关键词: 虚拟机保护, 等价指令替换, 切分乱序, 多样化, 表隐藏

Abstract: The combination of Handlers in virtual machine can protect key codes in the program, and these Handlers are the main target for software reverse analysts to attack. Aiming at the reduction method for dynamic extraction and static analysis of Handlers, virtual machine protection method based on Handler obfuscation is proposed. Firstly, various equivalent instruction rules are used to generate different equivalence Handlers, and then all Handlers are divided and disordered by random scrambling algorithm, and they are restructured by constructing jump table, finally random address array is used to hide the data of Handler scheduling address table and execution jump table. Experiments and analysis show that the generation, segmentation and disorder of diverse Handlers increase the difficulty of dynamic extraction and analysis, the Handler address table and a jump table hidden enhances the difficulty of static reverse analysis.

Key words: virtual machine protection, equivalent instruction replacement, segmentation disorder, diversity, table hidden