METHODS AND SYSTEMS OF DISASSEMBLING EXECUTABLE CODE

US 20190095183A1
Filed: 09/27/2017
Published: 03/28/2019
Est. Priority Date: 09/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method useful for disassembling an executable binary comprising the steps of:

runtime monitoring of an application executing on a computer system;

capturing an API/system call performed by the application;

capturing a control transfer in the application;

generating a list of collected events, wherein the list of collected events comprises at least one of the API/system call or the control transfer;

transferring the list of collected events to a disassembler;

with the disassembler;

generating a set of disassembly traces for the executable binary by starting a disassembly operation at one or more potential start locations;

validating the set of disassembly traces by checking a consistency with a set of observed events that are in a memory region covered by the set of disassembly traces; and

combining a set of validated disassembly traces to complete the disassembly operation on the executable binary.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In another aspect, method useful for monitoring of an API/system call implemented by an application for generating disassembly of an executable binary of the application, includes the steps of scanning a computer system for an executable application. The method includes the step of scanning the computer system for a running process associated with the executable binary. The method includes the step of initiating an application programming interface (API) call monitoring method that associates an observed API/system call with the executable binary. The method includes the step of reporting a set of collected events to a local server.

16 Citations

View as Search Results

14 Claims

1. A method useful for disassembling an executable binary comprising the steps of:
- runtime monitoring of an application executing on a computer system;
  
  capturing an API/system call performed by the application;
  
  capturing a control transfer in the application;
  
  generating a list of collected events, wherein the list of collected events comprises at least one of the API/system call or the control transfer;
  
  transferring the list of collected events to a disassembler;
  
  with the disassembler;
  
  generating a set of disassembly traces for the executable binary by starting a disassembly operation at one or more potential start locations;
  
  validating the set of disassembly traces by checking a consistency with a set of observed events that are in a memory region covered by the set of disassembly traces; and
  
  combining a set of validated disassembly traces to complete the disassembly operation on the executable binary.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein an event information includes a processor register value, an application attribute, an application symbol table, an application'"'"'s stack, and a processor'"'"'s last branch records.
  - 3. The method of claim 1, wherein collected events are reported to a remote server for use in disassembly of the executable binary.
  - 4. The method of claim 1 further comprising the step of monitoring and reporting of a control flow in the application for generating disassembly of the executable binary by:
    - scanning the computer system for a running process associated with the executable binary;
      
      instrumenting an application code of the executable application to monitor a control flow;
      
      inserting event-logging code into the executable application to monitor the control flow;
      
      inserting a software interrupt into the executable application to monitor the control flow logging a collected event reflecting a characteristic of the control flow; and
      
      reporting the collected event to a server.
  - 5. The method of claim 4, wherein a potential size of the memory region is bounded by a code section boundary.
  - 6. The method of claim 5, wherein the validation code is part of an operating system.

7. A method useful for monitoring of an API/system call implemented by an application for generating disassembly of an executable binary of the application, comprising the steps of:
- scanning a computer system for an executable application;
  
  scanning the computer system for a running process associated with the executable binary;
  
  initiating an application programming interface (API) call monitoring method that associates an observed API/system call with the executable binary; and
  
  reporting a set of collected events to a local server.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the observed API/system call event is reported to a remote server.
  - 9. The method of claim 7, wherein an observed API/system call is validated by matching a pointer type with the API/system call.
  - 10. The method of claim 7, wherein the API/system call is validated by checking the consistency of a disassembled code with an argument used by the API/system call.
  - 11. The method of claim 7, wherein the API/system call is monitored from the application, a kernel of an operating system, an emulator, or a hypervisor.

12. A method useful for disassembling an executable code located after a control flow instruction, comprising the steps of:
- determining a potential size of a code as a difference between a control flow instruction and a start of a next execution trace;
  
  initiating a disassembly trace for each memory address in a memory region of the application;
  
  enforcing an alignment with a known API/system call observed in the memory region of the application; and
  
  enforcing a consistency between an argument supplied to the API/system call with another argument reflected in the disassembly trace.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein a potential size of the memory region is bounded by a code section boundary.
  - 14. The method of claim 12, wherein the validation code is part of an operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
New Relic
Original Assignee
Abhay Kanhere, Jayant Shukla
Inventors
SHUKLA, JAYANT, KANHERE, ABHAY

Granted Patent

US 11,294,653 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/14   against software analysis o...

G06F 21/52   during program execution, e...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 8/53   Decompilation; Disassembly

METHODS AND SYSTEMS OF DISASSEMBLING EXECUTABLE CODE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS OF DISASSEMBLING EXECUTABLE CODE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links