Dynamic call tracking method based on CPU interrupt instructions to improve disassembly quality of indirect calls

US 9,767,004 B2
Filed: 06/16/2014
Issued: 09/19/2017
Est. Priority Date: 06/16/2014
Status: Active Grant

First Claim

Patent Images

1. A method for disassembling compiled object code, the method comprising:

disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls and wherein each indirect function call corresponds to a function dynamically identified using an address identified when executing the assembly language source code;

converting one or more of the indirect function calls to one or more central processing unit (CPU) interrupt instructions;

executing the assembly language source code;

upon reaching the interrupt instruction to which each indirect function call was converted while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, wherein the register value specifies a memory address of the identified function; and

for each interrupt instruction, replacing, in the assembly language source code, the register specified in the indirect function call that was converted to the interrupt instruction with a function name corresponding to the register value, and invoking the identified function.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments presented herein describe techniques to track and correct indirect function calls in disassembled object code. Assembly language source code is generated from a binary executable object. The assembly language source code may include indirect function calls. Memory addresses associated with the function calls are identified. A central processing unit (CPU) interrupt instruction is inserted in the disassembled source code at each indirect function call. The disassembled source code is executed. When the interrupt at each indirect function call is triggered, the function name of a function referenced by a register may be determined.

Citations

20 Claims

1. A method for disassembling compiled object code, the method comprising:
- disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls and wherein each indirect function call corresponds to a function dynamically identified using an address identified when executing the assembly language source code;
  
  converting one or more of the indirect function calls to one or more central processing unit (CPU) interrupt instructions;
  
  executing the assembly language source code;
  
  upon reaching the interrupt instruction to which each indirect function call was converted while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, wherein the register value specifies a memory address of the identified function; and
  
  for each interrupt instruction, replacing, in the assembly language source code, the register specified in the indirect function call that was converted to the interrupt instruction with a function name corresponding to the register value, and invoking the identified function.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the interrupt instruction transfers control of the execution to a debugger module executed to determine the function name.
  - 3. The method of claim 1, wherein the register value specifies a memory address stored in the register when the interrupt instruction is triggered.
  - 4. The method of claim 1, wherein the function name is identified from a memory address stored in the register when the interrupt instruction is triggered.
  - 5. The method of claim 1, wherein the assembly language source code is generated by a disassembler.
  - 6. The method of claim 1, wherein the interrupt instruction is INT 3.
  - 7. The method of claim 1, wherein the assembly language source code is executed in a debugger module.

8. A non-transitory computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for disassembling compiled object code, the operation comprising:
- disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls and wherein each indirect function call corresponds to a function dynamically identified using an address identified when executing the assembly language source code;
  
  converting one or more of the indirect function calls to one or more central processing unit (CPU) interrupt instructions;
  
  executing the assembly language source code;
  
  upon reaching the interrupt instruction to which each indirect function call was converted while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, wherein the register value specifies a memory address of the identified function; and
  
  for each interrupt instruction, replacing, in the assembly language source code, the register specified in the indirect function call that was converted to the interrupt instruction with a function name corresponding to the register value, and invoking the identified function.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the interrupt instruction transfers control of the execution to a debugger module executed to determine the function name.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the register value specifies a memory address stored in the register when the interrupt instruction is triggered.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein the function name is identified from a memory address stored in the register when the interrupt instruction is triggered.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein the assembly language source code is generated by a disassembler.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the interrupt instruction is INT 3.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the assembly language source code is executed in a debugger module.

15. A system, comprising:
- a processor; and
  
  a memory storing one or more application programs configured to perform an operation for disassembling compiled object code, the operation comprising;
  
  disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls and wherein each indirect function call corresponds to a function dynamically identified using an address identified when executing the assembly language source code,converting one or more of the indirect function calls to one or more central processing unit (CPU) interrupt instructions,executing the assembly language source code,upon reaching the interrupt instruction to which each indirect function call was converted while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, wherein the register value specifies a memory address of the identified function, andfor each interrupt instruction, replacing, in the assembly language source code, the register specified in the indirect function call that was converted to the interrupt instruction with a function name corresponding to the register value, and invoking the identified function.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the interrupt instruction transfers control of the execution to a debugger module executed to determine the function name.
  - 17. The system of claim 15, wherein the register value specifies a memory address stored in the register when the interrupt instruction is triggered.
  - 18. The system of claim 15, wherein the function name is identified from a memory address stored in the register when the interrupt instruction is triggered.
  - 19. The system of claim 15, wherein the assembly language source code is generated by a disassembler.
  - 20. The system of claim 15, wherein the interrupt instruction is INT 3.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Yang, Hong Yi, Guo, Rui
Primary Examiner(s)
JEON, JAE UK

Application Number

US14/305,580
Publication Number

US 20150363198A1
Time in Patent Office

1,191 Days
Field of Search

717106, 717124, 717127-131, 717136, 717159
US Class Current
CPC Class Codes

G06F 11/3624 by performing operations on...

G06F 8/53 Decompilation; Disassembly

Dynamic call tracking method based on CPU interrupt instructions to improve disassembly quality of indirect calls

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic call tracking method based on CPU interrupt instructions to improve disassembly quality of indirect calls

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links