KR101300256B1 - Method for securing software executable files by prohibiting dynamic and static analysis, and computer-readable recording medium for storing program for securing software executable files for the same - Google Patents
Method for securing software executable files by prohibiting dynamic and static analysis, and computer-readable recording medium for storing program for securing software executable files for the same Download PDFInfo
- Publication number
- KR101300256B1 KR101300256B1 KR20110095323A KR20110095323A KR101300256B1 KR 101300256 B1 KR101300256 B1 KR 101300256B1 KR 20110095323 A KR20110095323 A KR 20110095323A KR 20110095323 A KR20110095323 A KR 20110095323A KR 101300256 B1 KR101300256 B1 KR 101300256B1
- Authority
- KR
- South Korea
- Prior art keywords
- code
- executable file
- memory
- executable
- prevention
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 91
- 230000003068 static effect Effects 0.000 title claims abstract description 38
- 230000002265 prevention Effects 0.000 claims abstract description 62
- 230000000903 blocking effect Effects 0.000 claims abstract description 53
- 230000008569 process Effects 0.000 claims description 49
- 238000012545 processing Methods 0.000 claims description 17
- 238000012544 monitoring process Methods 0.000 claims description 10
- 230000006870 function Effects 0.000 claims description 6
- 230000007123 defense Effects 0.000 abstract description 8
- 230000001681 protective effect Effects 0.000 abstract 1
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000008260 defense mechanism Effects 0.000 description 1
- PWPJGUXAGUPAHP-UHFFFAOYSA-N lufenuron Chemical compound C1=C(Cl)C(OC(F)(F)C(C(F)(F)F)F)=CC(Cl)=C1NC(=O)NC(=O)C1=C(F)C=CC=C1F PWPJGUXAGUPAHP-UHFFFAOYSA-N 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000003449 preventive effect Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to a method for protecting a software executable file through the prevention of dynamic analysis and static analysis, and to a computer-readable recording medium recording a software executable file protection program through the prevention of dynamic analysis and static analysis. When the executable file is loaded into the memory by the system loader, code encryption means for encrypting the executable code of the loaded executable file, reverse code engineering prevention means for preventing reverse code engineering for the loaded executable file, And memory access blocking means for blocking memory access to the memory region in which the executable file is loaded, so that the executable file encryption code, reverse code engineering defense technique, By malicious memory access blocking techniques It can block the protective analysis and forgery of the memory area for the line file.
Description
The present invention relates to a method for protecting a software executable file through the prevention of dynamic analysis and static analysis, and to a computer readable recording medium recording a software executable file protection program through the prevention of dynamic analysis and static analysis. Computer-readable record of software executable file protection program through encryption and analysis defense against data protection, and dynamic and static analysis prevention to prevent memory area forgery, and software executable protection program through dynamic and static analysis prevention It is about the medium.
Figure 1 shows the execution process for the executable file of the software on the conventional Windows operating system It is a figure which shows. Referring to FIG. 1, first, a system loader in a terminal device implemented on a Windows operating system analyzes a target file to analyze whether the target file is an executable file (S1).
According to the analysis of step S1, in the case of an executable file, the system loader loads the entire area of the executable file onto the memory (S2).
Thereafter, the system loader analyzes the execution of the code starting from the entry point, which is the start address of the executable file (S3), and finally executes the executable code of the executable file by the central processing unit ( S4).
If such a process is performed, it may be executed by the central processing unit without a defense against the executable code, and may be exposed to malicious access to the executable file or the executable code. In addition, it is possible to analyze by malicious users who perform such access, so that it is easy to find vulnerabilities of the software, leak personal information, and hack into memory on the system. Accordingly, in the prior art, a serious problem in software security is exposed because it leads to artificial forgery of code and data.
[Related Technical Literature]
1. Method and device for extracting Windows executable files (Patent Application No. 10-2008-0125415)
The object of the present invention is to encrypt the executable executable code, reverse code engineering defense technique, and malicious memory access blocking technique before branching from the system loader running on the Windows operating system to the executable code of the executable file. Software executable file protection method through dynamic analysis and static analysis prevention to protect analysis analysis and forgery of memory area and software executable file protection program through dynamic and static analysis prevention. In providing.
