CN104331308A - PE program file loading and execution method - Google Patents
- Publication number: CN104331308A
- Authority: CN (China)
- Prior art keywords: file, code, data, execution method, program
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a PE program file loading and execution method, which belongs to the field of software security technology and solves the prior-art problem that PE file data is liable to be copied or illegally used when the PE file is loaded. The method for dynamically loading and executing PE file code comprises the following steps: (1) creating a PE file containing only PE file header data; (2) starting the PE file created in step (1) in suspended mode; (3) receiving from a server program the code and data necessary to run the loaded PE file; (4) loading the code and data received in step (3) into the memory space of the process created in step (2); (5) adding additional processing code to the memory space of the process created in step (2); (6) restoring the process created in step (2) to the running state. With this method, the actual PE file data is not stored in a file system while the PE program starts and runs, which effectively prevents the PE file code and data from being leaked or illegally used.
Description
Technical field
The present invention relates to a method for loading and executing a PE program file. Specifically, when a PE file is started, its code and data are transmitted by a server and loaded directly into the process memory space, then initialized and executed, which prevents the PE file's code from being illegally used or leaked while the PE file starts and runs.
Background art
In the traditional loading procedure for a PE file, the operating system reads the code and data contained in the PE file directly from a file system and creates a new process using the PE file header information in that file. It then loads the data into the memory space of the process by memory mapping or direct copying and, after the necessary initialization, transfers execution to the PE file's code.
The traditional method requires that, throughout the entire cycle of loading and running the PE file, every data part of the PE file shown in Fig. 1, including the PE file header data, the section data and so on, remains present in the file system where the PE file was stored at startup. It also requires that the PE file's code in the file system be complete while the PE file is started and running. In addition, while the PE program is running, the PE file can be copied but cannot be deleted. This method cannot prevent the file data from being duplicated or copied while the PE file is running, which may lead to the PE file data being leaked or illegally used.
Summary of the invention
The object of the present invention is to provide a PE program file loading and execution method in which the code and data of the PE file are stored on a server connected over a network to the system that executes the PE file. After the process is created, the code and data of the PE file are transmitted on demand from the server into the system memory of the machine executing the PE program, and the data other than the PE file header data, such as the section data, is loaded directly into the memory space of the corresponding process, then initialized and executed. As shown in Fig. 2, throughout the whole cycle from startup to execution of the PE program, the section code and section data of the PE file never exist in the file system of the executing system. Moreover, after the program has started running, the complete original PE file code and data do not exist in the memory of the executing system either, which prevents the PE file code and data from being leaked or illegally used.
To achieve the above object, the present invention adopts the following technical solution:
A PE program file loading and execution method, comprising the following steps:
(1) Create a PE file containing only PE file header data.
(2) Start the PE file created in step (1) in suspended mode.
(3) Receive from the server program the code and data necessary to run the loaded PE file.
(4) Load the code and data received in step (3) into the memory space of the process created in step (2).
(5) Add additional processing code to the memory space of the process created in step (2), with the following sub-steps:
a. Allocate a block of memory in the process created in step (2).
b. Write the additional processing code into the allocated memory.
c. Modify the code entry point of the process created in step (2) so that it transfers to the entry point of the added additional processing code.
(6) Restore the process created in step (2) to the running state, resuming execution of the program code.
The method of step (1) is as follows: on the server, the server program copies the PE file header data from the PE file that is to be dynamically loaded and executed, and transmits it over the network to the loader program running on the system where the loaded PE file is to run. After receiving the data transmitted by the server program in step (1), the loader program creates a file at the location from which the loaded PE file is to be started, modifies the received data and writes it into that file, thereby creating, at the location from which the loaded PE file is to be started, a PE file that contains only PE file header data.
The method of step (2) is as follows: when starting the PE file created in step (1), the loader program sets the corresponding parameter so that the operating system creates a new process in the suspended state.
The method of step (3) is as follows: the loader program receives from the server program the necessary code and data required to run the loaded PE file.
The method of step (4) is as follows: the loader program makes the necessary adjustments to the data received in step (3) and, according to the section descriptors in the original PE file header of the loaded PE file, writes the data to the correct locations in the memory space of the process created in step (2).
The method of step (5) is as follows: the loader program allocates, in the process created in step (2), a block of memory with the executable-code attribute, then writes a piece of custom additional processing code into the allocated memory, and finally modifies the code at the original code entry point of the process created in step (2) into a piece of code that jumps to the entry point of the written additional processing code.
The method of step (6) is as follows: the loader program restores the process created in step (2) to the running state.
The necessary code and data in step (3) specifically comprise the code or data of each section located in the file, as pointed to by the section description table in the PE file header of this PE file.
In the above scheme, a loader program is needed to create the process and dynamically load the code and data, and a server program is needed to store and deliver the code and data of the PE file. The PE file header of the PE file created in step (1) is modified so that the created PE file can be correctly recognized and started by Windows. After the section data has been written into the memory space of the process created in step (2), a new block of memory is allocated in that process space and a piece of additional processing code is added, and at the same time the code at the original code entry point of the process is modified to transfer directly to the entry point of the additional processing code. The additional processing code is a piece of custom processing code that initializes the import table data of the process or performs other related operations, and finally transfers to the original code entry point of the process. The additional processing code is mainly used to make the necessary corrections to the code or data in the process so that the process can run normally.
With the present invention, a PE file can be loaded and run in a new way that ensures that, while the PE file starts and runs, the complete code and data of the loaded PE file are not stored in the file system of the system on which the PE file runs. This prevents the file's code and data from being leaked or illegally copied and protects the PE file code and data.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data of the executed PE file stored in the file system when a PE file is loaded and executed according to the prior art.
Fig. 2 is a schematic diagram of the data of the executed PE file stored in the file system when a PE file is loaded and executed according to the present invention.
Detailed description
Embodiment
A method for dynamically loading and executing PE file code, comprising the following steps:
(1) Create a PE file containing only PE file header data: the server program is notified to copy the PE file header data from the PE program file to be loaded and executed and to transmit it to the loader program. After receiving the data, the loader program modifies it: in each section header in the section header table (the IMAGE_SECTION_HEADER structure defined in Microsoft's winnt.h header file), the PointerToRawData member (the offset of the actual data in the file) is set to 0, and the SizeOfRawData member (the size of the actual file data) in the same structure is set to 0, so that the sections do not point to real data in the file. The IMAGE_DIRECTORY_ENTRY_IMPORT entry of the DataDirectory (data directory) member in the PE header is modified by setting its VirtualAddress and Size members to 0, so that Windows does not process import table information when starting this PE program file. Finally, depending on the PE program file being loaded, corrections are made to anything that may affect the startup of the newly created PE file; this generally includes modifying the signature entry and so on. After the data has been modified, a new file is created at the location from which the loaded PE program file is to be started, and the modified data is written to this file.
(2) Use the CreateProcess function (the Windows process creation function) with the CREATE_SUSPENDED (suspend flag) parameter to start the PE file created in step (1), and obtain the handle of the created process.
(3) The loader program receives the code of the PE file over the network: based on information such as the process created in step (2), it determines the code and data necessary to run the loaded PE program, which generally include the data of each section; if the process created in step (2) is not started at the process base address set in the PE file header information, relocation information is also included. After the necessary code and data have been determined, the server is notified to deliver the required data; the loader program receives all the data sent by the server and allocates a block of memory to store it.
(4) The loader program loads the code and data received in step (4) into the memory space of the process created in step (3): the NtQueryInformationProcess function is used to obtain the process base address of the process created in step (2); if relocation information is included, relocation fix-ups are first applied to the code and data received in step (3); then WriteProcessMemory is used, together with the original PE section description table, to write the adjusted code and data into the memory space of the process created in step (2).
(5) The loader program adds additional processing code to the memory space of the process created in step (2): although the process created through steps (1) to (4) has the actual code and data loaded into its memory space, step (1) filled the import table entry in the PE header with 0, so Windows cannot correctly process the actual import table information. Additional processing code therefore has to be added to the memory space of the process created in step (2) to handle related information such as the correct import table of the original PE file. VirtualAllocEx is used to allocate a block of executable memory in the process created in step (2), WriteProcessMemory is used to write the additional processing code into the allocated memory, and the actual code entry point of the additional processing code is then calculated; WriteProcessMemory is used to add jump code at the original code entry point of the process created in step (2), so that it transfers to the actual code entry point of the additional processing code.
The additional processing code described in this step is a piece of custom processing code that initializes the import table of the loaded PE file, restores the original code entry point modified in this step, and finally transfers to the original code entry point.
The jump code described in this step differs according to the processor's instruction set; for example, under the 32-bit x86 instruction set it is the byte code E9 followed by a computed value.
(6) The loader program restores the process created in step (2) to the running state: the ResumeThread function is used to restore the main thread of the process created in step (3) to the executing state.
Suppose there is a PE program A.EXE. When it is dynamically loaded and executed by the present invention, the storage state of its code and data in the file system during startup and execution is as shown in Fig. 2: the complete PE file code and data are stored on the server, while the file system of the local machine that actually executes the PE file stores only a PE program B.EXE, which contains only the PE file header data copied from the original PE file.
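The file that step (1) leaves on disk (B.EXE above) has a recognizable layout: every section header has PointerToRawData and SizeOfRawData set to 0 and the import data directory entry is zeroed. The following check for that layout is an added example, not part of the patent; the function names are hypothetical and the two sample images are constructed inline for the demonstration.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # DataDirectory index (winnt.h)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HEADER_SIZE = 40           # sizeof(IMAGE_SECTION_HEADER)


def parse_pe_headers(data: bytes) -> dict:
    """Parse the import directory entry and section table of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<2xH12xH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    import_dir = (0, 0)
    if n_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        import_dir = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "raw_size": f[3], "raw_ptr": f[4],
                         "executable": bool(f[9] & IMAGE_SCN_MEM_EXECUTE)})
    return {"import_dir": import_dir, "sections": sections}


def stub_indicators(data: bytes) -> list:
    """Indicators that a file matches the header-only layout of step (1)."""
    hdr = parse_pe_headers(data)
    secs = hdr["sections"]
    found = []
    if secs and all(s["raw_ptr"] == 0 and s["raw_size"] == 0 for s in secs):
        found.append("no section has data on disk")
    if any(s["executable"] and s["virtual_size"] and not s["raw_size"] for s in secs):
        found.append("executable section is memory-only")
    if hdr["import_dir"] == (0, 0):
        found.append("import directory zeroed")
    return found


def is_header_only_stub(data: bytes) -> bool:
    # Each indicator alone occurs in benign files (.bss sections, import-less
    # DLLs); require the full combination that step (1) produces.
    return len(stub_indicators(data)) == 3


def build_sample(header_only: bool) -> bytes:
    """Constructed PE32 image for the demo: one executable .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    raw_size, raw_ptr = (0, 0) if header_only else (0x200, 0x200)
    if not header_only:
        struct.pack_into("<II", opt, 96 + 8, 0x1100, 0x28) # import RVA, size
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000,
                      raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers if header_only else headers.ljust(0x200, b"\0") + b"\0" * 0x200


if __name__ == "__main__":
    for label, stub in (("normal image", False), ("header-only image", True)):
        print(label, stub_indicators(build_sample(stub)))
```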
Claims (10)
1. A PE program file loading and execution method, characterized in that the method comprises the following steps:
(1) Create a PE file containing only PE file header data.
(2) Start the PE file created in step (1) in suspended mode.
(3) Receive from the server program the code and data necessary to run the loaded PE file.
(4) Load the code and data received in step (3) into the memory space of the process created in step (2).
(5) Add additional processing code to the memory space of the process created in step (2), with the following sub-steps:
a. Allocate a block of memory in the process created in step (2).
b. Write the additional processing code into the allocated memory.
c. Modify the code entry point of the process created in step (2) so that it transfers to the entry point of the added additional processing code.
(6) Restore the process created in step (2) to the running state, resuming execution of the program code.
2. The PE program file loading and execution method according to claim 1, characterized in that the method of step (1) is: the server copies the PE file header data from the original file data of the PE file that is to be dynamically loaded and executed and delivers the data to the loader program running on the system on which the loaded PE program file actually runs, and the loader program writes the data into a new file created at the location from which the loaded PE file is to be started.
3. The PE program file loading and execution method according to claim 1, characterized in that the method of step (1) further comprises modifying the file header of the PE file.
4. The PE program file loading and execution method according to claim 1, characterized in that the new PE program file created in step (1) contains only PE file header data.
5. The PE program file loading and execution method according to claim 1, characterized in that steps (2), (3), (4), (5) and (6) are completed in a single program running on the system on which the loaded PE program file is to be executed.
6. The PE program file loading and execution method according to claim 1, characterized in that sub-step a further comprises, when allocating the memory, indicating to the system that the allocated memory is memory with the executable-code attribute.
7. The PE program file loading and execution method according to claim 1, characterized in that the method further comprises, after step (4) has been executed, adding additional processing code to the memory space of the process created in step (2).
8. The PE program file loading and execution method according to claim 1, characterized in that the additional processing code in step (5) specifically: processes the import table data in the process's code and data, repairs the data at the original real code entry point, and, after finishing, transfers to the original real code entry point.
9. The PE program file loading and execution method according to claim 1, characterized in that the method of step (4) is: loading the received section data, according to the section description table information in the PE file header data of the loaded PE file, into the correct locations in the memory space of the process created in step (2).
10. The PE program file loading and execution method according to claim 1, characterized in that step (4) further comprises modifying the data received in step (3).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410594178.3A CN104331308B (en) | 2014-10-30 | 2014-10-30 | A kind of PE program files load and execution method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410594178.3A CN104331308B (en) | 2014-10-30 | 2014-10-30 | A kind of PE program files load and execution method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104331308A (en) | 2015-02-04 |
| CN104331308B (en) | 2017-08-22 |
Family
ID=52406042
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410594178.3A Expired - Fee Related CN104331308B (en) | 2014-10-30 | 2014-10-30 | A kind of PE program files load and execution method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104331308B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105677415A (en) * | 2016-01-06 | 2016-06-15 | 网易(杭州)网络有限公司 | Hot updating method and device |
| CN108334404A (en) * | 2017-01-20 | 2018-07-27 | 腾讯科技(深圳)有限公司 | The operation method and device of application program |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070074287A1 (en) * | 2005-09-13 | 2007-03-29 | Christopher Abad | Signature for executable code |
| CN101149773A (en) * | 2007-08-27 | 2008-03-26 | 中国人民解放军空军电子技术研究所 | Software real name authentication system and its safe checking method |
| US20090133125A1 (en) * | 2007-11-21 | 2009-05-21 | Yang Seo Choi | Method and apparatus for malware detection |
| CN101719209A (en) * | 2009-12-25 | 2010-06-02 | 武汉大学 | General digital rights protection method on WINDOWS platform |
| CN101908119A (en) * | 2010-08-12 | 2010-12-08 | 浙江中控软件技术有限公司 | Method and device for processing dynamic link library (DLL) file |
| CN102938036A (en) * | 2011-11-29 | 2013-02-20 | Ut斯达康通讯有限公司 | Section double encryption and safe loading method of Windows dynamic link library |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104331308B (en) | 2017-08-22 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170822 Termination date: 20181030 |