Research Of PE File Information Hiding Based On Code Fusion

With the rapid development of computer science and Internet technology,the application fields of computer are increasingly expanding.At the same time,more and more security requirements are needed.How to achieve secure transmission and storage of digital information is emergent.Mere encryption technology does not solve this problem.However,information hiding technology provides a new secure stratedgy for information communication.Now it has become a hotspot research topic in information security field.PE file is a standard format for executable file and is applied extensively.PE file has diversity,uncertainty of file size,complexity of file structure and singleness of file format,which make PE file easy to be a carrier of information hiding,especially for that of large hiding capacity.Existing information technologies based on PE file often utilize redundant space or fields.Those approaches are not related to program functions or instruction codes.Therefore there exists some disadvantages,such as exceeding convergence,bad concealment and unsatisfied robust of hidden information.In this thesis,we deeply analyze code section,resource section and import table of PE file,and further study information hiding algorithms of PE file based on code fusion by exploiting the features of code section,icon resource and import table.Main research topics and contributions are as follows:(1)A large volume information hiding algorithm base on function migration is proposed.Firstly it utilizes disassemble engine to disassemble code section of PE file,processes functions recognition,and shifts all the codes of above system or user-defined functions to the last section of PE file.Then it hides information in the old code space.To improve concealment and anti-attack capacity,it will transform hidden messages into instructions and seal them into a standard function.Like this,combining hidden information with main functions or key codes of PE file makes this algorithm good concealment and anti-attack ability.Moreover,in order to improve the above algorithm and maintain logical relation of instructions containing hidden information,an information hiding algorithm changing constant operands is proposed.The improved algorithm does not modify other parts of instructions except constant operands.Therefore,basic form of instructions and the logical relation between instructions and function semantics is not changed,which improves concealment ability significantly.Finally,to improve hiding capability,an infinite capacity hiding algorithm is proposed.It transforms hidden information into instructions and hides them between two shifted functions.Only choosing two and more functions and then hiding information by function migration,infinite information can be hidden.Theory analysis and experiment result show that the three algorithms have stronger concealment and anti-attack capability when compared with similar algorithms.(2)An algorithm based on incremental link characteristics of compilers is presented.Adopting incremental link aims to boost compile speed and make debug convenient.By analyzing PE file characteristics after utilizing incremental link,this algorithm is designed.Concretely,it hides information into padding bytes between adjacent function codes,which integrates hidden information into program instruction codes to guarantee concealment and attack tolerance.When Windows application programs are created,the compiler will link object program with numerous initial or windows frame functions.This method has following characteristics.Firstly,large padding space ensures hiding capacity.Secondly,after hidden,PE file size does not increase.Finally,there is not any impact on program performance.(3)On the base of icon characteristics of PE file,using transparent display theory of 32 bits icon and palette icon,we propose two hiding algorithms.This algorithm hides information in the transparent region of icon resource of PE file.Theory analysis and experiment result show that it has good concealment and large hiding capability.At the same time,the icon can maintain the same appearance with primary icon without any visual distortion and length change.It also does not impact program performance.Meanwhile,we can further improve the hiding capacity by adding one or more icons to PE file.To improve concealment,the new icon is added by copying the original icon of PE file,the new icon style is consistent with the original icon.(4)According to working theory of import table and loader of PE file,an algorithm based on LAT table and an algorithm based on import table shift are proposed respectively.Theory analysis and experiment result show that the two algorithms overcome the disadvantages of previous hiding information schemes,such as hidden information convergence and destruction of import table.The thesis proposes some novel and key algorithms for hiding information technology of PE file.Research results will provide technology guarantee for covert communication via Internet.It can be used extensively in information security field,such as covert communication and rights protection.