CN116541069A

CN116541069A - Key function evaluation method, device, electronic equipment, medium and program product

Info

Publication number: CN116541069A
Application number: CN202310589401.4A
Authority: CN
Inventors: 张茜; 王雪; 王鹏; 郑子翔
Original assignee: Industrial and Commercial Bank of China Ltd ICBC
Current assignee: Industrial and Commercial Bank of China Ltd ICBC
Priority date: 2023-05-24
Filing date: 2023-05-24
Publication date: 2023-08-04

Abstract

The present disclosure provides a key function evaluation method, apparatus, electronic device, medium and computer program product for realizing a setting function by a software program. The method and the device can be used in the technical fields of artificial intelligence and information security. The key function evaluation method comprises the following steps: constructing a first knowledge graph according to m first function call relation pairs acquired when a software program is executed by triggering a setting function, wherein nodes of the first knowledge graph are constructed according to a first main call function and a first called function of the first function call relation pair, and edges of the first knowledge graph are constructed according to a call relation between the first main call function and the first called function; updating the edge weight of the edge of the first knowledge graph according to the n second function call relation pairs obtained when the set function is not triggered to execute the software program, so as to obtain a second knowledge graph; calculating the point weight of the node in the second knowledge graph; and evaluating the function of the node corresponding to the point weight as a key function when the point weight meets the judging condition.

Description

Key function evaluation method, device, electronic equipment, medium and program product

Technical Field

The present disclosure relates to the field of artificial intelligence technology, and more particularly, to a key function evaluation method, apparatus, electronic device, medium, and computer program product for implementing a setting function by a software program.

Background

With the continuous development and progress of computer software development technology, the software functions are continuously expanded, become more complete and complex, can meet the requirements of all aspects, and play a certain promotion role in the development of all industries. The target software is subjected to reverse analysis and research, so that the functions and the realization logic of the software can be further mastered, and the safety defects and the loopholes of the software can be found, thereby improving the robustness of the software.

Software generally adopts a modularized design method, reduces the workload of code development through multiplexing modules, and comprises a plurality of modules, wherein each module comprises a plurality of functions for completing a specific function, each function comprises a plurality of instructions, the functions are basic function modules of a program, and a program executing process can also be regarded as a series of function calling processes. The key module and the key function are codes with more execution frequency, which directly affect the program function. When the software is reversely analyzed and the closed source software function, the software protection mechanism and the cryptographic algorithm in the software are researched, the software reverse analysis efficiency can be effectively improved by positioning the key modules and the key functions of the software, and meanwhile, the protection workload of the software is reduced.

Disclosure of Invention

In view of this, the present disclosure provides a key function evaluation method, apparatus, electronic device, computer-readable storage medium, and computer program product for realizing a setting function by a software program with high evaluation accuracy and efficiency and high degree of intellectualization.

One aspect of the present disclosure provides a key function evaluation method for implementing a setting function by a software program, including: constructing a first knowledge graph according to m first function call relation pairs acquired when the set function execution software program is triggered, wherein nodes of the first knowledge graph are constructed according to a first main call function and a first called function of the first function call relation pair, and edges of the first knowledge graph are constructed according to call relations between the first main call function and the first called function; updating the edge weights of the edges of the first knowledge graph according to n second function call relation pairs obtained when the set function execution software program is not triggered, so as to obtain a second knowledge graph, wherein n is an integer greater than or equal to 1, and m is an integer greater than or equal to n; calculating the point weight of the node in the second knowledge graph; and evaluating the function of the node corresponding to the point weight as a key function when the point weight meets the judging condition.

According to the key function evaluation method for realizing the setting function by the software program, the first knowledge graph can be constructed according to the first function call relation pair, the edge weight of the edge of the first knowledge graph can be updated according to the second function call relation pair to obtain the second knowledge graph, and the edge weight of the second knowledge graph can reflect the importance degree of the call relation between functions of the software program for realizing the setting function because the data difference between the first function call relation pair and the second function call relation pair is data when the software program is triggered to be executed by the setting function, and the importance degree of the functions of the software program for realizing the setting function can be reflected according to the point weight calculated by the edge weight. The method disclosed by the invention has high intelligent degree, can ensure the evaluation accuracy of the key function, can improve the evaluation efficiency, and reduces the consumption of labor time and energy.

