Generation of API call graphs from static disassembly
Abstract
Data is received that includes at least a portion of a program. Thereafter, entry point locations and execution-relevant metadata of the program are identified and retrieved. Regions of code within the program are then identified using static disassembly and based on the identified entry point locations and metadata. In addition, entry points are determined for each of a plurality of functions. Thereafter, a set of possible call sequences are generated for each function based on the identified regions of code and the determined entry points for each of the plurality of functions. Related apparatus, systems, techniques and articles are also described.
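The flow the abstract describes, as an added illustration that is not taken from the patent or any implementation of it: start at the entry points, walk only addresses inside the code region given by the metadata, build a function call graph, and enumerate the possible API call sequences per function. The toy instruction set, addresses, import table and the names `successors`, `call_graph` and `api_sequences` are assumptions made for this sketch.

```python
# Constructed toy input, not a real ISA or file format: address -> (mnemonic, operand).
CODE = {
    0: ("call", 10), 1: ("jz", 3), 2: ("call", 100), 3: ("call", 101), 4: ("ret", None),
    10: ("call", 102), 11: ("jz", 10), 12: ("ret", None), 20: ("call", 100), 21: ("ret", None),
}  # 11 loops back to 10; the function at 20 is not reachable from entry point 0
CODE_RANGE = range(0, 30)  # constructed metadata: bounds of the code region
IMPORTS = {100: "CreateFileW", 101: "WriteFile", 102: "GetTickCount"}  # constructed import table

def successors(a):
    """Static successors of the instruction at `a` (calls fall through)."""
    op, tgt = CODE[a]
    return {"ret": [], "jmp": [tgt], "jz": [a + 1, tgt]}.get(op, [a + 1])

def call_graph(entry_points):
    """Walk code reachable from the entry points; map each function to its callees."""
    graph, todo = {}, list(entry_points)
    while todo:
        func = todo.pop()
        graph[func], work, seen = set(), [func], set()
        while work:
            a = work.pop()
            if a not in seen and a in CODE_RANGE and a in CODE:
                seen.add(a)
                op, tgt = CODE[a]
                if op == "call":
                    graph[func].add(IMPORTS.get(tgt, tgt))
                    if tgt not in IMPORTS and tgt not in graph:
                        todo.append(tgt)  # internal callee: analyse it as a function
                work.extend(successors(a))
    return graph

def api_sequences(func, stack=()):
    """Possible API call sequences for `func`; a path visits each address at most once."""
    out = set()
    def walk(a, seq, seen):
        if a in seen or a not in CODE_RANGE or a not in CODE or CODE[a][0] == "ret":
            out.add(seq)  # path ends: return, loop back-edge, or left the code region
            return
        op, tgt = CODE[a]
        subs = [()]  # sequences contributed by this instruction
        if op == "call" and tgt in IMPORTS:
            subs = [(IMPORTS[tgt],)]
        elif op == "call" and tgt not in stack + (func,):  # skip recursive calls
            subs = api_sequences(tgt, stack + (func,))
        for sub in subs:
            for nxt in successors(a):
                walk(nxt, seq + sub, seen | {a})
    walk(func, (), frozenset())
    return out
```

Because each path visits an address once, the loop at address 11 contributes a single `GetTickCount` rather than an unbounded family of sequences.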
21 Claims
1. A method for inferring possible paths that at least a portion of a program can take during execution, the method comprising:
- identifying, based on one or more entry points located in at least the portion of the program and execution-relevant metadata of the program, a region of code for disassembly within at least the portion of the program, the one or more entry points corresponding to one or more places within the at least the portion of the program at which an operating system or other program initiates execution, the execution-relevant metadata describing where code or execution-relevant data reside in the program;
- generating, based on the identified region of code and the identified at least one entry point, a set of possible call sequences for at least one function at a corresponding entry point of the one or more entry points for the at least one function; and
- generating a function call graph characterizing the generated set of possible call sequences to enable inferring possible paths that at least the portion of the program can take during execution;
- wherein the set of possible call sequences comprises at least one application programming interface call.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:
- at least one processor; and
- at least one memory including instructions which, when executed by the at least one processor, result in the at least one processor performing operations comprising;
  - identifying, based on one or more entry points located in at least the portion of the program and execution-relevant metadata of the program, a region of code for disassembly within at least the portion of the program, the one or more entry points corresponding to one or more places within the at least the portion of the program at which an operating system or other program initiates execution, the execution-relevant metadata describing where code or execution-relevant data reside in the program;
  - generating, based on the identified region of code and the identified at least one entry point, a set of possible call sequences for at least one function at a corresponding entry point of the one or more entry points for the at least one function; and
  - generating a function call graph characterizing the generated set of possible call sequences to enable inferring possible paths that at least the portion of the program can take during execution;
  - wherein the set of possible call sequences comprises at least one application programming interface call.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A non-transitory computer-readable storage medium including instructions, which when executed by at least one processor, cause at least one processor to perform operations comprising:
- identifying, based on one or more entry points located in at least the portion of the program and execution-relevant metadata of the program, a region of code for disassembly within at least the portion of the program, the one or more entry points corresponding to one or more places within the at least the portion of the program at which an operating system or other program initiates execution, the execution-relevant metadata describing where code or execution-relevant data reside in the program;
- generating, based on the identified region of code and the identified at least one entry point, a set of possible call sequences for at least one function at a corresponding entry point of the one or more entry points for the at least one function; and
- generating a function call graph characterizing the generated set of possible call sequences to enable inferring possible paths that at least the portion of the program can take during execution;
- wherein the set of possible call sequences comprises at least one application programming interface call.
Dependent claims: 16, 17, 18, 19, 20, 21
Specification