Title Method and device for extracting message format
Abstract Examples of extracting a message format are disclosed. Extracting the message format may include capturing an execution trace of a malicious client program and identifying and analyzing the procedure by which a message is processed in that execution trace. An input message format is identified based on the analysis, where the input message format belongs to the communication protocol used by the malicious program. The examples of identifying the message format provide increased extraction efficiency, accurate analysis and localization of the parsing code, and a reduced rate of false positives.
Publication number US9589136(B2) Publication date 2017.03.07
Application number US201514674717 Filing date 2015.03.31
Applicant TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED Inventors Zou Zan;Zhang Xiaokang;Wang Zhi;Jia Chunfu;Liu Lu
IPC classes G06F21/00;G06F21/56 Main class G06F21/00
Agent Brinks Gilson & Lione Attorney Brinks Gilson & Lione
Independent claim 1. A method for identifying a format of a message, comprising: capturing, using a hardware processor, an execution trace of an executable program, wherein the execution trace comprises a processing procedure used by the executable program to process the message received by the executable program; performing, by the hardware processor, stain (taint) marking on the execution trace and extracting a stain (taint) propagation record indicating propagation of the taint mark of each byte of the message in the processing procedure; dividing, by the hardware processor, the message into fields based on the taint propagation record, with bytes of the message corresponding to continuously-numbered taint offsets treated as one field; performing, by the hardware processor, hierarchical division on functions in the execution trace and determining a function call relationship of the processing procedure; analyzing, by the hardware processor, semantic information of the functions in the execution trace based on the function call relationship of the processing procedure; and determining, by the hardware processor, the format of the message based on the semantic information, the divided fields of the message, and the hierarchical division of the functions of the execution trace of the executable program, wherein the format of the message is a format of a message used by a communication protocol of a malicious program.
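The claim above describes a pipeline: taint every byte of the received message, record which tainted offsets each instruction consumes, split the message into fields along runs of consecutive offsets, recover the call hierarchy of the parsing functions, and attach semantics to fields from the context in which they were used. The following is an added example written for this record, not Tencent's implementation or any code from the patent. It replays a constructed execution trace (the message layout, the event format, the op kinds and the op-to-semantic mapping are all assumptions for the demo; a real tracer such as a DBI-based taint engine would supply these records) and shows how the three outputs of the claim, fields, call tree and semantics, combine into a format description.

```python
"""Toy reconstruction of taint-driven message-format extraction over a
constructed execution trace. Added example; not the patent's code."""
from collections import namedtuple

# Constructed "captured" message (assumed layout): 2-byte magic,
# 1-byte type, 2-byte big-endian length, then a payload of that length.
MESSAGE = b"\x4d\x5a" + b"\x01" + b"\x00\x04" + b"ping"

# Constructed execution trace. ("call", fn) / ("ret", fn) give the
# function hierarchy; ("op", kind, offsets) is an instruction whose
# operands carried the taint labels of the listed message byte offsets.
TRACE = [
    ("call", "recv_loop"),
    ("call", "parse_header"),
    ("op", "cmp_const", [0, 1]),        # magic compared with a constant
    ("op", "dispatch", [2]),            # switch on the type byte
    ("op", "arith", [3, 4]),            # length bytes decoded
    ("ret", "parse_header"),
    ("call", "handle_ping"),
    ("op", "copy_len", [3, 4]),         # decoded length used as copy size
    ("op", "copy", [5, 6, 7, 8]),       # payload bytes copied out
    ("ret", "handle_ping"),
    ("ret", "recv_loop"),
]

Field = namedtuple("Field", "start end semantic function")

# Assumed mapping from the op kind a tracer labels to field semantics.
SEMANTIC_BY_OP = {
    "cmp_const": "constant",
    "dispatch": "type",
    "copy_len": "length",
    "copy": "payload",
}

def split_runs(offsets):
    """Split taint offsets into (start, end) runs of consecutive numbers;
    each run is one field candidate, as in the claim."""
    runs, current = [], []
    for off in sorted(set(offsets)):
        if current and off != current[-1] + 1:
            runs.append((current[0], current[-1]))
            current = []
        current.append(off)
    if current:
        runs.append((current[0], current[-1]))
    return runs

def walk_trace(trace):
    """Replay call/ret events. Returns the call tree {caller: [callees]}
    and the list of ops, each tagged with the call stack it ran under."""
    stack, tree, ops = [], {}, []
    for ev in trace:
        if ev[0] == "call":
            caller = stack[-1] if stack else None
            tree.setdefault(caller, []).append(ev[1])
            stack.append(ev[1])
        elif ev[0] == "ret":
            assert stack and stack[-1] == ev[1], "unbalanced trace"
            stack.pop()
        else:
            ops.append((tuple(stack), ev[1], ev[2]))
    return tree, ops

def extract_format(trace):
    """Return (fields, call_tree). Fields are keyed by byte span; the
    function is the one that first touched the span, and a semantic
    seen later (e.g. 'length' in the handler) upgrades an unknown one."""
    tree, ops = walk_trace(trace)
    fields = {}
    for stack, kind, offsets in ops:
        for start, end in split_runs(offsets):
            sem = SEMANTIC_BY_OP.get(kind)
            prev = fields.get((start, end))
            if prev is None:
                fields[(start, end)] = Field(start, end, sem, stack[-1])
            elif prev.semantic is None and sem:
                fields[(start, end)] = prev._replace(semantic=sem)
    return sorted(fields.values()), tree

def length_field_consistent(message, fields):
    """Cross-check: the decoded 'length' field must equal the size of
    the 'payload' span that taint analysis recovered."""
    by_sem = {f.semantic: f for f in fields}
    ln = by_sem["length"]
    length = int.from_bytes(message[ln.start:ln.end + 1], "big")
    payload = by_sem["payload"]
    return length == payload.end - payload.start + 1

if __name__ == "__main__":
    fields, tree = extract_format(TRACE)
    for f in fields:
        print(f"bytes {f.start}-{f.end}: {f.semantic or 'unknown'} (first used in {f.function})")
    print("call tree:", tree)
    print("length field consistent:", length_field_consistent(MESSAGE, fields))
```

The consistency check at the end is the kind of validation a practitioner adds before trusting a recovered format: a length field whose value does not match the payload span usually means the taint engine under-tainted (lost labels through a table lookup or an untracked syscall) rather than that the protocol is unusual.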
Address Shenzhen CN