
CN118520462A - Concealment method of PE program - Google Patents


Info

Publication number: CN118520462A
Authority: CN (China)
Prior art keywords: file, program, function, key, data
Legal status: Pending
Application number: CN202410633541.1A
Other languages: Chinese (zh)
Inventors: 方智阳, 陈浩廷, 陈弈安, 刘津闻, 王俊峰
Current assignee: Sichuan University
Original assignee: Sichuan University
Application filed by Sichuan University; priority to CN202410633541.1A; published as CN118520462A; legal status pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services


Abstract

The invention provides a concealment method for a PE program and relates to the technical field of computer software security. The method comprises the following steps: generating three random keys a, b and c and using them respectively to encrypt the exe program to be concealed, the shellcode data of a PE loader and the corresponding sensitive character strings, producing first, second and third encrypted data; writing key a and the first encrypted data, key b and the second encrypted data, and key c and the third encrypted data into the background files data_encrypt.h, PELoader.h and basicFuncName_encrypt.h respectively; and invoking the CL compiler and the LINK linker to compile and link the C language files, producing the concealed exe program. The method effectively reduces how suspicious the exe program appears and improves its concealment, is quick and cheap to carry out and easy to implement, and helps improve the robustness of malware detection technology and the defensive capability of antivirus engines.

Description

A concealment method for PE programs

Technical Field

The present invention relates to the technical field of computer software security, and in particular to a concealment method for a PE program.

Background Art

Malware is a malicious computer program or file whose purpose is to damage, destroy, steal from or abuse computer systems, networks or data without the user's permission or knowledge. Viruses, Trojans and ransomware are examples, and they seriously threaten the security of information systems.

To promote the development of malware detection technology more effectively, it is necessary to study not only defensive technology (how to detect malware) but also attack technology (how to conceal malware so that it evades detection by anti-virus engines), so that the robustness of detection technology can be improved from the adversarial side.

In the Windows environment, the methods used to conceal PE programs for malware detection training include: locating and removing signatures, and code obfuscation to reduce the readability of static analysis; anti-sandbox techniques to evade sandbox detection; encryption or packing to hide malicious features; imitating the behaviour of normal programs to reduce suspicion; and exploiting system vulnerabilities to bypass security checks. Such techniques allow malware to avoid or delay detection by security software, but they have limitations: removing signatures may affect the normal operation of the software, code obfuscation may increase execution complexity, vulnerability exploitation depends on specific unpatched vulnerabilities, the code features of encryption, packing and anti-sandbox routines may themselves draw the attention of the detection engine, and the more concealment code there is, the more suspicious the software becomes. In addition, since malware evasion and detection are adversarial, both sides must update continuously, and a fixed evasion method can hardly keep malware concealed for long.

Summary of the invention

In order to solve the above technical problems in the prior art, the present invention aims to provide a concealment method for PE programs for use in malware detection training, so as to improve the robustness of malware detection technology and the defensive capability of antivirus engines.

Specifically, the method comprises the following steps:

Step S1: Generate a random key a, encrypt the exe program to be concealed, and produce the first encrypted data; write key a and the first encrypted data into the background file data_encrypt.h;

Step S2: Generate a random key b, encrypt the shellcode of the PE loader (Portable Executable loader), and produce the second encrypted data; write key b and the second encrypted data into the background file PELoader.h;

Step S3: Generate a random key c, encrypt the sensitive strings, and produce the third encrypted data; write key c and the third encrypted data into the background file basicFuncName_encrypt.h;

where the sensitive strings include LoadLibraryA, VirtualAlloc and VirtualProtect;

Step S4: From the command line, call the CL compiler (CL.EXE) to compile the C language files into obj files, then call the LINK linker to link the obj files and produce the concealed exe program;

where the link option selects a random base address during linking;

The C language files include:

the data_encrypt.h, PELoader.h and basicFuncName_encrypt.h files;

checkSandBox.h, containing the sandbox detection code;

decrypt.h, containing the decryption functions corresponding to steps S1 to S3;

head.h, declaring the included header files;

main.cpp, containing the main function, whose execution logic is: perform sandbox detection, decrypt the sensitive strings to obtain the corresponding key Win32 APIs, allocate a readable and executable first new memory region, decrypt the first encrypted data, decrypt the second encrypted data and copy it into the first new memory region, and call the memory holding the shellcode to load the exe program to be concealed.

Preferably, in step S2, the bytecode length of the PELoader function in the PE loader is obtained by subtracting the start addresses of adjacent functions, and the shellcode is extracted starting from the address denoted by the PELoader function name;

strings inside the PELoader function are defined character by character;

in the compilation options for the PELoader function, SDL (Security Development Lifecycle) checks, optimization, security checks and incremental linking are disabled, and no enhanced instruction set is used.

Preferably, the shellcode function comprises the following steps:

Step C1: Locate the PEB (Process Environment Block), walk the LDR (the PEB's loader data module list) to obtain the address of the Kernel32 module, parse the PE structure of the Kernel32 module, and obtain the GetProcAddress, LoadLibrary and WinExec functions;

Step C2: Parse the PE structure of the exe program to be loaded, obtain the ImageBase field value, and use VirtualAlloc to request a second new memory region whose address is ImageBase and whose size is SizeOfImage;

if the request fails, restart the program until the allocation succeeds;

map the data of the exe program into the second new memory region according to the memory alignment field of the PE file structure;

Step C3: Parse the PE structure of the exe program and fix up the function addresses in the IAT using GetProcAddress and LoadLibrary;

Step C4: Parse the PE structure of the exe program and apply the relocation table;

Step C5: Change the main module address of the process recorded in the PEB and LDR to the start address of the second new memory region;

Step C6: Jump to the entry address pointed to by the AddressOfEntryPoint field and start the exe program.

Preferably, the encryption applied in steps S1 to S3 is a custom bitwise-operation encryption.

The technical solution provided by the present invention targets executable programs on the Windows platform. Encrypting with a fresh random key each time leaves fewer fixed features, and calling CL and LINK to compile and link each time makes the generated concealed exe more cohesive, which effectively lowers the suspicion score of such exe programs and improves their concealment. Keeping the C language source files in the background makes updates easy to apply, and the overall process is faster, cheaper in cost and overhead, and easy to implement. In other words, if this method is used to train malware detection technology, it helps improve the robustness of that technology and further strengthens the defensive capability of antivirus engines.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of an automated malware concealment framework based on the CL compiler in one embodiment of the present invention.

FIG. 2 is a schematic diagram of the workflow of the PE loader in one embodiment of the present invention.

FIG. 3 is a schematic diagram of the run-time flow of the concealed exe generated in one embodiment of the present invention.

DETAILED DESCRIPTION

With the rapid development of the Internet and computer technology, malware has become a major threat to network security: it can not only threaten the private information of individual users but also cause serious harm to the information systems of enterprises and government agencies. According to published statistics, the average number of malicious files detected per day by security solutions rose continuously from 2019 to 2023. In 2023 nearly 125 million malicious files were detected in total, an average of 351,000 per day, while cybercriminals released an average of 411,000 malicious files per day, an increase of nearly 3% over the previous year. Windows is the main target of network attacks, accounting for as much as 88%, and its main threat is Trojan horses. The malware threat is becoming ever more severe and poses an unprecedented challenge to personal privacy and to enterprise and government information systems, so Windows malware detection technology urgently needs strengthening to defend against and respond to increasingly complex and stealthy network threats.

In the field of Windows malicious code detection, research concentrates on several key categories. The first is signature-based detection, a traditional method that relies on matching the characteristic signatures of known malware. The second is behavioural analysis, which identifies potentially malicious activity from the behaviour patterns of software (such as system calls and network activity). Heuristic detection uses specific algorithms to identify unknown malware. Sandbox detection runs software in an isolated environment to observe its behaviour and can effectively identify 0-day exploits. Cloud-based detection uses cloud computing resources for large-scale data analysis. Finally, machine learning and artificial intelligence identify malware automatically by analysing data patterns, and show great potential in particular for processing large volumes of data and new threats.

Each malicious code detection technique has its own advantages and limitations. Signature-based detection is highly accurate but has difficulty with unknown or variant malware. Behavioural analysis can identify new malware but may produce false positives. Heuristic detection suits new malware but likewise has a high false positive rate. Sandbox detection can effectively identify 0-day attacks and new malware but is costly to operate. Cloud-based detection has the advantages of real-time updates and big-data analysis but depends on network connectivity. Machine learning and artificial intelligence excel at detecting new threats but require large amounts of data to train the model. In practice, therefore, several techniques are usually combined to balance their advantages and limitations and achieve higher detection efficiency and accuracy.

Therefore, in order to improve the robustness of malware detection technology and the defensive capability of antivirus engines, the present invention provides a method for concealing PE programs.

Below, the inventors further describe the technical method of the present invention with reference to embodiments and the drawings.

Example 1

Step S1: Generate a random key a, encrypt the exe program to be concealed, and produce the first encrypted data; write key a and the first encrypted data into the background file data_encrypt.h.

Step S2: Generate a random key b, encrypt the shellcode data of the PE loader, and produce the second encrypted data; write key b and the second encrypted data into the background file PELoader.h.

Step S3: Generate a random key c, encrypt the sensitive strings, and produce the third encrypted data; write key c and the third encrypted data into the background file basicFuncName_encrypt.h.

The sensitive strings include LoadLibraryA, VirtualAlloc and VirtualProtect.

Step S4: From the command line, call the CL compiler (CL.EXE) to compile the C language files into obj files, then call the LINK linker to link the obj files and produce the concealed exe program;

where the link option selects a random base address during linking;

The C language files include:

the data_encrypt.h, PELoader.h and basicFuncName_encrypt.h files;

checkSandBox.h, containing the sandbox detection code;

decrypt.h, containing the decryption functions corresponding to steps S1 to S3;

head.h, declaring the included header files;

main.cpp, containing the main function, which performs the concealment of the exe program and represents the main execution logic of the generated concealed exe: perform sandbox detection, decrypt the sensitive strings to obtain the corresponding key Win32 APIs, allocate a readable and executable first new memory region, decrypt the first encrypted data, decrypt the second encrypted data and copy it into the first new memory region, and call the memory holding the shellcode function to load the exe program to be concealed.

Here the shellcode function is a function that contains the shellcode data. Shellcode data is a piece of binary code, that is, the binary data (bytecode) of a code fragment. The shellcode data itself is not a function; it is simply machine code that can be executed in memory. Shellcode written in C usually consists of position-independent code. In the present invention specifically, the shellcode is extracted from an entire function.

The concealed exe program is applied to malware detection training. Specifically, the concealed exe programs obtained by applying the concealment processing to original malware are added to the training set of the detection model and the model is retrained, which ultimately improves the robustness of the malware detection technology and the defensive capability of the antivirus engine.

Preferably, in step S2, the bytecode length of the PELoader function in the PE loader is obtained by subtracting the start addresses of adjacent functions, and the shellcode is extracted starting from the address denoted by the PELoader function name;

strings inside the PELoader function are defined character by character;

in the compilation options for the PELoader function, SDL checks, optimization, security checks and incremental linking are disabled, and no enhanced instruction set is used.

Preferably, the shellcode comprises the following steps:

Step C1: Locate the PEB, walk the LDR to obtain the address of the Kernel32 module, parse the PE structure of the Kernel32 module, and obtain the GetProcAddress, LoadLibrary and WinExec functions;

Step C2: Parse the PE structure of the exe program to be loaded, obtain the ImageBase field value, and use VirtualAlloc to request a second new memory region whose address is ImageBase and whose size is SizeOfImage;

if the request fails, restart the program until the allocation succeeds;

map the data of the exe program into the second new memory region according to the memory alignment field of the PE file structure;

Step C3: Parse the PE structure of the exe program and fix up the function addresses in the IAT (Import Address Table) using GetProcAddress and LoadLibrary;

Step C4: Parse the PE structure of the exe program and apply the relocation table;

Step C5: Change the main module address of the process recorded in the PEB and LDR to the start address of the second new memory region;

Step C6: Jump to the entry address pointed to by the AddressOfEntryPoint field and start the exe program.

Preferably, the encryption in steps S1 to S3 uses a custom bitwise-operation encryption algorithm.

Encryption details: the encryption works as a byte-stream cipher; for each byte of the plaintext, the following operations are performed:

a. XOR the byte with the corresponding byte of the key, to obfuscate the data;

b. Take the index of the current byte modulo 8 to obtain a rotation count, and rotate the byte by that many bits;

c. Invert (bitwise NOT) the byte, to increase the randomness of the encryption;

d. XOR the byte again with the next byte of the key. Finally, each encrypted byte is split into two bytes, one holding the upper four bits and one the lower four bits, giving the final encrypted data sequence; this lowers the entropy of the encrypted data.

The custom bitwise-operation encryption is simple and efficient to implement; by combining XOR and shift operations with the key and with the NOT operation it provides a degree of data protection, and the final byte split effectively lowers the entropy of the encrypted data.

Optionally, an encryption function interface can be adopted with the parameters: plaintext pointer pBuffer, plaintext size bSize, key pointer pKey, key size kSize, and an outDataSize pointer through which the size of the encrypted data is returned. Return value: on success, a pointer to the encrypted ciphertext; on failure, NULL. Any encryption method can be wrapped behind this interface function, and the corresponding decryption function interface is defined the same way.
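An added check on the entropy claim in step d, written from the detection side (example code added here, not from the patent): the nibble split only halves the measured entropy cosmetically, and a scanner that recognises the pattern (every byte below 0x10, even length) can recombine the nibbles and score the true entropy. The sample "ciphertext" is a constructed SHA-256 counter stream standing in for the output of any byte-stream cipher.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def nibble_split(data: bytes) -> bytes:
    """The final encoding step described in step d: each byte becomes two
    bytes, the first holding its upper nibble and the second its lower nibble.
    Used here only to build the constructed sample."""
    out = bytearray()
    for b in data:
        out.append(b >> 4)
        out.append(b & 0x0F)
    return bytes(out)


def nibble_merge(data: bytes) -> bytes:
    """Undo the split: pair consecutive nibble bytes back into one byte."""
    return bytes((data[i] << 4) | data[i + 1] for i in range(0, len(data) - 1, 2))


def looks_nibble_split(data: bytes, min_len: int = 64) -> bool:
    """Detection heuristic: a buffer of even length in which every byte is below
    0x10 is a nibble-split stream, not genuinely low-entropy data. Real text,
    code and structured formats all contain bytes >= 0x10."""
    return len(data) >= min_len and len(data) % 2 == 0 and all(b < 0x10 for b in data)


def analyze(data: bytes) -> dict:
    """Report the raw entropy and, when the nibble-split pattern is present, the
    entropy of the recombined bytes, which is the value a detector should score."""
    report = {
        "raw_entropy": shannon_entropy(data),
        "nibble_split": looks_nibble_split(data),
    }
    if report["nibble_split"]:
        report["merged_entropy"] = shannon_entropy(nibble_merge(data))
    return report


def constructed_ciphertext(n: int = 1024, seed: bytes = b"constructed-sample") -> bytes:
    """Constructed stand-in for cipher output (not data from the patent): a
    deterministic SHA-256 counter stream, close to 8 bits/byte and runnable offline."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


RAW_SAMPLE = constructed_ciphertext()      # what the byte-stream cipher would emit
SPLIT_SAMPLE = nibble_split(RAW_SAMPLE)    # what is actually written to the .h file

if __name__ == "__main__":
    # The split stream scores at most 4 bits/byte, but the merged view restores
    # the original entropy, so the pattern itself is the indicator to look for.
    print("raw  :", analyze(RAW_SAMPLE))
    print("split:", analyze(SPLIT_SAMPLE))
```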

实施例2Example 2

如图1所示,本实施例所提供的隐蔽方法,包括:As shown in FIG1 , the concealment method provided in this embodiment includes:

步骤1:生成随机密钥a,对待隐蔽的exe程序进行加密处理,将密钥a和加密数据写入后台data_encrypt.h文件中;Step 1: Generate a random key a, encrypt the hidden exe program, and write the key a and encrypted data into the background data_encrypt.h file;

步骤2:生成随机密钥b,对PE加载器的shellcode函数进行加密处理,将密钥b和加密数据写入后台PELoader.h文件中;Step 2: Generate a random key b, encrypt the shellcode function of the PE loader, and write the key b and encrypted data into the background PELoader.h file;

步骤3:生成随机密钥c,对相应敏感字符串进行加密处理,将密钥和加密数据写入后台basicFuncName_encrypt.h文件中;Step 3: Generate a random key c, encrypt the corresponding sensitive string, and write the key and encrypted data into the background basicFuncName_encrypt.h file;

步骤4:命令行调用CL编译器和LINK链接器分别对后台C语言文件进行编译、链接,生成隐蔽处理后的exe程序。其中,链接选项选择随机基址/DYNAMICBASE,这个地址指生成的exe启动时的内存基址,若选择固定基址,则exe每次启动的内存基址都是ImageBase+AddressOfEntryPoint;若选择随机基址,则exe程序每次启动的内存基址为随机基址+AddressOfEntryPoint。Step 4: The command line calls the CL compiler and LINK linker to compile and link the background C language file respectively, and generate the hidden exe program. Among them, the link option selects random base address/DYNAMICBASE, which refers to the memory base address when the generated exe is started. If a fixed base address is selected, the memory base address of each exe startup is ImageBase+AddressOfEntryPoint; if a random base address is selected, the memory base address of each exe startup is random base address+AddressOfEntryPoint.

进一步地,步骤1、步骤2、步骤3中的加密算法相同,为自定义位运算(与、或、非、异或、移位)加密。Furthermore, the encryption algorithms in step 1, step 2, and step 3 are the same, which are customized bit operation (AND, OR, NOT, XOR, shift) encryption.

进一步地,步骤2中,如图2所示,PE加载器的功能为实现内存加载运行exe文件,传入参数为待加载exe内存起始地址,实现流程为:Further, in step 2, as shown in FIG2 , the function of the PE loader is to implement memory loading and running of the exe file, and the input parameter is the memory start address of the exe to be loaded, and the implementation process is:

1)定位Kernel32模块基址获取关键函数;1) Locate the base address of the Kernel32 module to obtain key functions;

2)申请指定内存地址,映射exe;2) Apply for a specified memory address and map exe;

3)修正IAT表;3) Revise the IAT table;

4)修正重定位表;4) Correct the relocation table;

5)修正进程中主模块地址;5) Correct the main module address in the process;

6)跳转到入口地址启动exe;6) Jump to the entry address to start exe;

进一步地,步骤2中,提取PELoader的shellcode方式为通过相邻函数首地址相减获取PELoader函数的字节码长度(二进制PE文件中,函数块按照函数名的字母顺序排列),从PELoader函数名表示的起始地址开始提取shellcode,需注意以下几个点:Furthermore, in step 2, the method of extracting the PELoader shellcode is to obtain the bytecode length of the PELoader function by subtracting the first addresses of adjacent functions (in the binary PE file, the function blocks are arranged in alphabetical order according to the function names), and extract the shellcode starting from the starting address represented by the PELoader function name. The following points should be noted:

1)PELoader函数中字符串定义采用逐字符方式,确保其存储在字节码中;1) The string definition in the PELoader function is character by character to ensure that it is stored in the bytecode;

2)PELoader代码的编译选项中(编译环境为Visual Studio 2019),选择禁用SDL检查(/sdl-),禁用优化(/Od),采用无增强指令(/arch:IA32),禁用安全检查(/GS-),禁用增量链接(/INCREMENTAL:NO);2) In the compilation options of the PELoader code (compilation environment is Visual Studio 2019), select Disable SDL check (/sdl-), Disable optimization (/Od), Use non-enhanced instructions (/arch:IA32), Disable security check (/GS-), Disable incremental linking (/INCREMENTAL:NO);

进一步,步骤3中的敏感字符串为“LoadLibraryA”、“VirtualAlloc”、“VirtualProtect”。Furthermore, the sensitive strings in step 3 are “LoadLibraryA”, “VirtualAlloc”, and “VirtualProtect”.

进一步地,步骤4中,后台的C语言文件包括:Furthermore, in step 4, the background C language file includes:

1)basicFuncName_encrypt.h,包含敏感字符串加密数据及其密钥;1) basicFuncName_encrypt.h, which contains sensitive string encryption data and its key;

2)data_encrypt.h,包含恶意exe的加密数据及其密钥;2) data_encrypt.h, which contains the encrypted data and key of the malicious exe;

3)PELoader.h,包含PE加载器shellcode的加密数据及其密钥;3) PELoader.h, which contains the encrypted data of the PE loader shellcode and its key;

4)checkSandBox.h,包含沙箱检测代码,该部分代码可自定义;4) checkSandBox.h, contains sandbox detection code, which can be customized;

5)decrypt.h,包含步骤1、步骤2、步骤3加密函数对应的解密函数;5) decrypt.h, contains the decryption functions corresponding to the encryption functions in step 1, step 2, and step 3;

6)head.h,用于声明所包含的头文件,如#pragma once、#include<stdio.h>、#include<Windows.h>;6) head.h, used to declare included header files, such as #pragma once, #include<stdio.h>, #include<Windows.h>;

7)main.cpp,包含main函数代码,如图3所示,其主功能流程为:进行沙箱检测、解密敏感字符串数据获取对应关键Win32API、开辟一段可读可执行内存、解密PE加载器shellcode的加密数据并复制到新内存中、解密待隐蔽exe的加密数据,调用PE加载器shellcode内存加载待隐蔽exe;7) main.cpp, contains the main function code, as shown in Figure 3. Its main function flow is: perform sandbox detection, decrypt sensitive string data to obtain the corresponding key Win32API, open a readable and executable memory, decrypt the encrypted data of the PE loader shellcode and copy it to the new memory, decrypt the encrypted data of the exe to be hidden, and call the PE loader shellcode memory to load the exe to be hidden;

进一步地,步骤4中,CL编译器和LINK链接器来自Visual Studio 2019,先调用CL编译器对源码文件进行编译,生成obj文件,再调用LINK连接器对其进行链接,生成隐蔽处理后的exe,其中链接选项必须选择随机地址(/DYNAMICBASE),详细编译和链接选项为:Furthermore, in step 4, the CL compiler and LINK linker are from Visual Studio 2019. First, the CL compiler is called to compile the source code file to generate an obj file, and then the LINK connector is called to link it to generate a hidden exe. The link option must select a random address (/DYNAMICBASE). The detailed compilation and link options are:

1)CL编译器编译选项:1) CL compiler compilation options:

"x86/cl.exe" /I"./Include/1ucrt" /I"./Include/1include" /I"./Include/1shared"/I"./Include/1um" /c /Zi /nologo /W3 /WX- /diagnostics:column /sdl /O2 /Oi /Oy- /GL /D WIN32 /D NDEBUG /D _CONSOLE /D _UNICODE /D UNICODE /Gm-/EHsc /MD /GS /Gy /fp:precise /permissive- /Zc:wchar_t /Zc:forScope /Zc:inline/Fo"RELEASE\\" /Fd"RELEASE\VC142.PDB" /external:W3 /Gd /TP/analyze- /FCMAIN.CPP;"x86/cl.exe" /I"./Include/1ucrt" /I"./Include/1include" /I"./Include/1shared"/I"./Include/1um" /c /Zi /nologo / W3 /WX- /diagnostics:column /sdl /O2 /Oi /Oy- /GL /D WIN32 /D NDEBUG /D _CONSOLE /D _UNICODE /D UNICODE /Gm-/EHsc /MD /GS /Gy /fp:precise / permissive- /Zc:wchar_t /Zc:forScope /Zc:inline/Fo"RELEASE\\" /Fd"RELEASE\VC142.PDB" /external:W3 /Gd /TP/analyze- /FCMAIN.CPP;

2) LINK linker link options:

"x86/link.exe" "RELEASE\\main.obj" /LIBPATH:"./lib/lib_x86" /LIBPATH:"./lib/um-x86" /LIBPATH:"./lib/urct-x86" /OUT:".\MAIN.EXE" /INCREMENTAL:NO /NOLOGO KERNEL32.LIB USER32.LIB GDI32.LIB WINSPOOL.LIB COMDLG32.LIB ADVAPI32.LIB SHELL32.LIB OLE32.LIB OLEAUT32.LIB UUID.LIB ODBC32.LIB ODBCCP32.LIB /MANIFEST /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /manifest:embed /PDB:".\RELEASE\main.PDB" /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /LTCG:incremental /LTCGOUT:"RELEASE\main.IOBJ" /TLBID:1 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /SAFESEH RELEASE\MAIN.OBJ.

Compared with the prior art, the beneficial effects of this embodiment are:

The shellcode of the PE loader is extracted; on every run a fresh random key is generated to encrypt the shellcode, the data of the exe to be concealed and the sensitive strings, and the results are written into the back-end C language files; the CL compiler and LINK linker are then invoked to compile and link the back-end source files into the concealed exe program, so that detection by the scanning engine is ultimately bypassed. Compared with other countermeasures against malware detection, the concealment method proposed in the present invention leaves fewer fixed features because a random key is used for each encryption, produces a more integrated concealed exe because CL and LINK are invoked for every compile and link, keeps the source files in the back end so that updates (for example anti-sandbox code) are easy to apply, and has low overall overhead and is easy to implement.

The CL-based automated malware concealment method of the present invention achieves good evasion results against a variety of open-source malware scanning engines. Compared with evasion methods that locate and remove signatures, this method does not affect the original functionality of the exe; compared with common evasion methods based on encryption and packing, this method is more integrated and its anomalies are harder to notice; compared with ordinary in-memory loading evasion techniques, this method invokes CL and LINK to compile and link automatically, with no manual compile-and-link step each time, giving a high degree of automation; compared with GAN-based and gradient-based malware evasion methods, this method is faster and cheaper to implement; and it effectively improves the robustness of detection techniques.

It can be seen that the technical solution provided by the present invention targets executable programs on the Windows platform: each random-key encryption leaves fewer fixed features, and each invocation of CL and LINK for compiling and linking makes the generated concealed exe program more integrated, which effectively lowers the suspiciousness of the exe program and improves its concealment; keeping the C language source files in the back end makes updates easy to apply, and the overall process is faster, cheaper, lower in overhead and easy to implement. In other words, if this method is applied to the training of malware detection techniques, it helps improve their robustness and further strengthens the defensive capability of antivirus engines.

In addition to the beneficial effects above, the preferred methods above also achieve the following beneficial effects: the shellcode of the PELoader function is a strong feature for malicious code detection, so encrypting the shellcode function with a random key helps conceal that feature; loading and running the exe program from memory prevents the original binary data of the malware from being exposed in a local file; the custom bit-operation encryption is simple and efficient to implement, providing a degree of data protection through XOR and shift operations combined with key obfuscation and bit inversion, and splitting the bytes effectively reduces the entropy of the encrypted data.

The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (4)

1. A method for concealing a PE program, characterized by comprising the following steps:
Step S1: generate a random key a, encrypt the exe program to be concealed to produce first encrypted data; write key a and the first encrypted data into the back-end file data_encrypt.h;
Step S2: generate a random key b, encrypt the shellcode of the PE loader to produce second encrypted data; write key b and the second encrypted data into the back-end file PELoader.h;
Step S3: generate a random key c, encrypt the sensitive strings to produce third encrypted data; write the key and the third encrypted data into the back-end file basicFuncName_encrypt.h;
wherein the sensitive strings include LoadLibraryA, VirtualAlloc and VirtualProtect;
Step S4: invoke the CL compiler from the command line to compile the C language files into an obj file; then invoke the LINK linker to link the obj file into the concealed exe program;
wherein during linking the link options select a randomized base address;
the C language files include:
the data_encrypt.h, PELoader.h and basicFuncName_encrypt.h files;
checkSandBox.h, containing the sandbox detection code;
decrypt.h, containing the decryption functions corresponding to steps S1 to S3;
head.h, declaring the included header files;
main.cpp, containing the main function code, whose execution logic includes: performing sandbox detection; decrypting the sensitive strings to obtain the corresponding key Win32 API functions; allocating a readable and executable first new memory region; decrypting the first encrypted data; decrypting the second encrypted data and copying it into the first new memory; and calling the memory holding the shellcode to load the exe program to be concealed.

2. The method for concealing a PE program as claimed in claim 1, characterized in that the shellcode extraction method for the PE loader in step S2 comprises:
obtaining the bytecode length of the PELoader function in the PE loader by subtracting the start addresses of adjacent functions, and extracting the shellcode starting from the start address denoted by the PELoader function name;
defining the strings in the PELoader function character by character;
in the compile options of the PELoader function, selecting: disable SDL checks, disable optimization, disable security checks, disable incremental linking, and no enhanced instruction set.

3. The method for concealing a PE program as claimed in claim 1, characterized in that the shellcode comprises the following steps:
Step C1: locate the PEB, walk the LDR to obtain the Kernel32 module address, parse the PE structure of the Kernel32 module, and obtain the GetProcAddress, LoadLibrary and WinExec functions;
Step C2: parse the PE structure of the exe program to be loaded, obtain the ImageBase field value, and use VirtualAlloc to request a second new memory region whose address is ImageBase and whose size is the SizeOfImage field value;
if the request fails, restart the program until the request succeeds;
map the data of the exe program into the second new memory according to the memory alignment field size in the PE file structure;
Step C3: parse the PE structure of the exe program and fix up the function addresses in the IAT using the GetProcAddress and LoadLibrary functions;
Step C4: parse the PE structure of the exe program and apply the relocation table;
Step C5: correct the process main module address recorded in the PEB and LDR to the start address of the second new memory;
Step C6: jump to the entry address pointed to by the AddressOfEntryPoint field to start the exe program.

4. The method for concealing a PE program as claimed in claim 1, characterized in that the encryption in steps S1 to S3 uses a custom bit-operation encryption algorithm.
CN202410633541.1A 2024-05-21 2024-05-21 Concealment method of PE program Pending CN118520462A (en)


Publications (1)

Publication Number Publication Date
CN118520462A true CN118520462A (en) 2024-08-20



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination