CN104331308B - Method for loading and executing PE program files - Google Patents
Method for loading and executing PE program files
- Publication number
- CN104331308B (application CN201410594178.3A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a method for loading and executing PE program files. It belongs to the field of software security and addresses the problem that, in the prior art, PE file data is easily copied or illegally used while a PE file is loaded and running. The method for dynamically loading and executing PE file code comprises: (1) creating a PE file that contains only PE file header data; (2) starting the PE file created in step (1) in suspended mode; (3) receiving from a server-side program the code and data necessary to run the loaded PE file; (4) loading the code and data received in step (3) into the memory space of the process created in step (2); (5) adding additional processing code to the memory space of the process created in step (2); (6) restoring the process created in step (2) to the running state. With the invention, the actual PE file data is not stored in the file system while the PE program starts and runs, which effectively prevents the PE file's code and data from being leaked or illegally used.
Description
Technical field
The present invention relates to a method for loading and executing PE program files. Specifically, when a PE file is started and run, its code and data are transmitted directly by a server and loaded directly into the process memory space, where they are initialized and executed. This prevents the PE file's code from being illegally used or leaked while the PE file starts and runs.
Background
In the traditional loading procedure, the operating system reads the PE file directly from a file system, uses the code and data contained in it together with the PE file header information to create a new process, loads the data into the memory space of that process by memory mapping or direct copying, performs the necessary initialization, and then transfers control to the code of the PE file.
As shown in Fig. 1, the traditional method requires that, throughout the whole cycle of loading and running a PE file, every data part of the PE file, including the PE file header data and the section data, remains in the file system where the PE file was stored when it was started. It also requires that the code of the PE file in the file system is complete while the PE file starts and runs. In addition, while the PE program is running, the PE file can be copied but cannot be deleted. This method cannot prevent the file data from being copied while the PE file runs, which may lead to the PE file data being leaked or illegally used.
Summary of the invention
The object of the invention is to provide a method for loading and executing PE program files. The code and data of the PE file are stored on a server that is connected over a network to the system executing the PE file. After the process has been created, the code and data of the PE file are transmitted from the server into the memory of the system executing the PE program, and the data other than the PE file header data, such as the section data, is loaded directly into the memory space of the corresponding process, initialized and executed. As shown in Fig. 2, throughout the whole cycle from start to execution of the PE program, the section code and section data of the PE file never appear in the file system of the system executing the program. Moreover, after the program has started, the complete original PE file code and data do not appear in the memory of the executing system either, which prevents the PE file code and data from being leaked and illegally used.
To achieve this object, the invention adopts the following technical solution:
A method for loading and executing PE program files, comprising the following steps:
(1) creating a PE file that contains only PE file header data;
(2) starting the PE file created in step (1) in suspended mode;
(3) receiving from the server-side program the code and data necessary to run the loaded PE file;
(4) loading the code and data received in step (3) into the memory space of the process created in step (2);
(5) adding additional processing code to the memory space of the process created in step (2), specifically:
a. allocating a region of memory in the process created in step (2);
b. writing the additional processing code into the allocated memory;
c. modifying the code entry of the process created in step (2) so that it transfers to the entry of the added additional processing code;
(6) restoring the process created in step (2) to the running state, resuming execution of the program code.
The method of step (1) is: the server-side program, on the server, copies the PE file header data from the PE file that is to be dynamically loaded and executed, and transmits it over the network to the loader program running on the system where the loaded PE file needs to run. After receiving the data transmitted by the server-side program, the loader program creates a file at the location from which the loaded PE file needs to be started, amends the received data and writes it into that file, thereby creating at that location a PE file that contains only PE file header data.
The method of step (2) is: when starting the PE file created in step (1), the loader program sets the corresponding parameter so that the operating system creates a new process in the suspended state.
The method of step (3) is: the loader program receives from the server-side program the code and data necessary to run the loaded PE file.
The method of step (4) is: the loader program makes the necessary adjustments to the data received in step (3) and, according to the section description information in the original PE file header of the loaded PE file, writes the data to the correct positions in the memory space of the process created in step (2).
The method of step (5) is: the loader program allocates, in the process created in step (2), a region of memory with the executable code attribute, writes a piece of custom additional processing code into the allocated memory, and finally modifies the code at the original code entry of the process created in step (2) into code that jumps to the entry of the written additional processing code.
The method of step (6) is: the loader program restores the process created in step (2) to the running state.
The necessary code and data in step (3) specifically include the code or data of each section of the PE file, as located in the file and pointed to by the section description table of the PE file header.
In this scheme, a loader program is needed to create the process and to dynamically load the code and data, and a server-side program is needed to store and deliver the code and data of the PE file. The PE file header of the PE file created in step (1) is amended to the extent needed for the created PE file to be correctly recognized and started by Windows. After the section data has been written into the memory space of the process created in step (2), a new region of memory must be allocated in that process space and a piece of additional processing code added, and the code at the original code entry of the process is modified to transfer directly to the entry of the additional processing code. The additional processing code is custom processing code that must initialize the import table data of the process or perform other related operations, and finally transfers to the original code entry of the process. The additional processing code is mainly used to make the necessary corrections to code or data in the process so that the process can run normally.
With the present invention, a PE file can be loaded and run in a new way which ensures that, while the PE file starts and runs, the complete code and data of the loaded PE file are not stored in the file system of the system on which the PE file runs. This prevents the file's code and data from being leaked or illegally copied and thus protects the PE file's code and data.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data of the executed PE file stored in the file system when a PE file is loaded and executed in the prior art.
Fig. 2 is a schematic diagram of the data of the executed PE file stored in the file system when a PE file is loaded and executed according to the present invention.
Detailed description
Embodiment
A method for dynamically loading and executing PE file code comprises the following steps:
(1) Create a PE file that contains only PE file header data: the server-side program is notified to copy the PE file header data from the PE program file that needs to be loaded and executed and to transmit it to the loader program. After receiving the data, the loader program amends it. In each entry of the section header description table (the IMAGE_SECTION_HEADER structure defined in Microsoft's winnt.h header file), the PointerToRawData member (the offset of the actual data in the file) is set to 0 and the SizeOfRawData member (the size of the actual file data) of the same structure is set to 0, so that the section does not point to actual data in the file. In the IMAGE_DIRECTORY_ENTRY_IMPORT entry of the DataDirectory (data directory) member of the PE header, the VirtualAddress and Size members are set to 0, so that Windows does not process import table information when it starts the PE program file. Finally, depending on the loaded PE program file, further amendments are made to anything that might affect starting the newly created PE file; this generally includes amending the signature entry. After the data has been amended, a new file is created at the location from which the loaded PE program file needs to be started, and the amended data is written into this file.
(2) Use the CreateProcess function (the Windows process creation function) with the CREATE_SUSPENDED (suspend flag) parameter to start the PE file created in step (1), and obtain the handle of the created process.
(3) The loader program receives the code of the PE file over the network: based on information such as the process created in step (2), it determines the code and data necessary to run the loaded PE program. This generally includes the data of each section; if the process created in step (2) was not started at the process base address set in the PE file header information, it also includes relocation information. After determining the necessary code and data, the loader notifies the server to deliver the required data, receives all the data sent down by the server, and allocates a region of memory to store it.
(4) The loader program loads the code and data received in step (4) into the memory space of the process created in step (3): the NtQueryInformationProcess function is used to obtain the process base address of the process created in step (2). If relocation information is included, relocation fix-ups are first applied to the code and data received in step (3). WriteProcessMemory, together with the original PE section description table, is then used to write the adjusted code and data into the memory space of the process created in step (2).
(5) The loader program adds additional processing code to the memory space of the process created in step (2): although the process set up through steps (1) to (4) has had the actual code and data loaded into its memory space, the import table description entry in the PE header was filled with 0 in step (1), so Windows cannot correctly process the actual import table information. Additional processing code therefore has to be added to the memory space of the process created in step (2) to correctly handle the import table and other related information of the original PE file. VirtualAllocEx is used to allocate a region of executable memory in the process created in step (2), WriteProcessMemory is used to write the additional processing code into the allocated memory, and the actual code entry of the additional processing code is calculated at this point. WriteProcessMemory is then used to add jump code at the original code entry of the process created in step (2), so that it transfers to the actual code entry of the additional processing code.
The additional processing code described in this step is a piece of custom processing code. This code must initialize the import table of the PE file that is loaded and executed, restore the original code entry that was modified in this step, and finally transfer to the original code entry.
The jump code described in this step differs according to the instruction set of the processor; for example, under the 32-bit x86 instruction set, the byte code E9 followed by a calculated value can be used.
(6) The loader program restores the process created in step (2) to the running state: the ResumeThread function is used to restore the main thread of the process created in step (3) to the executing state.
Suppose there is a PE program A.EXE. When it is dynamically loaded and executed according to the present invention, the storage state of its code and data in the file system while it is started and executed is as shown in Fig. 2: the complete PE file code and data are stored on the server, while the local file system of the machine that actually executes the PE file stores only B.EXE, a PE program file copied from the original PE file that contains only PE file header data.
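The header-only file that step (1) leaves on disk (B.EXE above) has a recognizable shape: every section header has PointerToRawData and SizeOfRawData equal to 0, and the import data directory is zeroed. The following check for that shape is an added example, not part of the patent; the function names and the constructed sample headers are assumptions made for illustration.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"               # IMAGE_SECTION_HEADER, 40 bytes
DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}  # DataDirectory offset: PE32 / PE32+


def inspect_pe_headers(data: bytes) -> dict:
    """Report whether PE headers describe code that the file does not contain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in DATA_DIR_OFFSET:
        raise ValueError("unknown optional header magic")
    dirs = opt + DATA_DIR_OFFSET[magic]
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    # Data directory index 1 is IMAGE_DIRECTORY_ENTRY_IMPORT.
    imp_rva, imp_size = struct.unpack_from("<II", data, dirs + 8) if n_dirs > 1 else (0, 0)

    empty, code_without_bytes = [], []
    first_section = opt + opt_size
    for i in range(n_sections):
        name, vsize, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, first_section + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_size == 0 and raw_ptr == 0:
            empty.append(label)
            if vsize and flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
                code_without_bytes.append(label)
    imports_zeroed = imp_rva == 0 and imp_size == 0
    return {
        "sections": n_sections,
        "empty_sections": empty,
        "code_without_bytes": code_without_bytes,
        "import_directory_zeroed": imports_zeroed,
        # One .bss-style empty section is normal; the combination below is not.
        "header_only_stub": (n_sections > 0 and len(empty) == n_sections
                             and bool(code_without_bytes) and imports_zeroed),
    }


def build_sample_headers(stub: bool) -> bytes:
    """Constructed PE32 headers (no section bodies) used only for this demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if not stub:
        struct.pack_into("<II", opt, 104, 0x2000, 0x28)    # import directory

    def section(name, rva, flags, raw_ptr):
        raw = (0, 0) if stub else (0x200, raw_ptr)         # SizeOfRawData, PointerToRawData
        return struct.pack(SECTION_FMT, name, 0x180, rva, *raw, 0, 0, 0, 0, flags)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", 0x1000, 0x60000020, 0x400)
            + section(b".rdata", 0x2000, 0x40000040, 0x600))


if __name__ == "__main__":
    for kind in (True, False):
        print("stub" if kind else "normal", inspect_pe_headers(build_sample_headers(kind)))
```

Only the headers are read, so the check works on a file of any size; a hit is a reason to look at how the process was started and what was written into it, not proof by itself.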
Claims (7)
1. A method for loading and executing PE program files, characterized in that the method comprises the following steps:
(1) creating a PE file that contains only PE file header data, and setting the import table description entry of the PE file header to 0;
(2) starting the PE file created in step (1) in suspended mode;
(3) receiving from the server-side program the code and data necessary to run the loaded PE file;
(4) loading the code and data received in step (3) into the memory space of the process created in step (2);
(5) adding additional processing code to the memory space of the process created in step (2), specifically:
a. allocating a region of memory in the process created in step (2);
b. writing the additional processing code into the allocated memory;
c. modifying the original code entry of the process created in step (2) so that it transfers to the entry of the added additional processing code;
(6) restoring the process created in step (2) to the running state, resuming execution of the program code; wherein the specific functions of the additional processing code in step (5) include: initializing the import table of the PE file that is loaded and executed, restoring the original code entry modified in step (5), and transferring to the original code entry after it has finished executing.
2. The method for loading and executing PE program files according to claim 1, characterized in that the method of step (1) is: the server copies the PE file header data from the original file data of the PE file that is to be dynamically loaded and executed and delivers the data to the loader program running on the system where the loaded PE program file actually runs; the loader program writes the data into a new file created at the location from which the loaded PE file needs to be started.
3. The method for loading and executing PE program files according to claim 1, characterized in that the method of step (1) further comprises amending the file header of the PE file.
4. The method for loading and executing PE program files according to claim 1, characterized in that steps (2), (3), (4), (5) and (6) are completed in a single program running on the system where the loaded PE program file needs to be executed.
5. The method for loading and executing PE program files according to claim 1, characterized in that step a further comprises, when allocating the memory space, indicating to the system that the requested memory space is memory with the executable code attribute.
6. The method for loading and executing PE program files according to claim 1, characterized in that the method of step (4) is: loading the received section data, according to the section description table information in the PE file header data of the loaded PE file, to the correct positions in the memory space of the process created in step (2).
7. The method for loading and executing PE program files according to claim 1, characterized in that step (4) further comprises amending the data received in step (3).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410594178.3A CN104331308B (en) | 2014-10-30 | 2014-10-30 | Method for loading and executing PE program files |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104331308A CN104331308A (en) | 2015-02-04 |
| CN104331308B true CN104331308B (en) | 2017-08-22 |
Family
ID=52406042
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410594178.3A, Expired - Fee Related, CN104331308B (en) | Method for loading and executing PE program files | 2014-10-30 | 2014-10-30 |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104331308B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105677415B (en) * | 2016-01-06 | 2020-07-17 | 网易(杭州)网络有限公司 | Hot update method and device |
| CN108334404B (en) * | 2017-01-20 | 2022-02-22 | 腾讯科技(深圳)有限公司 | Application program running method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101149773A (en) * | 2007-08-27 | 2008-03-26 | 中国人民解放军空军电子技术研究所 | Software real name authentication system and its safe checking method |
| CN101719209A (en) * | 2009-12-25 | 2010-06-02 | 武汉大学 | General digital rights protection method on WINDOWS platform |
| CN101908119A (en) * | 2010-08-12 | 2010-12-08 | 浙江中控软件技术有限公司 | Method and device for processing dynamic link library (DLL) file |
| CN102938036A (en) * | 2011-11-29 | 2013-02-20 | Ut斯达康通讯有限公司 | Section double encryption and safe loading method of Windows dynamic link library |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080134326A2 (en) * | 2005-09-13 | 2008-06-05 | Cloudmark, Inc. | Signature for Executable Code |
| KR100942795B1 (en) * | 2007-11-21 | 2010-02-18 | 한국전자통신연구원 | Malware detection device and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104331308A (en) | 2015-02-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9195476B2 (en) | System and method for aggressive self-modification in dynamic function call systems | |
| EP3779745A1 (en) | Code pointer authentication for hardware flow control | |
| US8615735B2 (en) | System and method for blurring instructions and data via binary obfuscation | |
| WO2016101503A1 (en) | Hot patching realization method and apparatus | |
| US20100269106A1 (en) | Method of finding a safe time to modify code of a running computer program | |
| CN102902530A (en) | Procedure verifying device based on Linux embedded operating system | |
| US20120331489A1 (en) | Bypassing user mode redirection | |
| CN110298175A (en) | A kind of processing method and relevant apparatus of dll file | |
| CN105095767A (en) | System and method for secure startup checked based on file data block | |
| CN104331308B (en) | A kind of PE program files load and execution method | |
| CN104679561A (en) | Dynamic link library file loading method and dynamic link library file loading system | |
| US20220108003A1 (en) | Apparatus and method for kernel runtime randomization | |
| CN103544415A (en) | Mobile platform application software reinforcement method | |
| JP2006172206A (en) | Information processing apparatus and control method therefor, computer program, and storage medium | |
| WO2018014687A1 (en) | Parameter passing method and apparatus, and computer storage medium | |
| JP6174247B2 (en) | Program integrity verification method using hash | |
| US11113392B2 (en) | Executable binary code insertion | |
| US20060259903A1 (en) | Method for creating unique identification for copies of executable code and management thereof | |
| US20060259900A1 (en) | Method for creating unique identification for copies of executable code and management thereof | |
| CN105912893A (en) | Strengthening method based on Android system microinstruction just-in-time compilation | |
| CN106687973B (en) | For defending the method and system based on the attack for returning to guiding programming (ROP) | |
| KR102254119B1 (en) | Method and apparatus for processing graphics command | |
| WO2016041592A1 (en) | Generating and executing protected items of software | |
| KR101341328B1 (en) | User definition api function creation | |
| KR20200017120A (en) | Method and system for protecting code using code spraying |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170822; Termination date: 20181030 |