WO2006123875A1 - Method of preventing audio-data capture in windows multimedia system - Google Patents
- Publication number: WO2006123875A1 (PCT/KR2006/001799)
- Authority: WO, WIPO (PCT)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/16—Sound input; Sound output
Definitions
- a method of preventing audio-data capture in a Windows multimedia system wherein a method of controlling an audio mixer includes the steps of allowing output programs of a MP3 player to transfer data, which is output to a sound device, to an external device, such as a speaker, through an output mixer, allowing an input mixer to select a microphone, a line-in, and a CD audio input through, digitally sampling the signals and transferring the digitally sampled signals to recording programs, and precluding audio data transferred to a capture application by setting the volume of the input mixer to 0 or using a mute function.
- FIG. 2 is a block diagram illustrating a Windows multimedia system according to an embodiment of the present invention.
- the Windows multimedia system includes a rendering application 10, a capture application 20, multimedia APIs 11, 21, a Windows multimedia kernel 30, an audio driver 40, an audio adaptor driver 50, an audio adaptor 60, a Digital to Analog (DA) converter 61, an Analog to Digital (AD) converter 62, a speaker 70, a microphone 80, and so on.
- DA Digital to Analog
- AD Analog to Digital
- the rendering application 10 refers to a user program for outputting audio data and may include MP3 player programs.
- the capture application 20 refers to a user program for storing audio data received from a microphone, a line-in, and so on, and may include a variety of recording programs.
- the multimedia APIs 11, 21 are included in the rendering application 10 and the capture application 20.
- the Windows multimedia kernel 30 is a system region in which multimedia related functions, such as audio and video, are collected in the Windows environment
- the audio driver 40 is an abstracted system driver of an audio adaptor driver.
- the audio adaptor driver 50 is a driver for driving audio adaptor hardware and serves to match each audio adaptor to the Windows standards.
- the audio adaptor 60 is hardware of the sound card. The audio adaptor 60 serves to convert digital data into analog data using the DA converter 61 and output the converted data to the speaker, etc., or to sample analog data using the AD converter 62 in order to produce digital data.
- the speaker 70 serves to output audio data, and the microphone 80 serves to input audio data.
- the wave Pulse Coded Modulation (PCM) shown in FIG. 2 is one of the methods of representing audio data through digitization.
- Analog input is data recorded by measuring a voltage according to a predetermined sampling time interval and analog audio is analog data of the audio.
- FIG. 3 is a block diagram illustrating a method of protecting import information, of a method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
- modules for example, execution files such as exe and dll
- To this end, a Windows operating system determines which dll will be loaded in order to connect the function upon link, stores the loaded dll in an execution file, and allows the Windows operating system to perform a corresponding process upon execution. Information about the loaded dll to be stored is recorded into an import region of the execution file.
- the information is defined in the Portable Executable (PE) format, and import information can be protected through the following steps.
- An execution file is searched for a DOS header of the information (S30).
- The DOS header is searched for an NT header (S31).
- A directory region of the NT header is searched for an import descriptor (S32).
- The import descriptor is searched for the name of the dll to be loaded (S33).
- The function information arrangement of the import descriptor is searched for the name of a function (S34). Thereafter, false information is recorded at every step (S35).
- the import descriptor has the arrangement of information of dll to be loaded and each element has a location of function information of dll to be connected.
- the import information is accessible by all the processes.
- Using the information, an audio capture program can replace a function used for output by a player with its own capture function.
- Such a capture attempt can be prevented by hiding the import information itself.
- the hiding method can be easily implemented by recording false information at every step.
- FIG. 4 is a block diagram illustrating a method of protecting a function LoadLibrary
- the capture program can insert a function for capture into a player.
- the import information protection method may be used to discourage the capture program from replacing the functions LoadLibrary and GetProcAddress with its own functions. Furthermore, it can be determined whether the functions are original Windows system functions, have been changed to other functions, or have been modified.
- a method of protecting the function LoadLibrary API and the function GetProcAddress API includes allowing a spy program to intercept the two API functions and to execute its code, using a method of directly obtaining the addresses of the function LoadLibrary API and the function GetProcAddress API in a Windows kernel from the kernel, thus preventing the leakage of data.
- the method of protecting the function LoadLibrary API and the function GetProcAddress API includes the steps of determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions (S40), if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data (S41), and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed (S42).
- the code of the original dll and the code of dll loaded within the process can be directly compared (S42-1).
- code parts can be compared after generating a verify code using a hash function (S42-2).
- the dll is a collection of small programs. Any one of the small programs can be called when it is required in a large program executed in a computer.
- the file dll may be loaded and executed, if appropriate, thus saving RAM space.
- FIG. 5 is a block diagram illustrating a method of intercepting API of multimedia dll used for recording in order to prevent recording, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
- One of the APIs used for recording by the capture program is a function waveIn() of winmm.dll.
- the capture program reads audio data from the sound card using the function. Accordingly, the recording can be made to fail by hindering the operation of the function.
- the method of preventing recording by intercepting APIs of the multimedia dll used for recording includes interrupting all processes in which a hook event is generated using a hook function provided by Windows (S50), examining an import region of the process in order to determine whether there is a part that uses the function waveIn() (S51), and connecting the part to the code of the capture prevention program in order to make the function call for recording fail (S52) or directly finding the address of waveIn() using GetProcAddress API in order to prevent calling (S52-1).
- step S53 GetProcAddress() is connected to the code of the capture prevention program (S52-1-1). If the capture program wants waveIn() in the code, an address of waveIn(), which is provided by the capture prevention program and will fail, is provided (S52-2-1), thereby deactivating the recording function.
- the capture program replaces the output function, which is called by a player, with its function so as to intercept the data output, thereby intercepting audio data.
- the capture prevention program replaces the audio recording function of the capture program with its function so as to intercept the data input, thereby intercepting the recording of original data.
- FIG. 6 is a block diagram illustrating a method of determining whether multimedia dll has been altered, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention
- FIG. 7 is a block diagram illustrating a method of controlling an audio mixer, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention
- a sound device, in general, includes two audio mixers, one for input and one for output. Each of the mixers serves to select signals received from several audio sources and amplify the selected signals.
Abstract
The present invention relates to a method of preventing audio-data capture in a Windows multimedia system. The interception of data transmitted to a kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered. Furthermore, data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking. Furthermore, the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented. In addition, the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.
Description
METHOD OF PREVENTING AUDIO-DATA CAPTURE IN WINDOWS MULTIMEDIA SYSTEM
Technical Field
[1] The present invention generally relates to a method of preventing audio-data capture in the Windows multimedia system. More particularly, the present invention relates to a method of preventing audio-data capture in the Windows multimedia system, in which the interception of data transmitted to the kernel after multimedia Application Programming Interface (API) is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dynamic link library (dll) has been altered, data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking, the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented, and the interception of data transmitted to an audio adaptor driver can be prevented by controlling an audio mixer.
[2]
Background Art
[3] In general, in the construction of the Windows multimedia system shown in FIG. 1, there are several methods of intercepting digital audio data of contents to which Digital Rights Management (DRM) has been applied.
[4] For example, there is a method of intercepting digital audio data within the Windows system. The method includes a method (1) of intercepting data transmitted to the kernel by hooking the multimedia API, a method (2) of intercepting data transmitted to the audio adaptor driver, and a method (3) of intercepting data output from the audio adaptor. There is a problem in that rightful persons are damaged by the leakage of data, etc. due to the methods. The term "DRM" refers to technology and service for protecting the profits and rights of the copyright-related persons by preventing the illegal use of digital contents.
[5] There is another method of intercepting digital audio data outside the Windows system. The method may include a method of providing a user with specially produced hardware of the adaptor in order for a company that produces the audio adaptor to intercept data, a method of intercepting data at the audio adaptor by employing digital data output from a digital output terminal, such as Sony/Philips Digital interface (SPDIF), to digital devices, and a method of intercepting data by employing digital data output for USB audio devices and 1394 audio devices.
[6] In addition, data can be intercepted using a method of recording analog data output to the speaker or re-inputting (look back) the data to a line-in input terminal of the audio adaptor. However, if converted analog data are sampled digitally again, there is a problem in that the sound quality is lost. The SPDIF is one of digital output methods and refers to home digital output specification defined by Sony/Philips.
[7] Meanwhile, Microsoft Corporation provides API in which audio data of DRM contents can be transmitted through safe channels separated from common audio data channels due to the problems inherent in the method of intercepting digital audio data within the Windows system, the method of intercepting digital audio data outside the Windows system, and so on.
[8] To prevent the method of intercepting data transmitted to the kernel by hooking the multimedia API, encrypted digital audio data are transmitted between an application and the kernel. To prevent the method of intercepting data transmitted to the audio adaptor driver, the method of intercepting data output from the audio adaptor, and the method of providing a user with specially produced hardware of the adaptor in order for a company that produces the audio adaptor to intercept data, there is provided a protection solution for providing DRM audio data only through a driver or an adaptor that has been found that data of DRM contents are not leaked by Microsoft Corporation through authentication.
[9] In addition, when the digital data are output to an external digital device as in the method of intercepting data using digital data output from a digital output terminal of the audio adaptor, such as SPDIF, to digital devices and the method of intercepting data using digital data output for the USB audio device and the 1394 audio devices, a method is proposed in which an adaptor is authenticated and audio data of DRM contents are output in a digital data form only when it is guaranteed that the Windows system confirms the type and characteristic of an external digital device and determines whether the output accordingly will be output. The above-mentioned method by Microsoft Corporation is perfect in implementing the OS level of the DRM system, but has a difficulty until it is available to all the systems.
[10] Accordingly, there is a need for a system for preventing audio data capture in the Windows multimedia system in such a manner that the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered is used, the output of digital data to drivers, which are found to be dangerous after checking, can be denied by checking connected drivers when outputting digital data, and the audio mixer can be controlled.
[11]
Disclosure of Invention
Technical Problem
[12] Accordingly, the present invention has been made in view of the above problems occurring in the prior art, and it is an object of the present invention to provide a method of preventing audio-data capture in the Windows multimedia system, in which the interception of data transmitted to the kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered.
[13] It is another object of the present invention to provide a method of preventing audio-data capture in the Windows multimedia system, in which data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking.
[14] It is further another object of the present invention to provide a method of preventing audio-data capture in the Windows multimedia system, in which the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented. In addition, the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.
[15]
Brief Description of the Drawings
[16] Further objects and advantages of the invention can be more fully understood from the following detailed description taken in conjunction with the accompanying drawings in which:
[17] FIG. 1 is a block diagram illustrating a method of intercepting digital data in a Windows multimedia system in the related art;
[18] FIG. 2 is a block diagram illustrating a Windows multimedia system according to an embodiment of the present invention;
[19] FIG. 3 is a block diagram illustrating a method of protecting import information, of a method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention;
[20] FIG. 4 is a block diagram illustrating a method of protecting a function LoadLibrary API and a function GetProcAddress API, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention;
[21] FIG. 5 is a block diagram illustrating a method of intercepting API of multimedia dll used for recording in order to prevent recording, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention;
[22] FIG. 6 is a block diagram illustrating a method of determining whether multimedia dll has been altered, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention; and
[23] FIG. 7 is a block diagram illustrating a method of controlling an audio mixer, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[24]
Best Mode for Carrying Out the Invention
[25] To accomplish the above objects, according to an aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of protecting import information includes determining which dll will be loaded in order to connect a function upon link, storing the loaded dll in an execution file and allowing a Windows operating system to perform a corresponding process upon execution, and wherein information about dll that will be loaded and stored is recorded into an import region of an execution file. The method of preventing audio-data capture in a Windows multimedia system includes the steps of searching the execution file for a DOS header of the information, searching the DOS header for a NT header, searching a directory region of the NT header for an import descriptor, searching the import descriptor for the name of dll to be loaded, searching function information arrangement of the import descriptor for the name of a function, and recording false information every step.
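As an added illustration (not part of the patent text), the header walk described above can be reproduced in Python over a constructed in-memory PE32 image, followed by the effect of recording false names. The function names `build_sample_pe`, `walk_imports` and `record_false_names` are hypothetical, and applying the false names to a copy of the image is an assumption, since the text does not say when they are written.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 image: headers plus one section holding imports."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    sec = bytearray(sec_size)
    # 0x00 import descriptor + zero terminator; 0x28 lookup thunks; 0x38 address thunks
    struct.pack_into("<5I", sec, 0, sec_rva + 0x28, 0, 0, sec_rva + 0x48, sec_rva + 0x38)
    for thunks in (0x28, 0x38):
        struct.pack_into("<3I", sec, thunks, sec_rva + 0x58, sec_rva + 0x68, 0)
    # 0x48 dll name; 0x58 and 0x68 hint/name records (2-byte hint, then the name)
    for at, raw in ((0x48, b"winmm.dll\0"), (0x58, b"\0\0waveOutOpen\0"),
                    (0x68, b"\0\0waveOutWrite\0")):
        sec[at:at + len(raw)] = raw
    hdr = bytearray(sec_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<2H3I2H", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58                                                # optional header start
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<2I", hdr, opt + 104, sec_rva, 40)      # import directory entry
    struct.pack_into("<8s6I2HI", hdr, opt + 224, b".idata", sec_size, sec_rva,
                     sec_size, sec_raw, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr + sec)

def walk_imports(image):
    """DOS header -> NT header -> import directory -> dll names -> function names."""
    if image[:2] != b"MZ":                                    # DOS header
        raise ValueError("no DOS header")
    nt = struct.unpack_from("<I", image, 0x3C)[0]             # NT header via e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no NT header")
    n_sections = struct.unpack_from("<H", image, nt + 6)[0]
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    opt = nt + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    import_rva, _size = struct.unpack_from("<2I", image, opt + 104)  # directory region
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<4I", image, opt + opt_size + 40 * i + 8)
                for i in range(n_sections)]

    def off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    def cstr(rva):
        start = off(rva)
        return image[start:image.index(b"\0", start)].decode("ascii", "replace")

    imports, desc = {}, off(import_rva)
    while True:
        lookup, _, _, name_rva, iat = struct.unpack_from("<5I", image, desc)
        if not (lookup or name_rva or iat):                   # zero descriptor ends the list
            break
        names, thunk = [], off(lookup or iat)
        while True:
            entry = struct.unpack_from("<I", image, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                            # import by ordinal
                names.append("#%d" % (entry & 0xFFFF))
            else:                                             # skip the 2-byte hint
                names.append(cstr(entry + 2))
            thunk += 4
        imports[cstr(name_rva)] = names                       # dll name -> functions
        desc += 20
    return imports

def record_false_names(image, replacements):
    """Return a copy with names overwritten by same-length false ones.

    Assumption: done on a copy the loader no longer needs to read.
    """
    out = image
    for real, false in replacements.items():
        if len(real) != len(false):
            raise ValueError("a false name must keep the original length")
        out = out.replace(real, false)
    return out
```

After `record_false_names`, the same walk still succeeds but yields only the false names, which is what a tool that reads the import region to locate the audio output functions would see.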
[26] Furthermore, according to another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of protecting a function LoadLibrary API and a function GetProcAddress API includes allowing a spy program to intercept the two API functions and to execute its code, using a method of directly obtaining addresses of the function LoadLibrary API and the function GetProcAddress API in a Windows kernel from the kernel, thus preventing the leakage of data. The method of preventing audio-data capture in a Windows multimedia system includes the steps of determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions, if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data, and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed.
[27] In the present invention, the step of determining whether the code for executing the code of the capture program is the same as the original code includes the step of directly comparing the code of the original dll and the code of the dll loaded within the process, or the step of comparing code parts after generating a verify code using a hash function.
[28] Furthermore, according to further another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of preventing recording by intercepting APIs of multimedia dll used for recording includes the steps of interrupting all processes in which a hook event has occurred using a hook function provided by Windows, examining an import region of the process in order to determine whether there is a part that uses a function waveIn(), and connecting the part to a code of a capture prevention program in order to have function call for recording failed, or directly knowing an address of waveIn() using GetProcAddress API in order to prevent calling.
[29] In the present invention, the step of directly finding the address using waveIn() and GetProcAddress API in order to prevent calling includes the steps of connecting GetProcAddress() to the code of the capture prevention program, and if the capture program wants waveIn() in the code, providing an address of waveIn(), which is provided by the capture prevention program and will be failed.
[30] Furthermore, according to further another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of determining whether multimedia dll has been altered includes the step of determining whether contents of a code have been changed by comparing a code part of a corresponding function and a corresponding part of a file state in the case where the function of a capture program is not executed by manipulating an import information region, but a desired work is to be performed by inserting the code into a start portion of a function waveOut() so that the work can skip to a function for data leakage of the capture program, when intercepting the audio data by manipulating a code of multimedia dll itself.
[31] Furthermore, according to further another aspect of the present invention, there is provided a method of preventing audio-data capture in a Windows multimedia system, wherein a method of controlling an audio mixer includes the steps of allowing output programs of a MP3 player to transfer data, which is output to a sound device, to an external device, such as a speaker, through an output mixer, allowing an input mixer to select a microphone, a line-in, and a CD audio input through, digitally sampling the signals and transferring the digitally sampled signals to recording programs, and precluding audio data transferred to a capture application by setting the volume of the input mixer to 0 or using a mute function.
[32] The present invention will now be described in detail in connection with specific embodiments with reference to the accompanying drawings.
[33] FIG. 2 is a block diagram illustrating a Windows multimedia system according to an embodiment of the present invention.
[34] Referring to FIG. 2, the Windows multimedia system according to an embodiment of the present invention includes a rendering application 10, a capture application 20, multimedia APIs 11, 21, a Windows multimedia kernel 30, an audio driver 40, an audio adaptor driver 50, an audio adaptor 60, a Digital to Analog (DA) converter 61, an Analog to Digital (AD) converter 62, a speaker 70, a microphone 80, and so on.
[35] The function of each of technical means constituting the Windows multimedia system will be described below.
[36] The rendering application 10 refers to a user program for outputting audio data and may include MP3 player programs.
[37] The capture application 20 refers to a user program for storing audio data received from a microphone, a line-in, and so on, and may include a variety of recording programs. The multimedia APIs 11, 21 are included in the rendering application 10 and the capture application 20.
[38] The Windows multimedia kernel 30 is a system region in which multimedia related functions, such as audio and video, are collected in the Windows environment.
[39] The audio driver 40 is an abstracted system driver of an audio adaptor drive.
[40] The audio adaptor driver 50 is a driver for driving audio adaptor hardware and serves to match each audio adaptor to the Windows standards.
[41] The audio adaptor 60 is hardware of the sound card. The audio adaptor 60 serves to convert digital data into analog data using the DA converter 61 and output the converted data to the speaker, etc., or to sample analog data using the AD converter 62 in order to produce digital data.
[42] The speaker 70 serves to output audio data, and the microphone 80 serves to input audio data.
[43] Furthermore, wave Pulse Coded Modulation (PCM) shown in FIG. 2 is one of methods of representing audio data through digitization. Analog input is data recorded by measuring a voltage according to a predetermined sampling time interval and analog audio is analog data of the audio.
[44] FIG. 3 is a block diagram illustrating a method of protecting import information, of a method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[45] In order for the functions of the system or the functions of other modules to be used, modules (for example, execution files such as exe and dll) that provide corresponding functions must be loaded. One of the methods of the Windows operating system to this end determines which dll will be loaded in order to connect the function upon link, stores the loaded dll in an execution file, and allows the Windows operating system to perform a corresponding process upon execution. Information about the loaded dll to be stored is recorded into an import region of the execution file. The information is defined in the Portable Executable (PE) format, and the import information can be protected through the following steps.
[46] An execution file is searched for a DOS header of the information (S30). The DOS header is searched for an NT header (S31). A directory region of the NT header is searched for an import descriptor (S32). The import descriptor is searched for the name of the dll to be loaded (S33). The function information arrangement of the import descriptor is searched for the name of a function (S34). Thereafter, false information is recorded at every step (S35). The import descriptor holds an arrangement of information about the dlls to be loaded, and each element holds the location of the function information of the dll to be connected.
[47] For example, if a function waveOut() of winmm.dll is to be used in a player program, information for loading winmm.dll and information about the function waveOut() are recorded into the player program upon link. Upon execution, a loader of the operating system loads winmm.dll on the player process using the information. A location of the function is set so that the function waveOut() can be used. Accordingly, the function is prepared to use.
[48] The import information is accessible by all the processes. Using the information, an audio capture program can replace a function used for the output by a player with its own capture function. Such a capture attempt can be prevented by hiding the import information itself. The hiding method can be easily implemented by recording false information at every step.
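The walk in steps S30 to S34 is shown below as an added example (not code from the patent), which also shows what a tool reading the import region reports once the recorded names are false or a header pointer no longer leads anywhere. It assumes a PE32 image laid out as mapped in memory, so an RVA is used directly as an offset; the sample image, its offsets, the decoy names and the function names `walk_imports` and `build_sample_image` are constructed for illustration, and the real winmm.dll exports waveOutOpen and waveOutWrite stand in for the page's waveOut().

```python
import struct

MAX_DESCRIPTORS = 256   # assumed caps so a falsified table cannot loop forever
MAX_THUNKS = 4096

def _cstr(img, off, limit=256):
    """Read a NUL-terminated ASCII string without running off the image."""
    end = img.find(b"\0", off, off + limit)
    if end < 0:
        raise ValueError("unterminated or out-of-range string")
    return bytes(img[off:end]).decode("ascii", "replace")

def walk_imports(img):
    """Follow S30-S34 and return [(dll name, [function names])]."""
    try:
        if img[:2] != b"MZ":                                    # S30: DOS header
            raise ValueError("no DOS header")
        nt = struct.unpack_from("<I", img, 0x3C)[0]             # S31: e_lfanew -> NT header
        if img[nt:nt + 4] != b"PE\0\0":
            raise ValueError("no NT header")
        opt = nt + 24                                           # optional header follows file header
        if struct.unpack_from("<H", img, opt)[0] != 0x10B:
            raise ValueError("not a PE32 optional header")
        imp_rva, _size = struct.unpack_from("<II", img, opt + 96 + 8)  # S32: directory entry 1
        if imp_rva == 0:
            return []
        imports = []
        for i in range(MAX_DESCRIPTORS):
            oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", img, imp_rva + 20 * i)
            if not (oft or name_rva or ft):                     # all-zero descriptor ends the array
                break
            names, thunk = [], (oft or ft)
            for j in range(MAX_THUNKS):                         # S34: function information array
                entry = struct.unpack_from("<I", img, thunk + 4 * j)[0]
                if entry == 0:
                    break
                if entry & 0x80000000:                          # import by ordinal, no name stored
                    names.append("#%d" % (entry & 0xFFFF))
                else:                                           # skip the 2-byte hint
                    names.append(_cstr(img, entry + 2))
            imports.append((_cstr(img, name_rva), names))       # S33: dll name
        return imports
    except struct.error as exc:
        raise ValueError("import data points outside the image") from exc

def build_sample_image(dll=b"winmm.dll", funcs=(b"waveOutOpen", b"waveOutWrite")):
    """Constructed minimal image: only the fields the walk reads are filled in."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                     # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x200, 40)       # import directory
    struct.pack_into("<5I", img, 0x200, 0x240, 0, 0, 0x260, 0x250)  # one descriptor, then zeros
    img[0x260:0x260 + len(dll)] = dll
    pos = 0x280
    for i, name in enumerate(funcs):
        img[pos + 2:pos + 2 + len(name)] = name                 # hint (0) + name
        struct.pack_into("<I", img, 0x240 + 4 * i, pos)         # name table entry
        struct.pack_into("<I", img, 0x250 + 4 * i, pos)         # address table before binding
        pos += 2 + len(name) + 1
        pos += pos & 1                                          # keep entries 2-byte aligned
    return img

if __name__ == "__main__":
    print(walk_imports(build_sample_image()))
    print(walk_imports(build_sample_image(b"decoy.dll", (b"Placeholder1", b"Placeholder2"))))
```

A tool that audits imports should therefore treat every field it follows as untrusted input: bound each read, cap each loop, and report a failed walk instead of assuming the module has no imports.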
[49] FIG. 4 is a block diagram illustrating a method of protecting a function LoadLibrary API and a function GetProcAddress API, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[50] In order for the functions of the system or the functions of other modules to be used, modules (for example, execution files such as exe and dll) that provide corresponding functions must be loaded. In a method of loading a corresponding dll directly when a program (i.e., the other of the Windows operating systems to this end), the capture program can insert a function for capture into a player.
[51] That is, although a player process loads winmm.dll directly, finds the location of the function waveOut(), and uses the location, the function LoadLibrary API and the function GetProcAddress API must be used in order to perform the process. During the process, if the capture program replaces the function LoadLibrary and the function GetProcAddress with its own, the function obtained by the player process is the function of the capture program, not the original function waveOut(). Accordingly, the capture program can intercept audio data output from the player without change.
[52] Accordingly, to prevent such interception, the import information protection method may be used to discourage the capture program from replacing the functions LoadLibrary and GetProcAddress with its own functions. Furthermore, it can be determined whether the functions are original Windows system functions, have been changed to other functions or have been modified.
[53] In other words, a method of protecting the function LoadLibrary API and the function GetProcAddress API includes allowing a spy program to intercept the two API functions and to execute its code, using a method of directly obtaining the addresses of the function LoadLibrary API and the function GetProcAddress API in a Windows kernel from the kernel, thus preventing the leakage of data.
[54] The method of protecting the function LoadLibrary API and the function GetProcAddress API includes the steps of determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions (S40), if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data (S41), and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed (S42).
[55] In the step S42, the code of the original dll and the code of dll loaded within the process can be directly compared (S42-1). Alternatively, code parts can be compared after generating a verify code using a hash function (S42-2). The dll is a collection of small programs. Any one of the small programs can be called when it is required in a large program executed in a computer. The file dll may be loaded and executed, if appropriate, thus saving RAM space.
[56] FIG. 5 is a block diagram illustrating a method of intercepting API of multimedia dll used for recording in order to prevent recording, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[57] One of APIs, which is used for recording by the capture program, is a function waveIn() of winmm.dll. The capture program reads audio data from the sound card using the function. Accordingly, the recording can be made to fail by hindering the operation of the function.
[58] To this end, if the pointer of the function is replaced with the function waveIn() provided by the capture prevention program in all processes that are not operating in the Windows operating system, the leakage of data can be precluded since the function to be used by the capture program cannot be used.
[59] The method of preventing recording by intercepting APIs of the multimedia dll used for recording includes interrupting all processes in which a hook event is generated using a hook function provided by Windows (S50), examining an import region of the process in order to determine whether there is a part that uses the function waveIn() (S51), and connecting the part to the code of the capture prevention program in order to have function call for recording failed (S52) or directly finding the address of waveIn() using GetProcAddress API in order to prevent calling (S52-1).
[60] In the step S53, GetProcAddress() is connected to the code of the capture prevention program (S52-1-1). If the capture program wants waveIn() in the code, an address of waveIn() that is provided by the capture prevention program and will be failed is provided (S52-2-1), thereby deactivating the recording function.
[61] As a result, in order to prevent recording, the capture program replaces the output function, which is called by a player, with its function so as to intercept the data output, thereby intercepting audio data. The capture prevention program replaces the audio recording function of the capture program with its function so as to intercept the data input, thereby intercepting the recording of original data.
[62] FIG. 6 is a block diagram illustrating a method of determining whether multimedia dll has been altered, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[63] There is the method of replacing the function waveOut() (i.e., the audio output function) with the function of the capture program by manipulating the import information region or manipulating the operation of the functions LoadLibrary and GetProcAddress, as described above with reference to FIGS. 3 and 4. Furthermore, there will be a method of intercepting audio data by manipulating a code of the multimedia dll itself as shown in FIG. 6.
[64] When intercepting audio data by manipulating the code of the multimedia dll itself, it is determined whether the contents of the code have been changed by comparing a code part of a corresponding function and a corresponding part of a file state in the case where the function of the capture program is not executed by manipulating the import information region, but a desired work is to be performed by inserting the code into the start portion of the function waveOut() so that the work can skip to the function for data leakage of the capture program (S60), thereby preventing the capture of audio data.
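The checks in steps S40 to S42 of FIG. 4 and the file-state comparison S60 of FIG. 6 come down to the same two tests, sketched here as an added example that is not code from the patent: is the resolved address inside the expected module, and do the bytes at the function start match a trusted copy, either directly (S42-1) or through a hash-based verify code (S42-2). The module bytes, base address, export offsets, the 16-byte comparison length and the names `LoadedModule`, `make_verify_codes`, `check_api` and `scan` are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

PROLOGUE_LEN = 16  # assumption: number of bytes compared at each function start

@dataclass
class LoadedModule:
    name: str
    base: int
    image: bytes   # module bytes as currently mapped in the process

    def contains(self, addr):
        return self.base <= addr < self.base + len(self.image)

    def read(self, addr, size):
        off = addr - self.base
        return bytes(self.image[off:off + size])

def make_verify_codes(reference, exports):
    """S42-2: derive one verify code per function from the trusted copy."""
    return {name: hashlib.sha256(reference[rva:rva + PROLOGUE_LEN]).hexdigest()
            for name, rva in exports.items()}

def check_api(module, name, resolved_addr, exports, reference=None, verify_codes=None):
    """Return 'outside-module' (S40/S41: stop output), 'modified' (S42) or 'ok'."""
    if not module.contains(resolved_addr):
        return "outside-module"
    loaded = module.read(resolved_addr, PROLOGUE_LEN)
    if reference is not None:                       # S42-1: direct comparison
        rva = exports[name]
        same = loaded == reference[rva:rva + PROLOGUE_LEN]
    else:                                           # S42-2: compare verify codes
        same = hashlib.sha256(loaded).hexdigest() == verify_codes[name]
    return "ok" if same else "modified"

def scan(module, resolved, exports, **kw):
    return {name: check_api(module, name, addr, exports, **kw)
            for name, addr in resolved.items()}

# Constructed sample data: a 512-byte stand-in for the trusted kernel32.dll code.
REFERENCE = bytes(range(256)) * 2
EXPORTS = {"LoadLibraryA": 0x40, "GetProcAddress": 0x100}
BASE = 0x7C800000

def sample_patched_module():
    """Same module with the first five bytes of one function overwritten."""
    image = bytearray(REFERENCE)
    image[0x100:0x105] = b"\xE9\x10\x20\x30\x40"    # constructed inserted bytes
    return LoadedModule("kernel32.dll", BASE, bytes(image))

if __name__ == "__main__":
    resolved = {name: BASE + rva for name, rva in EXPORTS.items()}
    clean = LoadedModule("kernel32.dll", BASE, REFERENCE)
    codes = make_verify_codes(REFERENCE, EXPORTS)
    print(scan(clean, resolved, EXPORTS, reference=REFERENCE))
    print(scan(sample_patched_module(), resolved, EXPORTS, verify_codes=codes))
    print(check_api(clean, "LoadLibraryA", 0x10001000, EXPORTS, verify_codes=codes))
```

On a real module the direct comparison has to account for relocation fixups applied by the loader, so the trusted copy must be prepared for the same base address before the bytes are compared.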
[65] FIG. 7 is a block diagram illustrating a method of controlling an audio mixer, of the method of preventing audio-data capture in the Windows multimedia system according to an embodiment of the present invention.
[66] In general, a sound device includes two input and output audio mixers. Each of the mixers serves to select signals received from several audio sources and amplify the selected signals.
[67] Referring to FIG. 7, in order to prevent the capture of audio data by controlling the audio mixer, output programs of an MP3 player transfer data, which have been output to a sound device, to an external device, such as a speaker, through the output mixer (S70). The input mixer selects a microphone, a line-in, and a CD audio input (S71). The signals are digitally sampled and are then transferred to recording programs (S72). Thereafter, audio data transferred to a capture application are precluded by setting the volume of the input mixer to 0 or using a mute function (S73).
[68] While the present invention has been described with reference to the particular illustrative embodiments, it is not to be restricted by the embodiments but only by the appended claims. It is to be appreciated that those skilled in the art can change or modify the embodiments without departing from the scope and spirit of the present invention.
[69]
Industrial Applicability
[70] As described above, in accordance with the method of preventing audio-data capture in the Windows multimedia system according to the present invention, the interception of data transmitted to the kernel after multimedia API is hooked can be prevented using the technology of hiding an import table of an execution program so that multimedia API hooking is impossible and of determining whether multimedia dll has been altered.
[71] Furthermore, data transmitted to an audio adaptor driver can be intercepted and data output from the audio adaptor can be intercepted, by denying the output of digital data to drivers, which are found to be dangerous after checking.
[72] Furthermore, the leakage of data, which is incurred since specially fabricated adaptor hardware is provided to a user in order for a company that manufactures the audio adaptor to intercept data, can be prevented. In addition, the interception of data transmitted to the audio adaptor driver can be prevented by controlling the audio mixer.
[73]
Claims
[1] An audio-data capture preventing method in a Windows multimedia system, comprising a method of protecting import information, in which dll will be loaded and be connected to which function upon link are stored in an execution file, a Windows operating system performs a corresponding task upon execution, and information about the loaded dll is recorded into an import region of the execution file, the method of protecting the import information comprising the steps of: searching the execution file for a DOS header of the information; searching the DOS header for an NT header; searching a directory region of the NT header for an import descriptor; searching the import descriptor for the name of dll to be loaded; searching function information arrangement of the import descriptor for the name of a function; and recording false information every searching step.
[2] An audio-data capture method in a Windows multimedia system, comprising a method of protecting a function LoadLibrary API and a function GetProcAddress API, in which a spy program intercepts the two functions LoadLibrary API and GetProcAddress API by directly obtaining addresses of the functions LoadLibrary API and GetProcAddress API in a Windows kernel from a kernel such that the functions LoadLibrary API and GetProcAddress API perform their codes, preventing the leakage of data, the method of protecting the functions LoadLibrary API and GetProcAddress API comprising the steps of: determining whether the addresses of the functions LoadLibrary and GetProcAddress are addresses located within kernel32.dll in normal conditions; if it is determined that the address points at other places not the inside of kernel32.dll, stopping the output of audio data; and determining whether a portion at which the two functions begin is the same as an original code because a code for executing the code of the capture program could have been inserted into the portion although the address has not been changed.
[3] The method as claimed in claim 2, wherein the step of determining whether the code for executing the code of the capture program is the same as the original code includes the step of directly comparing the code of the original dll and the code of the dll loaded within the process, or the step of comparing code parts after generating a verify code using a hash function.
[4] A method of preventing audio-data capture in a Windows multimedia system, comprising a method of preventing recording by intercepting an API of multimedia dll used for the recording, the method of preventing recording comprising the steps of interrupting all processes in which a hook event has occurred using a hook function provided by Windows, examining an import region of the process in order to determine whether there is a part that uses a function waveIn(), and connecting the part to a code of a capture prevention program in order to have function call for recording failed, or directly knowing an address of waveIn() using GetProcAddress API in order to prevent calling.
[5] The method as claimed in claim 4, wherein the step of directly finding the address using waveIn() and GetProcAddress API in order to prevent calling includes the steps of: connecting GetProcAddress() to the code of the capture prevention program; and if the capture program wants waveIn() in the code, providing an address of waveIn() which is provided by the capture prevention program and will be failed.
[6] A method of preventing audio data capture in a Windows multimedia system, comprising a method of determining whether multimedia dll has been altered, comprising the step of determining whether contents of a code have been changed by comparing a code part of a corresponding function and a corresponding part of a file state in the case where the function of a capture program is not executed by manipulating an import information region, but a desired work is to be performed by inserting the code into a start portion of a function waveOut() so that the work can skip to a function for data leakage of the capture program, when intercepting the audio data by manipulating a code of multimedia dll itself.
[7] A method of preventing audio data capture in a Windows multimedia system, comprising a method of controlling an audio mixer comprising the steps of: allowing output programs of a MP3 player to transfer data, which is output to a sound device, to an external device, such as a speaker, through an output mixer; allowing an input mixer to select a microphone, a line-in, and a CD audio input through, digitally sampling the signals and transferring the digitally sampled signals to recording programs; and precluding audio data transferred to a capture application by setting the volume of the input mixer to 0 or using a mute function.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020050041395A KR100778901B1 (en) | 2005-05-18 | 2005-05-18 | Sound capture protecting method for the window multimedia system |
KR10-2005-0041395 | 2005-05-18 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006123875A1 true WO2006123875A1 (en) | 2006-11-23 |
Family
ID=37431426
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2006/001799 WO2006123875A1 (en) | 2005-05-18 | 2006-05-15 | Method of preventing audio-data capture in windows multimedia system |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR100778901B1 (en) |
WO (1) | WO2006123875A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100939076B1 (en) * | 2008-03-28 | 2010-01-28 | 엔에이치엔비즈니스플랫폼 주식회사 | Method and Apparatus for Preventing Modification of Code Using TLS Callback |
KR100953355B1 (en) * | 2008-04-22 | 2010-04-20 | 주식회사 안철수연구소 | Method for protecting on-line electronic transaction program |
KR101252188B1 (en) | 2011-05-31 | 2013-04-05 | 주식회사 잉카인터넷 | control method of accessing virtual memory data |
KR101886311B1 (en) * | 2017-08-01 | 2018-09-10 | 주식회사 인포바인 | Secure call and secure call recording notification system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20020062025A (en) * | 2001-01-19 | 2002-07-25 | 엘지전자 주식회사 | Digital audio copy preventing apparatus and method |
KR20020088737A (en) * | 2001-05-21 | 2002-11-29 | 주식회사 비즈모델라인 | Method and System for Keeping off Illegal Copy of Digital Contents by using the file system information Data |
KR20050001805A (en) * | 2003-06-26 | 2005-01-07 | 주식회사 케이티 | Digital contents roundabout prevention apparatus and method for digital contents protection |
US20050086501A1 (en) * | 2002-01-12 | 2005-04-21 | Je-Hak Woo | Method and system for the information protection of digital content |
-
2005
- 2005-05-18 KR KR1020050041395A patent/KR100778901B1/en not_active IP Right Cessation
-
2006
- 2006-05-15 WO PCT/KR2006/001799 patent/WO2006123875A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
KOENEN R.H. ET AL.: "The long march to interoperable digital rights management", PROCEEDINGS OF THE IEEE, vol. 92, no. 8, June 2004 (2004-06-01), pages 883 - 897, XP011112815 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108897994A (en) * | 2018-06-19 | 2018-11-27 | 广州华多网络科技有限公司 | Hide method, apparatus, storage medium and the computer equipment for importing table |
CN108897994B (en) * | 2018-06-19 | 2022-07-08 | 广州华多网络科技有限公司 | Method and device for hiding import table, storage medium and computer equipment |
Also Published As
Publication number | Publication date |
---|---|
KR100778901B1 (en) | 2007-11-22 |
KR20060118940A (en) | 2006-11-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20080216071A1 (en) | Software Protection | |
US7140005B2 (en) | Method and apparatus to test an instruction sequence | |
US9342689B2 (en) | File system access for one or more sandboxed applications | |
US7346781B2 (en) | Initiating execution of a computer program from an encrypted version of a computer program | |
US8745414B2 (en) | Switching between unsecure system software and secure system software | |
US20070271446A1 (en) | Application Execution Device and Application Execution Device Application Execution Method | |
WO2016019893A1 (en) | Application installation method and apparatus | |
US7607122B2 (en) | Post build process to record stack and call tree information | |
US20020112158A1 (en) | Executable file protection | |
US20110055848A1 (en) | Launching an midp-based target application from a launcher application | |
JP2004265422A (en) | Compact hardware identification for connecting software package to computer system having tolerance of hardware change | |
JP2001521654A (en) | Digital information self-decoding system and method | |
US8117451B2 (en) | Device controller, method for controlling a device, and program therefor | |
WO2006123875A1 (en) | Method of preventing audio-data capture in windows multimedia system | |
CN105335197A (en) | Starting control method and device for application program in terminal | |
CN115221524B (en) | Service data protection method, device, equipment and storage medium | |
US20080028462A1 (en) | System and method for loading and analyzing files | |
CN110727941A (en) | Private data protection method and device, terminal equipment and storage medium | |
US8732843B2 (en) | Software validity period changing apparatus, method, and installation package | |
KR101716690B1 (en) | Unauthorized data access blocking method and computing apparatus having Unauthorized data access blocking function | |
US20060191014A1 (en) | Changing code execution path using kernel mode redirection | |
CN111651764B (en) | Process monitoring method and device, electronic equipment and storage medium | |
CN111026609B (en) | Information auditing method, system, equipment and computer readable storage medium | |
CN112905260A (en) | Application starting method and device, electronic equipment and storage medium | |
CN108875372B (en) | Code detection method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | NENP | Non-entry into the national phase | Ref country code: RU |
 | 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS EPO FORM 1205A DATED 19.03.2008. |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 06757722 Country of ref document: EP Kind code of ref document: A1 |