In some embodiments, when triggering the set function to execute the software program, acquiring m first function call relation pairs includes: operation S21, executing a software program when the setting function is triggered, and obtaining g instruction address pairs, where each instruction address pair includes a jump instruction address and a target jump address, and g is an integer greater than or equal to m; operation S22, determining a first main call function and a first called function according to each instruction address pair of the g instruction address pairs; operation S23, when the first main call function and the first called function are determined according to the same instruction address pair, forming the first main call function and the first called function into one of m first function call relationship pairs; and an operation S24, traversing the g instruction address pairs, repeatedly executing the operations S22-S23, and obtaining m first function call relation pairs.

In some embodiments, the determining the first major function and the first called function according to each of the g instruction address pairs includes: matching the target jump address in each instruction address pair of the g instruction address pairs with the instruction address of a function in a predetermined first function address library, and taking the function to which the instruction address belongs as a first called function when the instruction address is matched; and matching the jump instruction address in the instruction address pair with the instruction address of a function in a predetermined first function address library, and taking the function to which the instruction address belongs as a first major function when the instruction address is matched.

In some embodiments, the predetermined first function address library comprises: acquiring an instruction offset address of each instruction in all instructions of each function in all functions of the software program when the setting function is triggered; acquiring an instruction loading address of each instruction in all instructions of each function in all functions of the software program when the setting function is triggered; calculating an instruction address of each instruction according to the instruction offset address and the instruction loading address of each instruction; and storing the mapping relation between the instruction address and the corresponding function to a first function address library.

In some embodiments, the acquiring n second function call relation pairs when the setting function is not triggered to execute the software program includes: operation S51, executing a software program when the setting function is not triggered, and obtaining k instruction address pairs, where each instruction address pair includes a jump instruction address and a target jump address, and k is an integer greater than or equal to n; operation S52, determining a second main call function and a second called function according to each instruction address pair of the k instruction address pairs; operation S53, when the second main call function and the second called function are determined according to the same instruction address pair, forming the second main call function and the second called function into one second function call relation pair of n second function call relation pairs; and an operation S54, traversing the k instruction address pairs, repeatedly executing the operations S52 to S53, and obtaining n second function call relation pairs.

In some embodiments, the determining the second major function and the second called function from each of the k instruction address pairs includes: matching the target jump address in each instruction address pair of the k instruction address pairs with instruction addresses of functions in a predetermined second function address library, and taking the function to which the instruction address belongs as a second called function of a second function call relation pair when the instruction address is matched; and matching the jump instruction address in the instruction address pair with the instruction address of a function in a second function address library, wherein when the jump instruction address is matched with the instruction address, the function to which the instruction address belongs is used as a second main call function of the second function call relation pair.

In some embodiments, the predetermined second function address library comprises: acquiring an instruction offset address of each instruction in all instructions of each function in all functions of the software program when the setting function is not triggered; acquiring an instruction loading address of each instruction in all instructions of each function in all functions of the software program when the setting function is not triggered; calculating an instruction address of each instruction according to the instruction offset address and the instruction loading address of each instruction; and storing the mapping relation between the instruction address and the corresponding function to a second function address library.

In some embodiments, the edge weight of the edge of the first knowledge graph is the number of times the first main call function calls the first called function, and updating the edge weight of the edge of the first knowledge graph according to n second function call relation pairs acquired when the setting function is not triggered to execute the software program to obtain a second knowledge graph, including: comparing each of the n second pair of function call relationships with the first pair of function call relationships constructing the first knowledge graph; when the second main call function of the second function call relation pair is the same as the first main call function of the first function call relation pair and the second called function of the second function call relation pair is the same as the first called function of the first function call relation pair, subtracting 1 from the edge weight of the edge constructed according to the second function call relation pair; and taking the knowledge graph with the updated edge weight of the edge of the first knowledge graph as a second knowledge graph.

In some embodiments, the calculating the point weights of the nodes in the second knowledge-graph includes: matching a function corresponding to the node in the second knowledge graph with a standard function in a library function; and calculating point weights of nodes which are not matched to the standard function in the library function.

