Method of protecting image code based on hiding executable image and injecting dll
A technology of mirroring and code, applied in the field of API protection, which can solve the problems of no protection and large performance loss.
Active Publication Date: 2018-03-30
XIANGTAN UNIV
View PDF4 Cites 2 Cited by
- Summary
- Abstract
- Description
- Claims
- Application Information
AI Technical Summary
Problems solved by technology
But packing can only protect the code statically. Once the shell is removed, the protection will be gone.
And when packing, we can go to the API in the system dll in the Hook process to monitor the target process, so this method can only be used in occasions with relatively low security requirements
However, the second code virtualization method has stronger protection, but because the code runs in a virtual machine, the performance loss is very large. If there are relatively high requirements for program running efficiency, the code virtualization method is not advisable. of
Method used
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View moreImage
Smart Image Click on the blue labels to locate them in the text.
Smart ImageViewing Examples
Examples
Experimental program
Comparison scheme
Effect test
Embodiment
[0196] The platform used is Windows7 64bit version, and the debugger used is OllyDbg V2.01 version.
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More PUM
Login to View More
Abstract
Provided is a method for protecting mirror image codes based on executable mirror image hiding and dll injection. The method comprises the following steps that 1, a target mirror image is decrypted in a memorizer; 2, a PE mirror image is loaded, wherein a dll file needed for a program is loaded, mirror image repositioning is executed, and finally OEP is executed; 3, whether an IAT of an exe module is hijacked or not is checked; 4, a Load Library and a Load Library Ex are actively hijacked, operation in the step 3 is executed on a dll mirror image of a load result, and if judgment is not abnormal, the step 5 is executed; 5, a Create Process function is hijacked, and a protection dll is injected while a subprocess is set up; 6, remote thread injection is carried out, a protected target process is injected in a Ring3 environment, and thread injection of a vicious loader is avoided; 7, a thread (THREAD_PRIORITY_BELOW_NORMAL) with low priority is built, endless loop check is carried out, whether the thread is loaded by a Debugger or not is checked, and checking is carried out once every second.
Description
technical field [0001] The invention relates to the field of system low-level security, in particular to hiding executable images, preventing malicious code injection and protecting APIs. Background technique [0002] Code injection is usually thread injection, that is, another process has higher authority, can open the Token of the target, open up a new code execution space in the target process, and write the ShellCode loaded by the hijacked dll here, and then use this Sections of code are loaded as thread functions. When the hijacked dll is loaded, the system will automatically call the DllMain entry function, and at this time the value of ul_reason_for_call is DLL_PROCESS_ATTACH. If there are codes such as Hook in DllMain at this time, then this process can be modified casually to do something that the developer does not want to happen. [0003] For code hijacking, there are basically two ways, the first is packing, and the second is code virtualization. But packing c...
Claims
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More Application Information
Patent Timeline
Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/51
CPCG06F21/51G06F2221/033
Inventor 欧阳建权陈灵锋刘任任唐欢容
Owner XIANGTAN UNIV
Who we serve
- R&D Engineer
- R&D Manager
- IP Professional
Why Patsnap Eureka
- Industry Leading Data Capabilities
- Powerful AI technology
- Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.
© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com