Method and device capable of acquiring executable file input table

A technology for obtaining the input table of an executable file, applied to program control devices, computer security devices, instruments, etc. It addresses problems such as unpacked programs that can no longer run, and achieves a high degree of automation.

Inactive Publication Date: 2011-04-06
HUAWEI TECH CO LTD +1

AI Technical Summary

Problems solved by technology

However, only the binary code is restored; the input table is not repaired, so the unpacked program can no longer run.



Examples


Embodiment 1

[0035] An embodiment of the present invention provides a method for obtaining an executable file input table. Before describing the method provided by this embodiment, firstly, the concept of an input table will be described, so as to facilitate the understanding of the method provided by this embodiment of the present invention.

[0036] The packaged target software to be run is composed of executable files, which call code or data in one or more dynamic link library (DLL, Dynamic Link Library) files; the DLL code or data that is called is referred to as input. The location of an input function's address is determined by the operating system, through the input table, when the executable file is loaded. The input table (Import Table) is an integral part of the executable file structure. When an executable file needs to call functions in other files, it looks up the input table for addressing. The contents of the input table are all ad...

Embodiment 2

[0082] This embodiment of the present invention provides a method for obtaining an executable file input table. It is similar to the method provided in Embodiment 1 and can obtain the input table of the target packer program. On the basis of Embodiment 1, the method provided by this embodiment adds some operations that make the obtained input table more accurate and the operation process more efficient.

[0083] The method provided in this embodiment is described below with reference to Figure 5. The method includes:

[0084] Step D1 and step D2 are the same as step 1 and step 2 in Embodiment 1, please refer to the description in step 1 and step 2;

[0085] Step D3: From the destination addresses of all control flow jump instructions obtained in step D2, remove the addresses that lie in the non-executable address range, together with the content pointed to by the addresses in the non-executable address range, thereby obtaining IAT_1. The IAT_1 includes: the ...

Embodiment 3

[0107] An embodiment of the present invention provides a device for obtaining an executable file input table. As shown in Figure 6, the device includes: a dynamic link library (DLL) information acquisition unit 100, a disassembly unit 101, a control flow jump instruction address acquisition unit 102, an effective address acquisition unit 103, and an input table reconstruction unit 104.

[0108] The DLL information acquisition unit 100 is used to obtain all dynamic link libraries (DLLs) loaded by the target packer and to establish a DLL information list according to the DLLs obtained. The DLL information list includes: the names of all DLLs loaded by the target packer, the base address of each DLL loaded by the target packer, the memory range occupied by each DLL loaded by the target packer, the addresses of the exported functions in each DLL loaded by the target packer, all items, and the names of the exported functions in each DLL loaded by the target packer, and any one ...


Abstract

The embodiment of the invention discloses a method capable of acquiring an executable file input table. The embodiment of the invention also provides a corresponding device. The method comprises the following steps: among the addresses of the exported functions in each dynamic link library (DLL) loaded by a target packing program, as recorded in a created DLL information list, querying for addresses that are the same as the acquired destination addresses of control flow jump instructions, so as to acquire IAT_3; and creating the input table according to the DLL information list and the IAT_3. The method is applicable to any packing method. Compared with the prior art, the method is more universal, does not need manual intervention and has a high degree of automation.
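The matching step summarized above, and the DLL information list described in Embodiment 3, as an added example (not code from the patent): jump destinations are looked up among the exported-function addresses to obtain IAT_3, which is then grouped per DLL. The sample addresses, the (pointer slot, destination) pair format and the `unresolved` list are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed DLL information list: name, base address, occupied size, and
# exported-function address -> name (sample values, not from a real process).
DLL_INFO = [
    {"name": "kernel32.dll", "base": 0x7C800000, "size": 0x100000,
     "exports": {0x7C801D7B: "LoadLibraryA", 0x7C80AE40: "GetProcAddress"}},
    {"name": "user32.dll", "base": 0x7E410000, "size": 0x90000,
     "exports": {0x7E4507EA: "MessageBoxA"}},
]
# Constructed (pointer slot, destination address) pairs, as a disassembler
# would report them for indirect call/jmp instructions in the unpacked image.
JUMP_TARGETS = [
    (0x00402000, 0x7C801D7B), (0x00402004, 0x7C80AE40),
    (0x0040200C, 0x7E4507EA), (0x00402000, 0x7C801D7B),  # slot used twice
    (0x00403010, 0x00401500),  # target inside the program itself
    (0x00403014, 0x7C80FFFF),  # inside kernel32's range, but not an export
]

def match_exports(dll_info, jump_targets):
    """Return (iat_3, unresolved): slots whose destination equals an exported
    function address, and destinations that land in a DLL without matching."""
    index = {addr: (dll["name"], func)
             for dll in dll_info for addr, func in dll["exports"].items()}
    iat_3, unresolved = {}, []
    for slot, dest in jump_targets:
        if dest in index:
            iat_3[slot] = index[dest]
        elif any(d["base"] <= dest < d["base"] + d["size"] for d in dll_info):
            unresolved.append((slot, dest))
    return iat_3, unresolved

def build_input_table(dll_info, iat_3):
    """Group matched slots per DLL, in DLL-list order, sorted by slot address."""
    by_dll = defaultdict(list)
    for slot in sorted(iat_3):
        dll, func = iat_3[slot]
        by_dll[dll].append((slot, func))
    return [{"dll": d["name"], "first_slot": by_dll[d["name"]][0][0],
             "functions": by_dll[d["name"]]}
            for d in dll_info if d["name"] in by_dll]

if __name__ == "__main__":
    iat_3, unresolved = match_exports(DLL_INFO, JUMP_TARGETS)
    for entry in build_input_table(DLL_INFO, iat_3):
        print(entry["dll"], [(hex(s), f) for s, f in entry["functions"]])
    print("unresolved:", [(hex(s), hex(d)) for s, d in unresolved])
```

Destinations that fall inside a loaded DLL's memory range without matching an export are kept apart in `unresolved` so an analyst can review them instead of having them silently dropped.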

Description

Technical field

[0001] The invention relates to the technical field of computer and communication, in particular to a method and device for obtaining an executable file input table.

Background technique

[0002] Shell (Shell) is a transformation method of binary code, a program that is attached to the target program and is responsible for protecting the software so that it is difficult to be analyzed. Because of this protective function, it is vividly called a shell. Shells usually precede program execution, gain control, and then complete their task of protecting the target software.

[0003] Packing is widely used in the fields of software protection and malicious code anti-detection. Packing software usually includes three aspects. One is to confuse or encrypt the binary code of the target software; the other is to change the software structure of the target software to interrupt or change the system information loading and destroy the software necessary for the operati...


Application Information

Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/22, G06F9/445
Inventor 刘丹李毅超余三超贾范兵杨晗赵忠树张大成
Owner HUAWEI TECH CO LTD