In some embodiments, the edges of the second knowledge-graph are directed edges, the first tuned function is pointed to by the first dominant function, and the point weight of the node is the sum of the weights of the edges pointing to the node.

Another aspect of the present disclosure provides a key function evaluation apparatus for implementing a setting function by a software program, including: the building module is used for executing a first knowledge graph according to m first function call relation pairs acquired when the set function execution software program is triggered, wherein nodes of the first knowledge graph are built according to a first main call function and a first called function of the first function call relation pair, and edges of the first knowledge graph are built according to a call relation between the first main call function and the first called function; the determining module is used for executing the steps of updating the edge weights of the edges of the first knowledge graph according to n second function call relation pairs obtained when the set function execution software program is not triggered to obtain a second knowledge graph, wherein n is an integer greater than or equal to 1, and m is an integer greater than or equal to n; the calculation module is used for executing calculation of the point weights of the nodes in the second knowledge graph; and an evaluation module for performing evaluation of a function of a node corresponding to the point weight as a key function when the point weight satisfies a determination condition.

Another aspect of the present disclosure provides an electronic device comprising one or more processors and one or more memories, wherein the memories are configured to store executable instructions that, when executed by the processors, implement the method as described above.

Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, are configured to implement a method as described above.

Another aspect of the present disclosure provides a computer program product comprising a computer program comprising computer executable instructions which, when executed, are for implementing a method as described above.

Drawings

The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:

FIG. 1 schematically illustrates an exemplary system architecture to which methods, apparatuses may be applied according to embodiments of the present disclosure;

FIG. 2 schematically illustrates a flow chart of a key function evaluation method of a software program implementing a set-up function according to an embodiment of the present disclosure;

FIG. 3 schematically illustrates a flow chart for obtaining m first function call relationship pairs when a set-up function execution software program is triggered, according to an embodiment of the disclosure;

FIG. 4 schematically illustrates a flow diagram for determining a first major function and a first called function from each of g instruction address pairs according to an embodiment of the present disclosure;

FIG. 5 schematically illustrates a schematic diagram of a first function start address library according to an embodiment of the present disclosure;

FIG. 6 schematically illustrates a flowchart of a method of pre-determining a first function address library in accordance with an embodiment of the present disclosure;

FIG. 7 schematically illustrates a flowchart of acquiring n second function call relationship pairs when a set function execution software program is not triggered, according to an embodiment of the present disclosure;

FIG. 8 schematically illustrates a flow chart for determining a second major call function and a second called function from each of k instruction address pairs according to an embodiment of the present disclosure;

FIG. 9 schematically illustrates a flowchart of pre-determining a second function address library according to an embodiment of the disclosure;

FIG. 10 schematically illustrates a flowchart of updating edge weights of edges of a first knowledge-graph to obtain a second knowledge-graph according to n second function call relation pairs acquired when a set function is not triggered to execute a software program, according to an embodiment of the present disclosure;

FIG. 11 schematically illustrates a process of updating edge weights of a first knowledge-graph to obtain a second knowledge-graph, in accordance with an embodiment of the disclosure;

Fig. 12 schematically illustrates a flowchart of calculating point weights of nodes in a second knowledge-graph, in accordance with an embodiment of the disclosure;

FIG. 13 is a block diagram of a key function evaluation system for implementing a set function by a software program of the present disclosure;

FIG. 14 schematically illustrates a directed weighted schematic of a knowledge-graph, in accordance with an embodiment of the disclosure;

FIG. 15 schematically shows a block diagram of a key function evaluation device of a software program implementing a setting function according to an embodiment of the present disclosure;

fig. 16 schematically illustrates a block diagram of an electronic device according to an embodiment of the disclosure.

Detailed Description

Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.

In the technical scheme of the disclosure, the acquisition, storage, application and the like of the related personal information of the user all conform to the regulations of related laws and regulations, necessary security measures are taken, and the public order harmony is not violated. In the technical scheme of the disclosure, the processes of acquiring, collecting, storing, using, processing, transmitting, providing, disclosing, applying and the like of the data all conform to the regulations of related laws and regulations, necessary security measures are adopted, and the public order harmony is not violated.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.