The computer-readable recording medium that records the software executable file protection program through the dynamic analysis and the static analysis prevention according to the present invention in order to achieve this problem, the executable file is stored on the memory by the system loader when the target file is an executable file. When loaded, code encryption means for performing encryption on the executable code of the loaded executable file, reverse code engineering prevention means for preventing reverse code engineering of the loaded executable file, and the memory region in which the executable file is loaded. Memory access blocking means for performing memory access blocking.
Further, the code encrypting means preferably provides the executable code decrypted using the encryption key encrypted by the executable code of the executable file to the reverse code engineering preventing means and the memory access blocking means.
In this case, it is preferable that the code encrypting means generates a structured exception handler (SEH) when encrypting the executable code of the executable file, generates a software interrupt, and decrypts the encrypted executable code.
In addition, the code encryption means preferably performs encryption and decryption on the operation code (OPcode) of the central processing unit that matches the execution code with 1: 1.
In addition, reverse code engineering preventive measures are invoked upon address calls for execution when they are not running, and then create watchdog threads to watch for debug events collected by externally accessed processes, and centralize them according to watchdog threads. It is preferable to check the register values DR0 to DR3 in the debug registers of the processing apparatus and terminate the executable file loaded on the memory when the executable file determines that the executable file by the access process is being analyzed.
In addition, the reverse code engineering prevention means preferably determines that the executable file has been analyzed by the access processor when the registers DR0 to DR3 are set to one.
On the other hand, the memory access blocking means, when the access process from the outside is not registered, obtains the application process call (API) address of the kernel function according to the access to the memory at the kernel level, and then the obtained application process call ( API) It is preferable to block access to the memory area loaded with the executable file by the access process by changing the address to a pre-stored handler address for blocking access.
In this case, the memory access blocking means preferably stores the obtained application process call (API) address.
Software execution file protection method through the dynamic analysis and static analysis prevention in accordance with the present invention for achieving this problem, the Windows operating including a security enhancement loader consisting of code encryption means, reverse code engineering prevention means and memory access blocking means In order to enhance security of an executable file on a terminal device that executes a software executable file on a system basis, the system loader loading the executable file onto a memory when the target file is an executable file; Code encryption means for performing encryption on the executable code of the loaded executable file; Preventing the reverse code engineering means for reverse code engineering for the loaded executable file; And performing a memory access blocking operation on the memory area in which the execution file is loaded, by the memory access blocking means.
In this case, the performing of the encryption may include determining whether the code encryption means is encrypting the executable code of the executable file; Acquiring, by the code encryption means, an encryption key used for encryption if the executable code is being encrypted; Generating, by the code encryption means, a SEH to generate a software interrupt; And encrypting, by the code encrypting means, decrypting the encrypted execution code according to a software interrupt, and obtaining the existing form of the execution code loaded on the memory and providing the reverse code engineering prevention means and the memory access blocking means. Do.
At this time, in the step of determining whether the encryption is in progress, the code encryption means encrypts the operation code (OPcode) of the central processing unit matched with the execution code 1: 1, and in the step of providing by decrypting, the code encryption means It is desirable to decrypt the encrypted opcode.
In addition, the step of preventing reverse code engineering, the security enhancement loader to invoke the address of the reverse code engineering prevention means when the reverse code engineering prevention means is not being performed; Generating, by the reverse code engineering prevention means, a monitoring thread for monitoring whether a debug event by an access process from outside is collected; The reverse code engineering prevention means checks the register values of DR0 to DR3 in the debug register of the CPU according to the monitoring thread to determine that the executable is being analyzed by the access process. Terminating the file; preferably.
Also, in the step of terminating the executable file loaded on the memory, it is preferable that the reverse code engineering prevention means determines that the executable file is analyzed by the access processor when the registers DR0 to DR3 are set to one.
