IDENTIFYING SOFTWARE EXECUTION BEHAVIOR
12 Assignments
0 Petitions
Abstract
The present invention extends to methods, systems, and computer program products for identifying software execution behavior. Embodiments of the invention can be used to assist a user in making a reasoned and informed decision about whether the behavior of executable code is malicious. Data indicative of executable code behavior can be collected statically, without having to execute the executable code. Behavior data can be collected essentially automatically, with little, if any, user involvement. A user initiates analysis of executable code and is provided a visual, categorized representation of behavior data for the executable code.
237 Citations
20 Claims
1. At a computer system, the computer system including a processor and system memory, a method for identifying execution behavior for a portion of binary code, the method comprising:
an act of accessing a portion of assembly code, the portion of assembly code disassembled from the portion of binary code, the portion of assembly code including assembly language instructions from an assembly language instruction set;
an act of converting the portion of assembly code to an intermediate representation, the intermediate representation including intermediate representation instructions from an intermediate representation instruction set, converting the portion of assembly code including:
an act of mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions so as to reduce the complexity of analyzing the behavior of the portion of binary code;
an act of tracking the path of one or more parameters within functions of the intermediate representation to identify one or more of: parameter values and parameter types used to call functions of interest within the portion of binary code; and
an act of outputting one or more of: functions, parameter values, and parameter types of interest for the portion of binary code.
Dependent claims: 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13
7. The method as recited in claims, wherein the act of mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions comprises:
an act of reducing redundant instructions within the portion of assembly code; and
an act of retaining sufficient semantics from the binary code such that potentially malicious behavior can be detected.
14. A computer program product for use at a computer system, the computer system including a display device, the computer program product for implementing a method for identifying execution behavior for a portion of binary code, the computer program product comprising one or more computer storage devices having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
access a portion of assembly code, the portion of assembly code disassembled from the portion of binary code, the portion of assembly code including assembly language instructions from an assembly language instruction set;
convert the portion of assembly code to an intermediate representation, the intermediate representation including intermediate representation instructions from an intermediate representation instruction set, converting the portion of assembly code including: mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions so as to reduce the complexity of analyzing the behavior of the portion of binary code;
track the path of one or more parameters within functions of the intermediate representation to identify one or more of: parameter values and parameter types used to call functions of interest within the portion of binary code;
output one or more of: functions, parameter values, and parameter types of interest for the portion of binary code; and
present the one or more of: functions, parameter values, and parameter types of interest at the display device, presentation at the display device assisting a user in determining if the portion of binary code includes malicious behaviors.
Dependent claims: 15, 16, 17, 18, 19
20. At a computer system, the computer system including a processor, system memory, and a display device, a method for identifying execution behavior for a portion of binary code, the method comprising:
an act of accessing a portion of assembly code, the portion of assembly code disassembled from the portion of binary code, the portion of assembly code including assembly language instructions from an assembly language instruction set;
an act of converting the portion of assembly code to an intermediate representation, the intermediate representation including intermediate representation instructions from an intermediate representation instruction set, converting the portion of assembly code including:
an act of mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions so as to reduce the complexity of analyzing the behavior of the portion of binary code, including, for at least one assembly language instruction, decomposing the assembly language instruction into a plurality of micro operations to simplify analysis of the portion of binary code;
an act of tracking the path of one or more parameters within functions of the intermediate representation to identify one or more of: parameter values and parameter types used to call functions of interest within the portion of binary code;
categorizing functions, parameter values, and parameter types to simplify the complexity of identifying potentially malicious behavior exhibited by the portion of binary code; and
presenting the categorized functions, parameter values, and parameter types of interest at the display device, presentation at the display device assisting a user in determining if the portion of binary code includes malicious behaviors.
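As an added illustration of the pipeline that claims 1 and 20 describe (this is editor-written example code, not code from the patent, its assignee, or any product), the Python sketch below lifts each assembly instruction to an ordered list of IR micro-operations (a push becomes two), follows constant and string-pointer values through registers and a stack model to the call sites of functions of interest, reports each call with its parameter values and declared parameter types, marks values that static analysis cannot resolve, and groups the results by category for presentation. The instruction subset, the functions-of-interest table, the string table and the assembly listing are all constructed assumptions, not data recovered from any real binary.

```python
from __future__ import annotations

# Hypothetical, constructed table of "functions of interest": name -> (category, ordered
# parameters as (name, declared type)). A real tool would load this from an API database.
FUNCTIONS_OF_INTEREST = {
    "WinExec": ("process", [("lpCmdLine", "str"), ("uCmdShow", "u32")]),
    "DeleteFileA": ("file", [("lpFileName", "str")]),
}

# Constructed string table, standing in for data a disassembler recovers from the binary.
STRINGS = {"str_cmd": "notepad.exe"}

UNKNOWN = "<unknown>"  # marker for a value static analysis cannot determine


def lift(instr: str) -> list[tuple]:
    """Map one assembly instruction to an ordered list of IR micro-operations."""
    mnemonic, _, rest = instr.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    if mnemonic == "mov":
        return [("assign", ops[0], ops[1])]
    if mnemonic == "lea":
        return [("assign", ops[0], ops[1].strip("[]"))]      # address of a data label
    if mnemonic == "xor" and ops[0] == ops[1]:
        return [("assign", ops[0], "0")]                      # zeroing idiom, kept as a constant
    if mnemonic == "push":                                    # one instruction -> two micro-ops
        return [("sub", "esp", "4"), ("store", "esp", ops[0])]
    if mnemonic == "add" and ops[0] == "esp":
        return [("add", "esp", ops[1])]
    if mnemonic == "call":
        return [("call", ops[0])]
    return [("unknown", instr)]                               # anything this toy does not model


def resolve(operand: str, regs: dict):
    """Turn an operand into a known constant, a recovered string, or UNKNOWN."""
    if operand in regs:
        return regs[operand]
    if operand in STRINGS:
        return STRINGS[operand]                               # pointer to data -> the string itself
    try:
        return int(operand, 0)
    except ValueError:
        return UNKNOWN


def track(asm: list[str]) -> tuple[list[tuple], list[dict]]:
    """Lift every instruction, then follow values through registers and the stack
    to the call sites of functions of interest. Returns (ir, findings)."""
    regs: dict = {}
    stack: dict[int, object] = {}   # esp offset -> value stored there
    esp = 0
    ir, findings = [], []
    for instr in asm:
        for op in lift(instr):
            ir.append(op)
            kind = op[0]
            if kind == "assign":
                regs[op[1]] = resolve(op[2], regs)
            elif kind in ("sub", "add"):
                delta = resolve(op[2], regs)
                if isinstance(delta, int):
                    esp += delta if kind == "add" else -delta
                else:
                    stack.clear()                             # stack layout no longer known
            elif kind == "store":
                stack[esp] = resolve(op[2], regs)
            elif kind == "call" and op[1] in FUNCTIONS_OF_INTEREST:
                category, params = FUNCTIONS_OF_INTEREST[op[1]]
                # stdcall/cdecl layout: first parameter at [esp], the next at [esp+4], ...
                values = {name: (typ, stack.get(esp + 4 * i, UNKNOWN))
                          for i, (name, typ) in enumerate(params)}
                findings.append({"function": op[1], "category": category, "params": values})
                esp += 4 * len(params)                        # stdcall callee pops its arguments
                for r in ("eax", "ecx", "edx"):               # caller-saved registers are clobbered
                    regs[r] = UNKNOWN
            elif kind == "unknown":
                regs.clear()                                  # be conservative: forget everything
    return ir, findings


def categorize(findings: list[dict]) -> dict[str, list[str]]:
    """Group reported calls by category, the form a reviewer would be shown."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f["category"], []).append(f["function"])
    return out


# Constructed assembly listing in the form a disassembler would emit (not from a real binary).
SAMPLE_ASM = [
    "push 0",                # uCmdShow
    "lea eax, [str_cmd]",    # eax := address of the "notepad.exe" string
    "push eax",              # lpCmdLine
    "call WinExec",
    "mov ecx, [ebp+8]",      # a value handed in by the caller: not knowable statically
    "push ecx",              # lpFileName
    "call DeleteFileA",
]

if __name__ == "__main__":
    ir, findings = track(SAMPLE_ASM)
    print(f"{len(SAMPLE_ASM)} assembly instructions -> {len(ir)} IR micro-ops")
    for f in findings:
        print(f["category"], f["function"], f["params"])
    print(categorize(findings))
```

The second call shows the limit of purely static tracking: the argument to DeleteFileA comes from the caller's frame, so the tracker reports it as unresolved rather than guessing, and the reviewer sees that the file operation exists but its target is unknown without further context.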
Specification