Where a formulation similar to at least one of "A, B or C, etc." is used, in general such a formulation should be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g. "a system with at least one of A, B or C" would include but not be limited to systems with a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more of the described features.

However, in the current software reverse analysis process, a manual analysis method based on dynamic debugging software analysis or static reverse analysis is often adopted to position a key function, and when the software function and the implementation logic are complex, the manual analysis method based on dynamic debugging software analysis or static reverse analysis is high in positioning precision, but the efficiency of manual participation in analysis is low, and a great deal of time and effort are required.

Embodiments of the present disclosure provide a key function evaluation method, apparatus, electronic device, computer-readable storage medium, and computer program product for a software program to implement a setting function. The key function evaluation method for realizing the setting function by the software program comprises the following steps: constructing a first knowledge graph according to m first function call relation pairs acquired when a software program is executed by triggering a setting function, wherein nodes of the first knowledge graph are constructed according to a first main call function and a first called function of the first function call relation pair, and edges of the first knowledge graph are constructed according to a call relation between the first main call function and the first called function; updating the edge weight of the edge of the first knowledge graph according to the n second function call relation pairs obtained when the set function is not triggered to execute the software program, so as to obtain a second knowledge graph; calculating the point weight of the node in the second knowledge graph; and evaluating the function of the node corresponding to the point weight as a key function when the point weight meets the judging condition.

It should be noted that, the key function evaluation method, apparatus, electronic device, computer readable storage medium and computer program product for implementing the setting function by the software program of the present disclosure may be used in the field of artificial intelligence technology, and may also be used in any field other than the field of artificial intelligence technology, for example, in the financial field, and the field of the present disclosure is not limited herein.

Fig. 1 schematically illustrates an exemplary system architecture 100 of a key function evaluation method, apparatus, electronic device, computer-readable storage medium and computer program product that may implement a set-up function with an application software program according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.

As shown in fig. 1, a system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.

The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.

The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.

It should be noted that, the key function evaluation method for implementing the setting function by the software program provided in the embodiments of the present disclosure may be generally executed by the server 105. Accordingly, the key function evaluation device for implementing the setting function by the software program provided in the embodiment of the present disclosure may be generally provided in the server 105. The key function evaluation method for implementing the setting function by the software program provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the key function evaluation device for implementing the setting function by the software program provided in the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.

It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.

The key function evaluation method for realizing the setting function of the software program of the embodiment of the present disclosure will be described in detail below with reference to fig. 2 to 10 based on the scenario described in fig. 1.

Fig. 2 schematically illustrates a flowchart of a key function evaluation method of a software program implementing a setting function according to an embodiment of the present disclosure.

As shown in fig. 2, the key function evaluation method for the software program implementing the setting function of this embodiment includes operations S210 to S240.

In operation S210, a first knowledge graph is constructed according to m first function call relation pairs acquired when the software program is executed by the trigger setting function, wherein nodes of the first knowledge graph are constructed according to a first main call function and a first called function of the first function call relation pair, and edges of the first knowledge graph are constructed according to a call relation between the first main call function and the first called function. It can be understood that the first knowledge graph is a knowledge graph constructed according to m first function call relation pairs.

In operation S220, according to the n obtained second function call relation pairs when the set function execution software program is not triggered, the edge weight of the edge of the first knowledge graph is updated to obtain a second knowledge graph.

It can be understood that when the set function is triggered to execute the software program, m first function call relation pairs are obtained, wherein each first function call relation pair comprises a first main call function and a first called function, and m is an integer greater than or equal to n; each first function call relation pair is m function call relation pairs obtained when the set function execution software program is not triggered.

When the set function execution software program is not triggered, n second function call relation pairs are obtained, wherein each second function call relation pair comprises a second main call function and a second called function, and n is an integer greater than or equal to 1; each second function call relation pair is n function call relation pairs obtained when the set function is triggered to execute the software program.

In operation S230, point weights of nodes in the second knowledge-graph are calculated.

In operation S240, when the point weight satisfies the determination condition, the function of the node corresponding to the point weight is evaluated as a key function.