In addition, the step of performing a memory access blocking step, the memory access blocking means determines whether an access process from the outside is registered; Obtaining, by the memory access blocking means, an application process call (API) address of a kernel function according to access to the memory at the kernel level, if it is not registered as a result of the above determination; And by the memory access blocking means changing the obtained application process call (API) address to a pre-stored handler address for blocking access to block access to the memory region loaded with the executable file by the access process. desirable.
At this time, the step of obtaining the application process call (API) address by the memory access blocking means, it is preferable to store the application process call (API) address obtained by the memory access blocking means.
According to the present invention, through the encryption of the executable code constituting the executable file provides an effect of blocking the code analysis of the software, to prevent the decryption of the executable code by a malicious user (user) or to delay the analysis time.
In addition, reverse code engineering prevention prevents the use of tools that can be analyzed by malicious users (e.g. hackers) by providing appropriate defense mechanisms for dynamic or static analysis to prevent tools for debugging from accessing protected executables. By blocking the access to the memory and blocking the access to the memory, it is impossible to analyze the executable file or the code used by the legitimate user, thereby providing the effect of securing the integrity of the data area.
Figure 1 shows the execution process for the executable file of the software on the conventional Windows operating system Indicative drawing.
2 is a diagram showing the main configuration of a terminal device based on the Windows operating system for performing a software executable file protection method through the prevention of dynamic analysis and static analysis according to an embodiment of the present invention.
3 is an overall flowchart illustrating a software executable file protection method through dynamic analysis and static analysis prevention according to an embodiment of the present invention.
4 is a flowchart illustrating the operation of reverse code engineering means in a software executable file protection method through dynamic analysis and static analysis prevention according to an embodiment of the present invention.
5 is a flowchart illustrating a driving method of code encryption means among software executable file protection methods through dynamic analysis and static analysis prevention according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating a driving method of a memory access blocking means among software executable file protection methods through dynamic analysis and static analysis prevention according to an embodiment of the present invention. FIG.
Hereinafter, the present invention will be described in detail with reference to the drawings.
2 is a diagram illustrating a main configuration of a terminal device 1 based on a Windows operating system that performs a method for protecting a software executable file through dynamic and static analysis prevention according to an embodiment of the present invention. Referring to FIG. 2, the terminal device 1 based on the Windows operating system includes a central processing unit 10, a system loader 20, a memory 30, a security enhancement loader 40, and a security enhancement loader 40. 40 includes code encryption means 41, reverse code engineering prevention means 42 and memory access blocking means 43.
Hereinafter, the configuration of the security enhancement loader 40 will be described.
The code encrypting means 41 is a means for encrypting the executable code of the executable file loaded by the system loader 20 so as not to be analyzed when exposed to the outside through an access process from the outside.
More specifically, the execution code loaded by the system loader 20 is executed by matching 1: 1 to an operation code (hereinafter referred to as "OPcode") of the central processing unit 10, the operation code (Opcode Code encryption means 41 encrypts the operation code (OPcode) so that it cannot be confirmed by the analysis means.
On the other hand, the operation code (OPcode) is a code designating the type of processing to be executed by the central processing unit 10 on the Windows operating system, and may include the operation target and address in addition to the operation code in the basic structure of the machine language instructions.
The encrypted opcode may be converted into decryption by software interrupt at the same time as encryption and used. The opcodes that are all decrypted can maintain the form of the existing code as it is in the execution code area loaded by the system loader 20, and the reverse code engineering prevention means 42 by the code encryption means 41, Memory access blocking means 43 may be provided.
The reverse code engineering prevention means 42 is a means to prevent reverse code engineering by preventing collection of debug events for executable files on the Windows operating system.
On the other hand, if you look at the basic process of reverse code engineering on the Windows operating system, you can get the handle of the target file to be executed or the target file being executed and execute or attach the process in debug mode through the handle obtained. After analyzing the execution code based on the entry point of the executable file, the processing for the occurrence of the debug event is performed.
