Method and apparatus for detecting application

US 10,417,422 B2
Filed: 05/25/2017
Issued: 09/17/2019
Est. Priority Date: 10/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an application, comprising:

disassembling a binary program of an application running on a target device to generate a to-be-recovered assembly program;

selecting, from the to-be-recovered assembly program, a function having function information consistent with function information of a preset reference function in a reference assembly program to obtain at least one candidate function, wherein a matching degree between the function information of the function selected from the to-be-recovered assembly program and the consistent function information of the preset reference function in the reference assembly program is greater than a preset threshold, and the matching degree comprises at least one of;

a matching degree between function names, a matching degree between constants in the functions, or a matching degree between calling relationships of the functions;

selecting, among the at least one candidate function, the candidate function having grammatical and/or semantic information consistent with grammatical and/or semantic information of the preset reference function as an object function;

selecting, from the object function, a variable having grammatical and/or semantic information consistent with grammatical and/or semantic information of a preset reference variable in the preset reference function as a target variable; and

outputting positional information of the object function and the target variable in the to-be-recovered assembly program as a detection result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure discloses a method and an apparatus for detecting an application. The method comprises: disassembling a binary program of an application running on a target device to generate a to-be-recovered assembly program; selecting, from the to-be-recovered assembly program, a function having function information consistent with function information of a preset reference function in a reference assembly program to obtain at least one candidate function; selecting, among the at least one candidate function, a candidate function having grammatical and/or semantic information consistent with grammatical and/or semantic information of the preset reference function as an object function; selecting, from the object function, a variable having grammatical and/or semantic information consistent with grammatical and/or semantic information of a preset reference variable in the preset reference function as a target variable; and outputting positional information of the object function and the target variable in the to-be-recovered assembly program as a detection result.

9 Citations

19 Claims

1. A method for detecting an application, comprising:
- disassembling a binary program of an application running on a target device to generate a to-be-recovered assembly program;
  
  selecting, from the to-be-recovered assembly program, a function having function information consistent with function information of a preset reference function in a reference assembly program to obtain at least one candidate function, wherein a matching degree between the function information of the function selected from the to-be-recovered assembly program and the consistent function information of the preset reference function in the reference assembly program is greater than a preset threshold, and the matching degree comprises at least one of;
  
  a matching degree between function names, a matching degree between constants in the functions, or a matching degree between calling relationships of the functions;
  
  selecting, among the at least one candidate function, the candidate function having grammatical and/or semantic information consistent with grammatical and/or semantic information of the preset reference function as an object function;
  
  selecting, from the object function, a variable having grammatical and/or semantic information consistent with grammatical and/or semantic information of a preset reference variable in the preset reference function as a target variable; and
  
  outputting positional information of the object function and the target variable in the to-be-recovered assembly program as a detection result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 18, 19)
- - 2. The method according to claim 1, wherein the selecting, from the to-be-recovered assembly program, a function having function information consistent with function information of the preset reference function in the reference assembly program to obtain at least one candidate function comprises:
    - extracting respectively at least one item of function information of the preset reference function and at least one item of function information of each function in the to-be-recovered assembly program to generate a function information set of the preset reference function and a function information set of the each function in the to-be-recovered assembly program;
      
      calculating a similarity between the function information set of the preset reference function and the function information set of the each function in the to-be-recovered assembly program, respectively; and
      
      selecting the candidate function from the each function in the to-be-recovered assembly program based on a result of calculating the similarity.
  - 3. The method according to claim 1, wherein the selecting, among the at least one candidate function, a candidate function having grammatical and/or semantic information consistent with grammatical and/or semantic information of the preset reference function as the object function comprises:
    - extracting respectively at least one item of grammatical and/or semantic information of the preset reference function and at least one item of grammatical and/or semantic information of each candidate function to generate a grammatical and/or semantic information set of the preset reference function and a grammatical and/or semantic information set of the each candidate function;
      
      calculating a similarity between the grammatical and/or semantic information set of the preset reference function and the grammatical and/or semantic information set of the each candidate function, respectively; and
      
      selecting the object function from the each candidate function based on a result of calculating the similarity.
  - 4. The method according to claim 1, wherein the selecting, from the object function, a variable having grammatical and/or semantic information consistent with grammatical and/or semantic information of a preset reference variable in the preset reference function as a target variable comprises:
    - extracting respectively at least one item of grammatical and/or semantic information of the preset reference variable and at least one item of grammatical and/or semantic information of each variable in the object function to generate a grammatical and/or semantic information set of the preset reference variable and a grammatical and/or semantic feature set of the each variable in the object function;
      
      calculating a similarity between the grammatical and/or semantic information set of the preset reference variable and the grammatical and/or semantic information set of the each variable in the object function, respectively; and
      
      selecting the target variable from the each variable in the object function based on a result of calculating the similarity.
  - 5. The method according to claim 1, wherein the positional information of the object function and the target variable in the to-be-recovered assembly program comprises a starting address of the object function and an offset of the target variable.
  - 6. The method according to claim 1, wherein the grammatical and/or semantic information of the function comprises at least one of:
    - a number of basic blocks, a control flow graph, an output corresponding to a sample input, and an analytical result of symbolic execution.
  - 7. The method according to claim 1, wherein the grammatical and/or semantic information of the variable comprises at least one of:
    - a variable name, dependency relationship of the variable in a data flow or a control flow, and an analytical result of symbolic execution.
  - 8. The method according to claim 2, wherein the calculating a similarity comprises a minimum hash algorithm.
  - 18. The method according to claim 1, the function having an identical name as a name of the preset reference function is selected from the to-be-recovered assembly program as the candidate function.
  - 19. The method according to claim 1, the function having an identical calling relationship as a calling relationship of the preset reference function is selected from the to-be-recovered assembly program as the candidate function.

