基于融合编译的软件多样化保护方法

doi:10.11959/j.issn.2096-109x.2020075

摘要/Abstract

摘要：

针对现有主流保护方法存在的特征明显、模式单一等问题，以 LLVM 开源编译框架为基础，提出了一种基于融合编译的软件多样化保护方法，该方法将目标软件进行随机化加密处理，并在编译层面与掩护软件进行深度融合，通过内存执行技术，将加密后的目标软件进行解密处理，进而在内存中以无进程的形式执行，利用掩护代码的多样性、融合策略的随机性来实现目标软件的多样化保护效果。选取了多款常用软件作为测试集，从资源开销、保护效果、对比实验等多个角度对所提方法进行了实例测试，从测试结果可以看出，所提方法资源开销较小，相较于混淆、加壳等传统方法，所提方法在抗静态分析、抗动态调试等方面具有较大优势，能有效对抗主流代码逆向分析和破解手段。

关键词: 软件保护, 多样化, 融合编译, 内存执行, 底层虚拟机, 中间表示

Abstract:

For the obvious characteristics and single mode of the existing common protection methods,with the help of the LLVM framework,a diversity software protection method based on fusion compilation was proposed.In the proposed method,the target software is encrypted randomly,and deeply integrated with the bunker code at the compilation level,and the encrypted target software is decrypted by memory execution technology.Then it is executed in the form of no process in memory,and the diversified protection effect of the target software is realized by the diversity of the bunker and the randomness of the fusion strategies.A number of commonly used software are selected as the test case,and the proposed method is tested from the aspects of resource cost,protection effect,comparative experiment and so on.Compared with the traditional methods such as obfuscation and packing,the proposed method has great advantages in anti-static analysis and anti-dynamic debugging,and can effectively resist the mainstream methods of reverse analyzing and cracking.

Key words: software protection, diversification, fusion compilation, memory execution, LLVM, intermediate representation

中图分类号:

TP393

熊小兵,舒辉,康绯. 基于融合编译的软件多样化保护方法[J]. 网络与信息安全学报, 2020, 6(6): 13-24.

Xiaobing XIONG,Hui SHU,Fei KANG. Method of diversity software protection based on fusion compilation[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 13-24.

图/表 11

图1

图2

图3

图4

表1

图5

图6

图7

表2

表3

表4

参考文献 24

[1]	周国祥, 陆文海 . 基于 BHO 技术的数字版权保护系统的研究与设计[J]. 计算研究与发展, 2010,47(6): 316-320.
	ZHOU G X , LU W H . Application of BHO-based PDF digital management system[J]. Journal of Computing Research and Development, 2010,47(6): 316-320.
[2]	刘芳, 金松根, 卢国强 . 数字版权管理与数字图书馆建设[J]. 图书馆学刊, 2011(4): 105-108.
	LIU F , JIN S G , LU G Q . Digital copyright management and digital library construction[J]. Journal of Library Science, 2011(4): 105-108.
[3]	国务院 . 计算机软件保护条例[J]. 新疆新闻出版, 2013(2): 82-84.
	State Council . Regulations of protecting computer software[J]. Publishing House of Xinjiang News, 2013(2): 82-84.
[4]	刘军 . 基于 CUDA 的软件保护技术研究与实现[D]. 长沙:湖南大学, 2011: 5-25.
	LIU J . The Research and implementation of CUDA-assisted software protection technology[D]. Changsha:Hunan University, 2011: 5-25.
[5]	高艳军 . 数据安全管理系统加壳技术研究与实现[D]. 长沙:国防科学技术大学, 2008: 15-30.
	GAO Y J . Research and Implementation of packing technique for data security management System[D]. Changsha:National University of Defense Technology, 2008: 15-30.
[6]	马珂 . 基于虚拟机的内核模块行为分析技术研究[D]. 湘潭:湘潭大学, 2014: 20-28.
	MA K . Research on the technologies of kernel module behavior analysis based on VMM[D]. Xiangtan:Xiangtan University, 2014: 20-28.
[7]	郝景超 . Windows下软件实名机制的设计与实现[D]. 郑州:解放军信息工程大学, 2008: 24-36.
	HAO J C . Design and realization of the software real name mechanism in windows system[D]. Zhengzhou:PLA Information Engineering University, 2008: 24-36.
[8]	李勇 . 基于 Windows 平台的目标代码混淆[D]. 成都:电子科技大学, 2007: 37-45.
	LI Y . Object code obfuscation based on Windows platform[D]. Chengdu:University of Electronic Science and Technology of China, 2007: 37-45.
[9]	房鼎益, 张恒, 汤战勇 ,等. 一种抗语义攻击的虚拟化软件保护方法[J]. 四川大学学报(工程科学版), 2017,49(1): 159-168.
	FANG D Y , ZHANG H , TANG Z Y ,et al. DAS-VMP:a virtual machine-based software protection method for defending against semantic attacks[J]. Journal of Sichuan University (Engineering Science Edition), 2017,49(1): 159-168.
[10]	TANG Z , LI G , FANG D ,et al. Code virtualized protection system with instruction set randomization[J]. Journal of Huazhong University of Science ＆ Technology, 2016,44(3): 28-33.
[11]	KUANG K , TANG Z , GONG X ,et al. Exploiting dynamic scheduling for VM-based code obfuscation[C]// Proc of the Trustcom/Bigdatase/Ispa. 2017. 489-496.
[12]	COLLBERG C , THOMBORSON C , LOW D . A taxonomy of obfuscating transformations[J]. Department of Computer Science the University of Auckland New Zealand, 1997
[13]	COLLBERG C , THOMBORSON C , LOW D . Manufacturing cheap,resilient,and stealthy Opaque constructs[C]// Proc.25th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages '98. 1998: 184-196.
[14]	BANESCU S , COLLBERG C , GANESH V ,et al. Code obfuscation against symbolic execution attacks[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016: 189-200.
[15]	WANG Z , JIA C F , LIU W J ,et al. Branch obfuscation to combat symbolic execution[J]. Acta Electronica Sinica, 2015,43(5): 870-878.
[16]	潘雁, 祝跃飞, 林伟 . 基于指令交换的代码混淆方法[J]. 软件学报, 2019,30(6): 1778-1792.
	PAN Y , ZHU Y F , LIN W . Code obfuscation based on instructions swapping[J]. Journal of Software, 2019,30(6): 1788-1792.
[17]	BALACHANDRAN V , KEONG N W , EMMANUEL S . Function level control flow obfuscation for software security[C]// Eighth International Conference on Complex,Inteligence and Software Intensive Systems. 2014: 133-140.
[18]	王志 . 二进制代码路径混淆技术研究[D]. 天津:南开大学, 2012.
	WANG Z . Research on binary code path obfuscation[D]. Tianjin:Nankai University, 2012:
[19]	TAMBOLI T , AUSTIN T H , STAMP M . Metamorphic code generation from LLVM bytecode[J]. Journal of Computer Virology ＆Hacking Techniques, 2014,10(3): 177-187.
[20]	章立春 . 一种PE程序文件加载执行方法,CN 104331308 A[P]. 2015.
	ZHANG L C . A method for loading and executing PE program files,CN 104331308 A[P]. 2015.
[21]	ZHOU J . Method and apparatus for bypassing hook:CN 101414338 B[P]. 2012.
[22]	WANG H , FANG D , LI J ,et al. The research and discussion on effectiveness evaluation of software protection[C]// Proc of the Int’l Conf on Computational Intelligence and Security. 2016. 628-632.
[23]	SCHULMAN A . Finding binary clones with opstrings and function digests[J]. Dr.Dobb’s Journal, 2005,30(9): 64-70.
[24]	ZYNAMICS. Sabre BinDiff[EB].