Thus, by discerning whether a debug event is occurring, one can see if reverse code engineering is being performed.
Thus, the reverse code engineering prevention means 42 determines whether the debug event is being collected by an access process from the outside of the executable file. Confirmation that the debug event is collected is determined by checking the register values from DR0 to DR3 among the debug registers of the CPU 10 to determine whether the executable file is being analyzed.
At this time, DR0 to DR3 in the debug register have an address value designated as a hardware break point. In the debug registers, DR4 through DR5 are reserved values for future use and are not currently used, and DR6 through DR7 are register values storing state information.
The memory access blocking means 43 is a means for blocking access to the region of the memory 30 that is created / accessed as the executable file is executed and the region of the memory 30 loaded with the executable code.
The memory access blocking means 43 defends the area of the memory 30 in which the executable file and the executable code are loaded for execution by the central processing unit 10.
More specifically, the memory access blocking means 43 is an application process call used when accessing the memory 30 at the kernel level managing an input / output process or a creation process on the Windows operating system. By hooking to select and control an Invocation (API) function, it completely blocks access to the memory 30 by an access process from the outside.
By providing such technical means, according to the present invention, a malicious user (e.g., a hacker) can be provided by appropriately defending against dynamic or static analysis of the tool for debugging by preventing reverse code engineering from accessing the protected executable. Prevents the use of tools that can be analyzed and prevents the analysis of executable files or executable code by blocking memory access, thereby ensuring the integrity of the data area.
In other words, according to the present invention, since the binary of the protected executable file is already encrypted and protected as well as the dynamic analysis defense, the defense against the static analysis is also possible. The meaning that the software executable file is protected by the present invention means that the static analysis is performed because the structure of the protected file is changed and the executable code is stored on the disk in addition to the defense against dynamic analysis (including memory access defense). It is also possible to defend against this.
3 is an overall flowchart illustrating a software executable file protection method through dynamic analysis and static analysis prevention according to an embodiment of the present invention. 2 and 3, the system loader 20 first determines whether the target file is an executable file in order to strengthen the executable file security (S11).
If the result of the determination in step S11 is an executable file, the system loader 20 loads the executable file into the memory 30 (S42).
The security enhancement loader 40 controls to perform code encryption by driving the code encryption means 41 for the executable code of the executable file loaded in step S42 (S13).
After step S13, the security enhancement loader 40 controls the reverse code engineering prevention means 42 to perform reverse code engineering (S14).
After step S15, the security enhancement loader 40 controls the memory access blocker 43 to drive the memory access blocker 43 (S15).
Thereafter, the system loader 20 analyzes the code execution to proceed from the entry point (Entry Point) which is the start address of the executable file loaded in the memory 20 (S16).
After step S16, the central processing unit 10 controls to execute the execution code of the executable file (S17).
4 is a flowchart illustrating the operation of the reverse code engineering means 42 of the software executable file protection method through dynamic analysis and static analysis prevention according to an embodiment of the present invention. 2 to 4, the security enhancement loader 40 determines whether the reverse code engineering prevention means 42 is being performed (S21).
As a result of the determination in step S21, when it is determined that the reverse code engineering prevention means 42 is not being performed, the security enhancement loader 40 calls the address of the reverse code engineering prevention means 42 to reverse code engineering prevention means. Invoke (42) (S22).
According to step S22, the reverse code engineering prevention means 42 creates a monitoring thread for monitoring whether a debug event by an access process from the outside is collected (S23).
Thereafter, the reverse code engineering prevention means 42 checks the register values of DR0 to DR3 in the debug registers of the CPU 10 according to the generated monitoring thread, so that the executable file is analyzed by the access process. It is checked whether or not it is (S24).
The reverse code engineering prevention means 42 determines whether the registers from DR0 to DR3 are set to 1, for example (S25).
In addition, when the registers from DR0 to DR3 are set to 1, the reverse code engineering prevention means 42 determines that the executable file is analyzed by an external access processor, and the system loader 20 is stored on the memory 30. End the executable file loaded by (S26).
