Generation of API call graphs from static disassembly

US 9,378,012 B2
Filed: 01/06/2015
Issued: 06/28/2016
Est. Priority Date: 01/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving data comprising at least a portion of a program;

first identifying and retrieving entry point locations and execution-relevant metadata of the at least a portion of the program;

second identifying regions of code within the at least a portion of the program based on the identified entry point locations and the metadata;

first generating, based on the first identifying and the second identifying, a set of possible call sequences for at least one function;

second generating an API call graph characterizing the generated set of possible call sequences for the at least one function;

disassembling the at least a portion of the program into instructions;

organizing the instructions into at least one function that each comprise a code block;

constructing a control flow graph characterizing the at least one function;

extracting application programming interface (API) call sequences by traversing the control flow graph; and

determining a relative order of API calls.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data is received that includes at least a portion of a program. Thereafter, entry point locations and execution-relevant metadata of the program are identified and retrieved. Regions of code within the program are then identified using static disassembly and based on the identified entry point locations and metadata. In addition, entry points are determined for each of a plurality of functions. Thereafter, a set of possible call sequences are generated for each function based on the identified regions of code and the determined entry points for each of the plurality of functions. Related apparatus, systems, techniques and articles are also described.

47 Citations

View as Search Results

15 Claims

1. A computer-implemented method comprising:
- receiving data comprising at least a portion of a program;
  
  first identifying and retrieving entry point locations and execution-relevant metadata of the at least a portion of the program;
  
  second identifying regions of code within the at least a portion of the program based on the identified entry point locations and the metadata;
  
  first generating, based on the first identifying and the second identifying, a set of possible call sequences for at least one function;
  
  second generating an API call graph characterizing the generated set of possible call sequences for the at least one function;
  
  disassembling the at least a portion of the program into instructions;
  
  organizing the instructions into at least one function that each comprise a code block;
  
  constructing a control flow graph characterizing the at least one function;
  
  extracting application programming interface (API) call sequences by traversing the control flow graph; and
  
  determining a relative order of API calls.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as in claim 1, wherein the call sequences further comprise application programming interface API calls.
  - 3. A method as in claim 2, wherein the call sequences further comprise calling subfunctions implemented by the program.
  - 4. A method as in claim 1, further comprising:
    - decorating at least one of the calls in the call sequence with parameter information affecting a behavior of the corresponding function.
  - 5. A method as in claim 1, wherein the entry point locations correspond to places within the at least a portion of the program at which an operating system or other program initiates execution of the at least a portion of the program.
  - 6. A method as in claim 1, wherein the first identifying comprises:
    - scanning the program for pre-defined byte sequences.
  - 7. A method as in claim 1, wherein the second identifying uses disassembly.
  - 8. A method as in claim 7, wherein the disassembly comprises emulation-augmented disassembly.
  - 9. A method as in claim 1 further comprising:
    - determining entry points for each of a plurality of functions.
  - 10. A method as in claim 1 further comprising:
    - determining a relative order of child function calls.
  - 11. A method as in claim 1, wherein the API call graph is generated based on the extracted API call sequences according to the determined relative order of the API calls.
  - 12. A method as in claim 11, wherein the API call graph is generated based on the extracted API call sequences according to the determined relative order of the API calls and the child function calls.
  - 13. A method as in claim 1, wherein the receiving, first identifying, second identifying, first generating and second generating are implemented by at least one hardware data processor forming part of at least one computing system.

14. A non-transitory computer program product storing instructions which, when executed by at least one hardware data processor forming part of at least one computing system, result in operations comprising:
- receiving data comprising at least a portion of a program;
  
  first identifying and retrieving entry point locations and execution-relevant metadata of the at least a portion of the program;
  
  second identifying regions of code within the at least a portion of the program based on the identified entry point locations and the metadata;
  
  first generating, based on the first identifying and the second identifying, a set of possible call sequences for at least one function; and
  
  second generating an API call graph characterizing the generated set of possible call sequences for the at least one function;
  
  disassembling the at least a portion of the program into instructions,organizing the instructions into at least one function that each comprise a code block;
  
  constructing a control flow graph characterizing the at least one function;
  
  extracting application programming interface (API) call sequences by traversing the control flow graph; and
  
  determining a relative order of API calls.

15. A system comprising:
- at least one hardware data processor; and
  
  memory storing instructions which, when executed by the at least one hardware data processor, result in operations comprising;
  
  receiving data comprising at least a portion of a program;
  
  first identifying and retrieving entry point locations and execution-relevant metadata of the at least a portion of the program;
  
  second identifying regions of code within the at least a portion of the program based on the identified entry point locations and the metadata;
  
  first generating, based on the first identifying and the second identifying, a set of possible call sequences for at least one function;
  
  second generating an API call graph characterizing the generated set of possible call sequences for the at least one function;
  
  disassembling the at least a portion of the program inio instructions;
  
  organizing the instructions into at least one function that each comprise a code block;
  
  constructing a control flow graph characterizing the at least one function;
  
  extracting application programming interface (API) call sequences by traversing the control flow graph; and
  
  determining a relative order of API calls.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Soeder, Derek A., Wolff, Matt
Primary Examiner(s)
DAO, THUY CHAN

Application Number

US14/590,788
Publication Number

US 20150220333A1
Time in Patent Office

539 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/34   Recording or statistical ev...

G06F 11/3414   Workload generation, e.g. s...

G06F 11/36   Preventing errors by testin...

G06F 2201/865   Monitoring of software

G06F 8/53   Decompilation; Disassembly

G06F 8/75   Structural analysis for pro...

Generation of API call graphs from static disassembly

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Generation of API call graphs from static disassembly

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links