As one possible implementation manner, when the point weight satisfies the determination condition, operation S240 evaluates the function of the point weight corresponding node as a key function may include operation S241.

In operation S241, when the point weight exceeds the set threshold, the function of the point weight corresponding node is evaluated as a key function. The set threshold may be a value, and when the value of the point weight exceeds the value, the function of the node corresponding to the point weight is evaluated as a key function.

As another possible implementation manner, when the point weight satisfies the determination condition, operation S240 evaluates the function of the point weight corresponding node as a key function may include operation S242.

In operation S242, the ranking from large to small is performed on all the point weights obtained in operation S230, and the function of the node corresponding to the point weight of x in the top ranking is selected as the key function.

Fig. 3 schematically illustrates a flowchart of acquiring m first function call relation pairs when a set-up function execution software program is triggered, according to an embodiment of the present disclosure.

When the setting function execution software program is triggered, m first function call relation pairs are acquired, including operations S21 to S24.

In operation S21, the software program is executed when the setting function is triggered, and g instruction address pairs are acquired, where each instruction address pair includes a jump instruction address and a target jump address, and g is an integer greater than or equal to m. For example, when the setup function is triggered and a software program is loaded into memory, instrumentation is implemented based on the Trace interface provided by the dynamic instrumentation analysis tool (pintool). Trace starts with a branch and ends with an unconditional jump, including call, ret, and jmp instructions. And running the mounting program, analyzing whether the tail instruction of each Trace executed by the code analysis program is a call, ret or jmp indirect jump instruction through Trace instrumentation. If the instruction is a jump instruction, analyzing and recording the instruction address to a program jump information file according to the instruction type, thereby obtaining the jump instruction address and the target jump address of the instruction address pair.

In operation S22, a first major function and a first called function are determined according to each of the g instruction address pairs.

As an implementation manner, as shown in fig. 4, operation S22 determines a first major function and a first called function according to each of g instruction address pairs, and may include operation S001 and operation S002.

In operation S001, matching the target jump address in each of the g instruction address pairs with the instruction address of the function in the predetermined first function address library, and when the instruction address is matched, taking the function to which the instruction address belongs as a first called function; it will be appreciated that the first function start address library stores a mapping relationship between each function of the plurality of functions and at least one instruction address, and the mapping relationship between each function of the plurality of functions and the at least one instruction address may be as shown in fig. 5, and fig. 5 is merely an exemplary illustration and is not to be construed as limiting the disclosure.

In operation S002, the jump instruction address in the instruction address pair is matched with the instruction address of the function in the predetermined first function address library, and when the instruction address is matched, the function to which the instruction address belongs is used as the first major function.

Determining the first major function and the first called function from each of the g instruction address pairs may be facilitated by operations S001 and S002.

In operation S23, when the first main call function and the first called function are determined according to the same instruction address pair, the first main call function and the first called function are formed into one of m first function call relation pairs. Wherein the first pair of function call relationships may be represented as F _ij ＝{F _i ，F _j }，F _i Representing a first major function, F _j Representing a first modulated function.

And (S24) traversing g instruction address pairs, and repeatedly executing the operations S22-S23 to obtain m first function call relation pairs. The operation S21 to operation S24 can be used to obtain m first function call relation pairs when the set function execution software program is triggered.

Fig. 6 schematically illustrates a flowchart of pre-determining a first function address library according to an embodiment of the disclosure.

The predetermined first function address library may include operations S310 to S340.

In operation S310, an instruction offset address of each of all instructions of each of all functions of the software program when the setting function is triggered is acquired.

In operation S320, an instruction load address of each of all instructions of each of all functions of the software program when the set function is triggered is acquired. And (5) implementing instrumentation based on an Image interface provided by pintool. And analyzing and processing the code through image instrumentation analysis to obtain the instruction loading address of each instruction in all instructions of each function in all functions of the software program in the running process.

In operation S330, an instruction address of each instruction is calculated according to the instruction offset address and the instruction load address of each instruction. The instruction address of each instruction can be obtained by adding the instruction offset address and the instruction loading address.

