of the NT header for an import descriptor, searching the import descriptor for the name of dll to be loaded, searching function information arrangement of the import descriptor for the name of a function, and recording false information every step.
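The import region walked in the steps above (DOS header, NT header, import directory entry, import descriptor, dll name, function names) can be inspected with a short parser. The following is an added example, not code from the patent: it handles PE32 only, `build_sample()` builds a constructed in-memory image importing two real winmm.dll functions, and all function names are hypothetical. It also shows what an import audit reports when the directory entry holds a false value.

```python
import struct

def cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {dll name: [function names]} for a PE32 file image."""
    if data[:2] != b"MZ":                                    # DOS header
        raise ValueError("no DOS header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew -> NT header
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no NT header")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]  # directory entry 1
    if imp_rva == 0:
        return {}
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
                for i in range(nsec)]

    def rva2off(rva):
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)

    imports, desc = {}, rva2off(imp_rva)
    while True:                                              # import descriptors
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not (oft or name_rva or ft):                      # all-zero terminator
            break
        funcs, thunk = [], rva2off(oft or ft)
        while True:                                          # function information array
            val = struct.unpack_from("<I", data, thunk)[0]
            if val == 0:
                break
            if val & 0x80000000:                             # import by ordinal
                funcs.append("ordinal %d" % (val & 0xFFFF))
            else:                                            # skip 2-byte hint
                funcs.append(cstr(data, rva2off(val) + 2))
            thunk += 4
        imports[cstr(data, rva2off(name_rva))] = funcs       # dll name
        desc += 20
    return imports

def audit(data):
    """Report a walk that cannot be completed instead of treating it as 'no imports'."""
    try:
        return ("ok", parse_imports(data))
    except (ValueError, struct.error) as exc:
        return ("malformed", str(exc))

def build_sample(import_rva=0x1000):
    """Constructed PE32 image: one section at RVA 0x1000, raw offset 0x200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 92, 16)
    struct.pack_into("<II", img, opt + 104, import_rva, 40)
    struct.pack_into("<8sIIII", img, opt + 224, b".idata", 0x200, 0x1000, 0x200, 0x200)

    def put(rva, blob):
        off = 0x200 + rva - 0x1000
        img[off:off + len(blob)] = blob

    put(0x1000, struct.pack("<5I", 0x1028, 0, 0, 0x1040, 0x1034))
    thunks = struct.pack("<3I", 0x1050, 0x1060, 0)
    put(0x1028, thunks)
    put(0x1034, thunks)
    put(0x1040, b"winmm.dll\0")
    put(0x1050, b"\0\0waveOutOpen\0")
    put(0x1060, b"\0\0waveOutWrite\0")
    return bytes(img)

if __name__ == "__main__":
    print(audit(build_sample()))                  # intact import region
    print(audit(build_sample(import_rva=0x9000))) # false directory value
```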
[26] Furthermore, according to another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of protecting a function LoadLibrary API and a function GetProcAddress API includes allowing a spy program to intercept the two API functions and to execute its code, using a method of directly obtaining addresses of the function LoadLibrary API and the function GetProcAddress API in a Windows kernel from the kernel, thus preventing the leakage of data. The method of preventing audio-data capture in a Windows multimedia system includes the steps of determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions, if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data, and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed.
[27] In the present invention, the step of determining whether the code for executing the code of the capture program is the same as the original code includes the step of directly comparing the code of the original dll and the code of dll loaded within the process can be directly compared, or the step of compaπng code parts after generating a verify code using a hash function
[28] Furthermore, according to further another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of preventing recording by intercepting APIs of multimedia dll used for recording includes the steps of interrupting all processes in which a hook event has occurred using a hook function provided by Windows, examining an import region of the process in order to determine whether there is a part that uses a function waveln(), and connecting the part to a code of a capture prevention program in order to have function call for recording failed, or directly knowing an address of waveln() using GetProcAddress API in order to prevent calling.
[29] In the present invention, the step of directly finding the address using waveln() and
GetProcAddress API in order to prevent calling includes the steps of connecting GetP- rocAddress() to the code of the capture prevention program, and if the capture program wants wavelnQ in the code, providing an address of waveln(), which is provided by the capture prevention program and will be failed.
[30] Furthermore, according to further another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of determining whether multimedia dll has been altered includes the step of determining whether contents of a code have been changed by comparing a code part of a corresponding function and a corresponding part of a file state in the case where the function of a capture program is not executed by manipulating an import information region, but a desired work is to be performed by inserting the code into a start portion of a function waveθut() so that the work can skip to a function for data leakage of the capture program, when intercepting the audio data by manipulating a code of multimedia dll itself.
[31] Furthermore, according to further another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of controlling an audio mixer includes the steps of allowing output programs of a MP3 player to transfer data, which is output to a sound device, to an external device, such as a speaker, through an output mixer, allowing an input mixer to select a microphone, a line-in, and a CD audio input through, digitally sampling the signals and transferring the digitally sampled signals to recording programs, and precluding audio data transferred to a capture application by setting the volume of the input mixer to 0 or using a mute function.
[32] The present invention will now be described in detail in connection with specific embodiments with reference to the accompanying drawings.
[33] FIG. 2 is a block diagram illustrating a Windows multimedia system according to an embodiment of the present invention.
[34] Referring to FIG. 2, the Windows multimedia system according to an embodiment of the present invention includes a rendering application 10, a capture application 20, multimedia APIs 11, 21, a Windows multimedia kernel 30, an audio driver 40, an audio adaptor driver 50, an audio adaptor 60, a Digital to Analog (DA) converter 61, an Analog to Digital (AD) converter 62, a speaker 70, a microphone 80, and so on.
[35] The function of each of the technical means constituting the Windows multimedia system will be described below.
[36] The rendering application 10 refers to a user program for outputting audio data and may include MP3 player programs.
[37] The capture application 20 refers to a user program for storing audio data received from a microphone, a line-in, and so on, and may include a variety of recording programs. The multimedia APIs 11, 21 are included in the rendering application 10 and the capture application 20.
[38] The Windows multimedia kernel 30 is a system region in which multimedia related functions, such as audio and video, are collected in the Windows environment.
[39] The audio driver 40 is an abstracted system driver of an audio adaptor driver.
[40] The audio adaptor driver 50 is a driver for driving audio adaptor hardware and serves to match each audio adaptor to the Windows standards.
[41] The audio adaptor 60 is hardware of the sound card. The audio adaptor 60 serves to convert digital data into analog data using the DA converter 61 and output the converted data to the speaker, etc., or to sample analog data using the AD converter 62 in order to produce digital data.
[42] The speaker 70 serves to output audio data, and the microphone 80 serves to input audio data.
[43] Furthermore, wave Pulse Coded Modulation (PCM) shown in FIG. 2 is one of the methods of representing audio data through digitization. Analog input is data recorded by measuring a voltage according to a predetermined sampling time interval and analog audio is analog data of the audio.
[44] FIG. 3 is a block diagram illustrating a method of protecting import information, of a method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[45] In order for the functions of the system or the functions of other modules to be used, modules (for example, execution files such as exe and dll) that provide corresponding functions must be loaded. One of the methods of the Windows operating system to this end determines which dll will be loaded in order to connect the function upon link, stores the loaded dll in an execution file, and allows the Windows operating system to perform a corresponding process upon execution. Information about the loaded dll to be stored is recorded into an import region of the execution file. The information is defined in the Portable Executable (PE) format, and import information can be protected through the following steps.
[46] An execution file is searched for a DOS header of the information (S30). The DOS header is searched for a NT header (S31). A directory region of the NT header is searched for an import descriptor (S32). The import descriptor is searched for the name of the dll to be loaded (S33). The function information arrangement of the import descriptor is searched for the name of a function (S34). Thereafter, false information is recorded at every step (S35). The import descriptor has the arrangement of information of dll to be loaded and each element has a location of function information of dll to be connected.
[47] For example, if a function waveOut() of winmm.dll is to be used in a player program, information for loading winmm.dll and information about the function waveOut() are recorded into the player program upon link. Upon execution, a loader of the operating system loads winmm.dll on the player process using the information. A location of the function is set so that the function waveOut() can be used. Accordingly, the function is prepared for use.
[48] The import information is accessible by all the processes. Using this information, an audio capture program can replace a function used for output by a player with its own capture function. Such a capture attempt can be prevented by hiding the import information itself. The hiding method can be easily implemented by recording false information at every step.
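The search order of steps S30 to S34 is the same walk any PE inspection tool performs to list what a player imports. The following is an added example, not code from the patent; the sample image built by `build_sample()` is constructed for illustration, and the function names `waveOutOpen` and `waveOutWrite` stand in for the page's generic waveOut().

```python
import struct

def _cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {dll name: [function names]} following the S30-S34 search order."""
    if data[:2] != b"MZ":                                   # S30: DOS header
        raise ValueError("DOS header signature missing")
    (nt,) = struct.unpack_from("<I", data, 0x3C)            # S31: e_lfanew -> NT header
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("NT header signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", data, nt + 6)
    opt = nt + 24                                           # start of optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    pe32 = magic == 0x10B
    # S32: data directory entry 1 is the import directory
    imp_rva, _ = struct.unpack_from("<II", data, opt + (96 if pe32 else 112) + 8)
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]

    def off(rva):
        """Map an RVA to a file offset via the section table."""
        for vsize, va, rsize, rptr in sections:
            if va <= rva < va + max(vsize, rsize) and rptr + rva - va < len(data):
                return rptr + rva - va
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    fmt, width, by_ordinal = ("<I", 4, 1 << 31) if pe32 else ("<Q", 8, 1 << 63)
    imports = {}
    desc = off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not (oft or name_rva or ft):                     # all-zero terminator
            break
        dll = _cstr(data, off(name_rva)).lower()            # S33: dll name
        thunk = off(oft or ft)                              # S34: function info array
        funcs = imports.setdefault(dll, [])
        while True:
            (entry,) = struct.unpack_from(fmt, data, thunk)
            if entry == 0:
                break
            if entry & by_ordinal:                          # import by ordinal
                funcs.append("#%d" % (entry & 0xFFFF))
            else:                                           # skip the 2-byte hint
                funcs.append(_cstr(data, off(entry) + 2))
            thunk += width
        desc += 20
    return imports

def build_sample():
    """Constructed minimal PE32 image: one .idata section importing from winmm.dll."""
    img = bytearray(0x400)

    def put(offset, blob):
        img[offset:offset + len(blob)] = blob

    put(0x00, b"MZ")
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    put(0x40, b"PE\0\0")
    struct.pack_into("<HH12xHH", img, 0x44, 0x14C, 1, 224, 0x0102)
    struct.pack_into("<H", img, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x1000, 40) # import directory
    struct.pack_into("<8s4I", img, 0x138, b".idata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<5I", img, 0x200, 0x1028, 0, 0, 0x1040, 0x1028)
    struct.pack_into("<3I", img, 0x228, 0x1050, 0x1060, 0)  # thunk array
    put(0x240, b"winmm.dll\0")
    put(0x250, b"\0\0waveOutOpen\0")
    put(0x260, b"\0\0waveOutWrite\0")
    return bytes(img)

if __name__ == "__main__":
    print(parse_imports(build_sample()))
```

A file whose import region no longer carries consistent information fails this walk with a `ValueError` when a signature or RVA does not resolve.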
[49] FIG. 4 is a block diagram illustrating a method of protecting a function LoadLibrary API and a function GetProcAddress API, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[50] In order for the functions of the system or the functions of other modules to be used, modules (for example, execution files such as exe and dll) that provide corresponding functions must be loaded. In the method of loading a corresponding dll directly while a program is running (i.e., the other method of the Windows operating system to this end), the capture program can insert a function for capture into a player.
[51] That is, although a player process loads winmm.dll directly, finds the location of the function waveOut(), and uses the location, the function LoadLibrary API and the function GetProcAddress API must be used in order to perform the process. During the process, if the capture program replaces the function LoadLibrary and the function GetProcAddress with its own, the function obtained by the player process is the function of the capture program, not the original function waveOut(). Accordingly, the capture program can intercept audio data output from the player without change.
[52] Accordingly, to prevent such interception, the import information protection method may be used to discourage the capture program from replacing the functions LoadLibrary and GetProcAddress with its own functions. Furthermore, it can be determined whether the functions are original Windows system functions, have been changed to other functions, or have been modified.
[53] In other words, a method of protecting the function LoadLibrary API and the function GetProcAddress API includes allowing a spy program to intercept the two API functions and to execute its code, using a method of directly obtaining the addresses of the function LoadLibrary API and the function GetProcAddress API in a Windows kernel from the kernel, thus preventing the leakage of data.
[54] The method of protecting the function LoadLibrary API and the function GetProcAddress API includes the steps of determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions (S40), if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data (S41), and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed (S42).
[55] In the step S42, the code of the original dll and the code of dll loaded within the process can be directly compared (S42-1). Alternatively, code parts can be compared after generating a verify code using a hash function (S42-2). The dll is a collection of small programs. Any one of the small programs can be called when it is required in a large program executed in a computer. The file dll may be loaded and executed, if appropriate, thus saving RAM space.
[56] FIG. 5 is a block diagram illustrating a method of intercepting API of multimedia dll used for recording in order to prevent recording, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[57] One of the APIs used for recording by the capture program is a function waveIn() of winmm.dll. The capture program reads audio data from the sound card using the function. Accordingly, the recording can be made to fail by hindering the operation of the function.
[58] To this end, if the pointer of the function is replaced with the function waveIn() provided by the capture prevention program in all processes that are not operating in the Windows operating system, the leakage of data can be precluded since the function to be used by the capture program cannot be used.
[59] The method of preventing recording by intercepting APIs of the multimedia dll used for recording includes interrupting all processes in which a hook event is generated using a hook function provided by Windows (S50), examining an import region of the process in order to determine whether there is a part that uses the function waveIn() (S51), and connecting the part to the code of the capture prevention program in order to have function call for recording failed (S52) or directly finding the address of waveIn() using GetProcAddress API in order to prevent calling (S52-1).
[60] In the step S53, GetProcAddress() is connected to the code of the capture prevention program (S52-1-1). If the capture program wants waveIn() in the code, an address of waveIn(), which is provided by the capture prevention program and will fail, is provided (S52-2-1), thereby deactivating the recording function.
[61] As a result, in order to prevent recording, the capture program replaces the output function, which is called by a player, with its function so as to intercept the data output, thereby intercepting audio data. The capture prevention program replaces the audio recording function of the capture program with its function so as to intercept the data input, thereby intercepting the recording of original data.
[62] FIG. 6 is a block diagram illustrating a method of determining whether multimedia dll has been altered, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[63] There is the method of replacing the function waveOut() (i.e., the audio output function) with the function of the capture program by manipulating the import information region or manipulating the operation of the functions LoadLibrary and GetProcAddress, as described above with reference to FIGS. 3 and 4. Furthermore, there will be a method of intercepting audio data by manipulating a code of the multimedia dll itself as shown in FIG. 6.
[64] When intercepting audio data by manipulating the code of the multimedia dll itself, it is determined whether the contents of the code have been changed by comparing a code part of a corresponding function and a corresponding part of a file state in the case where the function of the capture program is not executed by manipulating the import information region, but a desired work is to be performed by inserting the code into the start portion of the function waveOut() so that the work can skip to the function for data leakage of the capture program (S60), thereby preventing the capture of audio data.
[65] FIG. 7 is a block diagram illustrating a method of controlling an audio mixer, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
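The checks of steps S40 to S42 and the file comparison of step S60 reduce to two questions: does the resolved address fall inside the expected module, and do the bytes at that address still match the original file. The following is an added example, not code from the patent; the module bases, the byte patterns and all function names are constructed, and it assumes the compared bytes contain no addresses the loader rewrites.

```python
import hashlib
from collections import namedtuple

# name: module name; base: load address; image: bytes mapped at base (constructed)
Module = namedtuple("Module", "name base image")

def owner_of(modules, addr):
    """Return the module whose mapped range contains addr, or None."""
    for m in modules:
        if m.base <= addr < m.base + len(m.image):
            return m
    return None

def check_function(modules, expected, addr, file_image, length=8, use_hash=False):
    """Classify a resolved function address as the protection method would.

    file_image holds the expected module's bytes taken from the original file,
    indexed by RVA. Returns "outside-module", "code-modified" or "ok".
    """
    owner = owner_of(modules, addr)
    if owner is None or owner.name.lower() != expected.lower():
        return "outside-module"              # S40 fails, so S41 stops the output
    rva = addr - owner.base
    live = owner.image[rva:rva + length]     # start of the function in the process
    ref = file_image[rva:rva + length]       # same bytes in the original file
    if use_hash:                             # S42-2: compare verify codes
        same = hashlib.sha256(live).digest() == hashlib.sha256(ref).digest()
    else:                                    # S42-1 / S60: direct comparison
        same = live == ref
    return "ok" if same else "code-modified"

def audio_output_allowed(results):
    """Output continues only when every checked function is unmodified."""
    return all(r == "ok" for r in results)

# --- constructed sample data -------------------------------------------------
K32_BASE, OTHER_BASE = 0x7C800000, 0x10000000
LOADLIBRARY_RVA, GETPROC_RVA = 0x40, 0x80

def make_image(patched_rva=None):
    """Constructed 256-byte stand-in for a module image with two function starts."""
    img = bytearray(0x100)
    for rva in (LOADLIBRARY_RVA, GETPROC_RVA):
        img[rva:rva + 5] = bytes.fromhex("8bff558bec")    # ordinary function start
    if patched_rva is not None:
        img[patched_rva:patched_rva + 5] = bytes.fromhex("e9fbaf0000")  # jump written over it
    return bytes(img)

if __name__ == "__main__":
    original = make_image()
    process = [Module("kernel32.dll", K32_BASE, make_image(GETPROC_RVA)),
               Module("other.dll", OTHER_BASE, bytes(0x100))]
    results = [check_function(process, "kernel32.dll", K32_BASE + rva, original)
               for rva in (LOADLIBRARY_RVA, GETPROC_RVA)]
    print(results, audio_output_allowed(results))
```

A real comparison against the file on disk also has to account for bytes the loader legitimately rewrites, such as relocated addresses.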
[66] In general, a sound device includes two input and output audio mixers. Each of the mixers serves to select signals received from several audio sources and amplify the selected signals.
[67] Referring to FIG. 7, in order to prevent the capture of audio data by controlling the audio mixer, output programs of an MP3 player transfer data, which have been output to a sound device, to an external device, such as a speaker, through the output mixer (S70). The input mixer selects a microphone, a line-in, and a CD audio input (S71). The signals are digitally sampled and are then transferred to recording programs (S72). Thereafter, audio data transferred to a capture application are precluded by setting the volume of the input mixer to 0 or using a mute function (S73).
[68] While the present invention has been described with reference to the particular illustrative embodiments, it is not to be restricted by the embodiments but only by the appended claims. It is to be appreciated that those skilled in the art can change or modify the embodiments without departing from the scope and spirit of the present invention.
Industrial Applicability
[70] As described above, in accordance with the method of preventing audio-data capture in the Windows multimedia system according to the present invention, the interception of data transmitted to the kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered.
[71] Furthermore, data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking.
[72] Furthermore, the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented. In addition, the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.

Claims
[1] An audio-data capture preventing method in a Windows multimedia system, comprising a method of protecting import information, in which which dll will be loaded and to which function it will be connected upon link are stored in an execution file, a Windows operating system performs a corresponding task upon execution, and information about the loaded dll is recorded into an import region of the execution file, the method of protecting the import information comprising the steps of: searching the execution file for a DOS header of the information; searching the DOS header for a NT header; searching a directory region of the NT header for an import descriptor; searching the import descriptor for the name of dll to be loaded; searching function information arrangement of the import descriptor for the name of a function; and recording false information every searching step.
[2] An audio-data capture method in a Windows multimedia system, comprising a method of protecting a function LoadLibrary API and a function GetProcAddress API, in which a spy program intercepts the two functions LoadLibrary API and GetProcAddress API by directly obtaining addresses of the functions LoadLibrary API and GetProcAddress API in a Windows kernel from a kernel such that the functions LoadLibrary API and GetProcAddress API perform their codes, preventing the leakage of data, the method of protecting the functions LoadLibrary API and GetProcAddress API comprising the steps of: determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions; if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data; and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed.
[3] The method as claimed in claim 2, wherein the step of determining whether the code for executing the code of the capture program is the same as the original code includes the step of directly comparing the code of the original dll and the code of the dll loaded within the process, or the step of comparing code parts after generating a verify code using a hash function.
[4] A method of preventing audio-data capture in a Windows multimedia system, comprising a method of preventing recording by intercepting an API of multimedia dll used for the recording, the method of preventing recording comprising the steps of interrupting all processes in which a hook event has occurred using a hook function provided by Windows, examining an import region of the process in order to determine whether there is a part that uses a function waveIn(), and connecting the part to a code of a capture prevention program in order to have function call for recording failed, or directly knowing an address of waveIn() using GetProcAddress API in order to prevent calling.
[5] The method as claimed in claim 4, wherein the step of directly finding the address using waveIn() and GetProcAddress API in order to prevent calling includes the steps of: connecting GetProcAddress() to the code of the capture prevention program; and if the capture program wants waveIn() in the code, providing an address of waveIn(), which is provided by the capture prevention program and will fail.
[6] A method of preventing audio data capture in a Windows multimedia system, comprising a method of determining whether multimedia dll has been altered, comprising the step of determining whether contents of a code have been changed by comparing a code part of a corresponding function and a corresponding part of a file state in the case where the function of a capture program is not executed by manipulating an import information region, but a desired work is to be performed by inserting the code into a start portion of a function waveOut() so that the work can skip to a function for data leakage of the capture program, when intercepting the audio data by manipulating a code of multimedia dll itself.
[7] A method of preventing audio data capture in a Windows multimedia system, comprising a method of controlling an audio mixer comprising the steps of: allowing output programs of a MP3 player to transfer data, which is output to a sound device, to an external device, such as a speaker, through an output mixer; allowing an input mixer to select a microphone, a line-in, and a CD audio input through, digitally sampling the signals and transferring the digitally sampled signals to recording programs; and precluding audio data transferred to a capture application by setting the volume of the input mixer to 0 or using a mute function.
PCT/KR2006/001799 2005-05-18 2006-05-15 Method of preventing audio-data capture in windows multimedia system WO2006123875A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020050041395A KR100778901B1 (en) 2005-05-18 2005-05-18 Sound capture protecting method for the window multimedia system
KR10-2005-0041395 2005-05-18

Publications (1)

Publication Number Publication Date
WO2006123875A1 true WO2006123875A1 (en) 2006-11-23

Family

ID=37431426

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/001799 WO2006123875A1 (en) 2005-05-18 2006-05-15 Method of preventing audio-data capture in windows multimedia system

Country Status (2)

Country Link
KR (1) KR100778901B1 (en)
WO (1) WO2006123875A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108897994A (en) * 2018-06-19 2018-11-27 广州华多网络科技有限公司 Hide method, apparatus, storage medium and the computer equipment for importing table

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100939076B1 (en) * 2008-03-28 2010-01-28 엔에이치엔비즈니스플랫폼 주식회사 Method and Apparatus for Preventing Modification of Code Using TLS Callback
KR100953355B1 (en) * 2008-04-22 2010-04-20 주식회사 안철수연구소 Method for protecting on-line electronic transaction program
KR101252188B1 (en) 2011-05-31 2013-04-05 주식회사 잉카인터넷 control method of accessing virtual memory data
KR101886311B1 (en) * 2017-08-01 2018-09-10 주식회사 인포바인 Secure call and secure call recording notification system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20020062025A (en) * 2001-01-19 2002-07-25 엘지전자 주식회사 Digital audio copy preventing apparatus and method
KR20020088737A (en) * 2001-05-21 2002-11-29 주식회사 비즈모델라인 Method and System for Keeping off Illegal Copy of Digital Contents by using the file system information Data
KR20050001805A (en) * 2003-06-26 2005-01-07 주식회사 케이티 Digital contents roundabout prevention apparatus and method for digital contents protection
US20050086501A1 (en) * 2002-01-12 2005-04-21 Je-Hak Woo Method and system for the information protection of digital content

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KOENEN R.H. ET AL.: "The long march to interoperable digital rights management", PROCEEDINGS OF THE IEEE, vol. 92, no. 8, June 2004 (2004-06-01), pages 883 - 897, XP011112815 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108897994A (en) * 2018-06-19 2018-11-27 广州华多网络科技有限公司 Hide method, apparatus, storage medium and the computer equipment for importing table
CN108897994B (en) * 2018-06-19 2022-07-08 广州华多网络科技有限公司 Method and device for hiding import table, storage medium and computer equipment

Also Published As

Publication number Publication date
KR100778901B1 (en) 2007-11-22
KR20060118940A (en) 2006-11-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS EPO FORM 1205A DATED 19.03.2008.

122 Ep: pct application non-entry in european phase

Ref document number: 06757722

Country of ref document: EP

Kind code of ref document: A1