5 is a flowchart illustrating a driving method of the software executable file protection method code encryption means 41 by preventing dynamic analysis and static analysis according to an embodiment of the present invention. 2 and 5, the security enhancement loader 40 determines whether the executable code of the executable file loaded on the memory 30 by the code encryption means 41 is being encrypted (S31). ).
In more detail, the code encrypting means 41 executes the execution code by matching the operation code with the operation code of the central processing unit 10 to 'OPcode' as 1: 1. The operation code (OPcode) is encrypted so that it cannot be confirmed by the analysis means.
If the execution code is being encrypted as a result of the determination in step S31, the code encrypting means 41 obtains an encryption key used for encryption (S32).
After step S32, the code encrypting means 41 registers the SEH (S33), thereby generating a software interrupt (S34).
Here, SEH is an exception handling handler provided by the Microsoft Visual C ++ compiler level. It can be used only on the Windows operating system, and it is an interrupt handler for executing a process after identifying the cause of the software interrupt in connection with the software interrupt. Can be.
After step S33, the security enhancement loader 40 decrypts the execution code according to the software interrupt (S35). Accordingly, according to the decryption, the existing code is maintained in the execution code area loaded by the system loader 20 to be used in process processing on the terminal device 1 based on the Windows operating system.
6 is a flowchart illustrating a driving method of the memory access blocking means 43 of the software executable file protection method through the prevention of dynamic analysis and static analysis according to an embodiment of the present invention. 2 and 6, the memory access blocking means 43 determines whether an access process from the outside is registered (S41).
If it is not registered as a result of the determination in step S41, the memory access blocking means 43 obtains an application process call (API) address of the kernel function according to the memory 30 access at the kernel level (S42).
In step S42, the memory access blocking means 43 stores the application process call (API) address obtained in step S42 (S43).
After step S43, the memory access blocking means 43 changes the obtained application process call (API) address to a pre-stored handler address for blocking access, so that the executable file is loaded by an external access process. Block access to the 30 (S44).
The present invention can also be embodied as computer-readable codes on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.
Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disks, optical data storage devices, and the like, which may be implemented in the form of carrier waves (eg, transmission over the Internet). .
The computer readable recording medium can also store and execute computer readable code in a manner that is distributed over network coupled computer systems. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.
As described above, preferred embodiments of the present invention have been disclosed in the present specification and drawings, and although specific terms have been used, they have been used only in a general sense to easily describe the technical contents of the present invention and to facilitate understanding of the invention , And are not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that other modifications based on the technical idea of the present invention can be carried out in addition to the embodiments disclosed herein.
1: Terminal device based on Windows operating system
10: central processing unit
20: system loader
30: Memory
40: Enhanced Security Loader
41: code encryption
42: Reverse code engineering measures
43: memory access blocking means
Claims (15)
The code encrypting means 41 provides the reverse code engineering preventing means 42 and the memory access blocking means 43 with the executable code decrypted using the encryption key that the executable code of the executable file is encrypting. A computer-readable recording medium that records a software executable file protection program through dynamic analysis and static analysis prevention.
The code encrypting means 41 generates a SEH when encrypting the executable code of the executable file, generates a software interrupt, and decrypts the encrypted executable code. A computer-readable recording medium that records a software executable file protection program.
The code encrypting means 41 encrypts and decrypts the opcode of the central processing unit that matches the execution code with 1: 1, and the software executable file through the prevention of dynamic analysis and static analysis, characterized in that the code. A computer-readable recording medium that records a protection program.
The reverse code engineering prevention means 42 is invoked upon an address call for execution when it is not running, and then generates a watch thread for monitoring whether a debug event by an access process from the outside is collected, and the watch thread In accordance with the present invention, if the execution file is determined to be analyzed by an access process by checking the register value of DR0 to DR3 among debug registers of the CPU, the execution file loaded on the memory is terminated. A computer-readable recording medium that records a software executable file protection program through dynamic analysis and static analysis prevention.
The reverse code engineering preventing means 42 determines that the executable file is analyzed by the access processor when the registers DR0 to DR3 are set to 1, and executes the software through preventing dynamic analysis and static analysis. A computer-readable recording medium that records a file protection program.
When the access process from the outside is not registered, the memory access blocking means 43 obtains an application process call (API) address of a kernel function according to access to the memory at a kernel level, and then obtains the obtained application. Software through dynamic analysis and static analysis prevention, which changes the process call (API) address to a pre-stored handler address to block access to the memory region loaded with the executable file by the access process. A computer-readable recording medium that records an executable file protection program.
And the memory access blocking means (43) stores the obtained application process call (API) address. The computer-readable recording medium recording the software executable file protection program through the prevention of dynamic analysis and static analysis.
A first step of the system loader loading an executable file into memory;
Performing the encryption on the executable code of the loaded executable file by the code encrypting means 41, and determining whether the code encrypting means 41 is encrypting the executable code of the executable file (a And (b) the code encryption means 41 obtaining an encryption key used for the encryption if the executable code is being encrypted, and the code encryption means 41 generates a SEH to generate a software interrupt. (C) and the code encrypting means 41 decrypts the encrypted executable code according to the software interrupt to obtain an existing form of the executable code loaded on the memory, thereby preventing the reverse code engineering means 42. And (d) providing the memory access blocking means (43);
A third step of the reverse code engineering prevention means (42) preventing reverse code engineering of the loaded executable;
A fourth step of the memory access blocking means (43) performing a memory access blocking on the memory area in which the executable file is loaded;
Software executable file protection method through the prevention of dynamic and static analysis, including the configuration.
In step (a), the code encrypting means 41 encrypts an operation code (OPcode) of the central processing unit that matches the execution code with 1: 1.
The step (d) is a software executable file protection method through the dynamic analysis and static analysis prevention, characterized in that the code encryption means (41) decrypts the encrypted operation code.
In the third step,
(E) invoking the security code loader by calling the address of the reverse code engineering prevention means (42) when the reverse code engineering prevention means (42) is not being performed;
(F) the reverse code engineering prevention means (42) generating a monitoring thread for monitoring whether a debug event by an access process from outside is collected;
The reverse code engineering prevention means 42 checks a register value of DR0 to DR3 in the debug register of the CPU according to the monitoring thread, and determines that the executable file is being analyzed by the access process. Terminating the executable file loaded on the memory (g);
Software executable file protection method through the prevention of dynamic analysis and static analysis, characterized in that comprises a.
The step (g) is characterized in that the reverse code engineering prevention means 42 determines that the executable file is analyzed by the access processor when the registers DR0 through DR3 are set to 1. How to protect software executables by preventing analysis.
The fourth step,
(H) determining, by the memory access blocking means 43, whether an access process from the outside is registered;
(I) obtaining, by the memory access blocking means (43), an application process call (API) address of a kernel function according to access to the memory at a kernel level if it is not registered as the determination result;
The memory access blocking means 43 changes the obtained application process call (API) address to a handler address for preset access blocking to block access to the memory region loaded with the executable file by the access process. Step (j);
Software executable file protection method through the prevention of dynamic analysis and static analysis, characterized in that comprises a.