In operation S340, the mapping relationship between the instruction address and the corresponding function is stored in the first function address library. The predetermined first function address library may be conveniently implemented through operations S310 to S340.

Fig. 7 schematically illustrates a flowchart of acquiring n second function call relation pairs when the set function execution software program is not triggered according to an embodiment of the present disclosure.

When the setting function execution software program is not triggered, n second function call relation pairs are acquired, including operations S51 to S54.

In operation S51, the software program is executed without triggering the setting function, and k instruction address pairs are acquired, where each instruction address pair includes a jump instruction address and a target jump address, and k is an integer greater than or equal to n. For example, when the setting function is not triggered and the software program is loaded into the memory, instrumentation is implemented based on the Trace interface provided by the dynamic instrumentation analysis tool (pintool). Trace starts with a branch and ends with an unconditional jump, including call, ret, and jmp instructions. And running the mounting program, analyzing whether the tail instruction of each Trace executed by the code analysis program is a call, ret or jmp indirect jump instruction through Trace instrumentation. If the instruction is a jump instruction, analyzing and recording the instruction address to a program jump information file according to the instruction type, thereby obtaining the jump instruction address and the target jump address of the instruction address pair.

In operation S52, a second major function and a second called function are determined according to each of the k instruction address pairs.

As an implementation manner, as shown in fig. 8, operation S52 determines a second major function and a second called function according to each of k instruction address pairs, which may include operation S003 and operation S004.

In operation S003, matching the target jump address in each of the k instruction address pairs with the instruction address of the function in the predetermined second function address library, and when the instruction address is matched, using the function to which the instruction address belongs as a second called function of a second function call relation pair; it will be appreciated that the second function start address library stores a mapping of each of the plurality of functions to at least one instruction address.

In operation S004, the jump instruction address in the instruction address pair is matched with the instruction address of the function in the predetermined second function address library, and when the instruction address is matched, the function to which the instruction address belongs is used as the second main call function of the second function call relation pair.

Determining the second major function and the second called function from each of the k instruction address pairs may be facilitated by operations S003 and S004.

Operation S53, when the second main-tuning function and the second called function are determined according to the same instruction address pair, forming n-th main-tuning function and second called function into n-th main-tuning functionOne of the two pairs of function call relationships is a second pair of function call relationships. Wherein the second pair of function call relationships may be represented as F _ab ＝{F _a ，F _b }，F _a Representing a second major function, F _b Representing a second modulated function.

And (S54) traversing k instruction address pairs, repeatedly executing the operations from S52 to S53, and obtaining n second function call relation pairs. The n second function call relation pairs can be obtained conveniently by operations S51 to S54 when the set function execution software program is not triggered.

Fig. 9 schematically illustrates a flowchart of pre-determining a second function address library according to an embodiment of the disclosure.

The predetermined second function address library may include operations S410 to S440.

In operation S410, an instruction offset address of each of all instructions of each of all functions of the software program when the setting function is not triggered is acquired.

In operation S420, an instruction load address of each of all instructions of each of all functions of the software program when the setting function is not triggered is acquired. And (5) implementing instrumentation based on an Image interface provided by pintool. And analyzing and processing the code through image instrumentation analysis to obtain the instruction loading address of each instruction in all instructions of each function in all functions of the software program in the running process.

In operation S430, an instruction address of each instruction is calculated according to the instruction offset address and the instruction load address of each instruction. The instruction address of each instruction can be obtained by adding the instruction offset address and the instruction loading address.

In operation S440, the mapping relationship between the instruction address and the corresponding function is stored in the second function address library. The predetermined second function address library may be conveniently implemented through operations S410 to S440.

According to some embodiments of the present disclosure, the edge weight of the edge of the first knowledge graph is the number of times the first main call function calls the first called function, as shown in fig. 10, and operation S220 updates the edge weight of the edge of the first knowledge graph according to n second function call relation pairs obtained when the setting function is not triggered to execute the software program, to obtain a second knowledge graph, which may include operations S221 to S223.

In operation S221, each of the n second function call relationship pairs is compared with the first function call relationship pair constructing the first knowledge graph.

