A virtualization packing method for Android native-layer instruction compilation based on ELF infection

A native-layer instruction technology, applied in the field of instruments, computing and electrical digital data processing, that addresses the weak operability of compile-time obfuscation and the inability of existing protections to withstand dynamic analysis by reverse engineers. Its effects are increased attack cost, excellent performance and good compatibility.

Inactive Publication Date: 2020-05-19
NORTHWEST UNIV

AI Technical Summary

Problems solved by technology

[0004] The existing protections for native-layer files mainly include UPX packing, ELF file section encryption and OLLVM obfuscation. These Android native-layer protection methods prevent static analysis only on the surface; in essence they cannot withstand dynamic analysis. Experienced reverse engineers perform dynamic analysis and debugging and choose the right moment to dump the so file once it has been restored in memory. In addition, the existing OLLVM obfuscation mainly works at compile time on the source code; although its protection is strong, its operability is weak. These methods therefore have limitations in protecting the Android native-layer so file, which usually implements the core logic of the entire Android app, so there is an urgent need for a method that prevents memory dump analysis while retaining the advantages of the above protections.


Examples


Embodiment Construction

[0026] The present invention proposes an ELF-infection-based virtualization packing method for Android native-layer instruction compilation, comprising the following steps:

[0027] Step 1: input the Android native-layer dynamic link library file to be protected, usually in .so format and referred to as the so file; find the key code segment that needs protection in the so file, and perform instruction hex extraction and mapping virtualization on the key code segment, forming a virtual machine so file;

[0028] As shown in Figure 2, in this embodiment libnative.so is the so file to be protected. The invention first searches for and locates the key code segment according to the label provided by the developer (the dotted-line area in the figure), hex-extracts this part of the code, and uses the custom mapping rules to map and transform the extracted result.

[0029] The so-called custom mapping rule refers to a self-defined set of mapping rules, so that t...
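The locate-and-extract part of Step 1, as an added example (not code from the patent): it assumes the developer's label is a section name, here the hypothetical `.keycode`, and parses an ELF32 little-endian image that is built inline as constructed sample data. The custom mapping rule is not reproduced because the page does not give it.

```python
import struct

def build_sample_so(code: bytes, label: bytes = b".keycode") -> bytes:
    """Build a minimal ELF32 little-endian image (constructed sample data)."""
    names = b"\x00" + label + b"\x00.shstrtab\x00"
    code_off = 52                                   # directly after the ELF32 header
    names_off = code_off + len(code)
    sh_off = names_off + len(names)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)    # ELFCLASS32, ELFDATA2LSB
    # e_type=ET_DYN, e_machine=EM_ARM, e_shentsize=40, e_shnum=3, e_shstrndx=2
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               3, 40, 1, 0, 0, sh_off, 0, 52, 0, 0, 40, 3, 2)
    def shdr(name, typ, flags, off, size):
        return struct.pack("<10I", name, typ, flags, 0, off, size, 0, 0, 1, 0)
    table = (shdr(0, 0, 0, 0, 0)                                # null section
             + shdr(1, 1, 0x6, code_off, len(code))             # PROGBITS, ALLOC|EXEC
             + shdr(len(label) + 2, 3, 0, names_off, len(names)))   # SHT_STRTAB
    return ehdr + code + names + table

def extract_labelled_section(image: bytes, label: str) -> str:
    """Locate the section named `label` and return its bytes as a hex string."""
    if len(image) < 52 or image[:4] != b"\x7fELF" or image[4:6] != b"\x01\x01":
        raise ValueError("expected an ELF32 little-endian image")
    (e_shoff,) = struct.unpack_from("<I", image, 32)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", image, 46)
    def shdr(i):
        off = e_shoff + i * e_shentsize
        if i >= e_shnum or off + 40 > len(image):
            raise ValueError("section header outside the file")
        return struct.unpack_from("<10I", image, off)
    strtab = shdr(e_shstrndx)                       # section-name string table
    names = image[strtab[4]:strtab[4] + strtab[5]]
    for i in range(e_shnum):
        hdr = shdr(i)
        end = names.find(b"\x00", hdr[0])
        if end == -1 or names[hdr[0]:end] != label.encode():
            continue
        off, size = hdr[4], hdr[5]
        if off + size > len(image):
            raise ValueError("section data outside the file")
        return image[off:off + size].hex()
    raise KeyError(label)

SAMPLE_CODE = bytes.fromhex("04b02de500b08de2")    # constructed stand-in for key code
SAMPLE_SO = build_sample_so(SAMPLE_CODE)

if __name__ == "__main__":
    print(extract_labelled_section(SAMPLE_SO, ".keycode"))
```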


Abstract

The invention discloses an ELF-infection-based virtualization packing method for Android native-layer instruction compilation. The method performs hex extraction and mapping virtualization on the so file to be protected to form a virtual machine so file, and encrypts the key code segments of the so file to form an encrypted so file; it uses the virtual machine so file to perform ELF infection on the encrypted so file, forming an infected so file; and it uses the Cydia Substrate framework to hook the encrypted so file, so that the virtual instruction code in the virtual machine so file replaces the encrypted code in the encrypted so file. The invention uses the idea of compile-time virtualization. This idea does not involve the problem of different ARM platform versions, so it has good compatibility, can prevent memory dump analysis and increases the attacker's attack cost.

Description

Technical field

[0001] The invention belongs to the technical field of Android application hardening, and in particular relates to a compile-time virtualization packing protection for native-layer so files based on ELF infection, combined with hooking through the Cydia Substrate framework so that core functions are still called normally.

Background

[0002] In recent years, with the vigorous development of mobile phone applications, the annual output has grown exponentially. According to statistics, the number of apps in major application stores in China has exceeded 10 million. While apps bring convenience to people's lives, they also create opportunities for criminals, which seriously affects the healthy development of the app industry.

[0003] App protection has moved from the initial simple hardening of dex to the current extraction-based hardening of dex. The protected object has also shifted from the dex layer to ...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/12
CPC: G06F21/125
Inventor: 赵贝贝, 房鼎益, 汤战勇, 宋丽娜, 陈晓江, 李振, 龚晓庆, 陈峰
Owner: NORTHWEST UNIV