9. An apparatus for detecting an application, comprising:
- at least one processor; and
  
  a memory storing instructions, which when executed by the at least one processor, cause the at least one processor to perform operations, the operations comprising;
  
  disassembling a binary program of an application running on a target device to generate a to-be-recovered assembly program;
  
  selecting, from the to-be-recovered assembly program, a function having function information consistent with function information of a preset reference function in a reference assembly program to obtain at least one candidate function, wherein a matching degree between the function information of the function selected from the to-be-recovered assembly program and the consistent function information of the preset reference function in the reference assembly program is greater than a preset threshold, and the function information comprises at least one of;
  
  a function name, a constant in the function, or a calling relationship of the function;
  
  selecting, among the at least one candidate function, a candidate function having grammatical and/or semantic information consistent with grammatical and/or semantic information of the preset reference function as an object function;
  
  selecting, from the object function, a variable having grammatical and/or semantic information consistent with grammatical and/or semantic information of a preset reference variable in the preset reference function as a target variable; and
  
  outputting positional information of the object function and the target variable in the to-be-recovered assembly program as a detection result.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus according to claim 9, wherein the selecting, from the to-be-recovered assembly program, a function having function information consistent with function information of the preset reference function in a reference assembly program to obtain at least one candidate function comprises:
    - extracting respectively at least one item of function information of the preset reference function and at least one item of function information of each function in the to-be-recovered assembly program to generate a function information set of the preset reference function and a function information set of the each function in the to-be-recovered assembly program;
      
      calculating a similarity between the function information set of the preset reference function and the function information set of the each function in the to-be-recovered assembly program, respectively; and
      
      selecting the candidate function from the each function in the to-be-recovered assembly program based on a result of calculating the similarity.
  - 11. The apparatus according to claim 9, wherein the selecting, among the at least one candidate function, a candidate function having grammatical and/or semantic information consistent with grammatical and/or semantic information of the preset reference function as an object function comprises:
    - extracting respectively at least one item of grammatical and/or semantic information of the preset reference function and at least one item of grammatical and/or semantic information of each candidate function to generate a grammatical and/or semantic information set of the preset reference function and a grammatical and/or semantic information set of the each candidate function;
      
      calculating a similarity between the grammatical and/or semantic information set of the preset reference function and the grammatical and/or semantic information set of the each candidate function, respectively; and
      
      selecting the object function from the each candidate function based on a result of calculating the similarity.
  - 12. The apparatus according to claim 9, wherein the selecting, from the object function, a variable having grammatical and/or semantic information consistent with grammatical and/or semantic information of a preset reference variable in the preset reference function as a target variable comprises:
    - extracting respectively at least one item of grammatical and/or semantic information of the preset reference variable and at least one item of grammatical and/or semantic information of each variable in the object function to generate a grammatical and/or semantic information set of the preset reference variable and a grammatical and/or semantic feature set of the each variable in the object function;
      
      calculating a similarity between the grammatical and/or semantic information set of the preset reference variable and the grammatical and/or semantic information set of the each variable in the object function, respectively; and
      
      selecting the target variable from the each variable in the object function based on a result of calculating the similarity.
  - 13. The apparatus according to claim 9, wherein the positional information of the object function and the target variable in the to-be-recovered assembly program comprises a starting address of the object function and an offset of the target variable.
  - 14. The apparatus according to claim 9, wherein the grammatical and/or semantic information of the function comprises at least one of:
    - a number of basic blocks, a control flow graph, an output corresponding to a sample input, and an analytical result of symbolic execution.
  - 15. The apparatus according to claim 9, wherein the grammatical and/or semantic information of the variable comprises at least one of:
    - a variable name, dependency relationship of the variable in a data flow or a control flow, and an analytical result of symbolic execution.
  - 16. The apparatus according to claim 10, wherein the calculating a similarity comprises a minimum hash algorithm.

17. A non-transitory storage medium storing one or more programs, the one or more programs when executed by an apparatus, causing the apparatus to perform operations, the operations comprising:
- disassembling a binary program of an application running on a target device to generate a to-be-recovered assembly program;
  
  selecting, from the to-be-recovered assembly program, a function having function information consistent with function information of a preset reference function in a reference assembly program to obtain at least one candidate function, wherein a matching degree between the function information of the function selected from the to-be-recovered assembly program and the consistent function information of the preset reference function in the reference assembly program is greater than a preset threshold, and the function information comprises at least one of;
  
  a function name, a constant in the function, or a calling relationship of the function;
  
  selecting, among the at least one candidate function, a candidate function having grammatical and/or semantic information consistent with grammatical and/or semantic information of the preset reference function as an object function;
  
  selecting, from the object function, a variable having grammatical and/or semantic information consistent with grammatical and/or semantic information of a preset reference variable in the preset reference function as a target variable; and
  
  outputting positional information of the object function and the target variable in the to-be-recovered assembly program as a detection result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Baidu Online Network Technology (Beijing) Co., Ltd (Baidu Incorporated)
Original Assignee
Baidu Online Network Technology (Beijing) Co., Ltd (Baidu Incorporated)
Inventors
Zhang, Yulong, Wei, Tao
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Salman, Raied A

Application Number

US15/605,668
Publication Number

US 20180114019A1
Time in Patent Office

845 Days
Field of Search

726 25, 726 23, 717163
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 40/253   Grammatical analysis; Style...

G06F 40/30   Semantic analysis

G06F 8/53   Decompilation; Disassembly

Method and apparatus for detecting application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links