
Matching Similar Functions in Different Versions of a Malware


Abstract

Malware analysis is an important means of information security. New malicious software emerges endlessly, which burdens reverse analysis with high difficulty and a heavy workload. Within the variants of a malware family, much code is reused, with or without modification. After long-term analysis of malware, reverse engineers have accumulated a large number of analysis results. If these results can be transferred to the corresponding functions of a new version of the software, it is of great importance for improving efficiency and reducing workload in malware analysis. The key point of this work is to identify the similar functions in different versions of a program. In this paper, we present a new method for matching similar function pairs, termed TPM (Two-stage Profile Matching). Based on our proposed function features, TPM recursively matches similar function pairs by combining call relations with our decision rules. Experimental results show that TPM achieves higher average precision than the 3-tuple CFG method and comparable tools such as BinDiff, Diaphora and PatchDiff in our test cases.
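The abstract describes the shape of the method but not its mechanics, so the following is an added illustration of two-stage profile matching driven by call relations. It is not the paper's TPM code: the feature tuple (block, edge and call-site counts plus referenced strings), the distance measure, the threshold of 0.3 and the two decision rules (accept only the nearest candidate under the threshold, skip exact ties) are all assumptions chosen to make the idea concrete. The two versions v1 (analyst-named) and v2 (stripped, with a modified decrypt routine, a larger main and one brand-new function) are constructed sample data. Stage 1 anchors on profiles that are identical and unique on both sides; stage 2 walks callees and callers from each anchor and recurses, which is what lets two functions with identical profiles (helper and cleanup) be told apart by who calls them.

```python
"""Two-stage function matching across two versions of a binary.

Added illustration, not the paper's TPM implementation: features, distance,
threshold and decision rules are assumptions; the sample programs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Profile:
    blocks: int               # basic blocks in the CFG
    edges: int                # CFG edges
    calls: int                # call sites
    strings: Tuple[str, ...]  # referenced string constants


@dataclass
class Function:
    name: str
    profile: Profile
    callees: List[str] = field(default_factory=list)


def profile_distance(a: Profile, b: Profile) -> float:
    """0.0 for identical profiles, growing towards 1.0 as they diverge."""
    diff = abs(a.blocks - b.blocks) + abs(a.edges - b.edges) + abs(a.calls - b.calls)
    total = max(1, a.blocks + b.blocks + a.edges + b.edges + a.calls + b.calls)
    sa, sb = set(a.strings), set(b.strings)
    jaccard = 1.0 if not (sa | sb) else len(sa & sb) / len(sa | sb)
    return 0.5 * diff / total + 0.5 * (1.0 - jaccard)


def callers_of(prog: Dict[str, Function]) -> Dict[str, List[str]]:
    """Reverse call graph: name -> list of functions that call it."""
    rev: Dict[str, List[str]] = {n: [] for n in prog}
    for f in prog.values():
        for c in f.callees:
            rev.setdefault(c, []).append(f.name)
    return rev


def match_functions(old: Dict[str, Function], new: Dict[str, Function],
                    threshold: float = 0.3) -> Dict[str, str]:
    """Return {old_name: new_name} for functions judged to be the same code."""
    matched: Dict[str, str] = {}
    used_new = set()

    # Stage 1: anchors are profiles that are identical and unique on both sides.
    by_prof_old: Dict[Profile, List[str]] = {}
    by_prof_new: Dict[Profile, List[str]] = {}
    for f in old.values():
        by_prof_old.setdefault(f.profile, []).append(f.name)
    for f in new.values():
        by_prof_new.setdefault(f.profile, []).append(f.name)
    for prof, olds in by_prof_old.items():
        news = by_prof_new.get(prof, [])
        if len(olds) == 1 and len(news) == 1:
            matched[olds[0]] = news[0]
            used_new.add(news[0])

    old_callers, new_callers = callers_of(old), callers_of(new)

    # Stage 2: from each matched pair, pair up unmatched callees and callers.
    # Decision rules: accept only the nearest candidate under the threshold,
    # and leave exact ties unmatched rather than guess.
    def expand(o: str, n: str) -> None:
        for o_nb, n_nb in ((old[o].callees, new[n].callees),
                           (old_callers[o], new_callers[n])):
            for oc in o_nb:
                if oc not in old or oc in matched:
                    continue
                scored = sorted((profile_distance(old[oc].profile, new[nc].profile), nc)
                                for nc in n_nb if nc in new and nc not in used_new)
                if not scored or scored[0][0] > threshold:
                    continue
                if len(scored) > 1 and abs(scored[1][0] - scored[0][0]) < 1e-9:
                    continue
                matched[oc] = scored[0][1]
                used_new.add(scored[0][1])
                expand(oc, scored[0][1])   # recurse along the call graph

    for o, n in list(matched.items()):
        expand(o, n)
    return matched


# Constructed sample: v1 carries analyst names, v2 is stripped; decrypt was
# modified, main grew a call, and sub_401600 has no counterpart in v1.
OLD = {f.name: f for f in [
    Function("main", Profile(5, 6, 3, ("config.dat",)), ["init", "decrypt", "send"]),
    Function("init", Profile(3, 2, 1, ("HKCU\\Software",)), ["helper"]),
    Function("decrypt", Profile(8, 10, 1, ()), ["helper"]),
    Function("send", Profile(4, 4, 2, ("POST",)), ["cleanup"]),
    Function("helper", Profile(2, 1, 0, ())),
    Function("cleanup", Profile(2, 1, 0, ())),   # same profile as helper
]}
NEW = {f.name: f for f in [
    Function("sub_401000", Profile(6, 7, 4, ("config.dat",)),
             ["sub_401100", "sub_401200", "sub_401300", "sub_401600"]),
    Function("sub_401100", Profile(3, 2, 1, ("HKCU\\Software",)), ["sub_401400"]),
    Function("sub_401200", Profile(9, 12, 1, ()), ["sub_401400"]),
    Function("sub_401300", Profile(4, 4, 2, ("POST",)), ["sub_401500"]),
    Function("sub_401400", Profile(2, 1, 0, ())),
    Function("sub_401500", Profile(2, 1, 0, ())),
    Function("sub_401600", Profile(6, 7, 0, ("debug",))),  # new in v2
]}

if __name__ == "__main__":
    for o, n in match_functions(OLD, NEW).items():
        print(f"{o:8s} -> {n}")
```

Only init and send are stage-1 anchors here; main, decrypt, helper and cleanup are all recovered in stage 2 by walking the call graph from those anchors, and sub_401600 correctly stays unmatched because its profile is far from every remaining v1 function.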
