
Dynamic Call Graph Generation And Its Application In Reverse Engineering Of Kernel Module

Posted on: 2015-09-23
Degree: Master
Type: Thesis
Country: China
Candidate: W D Tang
Full Text: PDF
GTID: 2308330452969524
Subject: Computer Science and Technology
Abstract/Summary:
As software grows in scale and malicious code proliferates, function call analysis and reverse engineering of software become increasingly important. Most current function call analysis tools target software with known source code using static or dynamic analysis; they cannot analyse calls made through function pointers, the system boot process, loadable modules, or software without source code, and most current reverse engineering implementations are only semi-automatic. This thesis therefore analyses dynamic function calls in order to implement automatic reverse engineering of kernel loadable modules.

The thesis analyses the advantages and disadvantages of existing function call graph generation tools, proposes a dynamic function call graph generation method based on kernel tracing, and develops the dynamic call graph generation tool DCG-RTL (Dynamic Call Graph based on RTL). DCG-RTL runs the kernel and modules to be tracked in the S2E simulator; a plug-in captures function call instructions and, together with a function name resolution plug-in, records the function calls and returns at runtime along with related information, while the kallsyms mechanism of Linux is used to obtain information about loadable modules. The call and return times are then used to compute the time each function spends running itself, and finally the dynamic and static function call relationships are displayed in a web browser using the open source software LXR. The call graph generated by DCG-RTL therefore contains the static calls, the dynamic calls and the execution time of each function; the graph is also attached to source information, so that a function call path can be followed through a link on the graph directly to the corresponding source code location.

Analysis of a kernel loadable module whose file read and write operations are invoked through function pointers shows that DCG-RTL has better accuracy and comprehensiveness. The dynamic relationships between function calls are extracted from the tracking information obtained with DCG-RTL, and, using the starting position and size of the loaded module in memory acquired through the kallsyms mechanism, the function calls that belong to the loadable module are filtered out. Subsequent analysis of these dynamic function calls determines how the binary code of the loaded module is divided into sections; each section is then disassembled with a decompilation engine to obtain assembly code, the assembly code is filled in with the appropriate information according to the format requirements, and the resulting code is collated and compiled. Experiments on kernel loadable modules with known source code show that the reverse engineering method of this thesis is feasible.
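As an added illustration (not code from the thesis or the DCG-RTL tool), the following Python sketch shows the post-processing step the abstract describes: pairing call and return records to derive dynamic call edges and per-function self time, resolving addresses through a kallsyms-style symbol table, and filtering edges to the loaded module's address range. The symbol table, module placement and trace are constructed here; the real plug-in runs inside S2E and its record format is not given on this page.

```python
import bisect
from collections import defaultdict
# Constructed kallsyms-style symbol table (address, name), sorted by address;
# every address and name here is made up for illustration.
SYMBOLS = [
    (0xffffffff81000000, "vfs_read"),
    (0xffffffff81000200, "vfs_write"),
    (0xffffffffa0000100, "demo_read"),    # hypothetical module functions
    (0xffffffffa0000300, "demo_helper"),
]
SYM_ADDRS = [a for a, _ in SYMBOLS]
MODULE_BASE, MODULE_SIZE = 0xffffffffa0000000, 0x1000  # hypothetical module placement
# Constructed trace shaped like the call/return records the plug-in captures:
# ("call", timestamp_us, target_addr) or ("ret", timestamp_us).
TRACE = [
    ("call", 0, 0xffffffff81000000),   # vfs_read
    ("call", 2, 0xffffffff81000200),   #   -> vfs_write (core kernel, not the module)
    ("ret", 4),
    ("call", 5, 0xffffffffa0000100),   #   -> demo_read via a file_operations pointer
    ("call", 8, 0xffffffffa0000300),   #      -> demo_helper
    ("ret", 12),
    ("ret", 20),
    ("ret", 25),
]
def resolve(addr):
    """Nearest preceding symbol, the way a kallsyms lookup maps an address."""
    i = bisect.bisect_right(SYM_ADDRS, addr) - 1
    return SYMBOLS[i][1] if i >= 0 else hex(addr)

def build_call_graph(trace):
    """Dynamic caller->callee edge counts (by address) and per-function self time."""
    edges, self_time = defaultdict(int), defaultdict(int)
    stack = []  # frames: [func_addr, entry_ts, time_spent_in_callees]
    for ev in trace:
        if ev[0] == "call":
            if stack:                      # edge from the currently executing frame
                edges[(stack[-1][0], ev[2])] += 1
            stack.append([ev[2], ev[1], 0])
        else:                              # return: self = inclusive - callee time
            func, entry, callee_time = stack.pop()
            inclusive = ev[1] - entry
            self_time[resolve(func)] += inclusive - callee_time
            if stack:
                stack[-1][2] += inclusive
    return dict(edges), dict(self_time)

def module_edges(edges):
    lo, hi = MODULE_BASE, MODULE_BASE + MODULE_SIZE  # keep edges touching the module
    return {(resolve(c), resolve(t)): n for (c, t), n in edges.items()
            if lo <= c < hi or lo <= t < hi}
```

Note that the pointer-based call from vfs_read into demo_read only appears because the trace is dynamic; a static analysis of the module alone would not see that edge.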
Keywords/Search Tags: software reverse engineering, analysis of dynamic function calls, decompilation, kallsyms mechanism, kernel loadable module