The step (i) is a method for protecting a software executable file through dynamic and static analysis prevention, characterized in that the memory access blocking means (43) stores the obtained application process call (API) address.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20110095323A KR101300256B1 (en) | 2011-09-21 | 2011-09-21 | Method for securing software executable files by prohibiting dynamic and static analysis, and computer-readable recording medium for storing program for securing software executable files for the same |
PCT/KR2011/006986 WO2013042808A1 (en) | 2011-09-21 | 2011-09-22 | Method for protecting software executable files through protection from dynamic analysis and static analysis, and computer-readable recording medium recording corresponding software executable file protecting programs |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20110095323A KR101300256B1 (en) | 2011-09-21 | 2011-09-21 | Method for securing software executable files by prohibiting dynamic and static analysis, and computer-readable recording medium for storing program for securing software executable files for the same |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20130031625A KR20130031625A (en) | 2013-03-29 |
KR101300256B1 true KR101300256B1 (en) | 2013-09-16 |
Family
ID=47914559
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR20110095323A KR101300256B1 (en) | 2011-09-21 | 2011-09-21 | Method for securing software executable files by prohibiting dynamic and static analysis, and computer-readable recording medium for storing program for securing software executable files for the same |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR101300256B1 (en) |
WO (1) | WO2013042808A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101724412B1 (en) * | 2015-09-23 | 2017-04-10 | 한국전자통신연구원 | Apparatus for analysis application using expansion code and method usnig the same |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20090081200A (en) * | 2008-01-23 | 2009-07-28 | 주식회사 안철수연구소 | Security system for internet site and method thereof |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7035850B2 (en) * | 2000-03-22 | 2006-04-25 | Hitachi, Ltd. | Access control system |
US20020112158A1 (en) * | 2001-02-14 | 2002-08-15 | Golchikov Andrey Vladimirovich | Executable file protection |
EP1674960B1 (en) * | 2004-12-23 | 2011-10-05 | Sap Ag | Reverse engineering access control |
-
2011
- 2011-09-21 KR KR20110095323A patent/KR101300256B1/en active IP Right Grant
- 2011-09-22 WO PCT/KR2011/006986 patent/WO2013042808A1/en active Application Filing
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20090081200A (en) * | 2008-01-23 | 2009-07-28 | 주식회사 안철수연구소 | Security system for internet site and method thereof |
Also Published As
Publication number | Publication date |
---|---|
WO2013042808A1 (en) | 2013-03-28 |
KR20130031625A (en) | 2013-03-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2979219B1 (en) | Suspicious program detection | |
EP2420950B1 (en) | Information processing system, information processing method, information processing program, computer readable medium and computer data signal | |
US8756434B2 (en) | System and method for executing an encrypted binary from a memory pool | |
KR101503785B1 (en) | Method And Apparatus For Protecting Dynamic Library | |
US8522015B2 (en) | Authentication of binaries in memory with proxy code execution | |
US8225290B2 (en) | Systems and methods for regulating execution of computer software | |
GB2581482A (en) | Security virtual-machine software applications | |
CN107430650B (en) | Securing computer programs against reverse engineering | |
Protsenko et al. | Dynamic self-protection and tamperproofing for android apps using native code | |
US20170169196A1 (en) | Device and method for executing protected ios software modules | |
EP2492833A1 (en) | Method and apparatus for detecting malicious software | |
CN112613037B (en) | Code verification method and device | |
US7607122B2 (en) | Post build process to record stack and call tree information | |
Hawkins et al. | Dynamic canary randomization for improved software security | |
KR101749209B1 (en) | Method and apparatus for hiding information of application, and method and apparatus for executing application | |
KR101300256B1 (en) | Method for securing software executable files by prohibiting dynamic and static analysis, and computer-readable recording medium for storing program for securing software executable files for the same | |
EP2075728A1 (en) | A method and an apparatus for code protection | |
Wang et al. | Tamper resistant software through dynamic integrity checking | |
KR102557007B1 (en) | Method for rebuilding binary file and apparatus thereof | |
CN114444028A (en) | Method and device for improving code security, computer equipment and storage medium | |
JP4120702B2 (en) | Information processing system and program | |
US20170134379A1 (en) | Method for securing an application and data | |
CN107944233A (en) | A kind of guard method of executable file and device | |
Hussein et al. | A proposed approach to detect and thwart previously unknown code injection attacks | |
Togan et al. | Virtual machine for encrypted code execution |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment |
Payment date: 20160802 Year of fee payment: 4 |
|
FPAY | Annual fee payment |
Payment date: 20170803 Year of fee payment: 5 |
|
FPAY | Annual fee payment |
Payment date: 20180808 Year of fee payment: 6 |
|
FPAY | Annual fee payment |
Payment date: 20190812 Year of fee payment: 7 |