Title: A METHOD TO IDENTIFY KNOWN COMPILERS FUNCTIONS, LIBRARIES AND OBJECTS INSIDE FILES AND DATA ITEMS CONTAINING AN EXECUTABLE CODE
Abstract: Apparatus for identifying the functionality and structure of an executable, being a file or a code, for examining and classifying the executable, consisting of a computerized hardware device being in communication with a computer. The computerized hardware device comprises a first memory for storing characterizing patterns obtained offline; a second memory for temporarily storing a file or a data stream to be tested; and a processor, adapted to: upon receiving an executable data stream to be tested from the computer, upload the characterizing patterns to the first memory; receive the data stream from the computer and store the data stream in the second memory; compare the HASH or XOR result of the tested data stream to the stored characterizing patterns; copy the region in the tested data stream which is about the size of a function to a temporary storage region in the second memory; replace the RVA fields with a predetermined constant value or a predetermined sequence; check the values in the RVA fields to verify whether they are compatible with the type of the required CPU and operating system and, if not, cancel the tested function; calculate the HASH or XOR value for the tested function; if there is a match between the HASH or XOR result and one of the stored characterizing patterns, store the tested function in a table of results, along with identification details and start/end addresses; check whether the table of results comprises functions which contain other, smaller overlapping functions and, if it does, filter out the smaller overlapping functions from the table of results; and return the table of results to the computer, to check similarity to data entities with other programs.
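The abstract describes a signature-matching pipeline (window the code at function size, neutralize address-dependent fields, sanity-check those fields, hash, look up, then drop matches nested inside larger matches). The following is an added illustration written for this page, not the patent's own implementation or code from the applicant. It makes several simplifying assumptions, each labelled in the code: an x86-style byte-level rule that treats the 4 bytes after an 0xE8/0xE9 opcode as the relocatable (RVA-like) field, SHA-256 as the "HASH or XOR" function, a check that a relocatable field's decoded target lands inside the scanned image as the stand-in for the CPU/OS compatibility check, and a constructed 128-byte image plus a two-entry "library" as input.

```python
"""Toy function-signature matcher in the spirit of the abstract above.

Assumptions (not from the patent text):
  * Relocatable fields are modelled as the rel32 displacement following an
    0xE8 (call) or 0xE9 (jmp) opcode, found by a byte scan rather than a
    real disassembler.
  * The characterizing pattern is SHA-256 of the window with those fields
    replaced by a constant byte.
  * The "compatible with CPU/OS" check is approximated by requiring the
    displacement's target to lie inside the image being scanned.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

REL32_OPCODES = {0xE8, 0xE9}   # assumption: opcodes followed by a rel32 field
MASK_BYTE = 0x00               # the "predetermined constant value"


@dataclass(frozen=True)
class Match:
    name: str
    start: int   # inclusive offset in the image
    end: int     # exclusive offset in the image


def mask_relocatable_fields(code: bytes) -> Tuple[bytes, List[int]]:
    """Return (masked copy, offsets of the 4-byte fields that were masked)."""
    out = bytearray(code)
    fields: List[int] = []
    i = 0
    while i < len(out):
        if out[i] in REL32_OPCODES and i + 5 <= len(out):
            fields.append(i + 1)
            out[i + 1:i + 5] = bytes([MASK_BYTE] * 4)
            i += 5
        else:
            i += 1
    return bytes(out), fields


def rva_fields_plausible(window: bytes, fields: List[int], start: int, image_size: int) -> bool:
    """Reject the candidate if any rel32 target falls outside the image (assumed check)."""
    for f in fields:
        disp = int.from_bytes(window[f:f + 4], "little", signed=True)
        target = start + f + 4 + disp          # rel32 is relative to the next instruction
        if not 0 <= target < image_size:
            return False
    return True


def build_signature_db(library: Dict[str, bytes]) -> Dict[int, Dict[bytes, str]]:
    """Offline step: length -> {masked SHA-256 digest -> function name}."""
    db: Dict[int, Dict[bytes, str]] = {}
    for name, code in library.items():
        masked, _ = mask_relocatable_fields(code)
        db.setdefault(len(code), {})[hashlib.sha256(masked).digest()] = name
    return db


def scan_image(image: bytes, db: Dict[int, Dict[bytes, str]]) -> List[Match]:
    """Slide a window of every known function length over the image and look up each one."""
    matches: List[Match] = []
    for start in range(len(image)):
        for length, table in db.items():
            end = start + length
            if end > len(image):
                continue
            window = image[start:end]
            masked, fields = mask_relocatable_fields(window)
            if not rva_fields_plausible(window, fields, start, len(image)):
                continue                      # "cancel the tested function"
            name = table.get(hashlib.sha256(masked).digest())
            if name is not None:
                matches.append(Match(name, start, end))
    return matches


def filter_nested(matches: List[Match]) -> List[Match]:
    """Drop any match strictly contained in a larger match (the overlap filter)."""
    kept = [m for m in matches
            if not any(o is not m and o.start <= m.start and m.end <= o.end
                       and (o.end - o.start) > (m.end - m.start) for o in matches)]
    return sorted(kept, key=lambda m: (m.start, m.end))


def identify_functions(image: bytes, library: Dict[str, bytes]) -> List[Match]:
    return filter_nested(scan_image(image, build_signature_db(library)))


# Constructed "library" of two known functions.  call_helper contains a rel32 call
# whose displacement (0x10 here) is meaningless outside the library itself.
LIBRARY_FUNCTIONS: Dict[str, bytes] = {
    "tail_ret_zero": bytes.fromhex("31C05DC3"),                      # xor eax,eax; pop ebp; ret
    "call_helper": bytes.fromhex("5589E5E8" "10000000" "31C05DC3"),  # push ebp; mov ebp,esp; call rel32; ...
}


def build_image() -> bytes:
    """Constructed 128-byte image: call_helper at 16 (call target 64, in-image),
    a stand-alone tail_ret_zero at 48, and a copy of call_helper at 80 whose
    displacement points far outside the image and should be rejected."""
    img = bytearray(b"\x90" * 128)
    img[16:28] = bytes.fromhex("5589E5E8" "28000000" "31C05DC3")   # 24 + 0x28 = 64
    img[48:52] = bytes.fromhex("31C05DC3")
    img[80:92] = bytes.fromhex("5589E5E8" "F0FFFF7F" "31C05DC3")   # disp 0x7FFFFFF0
    return bytes(img)


if __name__ == "__main__":
    for m in identify_functions(build_image(), LIBRARY_FUNCTIONS):
        print(f"{m.name:14s} {m.start:4d}-{m.end:<4d}")
```

Two details worth noticing when running it: the tail_ret_zero bytes inside call_helper at offset 24 are matched by the scan and then removed by the overlap filter, while the tail of the rejected copy at offset 80 survives as a stand-alone tail_ret_zero match at 88, because the plausibility check is applied per candidate window, not to the surrounding region.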
Publication number: WO2016135729(A1)    Publication date: 2016.09.01
Application number: WO2016IL50216    Filing date: 2016.02.25
Applicant: ZIMMERMAN, Israel    Inventor: ZIMMERMAN, Israel
IPC classification: G06F21/56; G06F12/14    Main classification: G06F21/56
Agency:    Agent:
Main claim:
Address: