Generation of API call graphs from static disassembly
1 Assignment
0 Petitions
Abstract
Data is received that includes at least a portion of a program. Thereafter, entry point locations and execution-relevant metadata of the program are identified and retrieved. Regions of code within the program are then identified using static disassembly and based on the identified entry point locations and metadata. In addition, entry points are determined for each of a plurality of functions. Thereafter, a set of possible call sequences is generated for each function based on the identified regions of code and the determined entry points for each of the plurality of functions. Related apparatus, systems, techniques and articles are also described.
47 Citations
15 Claims
1. A computer-implemented method comprising:
- receiving data comprising at least a portion of a program;
- first identifying and retrieving entry point locations and execution-relevant metadata of the at least a portion of the program;
- second identifying regions of code within the at least a portion of the program based on the identified entry point locations and the metadata;
- first generating, based on the first identifying and the second identifying, a set of possible call sequences for at least one function;
- second generating an API call graph characterizing the generated set of possible call sequences for the at least one function;
- disassembling the at least a portion of the program into instructions;
- organizing the instructions into at least one function that each comprise a code block;
- constructing a control flow graph characterizing the at least one function;
- extracting application programming interface (API) call sequences by traversing the control flow graph; and
- determining a relative order of API calls.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.

14. A non-transitory computer program product storing instructions which, when executed by at least one hardware data processor forming part of at least one computing system, result in operations comprising:
- receiving data comprising at least a portion of a program;
- first identifying and retrieving entry point locations and execution-relevant metadata of the at least a portion of the program;
- second identifying regions of code within the at least a portion of the program based on the identified entry point locations and the metadata;
- first generating, based on the first identifying and the second identifying, a set of possible call sequences for at least one function; and
- second generating an API call graph characterizing the generated set of possible call sequences for the at least one function;
- disassembling the at least a portion of the program into instructions;
- organizing the instructions into at least one function that each comprise a code block;
- constructing a control flow graph characterizing the at least one function;
- extracting application programming interface (API) call sequences by traversing the control flow graph; and
- determining a relative order of API calls.

15. A system comprising:
- at least one hardware data processor; and
- memory storing instructions which, when executed by the at least one hardware data processor, result in operations comprising:
  - receiving data comprising at least a portion of a program;
  - first identifying and retrieving entry point locations and execution-relevant metadata of the at least a portion of the program;
  - second identifying regions of code within the at least a portion of the program based on the identified entry point locations and the metadata;
  - first generating, based on the first identifying and the second identifying, a set of possible call sequences for at least one function;
  - second generating an API call graph characterizing the generated set of possible call sequences for the at least one function;
  - disassembling the at least a portion of the program into instructions;
  - organizing the instructions into at least one function that each comprise a code block;
  - constructing a control flow graph characterizing the at least one function;
  - extracting application programming interface (API) call sequences by traversing the control flow graph; and
  - determining a relative order of API calls.
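The pipeline the claims describe (disassembled instructions grouped into basic blocks, a control flow graph over those blocks, traversal of the graph to extract API call sequences, and the relative order of the API calls as a call graph), as an added Python example that is not part of the patent or of any product implementing it. It runs on a constructed pseudo-disassembly of a single function; the instruction tuple format, the branch mnemonics, the Win32 import names and the single-function scope are assumptions made for the example.

```python
# Constructed pseudo-disassembly of one function as (address, mnemonic, operand); all made up.
LISTING = [
    (0x00, "call", "CreateFileA"),
    (0x01, "jz", "0x04"),
    (0x02, "call", "WriteFile"),
    (0x03, "jmp", "0x05"),
    (0x04, "call", "ReadFile"),
    (0x05, "call", "CloseHandle"),
    (0x06, "ret", ""),
]
IMPORTS = {"CreateFileA", "WriteFile", "ReadFile", "CloseHandle"}  # imported API names (assumed)

def build_blocks(listing):
    """Leaders: the entry, every branch target, every instruction after a branch or ret."""
    leaders = {listing[0][0]}
    for i, (addr, mn, op) in enumerate(listing):
        if mn in ("jmp", "jz"):
            leaders.add(int(op, 16))
        if mn in ("jmp", "jz", "ret") and i + 1 < len(listing):
            leaders.add(listing[i + 1][0])
    blocks = []
    for ins in listing:
        if ins[0] in leaders:
            blocks.append([])
        blocks[-1].append(ins)
    return blocks

def build_cfg(blocks):
    """Successors: the branch target for jmp/jz, plus fall-through unless the block ends in jmp/ret."""
    start = {b[0][0]: i for i, b in enumerate(blocks)}
    cfg = {i: [] for i in range(len(blocks))}
    for i, b in enumerate(blocks):
        _, mn, op = b[-1]
        if mn in ("jmp", "jz"):
            cfg[i].append(start[int(op, 16)])
        if mn not in ("jmp", "ret") and i + 1 < len(blocks):
            cfg[i].append(i + 1)
    return cfg

def api_sequences(blocks, cfg, node=0, path=()):
    """Yield the API call sequence of every acyclic path from the entry block."""
    calls = tuple(op for _, mn, op in blocks[node] if mn == "call" and op in IMPORTS)
    succ = [s for s in cfg[node] if s != node and s not in path]  # a back-edge ends the path
    if not succ:
        yield calls
    for s in succ:
        for rest in api_sequences(blocks, cfg, s, path + (node,)):
            yield calls + rest

def api_call_graph(sequences):
    """Edges (a, b): API a directly precedes API b on some path, which is their relative order."""
    return {(s[i], s[i + 1]) for s in sequences for i in range(len(s) - 1)}
```

Loops in the control flow graph are cut the first time a path would revisit a block, so the enumeration terminates while still recording the API calls inside the loop body once.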