序号	用例名	文件大小	用例说明
1	systeminfo.exe	99 kB	Win10系统自带程序，显示本地或远程机器(包括服务包级别)的操作系统配置的信息
2	net.exe	56 kB	Win10系统自带程序，可用于管理账户、配置服务等
3	help.exe	12 kB	Win10系统自带程序，用户显示Windows下的各种帮助信息
4	telnet.exe	129 kB	Win10系统自带程序，用于连接外部特定主机和端口
5	tskill.exe	24 kB	Win10系统自带程序，用户结束指定的进程
6	where.exe	40 kB	Win10 系统自带程序，显示符合搜索模式的文件位置。在默认情况下，搜索是在当前目录和 PATH环境变量指定的路径中执行的
7	rar.exe	584 kB	Windows系统下常用压缩软件WinRAR 5.7的命令行文件
8	7z.exe	286 kB	Windows系统下常用压缩软件7z的命令行文件
9	server.exe	79 kB	Windows系统下一款常用开源远控软件
10	tcpscanner.exe	56 kB	Windows系统下一款基于TCP的端口扫描软件

用例	基本块相似性	函数相似性
systeminfo	5.3%	3.5%
net	2.4%	1.6%
help	3.1%	2.3%
telnet	5.2%	4.3%
tskill	2.6%	2.1%
where	3.9%	3.3%
rar	3.5%	2.8%
7z	4.3%	3.1%
server	6.2%	5.3%
tcpscanner	5.8%	4.3%

用例	比较维度	掩体A掩体B	掩体C掩体D	掩体E掩体F
tskill	基本块	4.3%	5.4%	4.8%
	函数	3.2%	4.6%	4.2%
7z	基本块	4.7%	5.3%	3.9%
	函数	3.1%	4.8%	3.7%
server	基本块	3.6%	3.9%	4.4%
	函数	3.3%	3.1%	3.7%

测试用例	UPX加壳			ASPack加壳			ASProtect加壳			多样化保护
测试用例	A	B	C	A	B	C	A	B	C	A	B	C
systeminfo	Y	65%	Y	Y	52%	Y	Y	36%	Y	N	0	N
net	Y	53%	Y	Y	46%	Y	Y	38%	Y	N	0	N
help	Y	68%	Y	Y	40%	Y	Y	30%	Y	N	0	N
telnet	Y	48%	Y	Y	56%	Y	Y	42%	Y	N	0	N
tskill	Y	42%	Y	Y	54%	Y	Y	46%	Y	N	0	N
where	Y	42%	Y	Y	38%	Y	Y	36%	Y	N	0	N
rar	Y	51%	Y	Y	42%	Y	Y	30%	Y	N	0	N
7z	Y	54%	Y	Y	46%	Y	Y	28%	Y	N	0	N
server	Y	80%	Y	Y	76%	Y	Y	74%	Y	N	8%	N
tcpscanner	Y	76%	Y	Y	72%	Y	Y	70%	Y	N	4%	N