METHODS AND SYSTEMS OF DISASSEMBLING EXECUTABLE CODE
First Claim
1. A method useful for disassembling an executable binary comprising the steps of:
runtime monitoring of an application executing on a computer system;
capturing an API/system call performed by the application;
capturing a control transfer in the application;
generating a list of collected events, wherein the list of collected events comprises at least one of the API/system call or the control transfer;
transferring the list of collected events to a disassembler;
with the disassembler;
generating a set of disassembly traces for the executable binary by starting a disassembly operation at one or more potential start locations;
validating the set of disassembly traces by checking a consistency with a set of observed events that are in a memory region covered by the set of disassembly traces; and
combining a set of validated disassembly traces to complete the disassembly operation on the executable binary.
3 Assignments
Abstract
In another aspect, a method useful for monitoring of an API/system call implemented by an application for generating disassembly of an executable binary of the application includes the step of scanning a computer system for an executable application. The method includes the step of scanning the computer system for a running process associated with the executable binary. The method includes the step of initiating an application programming interface (API) call monitoring method that associates an observed API/system call with the executable binary. The method includes the step of reporting a set of collected events to a local server.
16 Citations
14 Claims
1. A method useful for disassembling an executable binary comprising the steps of: (text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6.

7. A method useful for monitoring of an API/system call implemented by an application for generating disassembly of an executable binary of the application, comprising the steps of: scanning a computer system for an executable application; scanning the computer system for a running process associated with the executable binary; initiating an application programming interface (API) call monitoring method that associates an observed API/system call with the executable binary; and reporting a set of collected events to a local server. Dependent claims: 8, 9, 10, 11.

12. A method useful for disassembling an executable code located after a control flow instruction, comprising the steps of: determining a potential size of a code as a difference between a control flow instruction and a start of a next execution trace; initiating a disassembly trace for each memory address in a memory region of the application; enforcing an alignment with a known API/system call observed in the memory region of the application; and enforcing a consistency between an argument supplied to the API/system call with another argument reflected in the disassembly trace. Dependent claims: 13, 14.
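Claims 1 and 12 together describe one procedure: start a linear disassembly trace at every candidate address of a region, reject any trace that contradicts the events observed at runtime in that region (a call site that does not fall on an instruction boundary, a call whose decoded target differs from the observed target, a pushed argument that differs from the observed argument), and merge the traces that survive. The following Python is an added, constructed illustration of that procedure and is not code from the patent or from any real disassembler: the five-opcode instruction set, the 15-byte code region and the three runtime events are all invented for the example, and the event format (`kind`, `addr`, `target`, optional `arg`) is an assumption. The region deliberately contains a data byte after a `jmp` (the "code located after a control flow instruction" case of claim 12) and a start address at which the bytes decode to a plausible but misaligned instruction, so the output shows both a rejection by invalid opcode and a rejection by event misalignment.

```python
"""Event-validated disassembly: constructed toy example (not the patent's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed toy ISA: opcode -> (mnemonic, total instruction length in bytes).
ISA = {
    0x01: ("nop", 1),
    0x02: ("push", 2),   # push imm8
    0x03: ("call", 3),   # call abs16 (little-endian)
    0x04: ("jmp", 2),    # jmp rel8 (signed), relative to the next instruction
    0x05: ("ret", 1),
}

@dataclass(frozen=True)
class Insn:
    addr: int
    mnem: str
    length: int
    operand: Optional[int]

def decode(mem: bytes, base: int, addr: int) -> Optional[Insn]:
    """Decode one instruction at addr; None if the opcode is invalid or the bytes are truncated."""
    off = addr - base
    if not 0 <= off < len(mem) or mem[off] not in ISA:
        return None
    mnem, length = ISA[mem[off]]
    if off + length > len(mem):
        return None
    raw = mem[off + 1:off + length]
    if mnem == "push":
        operand = raw[0]
    elif mnem == "call":
        operand = int.from_bytes(raw, "little")
    elif mnem == "jmp":
        operand = addr + length + int.from_bytes(raw, "little", signed=True)
    else:
        operand = None
    return Insn(addr, mnem, length, operand)

def linear_trace(mem: bytes, base: int, start: int) -> Optional[list]:
    """Disassemble linearly from start until a jmp/ret ends the trace.
    Returns None as soon as an invalid or truncated instruction is hit."""
    insns, addr = [], start
    while True:
        insn = decode(mem, base, addr)
        if insn is None:
            return None
        insns.append(insn)
        if insn.mnem in ("jmp", "ret"):
            return insns
        addr += insn.length

def validate(trace: list, events: list) -> str:
    """Check a trace against the runtime events that fall inside its address range.
    Returns 'validated', 'unverified' (no events in range) or 'rejected: <reason>'."""
    by_addr = {i.addr: i for i in trace}
    lo, hi = trace[0].addr, trace[-1].addr + trace[-1].length
    in_range = [e for e in events if lo <= e["addr"] < hi]
    if not in_range:
        return "unverified"
    for ev in in_range:
        insn = by_addr.get(ev["addr"])
        if insn is None:  # alignment: the observed site must be an instruction boundary
            return f"rejected: event at {ev['addr']:#x} is not on an instruction boundary"
        if insn.mnem != ev["kind"] or insn.operand != ev["target"]:
            return f"rejected: {insn.mnem} at {ev['addr']:#x} does not match observed {ev['kind']}"
        if "arg" in ev:  # argument consistency: nearest preceding push must carry the observed argument
            pushes = [i for i in trace if i.mnem == "push" and i.addr < ev["addr"]]
            if pushes and pushes[-1].operand != ev["arg"]:
                return f"rejected: pushed {pushes[-1].operand:#x}, observed argument {ev['arg']:#x}"
    return "validated"

def sweep_and_combine(mem: bytes, base: int, events: list):
    """Start a trace at every address of the region, validate each, merge the validated ones."""
    status, combined = {}, {}
    for addr in range(base, base + len(mem)):
        trace = linear_trace(mem, base, addr)
        if trace is None:
            status[addr] = "rejected: invalid or truncated instruction"
            continue
        status[addr] = validate(trace, events)
        if status[addr] == "validated":
            for insn in trace:
                if combined.setdefault(insn.addr, insn) != insn:
                    raise ValueError(f"validated traces disagree at {insn.addr:#x}")
    return status, [combined[a] for a in sorted(combined)]

# Constructed code region loaded at BASE; the 0xFF byte after the jmp is data, not code.
BASE = 0x1000
MEM = bytes([
    0x02, 0x04,        # 0x1000 push 0x04  (0x04 is also the jmp opcode: misaligned decode from 0x1001)
    0x03, 0x00, 0x20,  # 0x1002 call 0x2000
    0x01,              # 0x1005 nop
    0x04, 0x01,        # 0x1006 jmp +1 -> 0x1009
    0xFF,              # 0x1008 data byte skipped by the jmp
    0x02, 0x07,        # 0x1009 push 0x07
    0x03, 0x10, 0x20,  # 0x100B call 0x2010
    0x05,              # 0x100E ret
])
# Constructed runtime observations (API/system calls and a control transfer) with their site addresses.
EVENTS = [
    {"kind": "call", "addr": 0x1002, "target": 0x2000, "arg": 0x04},
    {"kind": "jmp", "addr": 0x1006, "target": 0x1009},
    {"kind": "call", "addr": 0x100B, "target": 0x2010, "arg": 0x07},
]

if __name__ == "__main__":
    status, combined = sweep_and_combine(MEM, BASE, EVENTS)
    for addr in sorted(status):
        print(f"{addr:#x}: {status[addr]}")
    print("combined:", [f"{i.addr:#x} {i.mnem}" for i in combined])
```

Traces that contain no observed event are reported as `unverified` rather than merged: a trace that decodes cleanly but is never anchored by a runtime observation has not been validated in the sense of claim 1, which is exactly the gap that the data byte at `0x1008` and the `ret` at `0x100E` illustrate when run.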
Specification