Dynamic call tracking method based on CPU interrupt instructions to improve disassembly quality of indirect calls

US9767004B2 · US · B2

Patent metadata

Publication number: US-9767004-B2
Application number: US-201414305580-A
Country: US
Kind code: B2
Filing date: Jun 16, 2014
Priority date: Jun 16, 2014
Publication date: Sep 19, 2017
Grant date: Sep 19, 2017

Abstract

Official abstract text for this publication.

Embodiments presented herein describe techniques to track and correct indirect function calls in disassembled object code. Assembly language source code is generated from a binary executable object. The assembly language source code may include indirect function calls. Memory addresses associated with the function calls are identified. A central processing unit (CPU) interrupt instruction is inserted in the disassembled source code at each indirect function call. The disassembled source code is executed. When the interrupt at each indirect function call is triggered, the function name of a function referenced by a register may be determined.
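
As an added illustration (not code from the patent or its assignee), this Python sketch models the bookkeeping side of the method summarized above: it finds the register-indirect call sites where an interrupt would be planted, then rewrites the listing from the register values a debugger reported at each trap. The listing, symbol table, trap records and all function names are constructed assumptions; no real process is debugged.

```python
import re

# Constructed sample disassembly: (address, instruction). Not from the patent.
LISTING = [
    (0x401000, "mov rax, [rbx+8]"),
    (0x401004, "call rax"),
    (0x401006, "call rcx"),
    (0x401008, "call 0x401200"),   # direct call: already resolved statically
    (0x40100d, "call rdx"),
    (0x40100f, "call rsi"),        # never reached in the constructed run
    (0x401011, "ret"),
]
# Constructed symbol table: function entry address -> name.
SYMBOLS = {0x401200: "parse_header", 0x401300: "decrypt_block", 0x401400: "log_event"}
# Constructed trap records as a debugger would report them:
# (address of the trapped call site, value held in that call's register).
HITS = [(0x401004, 0x401300), (0x401006, 0x401400), (0x401006, 0x401200),
        (0x401006, 0x401400), (0x40100d, 0x7f0000001000), (0x401008, 0x401200)]

# Register-indirect calls only; memory operands like "call [rax+8]" are out of scope.
INDIRECT = re.compile(r"^call\s+(r[a-z0-9]{1,3}|e[a-z]{2})$")

def indirect_call_sites(listing):
    """Map each call site that would receive an interrupt to the register to read."""
    return {addr: m.group(1) for addr, ins in listing if (m := INDIRECT.match(ins))}

def annotate(listing, symbols, hits):
    """Rewrite indirect calls using the targets observed at run time."""
    sites = indirect_call_sites(listing)
    targets = {}
    for site, value in hits:
        if site not in sites:
            continue  # trap at an address where no interrupt was planted: ignore
        # Fall back to a sub_<addr> label when the target has no symbol.
        name = symbols.get(value) or f"sub_{value:x}"
        seen = targets.setdefault(site, [])
        if name not in seen:
            seen.append(name)
    out = []
    for addr, ins in listing:
        names = targets.get(addr)
        if names and len(names) == 1:
            ins = f"call {names[0]}"
        elif names:  # one site, several observed targets: keep register, list them
            ins = f"call {sites[addr]}  ; targets: {', '.join(names)}"
        out.append((addr, ins))
    return out

if __name__ == "__main__":
    for addr, ins in annotate(LISTING, SYMBOLS, HITS):
        print(f"{addr:#x}: {ins}")
```

A call site that is never executed keeps its register operand, so the quality of the result depends on how much of the binary the run actually covers.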

First claim

Opening claim text (preview).

What is claimed is:

1. A method for disassembling compiled object code, the method comprising: disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls and wherein each indirect function call corresponds to a function dynamically identified using an address identified when executing the assembly language source code; converting one or more of the indirect function calls to one or more central processing unit (CPU) interrupt instructions; executing the assembly language source code; upon reaching the interrupt instruction to which each indirect function call was converted while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, wherein the register value specifies a memory address of the identified function; and for each interrupt instruction, replacing, in the assembly language source code, the register specified in the indirect function call that was converted to the interrupt instruction with a function name corresponding to the register value, and invoking the identified function.

2. The method of claim 1, wherein the interrupt instruction transfers control of the execution to a debugger module executed to determine the function name.

3. The method of claim 1, wherein the register value specifies a memory address stored in the register when the interrupt instruction is triggered.

4. The method of claim 1, wherein the function name is identified from a memory address stored in the register when the interrupt instruction is triggered.

5. The method of claim 1, wherein the assembly language source code is generated by a disassembler.

6. The method of claim 1, wherein the interrupt instruction is INT 3.

7. The method of claim 1, wherein the assembly language source code is executed in a debugger module.

8. A non-transitory computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for disassembling compiled object code, the operation comprising: disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls and wherein each indirect function call corresponds to a function dynamically identified using an address identified when executing the assembly language source code; converting one or more of the indirect function calls to one or more central processing unit (CPU) interrupt instructions; executing the assembly language source code; upon reaching the interrupt instruction to which each indirect function call was converted while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, wherein the register value specifies a memory address of the identified function; and for each interrupt instruction, replacing, in the assembly language source code, the register specified in the indirect function call that was converted to the interrupt instruction with a function name corresponding to the register value, and invoking the identified function.

9. The non-transitory computer-readable storage medium of claim 8, wherein the interrupt instruction transfers control of the execution to a debugger module executed to determine the function name.

10. The non-transitory computer-readable storage medium of claim 8, wherein the register value specifies a memory address stored in the register when the interrupt instruction is triggered.

11. The non-transitory computer-readable storage medium of claim 8, wherein the function name is identified from a memory address stored in the register when the interrupt instruction is triggered.

12. The non-transitory computer-readable storage medium of claim 8, wherein the assembly language source code is generated by a disassembler.

13. The non-transitory computer-readable storage medium of claim 8, wherein the interrupt instruction is INT 3.

14. The non-transitory computer-readable storage medium of claim 8, wherein the assembly language source code is executed in a debugger module.

15. A system, comprising: a processor; and a memory storing one or more application programs configured to perform an operation for disassembling compiled object code, the operation comprising: disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls and wherein each indirect function call corresponds to a function dynamically identified using an address identified when executing the assembly language source code, converting one or more of the indirect function calls to one or more central processing unit (CPU) interrupt instructions, executing the assembly language source code, upon reaching the interrupt instruction to which each indirect function call was converted while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, wherein the register value specifies a memory address of the identified function, and for each interrupt instruction, replacing, in the assembly language source code, the register specified in the indirect function call that was converted to the interrupt instruction with a function name corresponding to the register value, and invoking the identified function.

16. The system of claim 15, wherein the interrupt instruction transfers control of the execution to a debugger module executed to determine the function name.

17. The system of claim 15, wherein the register value specifies a memory address stored in the register when the interrupt instruction is triggered.

18. The system of claim 15, wherein the function name is identified from a memory address stored in the register when the interrupt instruction is triggered.

19. The system of claim 15, wherein the assembly language source code is generated by a disassembler.

20. The system of claim 15, wherein the interrupt instruction is INT 3.

Classifications

  • by performing operations on the source code, e.g. via a compiler

  • Decompilation; Disassembly

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Symantec Corp
What technology area does this patent fall under?
Primary CPC classification G06F11/3624. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 19, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).