Research on Attack Methods Against Virtual-Machine-Based Software Protection

Published: 2018-04-21 21:23

  Topic: software attacks + recovery of virtual-machine-protected instructions; Source: Northwest University, master's thesis, 2013


[Abstract]: As software security technology has developed, a range of software protection methods (software encryption, obfuscation, tamper-proofing, software watermarking and others) has emerged. Among them, virtual-machine-based protection (hereafter "the virtual machine") is currently the most widely used technique for protecting software code. It works by translating the X86 instructions to be protected into bytecode that the virtual machine can interpret, and then executing that bytecode with the virtual machine's private interpreter. In terms of security, the heavy obfuscation inside the interpreter and the complexity of the interpreter itself greatly increase the difficulty of reverse analysis. This has not stopped attackers from cracking software protected by virtual machines, however: faced with emerging software attack techniques, existing virtual-machine-based protection proves fragile. Drawing on game theory and the idea of attack-defense confrontation, this thesis studies attack strategies against virtual-machine-based software protection. The aim is to identify the weak points of the software from the attack process and give software protectors a basis for developing more targeted protection techniques.
The main work of the thesis is as follows. First, it surveys the current state of software security research. Second, from a reverse-engineering perspective, it describes in detail the basic framework of virtual-machine-based protection and the basic components of the virtual machine interpreter. Then, on the basis of extensive reverse analysis, it proposes and details a semi-automated attack scheme for recovering code from the virtual machine: a Handler recovery scheme that combines "dynamic extraction, static analysis" with an "anti-mutation engine"; an atomic Handler library, a Handler combination library and an invalid Handler library for managing Handlers; and a strategy based on register data tracking for recovering the key instructions protected by the virtual machine. Finally, a semi-automated attack system for virtual-machine-based software protection is developed, and the proposed semi-automated recovery strategy is validated experimentally using the existing virtual machine protection product Code Virtualizer as the attack target.
[Degree-granting institution]: Northwest University
[Degree level]: Master's
[Year degree granted]: 2013
[Classification number]: TP302;TP311.53

Article ID: 1784150

Link to this article: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1784150.html

