
Method for protecting mirror image codes based on executable mirror image hiding and dll injection

A technique for image and code protection, applied in the field of API protection, which addresses the problems of missing protection, large performance loss, etc.

Active Publication Date: 2016-04-20
XIANGTAN UNIV
4 Cites, 8 Cited by

AI Technical Summary

Problems solved by technology

But packing only protects the code statically; once the shell is removed, the protection is gone.
Even while the program is packed, the APIs in the system DLLs can still be hooked in-process to monitor the target process, so this method is only suitable where the security requirements are relatively low.
The second method, code virtualization, offers stronger protection, but because the code runs in a virtual machine the performance loss is very large; if the program has relatively high requirements on running efficiency, code virtualization is not advisable.



Examples


Embodiment

[0196] The platform used is Windows 7 64-bit, and the debugger used is OllyDbg v2.01.



Abstract

Provided is a method for protecting image code based on executable-image hiding and DLL injection. The method comprises the following steps:
1. The target image is decrypted in memory.
2. The PE image is loaded: the DLL files the program needs are loaded, image relocation is performed, and finally the OEP (original entry point) is executed.
3. The IAT of the exe module is checked for hijacking.
4. LoadLibrary and LoadLibraryEx are actively hooked, the check of step 3 is run on the DLL image returned by each load, and if nothing abnormal is found, step 5 is executed.
5. CreateProcess is hooked, and the protection DLL is injected while the child process is being created.
6. Remote thread injection is performed: the protected target process is injected in a Ring3 (user-mode) environment, and thread injection by a malicious loader is prevented.
7. A low-priority thread (THREAD_PRIORITY_BELOW_NORMAL) is created that checks in an endless loop, once per second, whether the process has been loaded by a debugger.
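Step 3 above, the IAT hijack check, rests on one observation: after the loader resolves an import, each IAT slot should hold an address inside the image of the module named by the import descriptor, and an IAT hook replaces that address with one that lies elsewhere. The following portable C program, added here as an illustration and not taken from the patent, implements that integrity check over constructed data. The `IatEntry` and `ModuleRange` structures, the module bounds and the slot addresses are all hypothetical stand-ins for what the PE headers of a real loaded module would provide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified view of one resolved import (constructed for this
 * example): the DLL named by the import descriptor, the imported symbol, and
 * the address currently stored in the IAT slot. */
typedef struct {
    const char *module;
    const char *symbol;
    uint64_t    resolved;
} IatEntry;

/* Hypothetical record of where a loaded module's image lives. On a real
 * system base and size come from the module's PE optional header. */
typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} ModuleRange;

static const ModuleRange *find_module(const ModuleRange *mods, size_t n,
                                      const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(mods[i].name, name) == 0)
            return &mods[i];
    return NULL;
}

/* Flags every IAT slot whose address lies outside the image of the module
 * that is supposed to export it. Returns the number of flagged slots and
 * writes their indexes to flagged[] (at most max_flagged of them). */
size_t check_iat(const IatEntry *iat, size_t n_iat,
                 const ModuleRange *mods, size_t n_mods,
                 size_t *flagged, size_t max_flagged)
{
    size_t count = 0;
    for (size_t i = 0; i < n_iat; i++) {
        const ModuleRange *m = find_module(mods, n_mods, iat[i].module);
        int inside = m != NULL &&
                     iat[i].resolved >= m->base &&
                     iat[i].resolved <  m->base + m->size;
        if (!inside) {
            if (count < max_flagged)
                flagged[count] = i;
            count++;
        }
    }
    return count;
}

/* Constructed sample: two module ranges and four IAT slots. */
static const ModuleRange demo_modules[] = {
    { "kernel32.dll", 0x00007ff8a0000000ULL, 0x000b0000 },
    { "user32.dll",   0x00007ff8b0000000ULL, 0x001a0000 },
};

static const IatEntry demo_iat[] = {
    { "kernel32.dll", "CreateProcessW", 0x00007ff8a0012340ULL }, /* inside kernel32: ok */
    { "kernel32.dll", "LoadLibraryW",   0x000001a0c0001000ULL }, /* private allocation: flagged */
    { "user32.dll",   "MessageBoxW",    0x00007ff8b0020000ULL }, /* inside user32: ok */
    { "kernel32.dll", "WriteFile",      0x00007ff8b0030000ULL }, /* inside user32, not kernel32: flagged */
};

/* Runs the check over the constructed sample; returns the flagged count. */
size_t run_demo(size_t *flagged, size_t max_flagged)
{
    return check_iat(demo_iat, sizeof demo_iat / sizeof demo_iat[0],
                     demo_modules, sizeof demo_modules / sizeof demo_modules[0],
                     flagged, max_flagged);
}

int main(void)
{
    size_t flagged[8];
    size_t n = run_demo(flagged, 8);
    for (size_t i = 0; i < n; i++)
        printf("suspicious IAT slot %zu: %s!%s -> %#llx\n", flagged[i],
               demo_iat[flagged[i]].module, demo_iat[flagged[i]].symbol,
               (unsigned long long)demo_iat[flagged[i]].resolved);
    printf("%zu of %zu entries flagged\n", n,
           sizeof demo_iat / sizeof demo_iat[0]);
    return 0;
}
```

On a real system the check is only as good as the module ranges it is given: they must be read from the loaded PE headers rather than a fixed list, and forwarded exports (a kernel32 symbol that legitimately resolves into kernelbase, for instance) must be followed through the export directory before an out-of-range address is treated as a hook, otherwise the check produces false positives.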

Description

Technical field

[0001] The invention relates to the field of low-level system security, in particular to hiding executable images, preventing malicious code injection and protecting APIs.

Background

[0002] Code injection is usually thread injection: another process with higher privilege opens the target's token, allocates a new region of executable memory in the target process, writes there the shellcode that loads the hijacked DLL, and then runs that code region as a thread function. When the hijacked DLL is loaded, the system automatically calls its DllMain entry function, at which point ul_reason_for_call is DLL_PROCESS_ATTACH. If DllMain contains code such as a hook, the process can then be modified at will to do things the developer did not intend.

[0003] Against code hijacking there are basically two approaches: the first is packing, and the second is code virtualization. But packing can ...


Application Information

Patent Timeline
IPC(8): G06F21/51
CPC: G06F21/51, G06F2221/033
Inventor 欧阳建权陈灵锋刘任任唐欢容
Owner XIANGTAN UNIV