基于代码碎片化的软件保护技术

doi:10.11959/j.issn.2096-109x.2020063

摘要/Abstract

摘要：

针对当前软件保护技术存在的不足，提出一种代码碎片化技术，该技术是一种以函数为单元，对函数进行代码shell化、内存布局随机化、执行动态链接化的新型软件保护技术，代码shell化实现代码碎片的位置无关变形，内存布局随机化实现代码碎片的随机内存加载，动态链接化实现对代码碎片的动态执行，通过上述3个环节实现对程序的碎片化处理。实验表明，代码碎片化技术不仅能实现程序执行过程中函数碎片内存位置的随机化，还能实现函数碎片的动态链接执行，增加程序静态逆向分析和动态逆向调试的难度，提高程序的抗逆向分析能力。

关键词: 代码碎片化, 软件保护, 分离, 动态链接

Abstract:

Aiming at the shortcomings of the current software protection technology,a code fragmentation technology was proposed.This technology is a new software protection technology that takes functions as units,shells functions,randomizes memory layout,and performs dynamic linking.The code shellization realizes the position-independent morphing of code fragments,the memory layout randomizes the random memory loading of the code fragments,the dynamic linking realizes the dynamic execution of the code fragments,and the program fragmentation processing is achieved through the above three links.The experiments show that the code fragmentation technology can not only realize the randomization of the memory location of function fragments during program execution,but also the dynamic link execution of function fragments,increasing the difficulty of static reverse analysis and dynamic reverse debugging of the program,and improving the anti-reverse analysis ability of the program.

Key words: code fragmentation, software protection, separation, dynamic linking

中图分类号:

TP309.5

郭京城,舒辉,熊小兵,康绯. 基于代码碎片化的软件保护技术[J]. 网络与信息安全学报, 2020, 6(6): 57-68.

Jingcheng GUO,Hui SHU,Xiaobing XIONG,Fei KANG. Software protection technology based on code fragmentation[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 57-68.

图/表 15

图1

表1

函数fi中各元素定义　Table 1 Definition of element in fi"

标识符	定义
G_di	f _i 中所使用的全局变量的集合
LC_di	f _i 中所使用的局部变量的集合
T_i	f _i 的导入表
I_i	f _i 中所有指令的集合
$Q_{I_{i} \to G_{d i}}$	指令与全局变量的关系
$Q_{I_{i} \to L C_{d i}}$	指令与局部变量的关系
$Q_{I_{i} \to L C_{d i}}$	指令与导入函数的关系
P_i	调用 f_i 的所有函数的集合
$L_{P_{i} \to f_{i}}$	调用 f_i 的函数与 f_i 的调用关系
C_i	f _i 调用的所有函数的集合
$L_{f_{i} \to C_{i}}$	f _i 与 f_i 调用的函数的调用关系
$M_{f_{i}}$	f_i 在PE文件中的内存布局

表1

表2

代码shell化各映射关系定义　Table 2 The definition of mapping relationship in code shellization"

标识符	定义
S₁	G_di→G_{new di}
S₂	T_i→T_{new i}
S₃	I_i→I _newi
S₄	$Q_{I_{i} \to G_{d i}} \to Q_{I_{new i} \to G_{new d i}}$
S₅	$Q_{I_{i} \to T_{i}} \to Q_{I_{new i} \to T_{new i}}$

表2

表3

动态链接化各映射关系定义　Table 3 The definition of mapping relationship in dynamic linking"

标识符	定义
D₁	$L_{P_{i} \to f_{i}} \to L_{new P_{i} \to f_{i}}$
D₂	$L_{f_{i} \to C_{i}} \to L_{new f_{i} \to C_{i}}$

表3

图2

图3

图4

图5

图6

表4

表5

图7

表6

图8

表7

参考文献 16

[1]	许团, 屈蕾蕾, 石文昌 . 基于结构特征的二进制代码安全缺陷分析模型[J]. 网络与信息安全学报, 2017,3(9): 31-39.
	XU T , QU L L , SHI W C . Analysis model of binary code security flaws based on structure characteristics[J]. Chinese Journal of Network and Information Security, 2017,3(9): 31-39.
[2]	孙博文, 黄炎裔, 温俏琨 ,等. 基于静态多特征融合的恶意软件分类方法[J]. 网络与信息安全学报, 2017,3(11): 68-76.
	SUN B W , HUANG Y Y , WEN Q K ,et al. Malware classification method based on static multiple-feature fusion[J]. Chinese Journal of Network and Information Security, 2017,3(11): 68-76.
[3]	李伟明, 邹德清, 孙国忠 . 针对恶意代码的连续内存镜像分析方法[J]. 网络与信息安全学报, 2017,3(2): 20-30.
	LI W M , ZOU D Q , SUN G Z . Successive memory image analysis method for malicious codes[J]. Chinese Journal of Network and Information Security, 2017,3(2): 20-30.
[4]	王健 . 基于完整性验证和壳的软件保护技术研究[D]. 太原:中北大学, 2018.
	WANG J . Research on software protection technology based on in-tegrity verification and shell[D]. Taiyuan:North China University, 2018.
[5]	杜春来, 孔丹丹, 王景中 ,等. 一种基于指令虚拟化的代码保护模型[J]. 信息网络安全, 2017(2): 22-28.
	DU C L , KONG D D , WANG J Z ,et al. A code protection model based on instruction virtualization[J]. Netinfo Security, 2017(2): 22-28.
[6]	BALACHANDRAN V , EMMANUEL S , KEONG N . Obfuscation by code fragmentation to evade reverse engineering[C]// 2014 IEEE International Conference on Systems,Man,and Cybernetics (SMC. 2014.
[7]	BALACHANDRAN V , KEONG N W , EMMANUEL S . Function level control flow obfuscation for software security[C]// Eighth International Conference on Complex,Intelligence and Software Intensive Systems. 2014: 133-140.
[8]	LASZLO T , KISS A . Obfuscating C++ programs via control flow flattening[R]. 2009.
[9]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfusca-torLLVM-software protection for the masses[C]// 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[10]	DAVIDSON J , HILL J , KNIGHT J . Protection of software-based survivability mechanisms[C]// 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 2001: 193-193.
[11]	WANG C , HILL J , KNIGHT J . Software tamper resistance:obstructing static analysis of programs[J]. 2000:
[12]	WANG C . A security architecture for survivability mechanisms[D]. Virginia:University of Virginia,School of Engineering and Applied Science, 2000.
[13]	蒋华, 刘勇, 王鑫 . 基于控制流的代码混淆技术研究[J]. 计算机应用研究, 2013,30(3): 897-899.
	JIANG H , LIU Y , WANG X . Code confusion technology research based on control flow[J]. Application Research of Computers, 2013,30(3): 897-899.
[14]	王旭 . 基于目标代码的控制流混淆技术研究[D]. 北京:北京邮电大学, 2013.
	WANG X . Research on control flow obfuscation technology based on object code[D]. Beijing:Beijing University of Posts and Telecommunications, 2013.
[15]	王丰峰, 张涛, 徐伟光 ,等. 进程控制流劫持攻击与防御技术综述[J]. 网络与信息安全学报, 2019,5(6): 10-20.
	WANG F F , ZHANG T , XU W G ,et al. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of network and information security, 2019,5(6): 10-20.
[16]	乔向东, 郭戎潇, 赵勇 . 代码复用对抗技术研究进展[J]. 网络与信息安全学报, 2018,4(3): 1-12.
	QIAO X D , GUO R X , ZHAO Y . Research progress in code reuse attacking and defending[J]. Chinese Journal of Network and Information Security, 2018,4(3): 1-12.

测试源码程序	代码行数	函数数量	功能描述
rsa	678	52	非对称加密算法
rc4	184	13	流加密算法，密钥长度可变，对称加密算法
MD5	115	10	密码哈希函数，产生一个128 bi（t 16 Byte）的哈希值
aes	279	25	区块长度固定为 128 bit，密钥长度是128矩阵加密算法
des	203	5	密钥加密的块算法，区块长度64 bit，密钥长度56 bit
sm4	259	20	分组加密算法，分组长度与密钥长度均为128 bit
sha256	125	18	密码哈希函数，产生一个256 bit的哈希值
gzip	4 514	144	文件压缩算法
huffman	225	21	可变字长编码方式
Huffcomprs	630	27	哈夫曼压缩算法

测试源码程序	碎片化前	碎片化后
rsa	52	0
rc4	45	0
MD5	46	0
aes	43	0
des	42	0
sm4	43	0
sha256	45	0
gzip	80	0
huffman	48	0
Huffcomprs	51	0

测试源码程序	碎片块数	函数调用表项数	间接调用比例（碎片化前）	间接调用比例（碎片化后）
rsa	37	37	10%	82%
rc4	4	4	40%	80%
MD5	3	3	33%	67%
aes	17	17	26%	76%
des	1	1	50%	67%
sm4	12	12	17%	69%
sha256	11	11	28%	49%
gzip	99	99	12%	78%
huffman	10	10	24%	54%
Huffcomprs	9	9	22%	56%

测试源码程序	碎片化前/ms	碎片化后/ms	时间开销增加比例
rsa	3 515	3 813	8.48%
rc4	15	16	6.67%
MD5	15	16	6.67%
aes	15	16	6.67%
des	31	32	3.23%
sm4	16	31	93.75%
sha256	15	16	6.67%
gzip	437	734	67.96%
huffman	31	47	51.62%
Huffcomprs	94	141	50.00%