
Research And Implementation Of Reverse Analysis PE File Protection System

Posted on: 2022-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Tian
GTID: 2518306314968189
Subject: Computer technology

Abstract/Summary:
To deal with the security threats that reverse analysis poses to Windows software, this paper proposes and implements a security protection system for Windows executable programs. The system defends against both the static-analysis and dynamic-analysis stages of reverse engineering an executable and effectively increases the difficulty of reverse analysis. The main protection measures adopted are: 1. Packing, which improves on existing virtual machine packing technology and proposes a diversified Handler protection mechanism; 2. Code obfuscation, which changes the structure of the program's function blocks at run time and increases instruction complexity in order to increase the difficulty of reverse analysis.

This work aims to strengthen the anti-reverse capability of PE files and studies binary obfuscation and virtual machine packing techniques for PE files on the Windows platform. The main work includes:

First, the research status of PE file packing technology and binary protection technology under Windows is analyzed, the common methods of PE file anti-reverse analysis are summarized, and the packing principle of PE files and the popular packer (shell) types on the market are briefly explained.

Second, the virtual machine-based diversified Handler packing protection method is elaborated. The data structures, calling convention, and framework it establishes are explained in detail at the source code level, and the advantages and shortcomings of the common Handler implementation and the diversified Handler implementation are compared. The comparison shows that the diversified Handler has stronger anti-reverse performance, which in turn demonstrates the effectiveness of the proposed packing method.

Third, a static protection algorithm that exchanges basic blocks between functions by establishing an index is proposed, and the basic idea of the algorithm is briefly explained. An analysis of the commonly used anti-debugging techniques identifies their limitations; these techniques are then optimized and improved, and a binary obfuscator is designed and implemented.

Finally, the packing method described above is tested and verified. Comparing the compression rate, runtime overhead, static and dynamic instruction execution rate, and other parameters against popular packer software indirectly shows that the proposed protection method is effective and feasible. The experimental results show that the proposed protection method has certain advantages in terms of concealment, running time overhead, and space occupation.
Keywords/Search Tags:virtual software packing, code obfuscation, PE file protection, reverse engineering, software protection