Research On Reverse Locating Of Key Functions In Windows Application

Reverse Analysis is an important approach to analyze software without source code. One method which can efficiently improve the efficiency of Reverse Analysis is to locate the target functions fast and efficiently. Locating the functions which is worthy of study can shrink the area and reduce the complexity of the Reverse Analysis. This thesis researched in depth on how to actualize locating functions quickly and effectually.The thesis summarized four common methods for locating functions, thoroughly studied the mechanism by which Windows messages are processed and the characteristics of representative programs in framework. Aimed at the two general cases of locating functions in Reverse Analysis, the thesis put forward the reverse locating technique based on the characteristics of program frame class. First, the structure information and frame characteristics of the program were acquired by means of static analysis, and functional code and framework code were distinguished from each other. Second, resorting to characteristics detection in dynamic analysis, specific behaviors, such as network activity and file operation, in target function were detected, and all possible executing paths of the target function were marked. Last, the target function was located by using the path comparison algorithm.In order to solve the problem of obtaining the static information from the target programs in the process of locating, the thesis programmed an IDA plug-in to implement the obtaining of static information from the object program by the research on the disassembled mechanism of IDA; it completed an analyzing plug-in of the MFC frame on the base of thoroughly analyzing the MFC frame; it designed a dynamic obtaining algorithm for the run-time basic block of target program. After thoroughly researched the technique of tracking and logging the executing paths, a reverse location assistant tool was designed and implemented. The tool adopted the technique of graphic display for the paths, and according to the executing paths in different instance of the target program, with the executing paths comparison algorithm realized, which could get the address of target function exactly.The testing on the accuracy and the efficiency of the tool was presented in the end of the thesis. According to the results, the tool has good performance in locating target function, and is valuable in improving the efficiency of Reverse Analysis.