基于软件执行轨迹差异比对的关键函数定位技术研究

doi:10.3969/j.issn.1000-436x.2013.09.021

通信学报 ›› 2013, Vol. 34 ›› Issue (9): 177-184.doi: 10.3969/j.issn.1000-436x.2013.09.021

基于软件执行轨迹差异比对的关键函数定位技术研究

康绯¹,王乾²,肖亚南¹,黄荷洁¹

¹ 信息工程大学数学工程与先进计算国家重点实验室，河南郑州 450001
² 中国北方电子设备研究所，北京 100191

出版日期:2013-09-25 发布日期:2017-07-05
基金资助:
国家保密局科研基金资助项目

Research on key functions locating technique based on software execution trace difference comparison

Fei KANG¹,Qian WANG²,Ya-nan XIAO¹,He-jie HUANG¹

¹ State Key Laboratory of Mathematical Engineering and Advanced Computing,Information Engineering University,Zhengzhou 450001,China
² Institute of North Electronic Equipment,Beijing 10091,China

Online:2013-09-25 Published:2017-07-05
Supported by:
Scientific Research Project of State Secrets Bureau

摘要/Abstract

摘要：

关键函数是指应用软件在某个运行阶段发挥着关键作用的核心功能函数。对软件中的关键函数进行快速定位是提高逆向分析效率的有效手段。目前，在软件逆向工程领域对关键函数进行定位大多是利用人工分析的方法。利用动态二进制插桩技术，提出了一种切实可行的基于软件执行轨迹差异的关键函数自动定位方法。当软件具有 2 类不同的输入，分别触发、不触发关键函数时，该方法能够快速、准确地识别关键函数。

关键词: 关键函数, 软件执行轨迹, 动态二进制插桩

Abstract:

Key functions are the core functions which play vital es in certain run phase of application software.The quick locating of key functions is a valid method to improve the efficiency of software reverse analysis.In the field of software reverse engineering,locating key functions is mostly based on l analysis.Dynamic binary Instrumentation (DBI) techniques were employed to present a practicabletechnique to automatically locating the key functions based on software execution trace difference.Key functions can be quickly and precisely located when key functions can be triggered or not by two different kinds of software inputs.

Key words: locating function, software execution trace, dynamic binary instrumentation

康绯,王乾,肖亚南,黄荷洁. 基于软件执行轨迹差异比对的关键函数定位技术研究[J]. 通信学报, 2013, 34(9): 177-184.

Fei KANG,Qian WANG,Ya-nan XIAO,He-jie HUANG. Research on key functions locating technique based on software execution trace difference comparison[J]. Journal on Communications, 2013, 34(9): 177-184.

