Independent claim
1. A method for identifying a format of a message, comprising:
capturing, using a hardware processor, an execution trace of an executable program, wherein the execution trace comprises the processing procedure used by the executable program to process the message received by the executable program;
performing, by the hardware processor, taint marking on the execution trace and extracting a taint propagation record indicating the propagation of the taint mark of each byte of the message through the processing procedure;
dividing, by the hardware processor, the message into fields based on the taint propagation record, with bytes of the message corresponding to consecutively numbered taint offsets forming one field;
performing, by the hardware processor, hierarchical division of the functions in the execution trace and determining the function call relationship of the processing procedure;
analyzing, by the hardware processor, semantic information of the functions in the execution trace based on the function call relationship of the processing procedure; and
determining, by the hardware processor, the format of the message based on the semantic information, the divided fields of the message, and the hierarchical division of the functions in the execution trace of the executable program,
wherein the format of the message is the format of a message used by the communication protocol of a malicious program.
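As an added illustration of the field-division and format-determination steps above (example code written for this page, not part of the patent text), the following Python sketch takes a constructed taint propagation record, splits each instruction's taint offsets into runs of consecutively numbered offsets (one field per run), and combines the fields with the call depth and a constructed semantic hint per function. The message, trace entries, function names and the `SEMANTICS` map are all assumptions made up for the example, not output of a real tracer.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed semantic hints (assumption): the library routine an instruction
# feeds tainted bytes into suggests the role of the field.
SEMANTICS = {"memcmp": "constant", "ntohs": "length", "memcpy": "data", None: "unknown"}

@dataclass(frozen=True)
class TraceEntry:
    func: str                  # function in which the tainted instruction executed
    depth: int                 # call depth from the hierarchical division of functions
    offsets: frozenset         # taint offsets (message byte indices) reaching the instruction
    api: Optional[str] = None  # library routine consuming the bytes, if any

def contiguous_runs(offsets):
    """Split taint offsets into runs of consecutively numbered offsets; each run is a field."""
    runs, run = [], []
    for off in sorted(offsets):
        if run and off != run[-1] + 1:
            runs.append((run[0], run[-1]))
            run = []
        run.append(off)
    if run:
        runs.append((run[0], run[-1]))
    return runs

def divide_fields(trace):
    """Map each field span (start, end) to the (depth, function, api) triples that touched it."""
    fields = {}
    for e in trace:
        for span in contiguous_runs(e.offsets):
            fields.setdefault(span, set()).add((e.depth, e.func, e.api))
    return dict(sorted(fields.items()))

def infer_format(message, trace):
    """Combine field division, call hierarchy and semantics into a format description."""
    fmt = []
    for (start, end), touches in divide_fields(trace).items():
        depth, func, _ = min(touches, key=lambda t: (t[0], t[1]))  # shallowest handler
        apis = {api for _, _, api in touches if api}
        role = SEMANTICS[min(apis)] if apis else SEMANTICS[None]  # first hint wins (simplification)
        fmt.append({"span": (start, end), "value": message[start:end + 1],
                    "handler": func, "depth": depth, "role": role})
    return fmt

# Constructed message and taint propagation record (not captured from a real binary):
# 2-byte magic, 1-byte type, 2-byte big-endian length, 5-byte payload.
MESSAGE = bytes.fromhex("4d5a" "01" "0005" "68656c6c6f")
TRACE = [
    TraceEntry("parse_header", 1, frozenset({0, 1}), "memcmp"),
    TraceEntry("parse_header", 1, frozenset({2})),                 # switch on the type byte
    TraceEntry("read_length", 2, frozenset({3, 4}), "ntohs"),
    TraceEntry("handle_payload", 2, frozenset(range(5, 10)), "memcpy"),
    TraceEntry("validate", 2, frozenset({0, 1, 3, 4})),            # non-contiguous: two fields
]
```

Running `infer_format(MESSAGE, TRACE)` yields four fields, with the `validate` entry correctly split into the magic and length spans rather than merged into one.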