Reusable code base creation method, rapid tracing method and system for reusable codes

Abstract

The invention discloses a reusable code base creation method, a rapid tracing method and system for reusable codes. The system comprises a pre-processing module, a code base building block and a function tracing module. The pre-processing module is used for obtaining assembly codes of each sample and extracting functions of each assembly code and used for splitting functions into multiple code blocks based on a jump instruction of each function and a jump address and calculating simhash value of each code block. The code base building block is used for building code blocks corresponding to indexes of simhash value. A code block index package comprises functions of code blocks. A function index package contains three stages of reverse indexes of samples for functions. The function tracing module is used for indexing similar code blocks for the tracing function in a code library. Each similar code block corresponds to a potential similar function. Then, according to the jump relations among similar code blocks, similar functions are determined whether to be similar to to-be-traced functions. The reusable code base creation method, the rapid tracing method and system for reusable codes improve automation degree for judgment of tasks at the same source.

Description

technical field [0001] The invention relates to the field of reverse analysis and malicious code analysis, in particular to a method for constructing a multiplexed code base based on simhash and inverted index, a method for fast source tracing and a system. Background technique [0002] Code reuse usually takes functions as the basic unit. Even if they are highly optimized by the compiler, a large number of functions are still retained. Therefore, this paper uses functions as units to trace the source and determine similarity, which is more in line with the reuse scenario. The main basis for judging the same origin of malicious code is the reuse of personal code written by the malicious code author in different malicious codes. For example, the same origin judgment of Sasser and Netsky, Flame and Gauss, etc. is based on the special function shared by them. However, in order to improve the development speed, malicious code authors often reuse public or semi-public codes writt...

AI Technical Summary

Problems solved by technology

The current similar function judgment technology has a high accuracy and recall rate, but the judgment efficiency is low, and it is not suitable for tracing the source of multiplexed functions of massive codes.

A small modification of the source code of a function, different compilation options, and different locations will cause differences in the order of instructions, registers, and jump positions in the assembled code after reverse engineering. Therefore, using methods such as hashing to trace the source will result in a very low recall rate.

In the function, the jump structure of the code block is an important feature of the similarity judgment, and the extraction of the jump relationship and the comparison of the structure diagram take a lot of time, which is an important factor that makes it difficult to achieve both the accuracy, recall rate and speed of the current similarity judgment. reason

Images