图/表 10

图1

图2

图3

图4

图5

表1

表2

表3

表4

表5

参考文献 14

[1]	段钢 . 加密与解密(第三版)[M]. 北京: 电子工业出版社, 2008. DUAN G . Encryption and Decryption(Third Edition)[M]. Beijing: Electronic Industry PressPress, 2008.
[2]	CHEN K , RAJLICH V . Case study of feature location usin dependence graph[A]. Proceedings of the 8th International Workshop on Program Comprehension[C]. Washington DC,USA, 2000. 241-247.
[3]	KOSCHKE R,QUANTEJ . On dynamic feature location[A]. AS '05 Proceedings of the 20th IEEE/ACM International Con erence on Automated Software Engineering[C]. New York,USA, 2005. 86-95.
[4]	EISENBERG A D , VOLDER K D . Dynamic feature traces:finding features in unfamiliarcode[A]. Proceedings of the 21st IEEE International Conference on Software Maintenance[C]. Washington DC,USA, 2005. 337-346.
[5]	谢裕敏, 舒辉, 陈建敏 ,等. MFC 消息响应函数的逆向定位[J]. 计算机应用, 2009,29(5): 1393-1396. XIE Y M , SHU H , CHEN J M ,et al. Location of MFC messages processing functions in converse analysis[J]. Journal f Computer Applications, 2009,29(5): 1393-1396.
[6]	邓超国, 谷大武, 李卷孺 ,等. 一种基于全系统仿真和指令流分析的二进制代码分析方法[J]. 计算机应用研究, 2011,28(4): 1437-1441. DENG C G,GU D W , LI J R , et a l . Approach of binary code analysis based on full-system emulation and instruction-flow analysis[J]. Application Research of Computers, 2011,28(4): 1437-1441.
[7]	LIU D , ARCUS A , POSHYVANYK D ,et al. Feature location via information retrieval based filtering of a single scenario execution trace[A]. Proceedings of the Twenty-second IEEE/ACM International Conference on Automated Software Engineering[C]. New York,USA, 2007. 234-243.
[8]	YUAN C,LAO N , WEN J R , et a l . Automated known problem diagnosis with event traces[A]. EuroSys '06 Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006[C]. New York,USA, 2006. 375-388.
[9]	EAGLE C . The IDA Pro Book:The Unofficial Guide to the World's Most Popular Disassembler[M]. San Francisco: No Starch PressPress, 2008.
[10]	NETHERCOTE N . Dynamic Binary Analysis and Instrumentation or Building Tools is Easy[D]. Trinity Lane,Cambridge:Un versity of Cambridge, 2004.
[11]	BRUENING D L . Efficient,Transparent and Comprehensive Runtime Code Manipulation[D]. Amherst:Massachusetts Institute of Technology, 2004.
[12]	NETHERCOTE N , SEWARD J . Valgrind:a framework for heavyweight dynamic binary instrumentation[J]. ACM SIGPLAN,, 2007,42(6): 89-100.
[13]	LUK C K , COHN R , MUTH R ,et al. Pin:building customized program analysis tools with dynamic instrumentation[A]. Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation(PLDI)[C]. New York,USA, 2005. 190-200.
[14]	HAN J W . Data Mining-Concepts and Techniques[M]. Beijing: China Machine PressPress, 2006.

函数调用统计	触发关键函数执行	不触发关键函数执行
函数调用统计	触发关键函数执行	第1次运行	第2次运行	第3次运行
函数集合数量	562	550	551	550
函数调用总次数	1 377 257	56 612	56 795	56 676

聚类组别	函数所在模块	函数地址偏移	函数调用次数
1	Rar.exe	0x2b9c8	1
	Rar.exe	0xce54	1
2	Rar.exe	0xd070	1
	Rar.exe	0xc290	3
3	Rar.exe	0xceb8	3
	Rar.exe	0xd31c	17
4	Rar.exe	0xb5ec	1
	Rar.exe	0x3ff0	1
5	Rar.exe	0x1f24	1
	Rar.exe	0x24e0	1

程序名称	编程框架	是否加壳	程序功能说明	需要定位的关键函数
Notepad	Other	否	Windows自带的笔记本程序	文件保存函数
HashCalc	MFC	否	哈希值计算	MD5算法函数
FirePassword	Other	是	Firefox密码获取程序	密码获取核心函数
dc0decrackme	Delphi	否	注册码验证的crackme程序	注册码验证核心函数
RSATool2v1.10	MFC	是	RSA算法加解密程序	RSA算法函数

程序名称	函数规模	函数调用次数	关键函数地址
Notepad	53	3 686	0x1003D6D
HashCalc	622	135 421	0x41AB13
FirePassword	620	22 354	0x401EC4
dc0decrackme	982	128 726	0x441C08
RSATool2v1.10	154	1 371 024	0x40D130

程序名称	调用树分析/ms	函数统计/ms	其他/ms	集合比对/ms
WinRAR3.7	30 123	11 582	6 162	642
Notepad	196	69	28	29
HashCalc	10 038	5 887	1 695	532
FirePassword	28 192	12 215	2 941	527
dc0decrackme	4 063	1 632	635	663
RSATool2v1.10	21 102	12 782	3 282	98

基于软件执行轨迹差异比对的关键函数定位技术研究

Research on key functions locating technique based on software execution trace difference comparison

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 14

相关文章 0

Metrics

推荐阅读 0