Research and Implementation of a Stealthy Debugging Mechanism Based on Code Reconstruction and Page-Fault Techniques
Abstract
Malicious code, a by-product of information technology, poses an ever more serious threat to network security, so analysing it is of great importance: by digging into how malicious code runs, analysts obtain its internal details, which in turn serve as the basis for detection. Malicious code analysis usually calls for many tools; the debugger is the most powerful of them and is widely used in virus analysis, software cracking and related fields. As malicious-code authoring techniques have advanced, however, malware has adopted anti-debugging techniques to keep its internals from being exposed. Advances in software protection have also brought more and more packers onto the market; because they are simple and convenient to use, they are frequently used by malicious code. The range of anti-debugging methods employed by malware raises the difficulty of debugging, increases the analyst's workload, and can make debugging impossible altogether. A new kind of debugging mechanism is therefore needed, one whose internal implementation differs fundamentally from conventional debugging techniques so that it evades, at the root, the anti-debugging techniques malware commonly uses.
Against this background, this thesis surveys the anti-debugging techniques commonly used by malicious code and, through an in-depth analysis of how mainstream debugging techniques are implemented, identifies the weaknesses of current debugging technology. On that basis it proposes a stealthy debugging mechanism based on code reconstruction and page faults: page-fault handling is used to set breakpoints and to trigger them, and code reconstruction is used to locate breakpoints and to single-step. The mechanism does not rely on the conventional debugging support of the operating system or the CPU, and every debugging operation performed through it is transparent to the debug target. Compared with traditional debugging mechanisms, it is superior both in the stealthiness of the debugging platform and in the debuggability it gives software.
Specifically, the main work of this thesis is:
1) An overall technical scheme for the stealthy debugging mechanism is proposed; the code-reconstruction and page-fault techniques it employs, and the operating-system and CPU support those techniques depend on, are described in detail.
2) Solutions are proposed for the technical obstacles the overall scheme faces. On this basis a stealthy debugging system is designed; its overall architecture and workflow are given, and the design and implementation of each functional module are described in detail.
3) The stealthy debugging system is validated experimentally, with emphasis on testing its functionality and its stealthiness. Finally the thesis summarises the work, assesses the strengths and weaknesses of the system objectively, and outlines future work.
As a by-product of information technology, malicious code poses a serious threat to network security, and analysing it is of great significance: by studying its operating mechanism in depth we obtain its internal details, which can then serve as evidence for malicious code detection. Malicious code analysis often requires many tools; the debugger, one of the most powerful of them, is widely used in virus analysis, software cracking and other fields. But as the technology has developed, malicious code generally uses many anti-debugging techniques to avoid exposing its internal mechanisms. In addition, with the development of software protection technology, more and more packing tools have come onto the market; they are easy to use and so are often used by malicious code to evade debugger analysis. These anti-debugging techniques make the analysis of malicious code much harder and, worse, can stop debugging altogether. A new type of debugging mechanism is therefore required, one essentially different from regular debugging tools in its internal implementation, which can be used to counter the anti-debugging techniques employed by malicious code.
In this thesis, in the context of the above requirements, we sum up the various anti-debugging techniques used by malicious code and, by studying mainstream debugging technologies and their internal mechanisms, identify the shortcomings of current debugging techniques. We then propose a stealthy debugging mechanism built on code reconstruction and page faults: the mechanism uses page faults to set and trigger breakpoints, and code reconstruction to locate breakpoints and to single-step. The mechanism proposed in this thesis makes no change to the target program's code space and achieves stealthy debugging without conventional operating system or CPU debugging support. Any debugging operation carried out through the mechanism is transparent to the debug target. Compared with traditional debugging mechanisms, this technology is superior in stealthiness and in the debuggability it provides.
Specifically, the main work of this thesis is:
1) Presents a stealthy debugging mechanism, gives details of the page-fault and code-reconstruction techniques it uses, and describes the operating system and CPU support involved.
2) Puts forward solutions for the technical barriers of the overall technical scheme. Based on the above work, we design and implement a stealthy debugging system and give its overall architecture and workflow.
3) Tests the stealthy debugging system, with emphasis on its functionality and its stealthiness. Finally the thesis summarises the advantages and shortcomings of the system and points out prospects for this field.
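The core idea both abstracts describe, a breakpoint that is set and triggered through a page fault instead of by writing a trap instruction into the target's code, can be shown in user space with a short C program. The following is an added example, not code from the thesis or its debugging system: it revokes access to the page that holds a small routine with mprotect, lets the first instruction fetch fault (on Linux the kernel delivers that page fault to the process as SIGSEGV), records the hit in the handler, and restores the page so the routine then runs exactly as compiled. No byte of the target's code is modified, which is why code-integrity checks over .text, a common anti-debugging check, have nothing to find. The names watched_routine, on_fault, bp_arm and run_page_fault_breakpoint_demo are this example's own; it assumes Linux, a GCC/Clang toolchain, and a page size of at most 64 KiB. The breakpoint here is one-shot: re-arming the page after stepping past the faulting instruction is the part the abstract assigns to code reconstruction, and is not implemented.

```c
/* Added example, not from the thesis: a one-shot page-fault breakpoint on Linux.
 * Assumes Linux, GCC/Clang function attributes, and a page size <= 64 KiB. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The routine to break on. 64 KiB alignment gives it a page of its own, and the
 * aligned dummy after it pushes every later function onto a different page, so
 * nothing that runs between arming and the call shares the protected page. */
__attribute__((noinline, aligned(65536)))
static int watched_routine(int x)
{
    return x * 2 + 1;
}
__attribute__((used, noinline, aligned(65536)))
static void page_boundary_after_watched(void) {}

/* Breakpoint state shared with the signal handler. */
static volatile sig_atomic_t bp_hits = 0;         /* faults taken on the armed page */
static volatile sig_atomic_t bp_addr_matched = 0; /* 1 if a fault hit exactly the breakpoint address */
static volatile uintptr_t bp_target = 0;          /* watched instruction address */
static volatile uintptr_t bp_page = 0;            /* page containing it */
static volatile size_t bp_page_size = 0;

/* "Breakpoint triggered": runs when execution reaches the protected page. */
static void on_fault(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t fault = (uintptr_t)info->si_addr;   /* faulting (fetch) address */
    if (fault < bp_page || fault >= bp_page + bp_page_size) {
        /* Not our page: an unrelated crash. Let the default action run on retry. */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    bp_hits++;
    if (fault == bp_target)
        bp_addr_matched = 1;
    /* Disarm so the faulting instruction executes when the kernel retries it.
     * Re-arming after single-stepping past it is left out (one-shot breakpoint). */
    mprotect((void *)bp_page, bp_page_size, PROT_READ | PROT_EXEC);
}

/* "Breakpoint set": install the handler and revoke all access to the code page.
 * The code bytes themselves are never written. Returns 0 on success. */
static int bp_arm(uintptr_t addr)
{
    bp_page_size = (size_t)sysconf(_SC_PAGESIZE);
    bp_target = addr;
    bp_page = addr & ~(uintptr_t)(bp_page_size - 1);
    bp_hits = 0;
    bp_addr_matched = 0;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0)
        return -1;
    return mprotect((void *)bp_page, bp_page_size, PROT_NONE);
}

/* Whole exchange: arm, hit, resume, then confirm the breakpoint does not re-fire.
 * Returns 1 when every step behaved as expected, 0 otherwise. */
int run_page_fault_breakpoint_demo(void)
{
    if (bp_arm((uintptr_t)watched_routine) != 0)
        return 0;
    volatile int in = 20;
    int out = watched_routine(in);   /* fetch faults, handler disarms, call completes */
    int ok = (out == 41) && (bp_hits == 1) && (bp_addr_matched == 1);
    out = watched_routine(in);       /* page is executable again: no second fault */
    ok = ok && (out == 41) && (bp_hits == 1);
    signal(SIGSEGV, SIG_DFL);        /* leave the process with default crash handling */
    return ok;
}

int main(void)
{
    int ok = run_page_fault_breakpoint_demo();
    printf("page-fault breakpoint %s (hits=%d, address matched=%d)\n",
           ok ? "worked" : "FAILED", (int)bp_hits, (int)bp_addr_matched);
    return ok ? 0 : 1;
}
```

The handler uses si_addr to distinguish a breakpoint hit from an unrelated crash on some other page, which a real implementation must do as well; a debugger that swallowed every fault would hide genuine bugs in the target. Because protection is per page, any code that shares the page with the breakpoint also faults, which is why the example isolates the watched routine on its own page and why a production design needs the breakpoint-localisation step the abstract attributes to code reconstruction.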