CN112347490A - Application program shell adding method - Google Patents
- Publication number: CN112347490A (application CN202010528419.XA)
- Authority: CN (China)
- Prior art keywords: section, function, sections, code, file
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Abstract
The invention discloses a method for adding a shell to (packing) an application program, comprising the steps of: copying the executable file into memory; splitting off a section to extract the resource table; modifying the PE (Portable Executable) header; merging the other sections into one section and encrypting it; and adding three sections A, B and C, which store the shell code and have their relocation tables repaired. The first section stores a code-checking module; the second repairs the running environment of the packed program; the third decompresses the sections, manually maps the data of section A as a DLL file, and loads it.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method for adding a shell to an application program.
Background
Shell adding (packing) transforms the code of an executable file or dynamic link library through a series of mathematical operations in order to reduce the file size or to encrypt the program code. Existing packers include compression shells such as UPX and ASPack, and encryption shells such as those of patents CN201110437932.9 and CN201310648196.0.
However, compression shells such as UPX and ASPack cannot prevent static analysis in IDA, while the encryption shells disclosed in patents CN201110437932.9 and CN201310648196.0 do not compress the code, so the packed file is large. A solution to these problems is therefore needed.
Disclosure of Invention
In view of the above, the present invention provides a method for packing an application program that prevents both static and dynamic analysis while reducing the file size as much as possible.
In order to achieve the purpose, the invention adopts the following technical scheme:
A method for packing an application program comprises: copying the executable file into memory; splitting off a section to extract the resource table; modifying the PE header; merging the other sections into one section and encrypting it; and adding three sections A, B and C, of which the latter two store the shell code and have their relocation tables repaired, while the first stores the code-checking module. The import table is encrypted, the function names are encrypted into a table, the function address table is filled with the hash values of the function names, and the entry point is pointed to a function in section C.
Preferably, the code of sections B and C is copied from sections of a prepared DLL file; section B is mainly used to decrypt and repair the target file, and section C is mainly used to decompress it.
Preferably, the code flow of section B is divided into the following steps, and as each step executes it decrypts the code of the next step: obtaining the key functions; hashing the key code in section B to produce the value that decrypts the target section, then splitting the section and merging the sections and the resource table back together to restore the original memory layout; mapping the sections according to the mapping granularity of the target file; decrypting the import table and loading the files it lists; encrypting the function address table and pointing it to a new structure; passing first the hash of the module name, then the hash of the function name, and then jumping to the function-address calculation routine; repairing the TLS; and checking a portion of the code at the entry point and jumping to the entry point.
Preferably, the main code flow of section C is: loading the key modules to obtain the required functions; creating a thread that clears hardware breakpoints and closes logging; decompressing the other sections; checking the complete code; requesting heap space, storing the decrypted section B code there, and repairing the relocation table of section B; decrypting section A, manually mapping it into memory, and adding its module information to the module linked list; and entering the start function of the decrypted section B.
Compared with the prior art, the invention has the following advantages:
With this method, as the function of each step runs it is hashed and the hash is used to decrypt the next step, so static decompilation in IDA and debugging of the program are prevented. When packing, the file size is reduced by compression, and the file decompresses itself at run time; the import table is loaded manually, the DLL stored in the program's own section is loaded manually, and the function name table is encrypted, all of which increase the difficulty of unpacking.
Drawings
FIG. 1 is a schematic flow chart of a preferred embodiment of the present invention;
FIG. 2 is a code flow diagram of section B in the preferred embodiment of the present invention.
Detailed Description
The invention discloses a method for packing an application program: first the executable file is copied into memory; a section is split off to extract the resource table; the PE header is modified; the other sections are merged into one section and then encrypted; and three sections A, B and C are added, of which the latter two store the shell code and have their relocation tables repaired, while the first stores the code-checking module. The import table is encrypted, the function names are encrypted into a table, the function address table is filled with the hash values of the function names, and the entry point points to a function in section C (as shown in FIG. 1).
The code of sections B and C is copied from sections of a prepared DLL file; section B is primarily used to decrypt and repair the target file, and section C is primarily used to decompress it.
As shown in FIG. 2, the code flow of section B is divided into the following steps, and as each step executes it decrypts the code of the next step: obtaining the key functions; hashing the key code in section B to produce the value that decrypts the target section, then splitting the section and merging the sections and the resource table back together to restore the original memory layout; mapping the sections according to the mapping granularity of the target file; decrypting the import table and loading the files it lists; encrypting the function address table and pointing it to a new structure; passing first the hash of the module name, then the hash of the function name, and then jumping to the function-address calculation routine; repairing the TLS; and checking a portion of the code at the entry point and jumping to the entry point.
The main code flow of section C is: loading the key modules to obtain the required functions; creating a thread that clears hardware breakpoints and closes logging; decompressing the other sections; checking the complete code; requesting heap space, storing the decrypted section B code there, and repairing the relocation table of section B; decrypting section A, manually mapping it into memory, and adding its module information to the module linked list; and entering the start function of the decrypted section B.
The key design points of the invention are as follows: as the function of each step runs it is hashed and the hash is used to decrypt the next step, so static decompilation in IDA and debugging of the program are prevented. When packing, the file size is reduced by compression, and the file decompresses itself at run time; the import table is loaded manually, the DLL stored in the program's own section is loaded manually, and the function name table is encrypted, all of which increase the difficulty of unpacking.
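From a defender's side, the layout described above leaves measurable traces in the PE header: the entry point is redirected into the appended last section (section C), the merged and encrypted sections have near-maximal entropy, and the import directory is empty because imports are resolved manually at run time. The following added example (not code from the patent) parses a PE image with the standard library and reports those three indicators; the `build_pe` helper and both sample images are constructed here for testing and are not loadable binaries.

```python
import math
import random
import struct
from collections import Counter

def _entropy(data: bytes) -> float:  # Shannon entropy, bits per byte; encrypted data is near 8.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe: bytes):
    """Return (entry_rva, import_dir_size, [(name, va, vsize, raw_bytes), ...])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    magic, entry = struct.unpack_from("<H", pe, opt)[0], struct.unpack_from("<I", pe, opt + 16)[0]
    imp_dir = opt + (120 if magic == 0x20B else 104)            # IMAGE_DIRECTORY_ENTRY_IMPORT
    imp_size = struct.unpack_from("<I", pe, imp_dir + 4)[0]
    secs = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]
    return entry, imp_size, [(n.rstrip(b"\0").decode(), va, vs, pe[p:p + rs]) for n, vs, va, rs, p in secs]

def packer_indicators(pe: bytes) -> list:
    """Flag entry point in the appended last section, high-entropy sections, empty import directory."""
    entry, imp_size, sections = parse_pe(pe)
    hits = []
    name, va, vsize, _ = sections[-1]
    if va <= entry < va + vsize:
        hits.append(f"entry point 0x{entry:x} is inside last section '{name}'")
    for name, _, _, raw in sections:
        if len(raw) >= 256 and _entropy(raw) > 7.0:
            hits.append(f"section '{name}' entropy {_entropy(raw):.2f} > 7.0")
    if imp_size == 0:
        hits.append("import directory is empty (imports resolved at run time)")
    return hits

def build_pe(sections, entry_rva, import_size):
    """Constructed minimal PE32+ image for testing only; it is not loadable."""
    raw0 = (0x40 + 24 + 240 + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<II", opt, 120, 0x5000 if import_size else 0, import_size)
    img += opt
    body, va, ptr = bytearray(), 0x1000, raw0
    for name, data in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        va, ptr = va + ((len(data) + 0xFFF) & ~0xFFF), ptr + len(data)
    return bytes(img + b"\0" * (raw0 - len(img)) + body)

# Constructed samples: the packed layout (merged encrypted section plus A, B, C with entry in C
# and no import directory) beside an ordinary two-section layout.
_rng = random.Random(7)
PACKED = build_pe([("merged", _rng.randbytes(4096)), ("A", _rng.randbytes(512)),
                   ("B", _rng.randbytes(512)), ("C", b"\x48\x8b\xc4\xc3" * 128)], 0x4010, 0)
BENIGN = build_pe([(".text", b"\x55\x48\x89\xe5\xc3\x90" * 700), (".data", b"\0" * 512)], 0x1000, 40)
```

`packer_indicators(PACKED)` returns five findings and `packer_indicators(BENIGN)` none; on real files these are triage hints, not proof of packing, since compressed resources and delay-loaded imports also raise entropy or shrink the import directory.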
The technical principle of the present invention is described above in connection with specific embodiments. The description is made for the purpose of illustrating the principles of the invention and should not be construed in any way as limiting the scope of the invention. Based on the explanations herein, those skilled in the art will be able to conceive of other embodiments of the present invention without inventive effort, which would fall within the scope of the present invention.
Claims (4)
1. A method for packing an application program, comprising: copying an executable file into memory, splitting off a section to extract the resource table, modifying the PE (Portable Executable) header, merging the other sections into one section and then encrypting it, and adding three sections A, B and C that store the shell code and whose relocation tables are repaired, the first of which stores a code-checking module; the function address table is encrypted and filled with the hash values of the function names, and the entry point is pointed to a function in section C.
2. The method for packing an application program as claimed in claim 1, characterized in that: the code of sections B and C is copied from sections of a prepared DLL file, section B is primarily used to decrypt and repair the target file, and section C is primarily used to decompress the target file.
3. The method for packing an application program as claimed in claim 1, characterized in that: the code flow of section B is divided into the following steps, and as each step runs it decrypts the code of the next step: obtaining the key functions; hashing the key code in section B to produce the value that decrypts the target section, then splitting the section and merging the sections and the resource table back together to restore the original memory layout; mapping the sections according to the mapping granularity of the target file; decrypting the import table and loading the files it lists; encrypting the function address table and pointing it to a new structure; passing first the hash of the module name, then the hash of the function name, and then jumping to the function-address calculation routine; repairing the TLS; and checking a portion of the code at the entry point and jumping to the entry point.
4. The method for packing an application program as claimed in claim 1, characterized in that: the main code flow of section C is: loading the key modules to obtain the required functions; creating a thread that clears hardware breakpoints and closes logging; decompressing the other sections; checking the complete code; requesting heap space, storing the decrypted section B code there, and repairing the relocation table of section B; decrypting section A, manually mapping it into memory, and adding its module information to the module linked list; and entering the start function of the decrypted section B.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010528419.XA CN112347490A (en) | 2020-06-11 | 2020-06-11 | Application program shell adding method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112347490A true CN112347490A (en) | 2021-02-09 |
Family
ID=74358204
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010528419.XA Pending CN112347490A (en) | 2020-06-11 | 2020-06-11 | Application program shell adding method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112347490A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101964040A (en) * | 2010-09-10 | 2011-02-02 | 西安理工大学 | PE loader-based software packing protection method |
US20170171175A1 (en) * | 2011-12-21 | 2017-06-15 | Ssh Communications Security Oyj | Managing credentials in a computer system |
CN110321501A (en) * | 2019-05-24 | 2019-10-11 | 深圳壹账通智能科技有限公司 | Link shell adding jump method, device, electronic equipment and storage medium |
CN111191195A (en) * | 2019-12-10 | 2020-05-22 | 航天信息股份有限公司 | Method and device for protecting APK |
Non-Patent Citations (2)
Title |
---|
九阳道人, "C++写壳详解之基础篇" (A detailed guide to writing a packer in C++: fundamentals), HTTPS://BBS.PEDIY.COM/THREAD-250960.HTM |
张顺, "基于壳技术的软件保护方案研究" (Research on a software protection scheme based on packer technology), China Master's Theses Full-text Database, Information Science and Technology series |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2021-02-09