In operation S222, when the second main call function of the second function call relation pair is the same as the first main call function of the first function call relation pair and the second called function of the second function call relation pair is the same as the first called function of the first function call relation pair, the edge weight of the edge constructed according to the second function call relation pair is reduced by 1.

In operation S223, the knowledge-graph after the edge weight update of the edge of the first knowledge-graph is completed is used as the second knowledge-graph.

It can be understood that, as shown in fig. 11, the process of updating the edge weight of the first knowledge graph to obtain the second knowledge graph may be assumed that in the first function call relationship pair, the first major function a calls 5 times of the first called function a, the first major function a calls 3 times of the first called function b, the first major function a calls 8 times of the first called function c, and in the first knowledge graph, the edge weight between a and a is 5, the edge weight between a and b is 3, and the edge weight between a and c is 8. Assuming that in the second function call relation pair, the second main call function a calls 2 times of second called function a, and the second main call function a calls 1 time of second called function b, the edge weight between a and a in the first knowledge graph needs to be reduced by 2, the edge weight between a and b is reduced by 1, in the obtained second knowledge graph, the edge weight between a and a is 3, the edge weight between a and b is 2, and the edge weight between a and c is 8. Thus, the operations S221 to S223 can facilitate updating the edge weight of the edge of the first knowledge graph according to the n second function call relation pairs obtained when the software program is executed without triggering the setting function, and obtain the second knowledge graph.

Fig. 12 schematically illustrates a flowchart of calculating the point weights of the nodes in the second knowledge-graph, in accordance with an embodiment of the disclosure.

Operation S230 calculates a point weight of a node in the second knowledge-graph, which may include operation S231 and operation S232.

In operation S231, a function corresponding to a node in the second knowledge-graph is matched with a standard function in the library function. The library function is a mode of putting standard functions into the library for others to use, namely, some commonly used functions are compiled and put into a file for different programs to call.

In operation S232, point weights of nodes that are not matched to the standard function in the library function are calculated. It can be appreciated that the node that is not matched to the standard function in the library function indicates that the node is not the standard function, but the program compiler performs the function for completing the set function design, so that the evaluation of the function for completing the set function design by the present disclosure can be conveniently performed through operation S231 and operation S232, without evaluating the standard function, and the computing resource is saved.

According to some embodiments of the present disclosure, the edges of the second knowledge-graph are directed edges, the first modulated function is pointed to by the first dominant function, and the point weight of a node is the sum of the weights of the edges pointing to the node. The sum of the weights of the edges pointing to each node in the second knowledge graph is the number of times the node is called, and the more the number of times the node is called, the more important the function corresponding to the node is explained, so that the obtained node weight can evaluate the key function more accurately.

According to some embodiments of the present disclosure, the evaluated key function and the key module may be visualized, and the evaluated key module and the key function may be identified, so as to help an analyst to intuitively understand the key function call flow.

A key function evaluation method of a software program implementing a setting function according to an embodiment of the present disclosure is described in detail below with reference to fig. 13 and 14. It is to be understood that the following description is exemplary only and is not intended to limit the disclosure in any way.

The method for evaluating the key function of the software program to realize the setting function can acquire the software execution track based on the binary dynamic instrumentation mode on the premise of not depending on the source code and not directly modifying the binary program, constructs the function weighted directed graph of the software execution, realizes the key function positioning of the key module of the software and the key module, does not need to consume a great deal of manpower, and effectively improves the efficiency of reverse analysis.

The method and the device dynamically insert a target program to be operated by utilizing a binary dynamic insert tool PIN on the premise of not modifying a source code, dynamically insert codes into an executable file during the operation of the program by utilizing a pinrools plug-in, track the execution track of the program, take a main call function and a called function as nodes of a directed graph, take a calling relationship as edges, take the calling times as weights, and construct the function weighted directed graph based on the track. After filtering the interference function, calculating the weight sum of each node, and realizing the evaluation and judgment of the key function based on the weight value of each node.

Fig. 13 is a structural framework diagram of a key function evaluation system for realizing a setting function by a software program of the present disclosure. In the system structure, the program track analysis module is used for monitoring program execution instructions in real time and identifying function call information. The data storage module is used for recording the track information after analysis and processing. The function weighted directed graph module reads the data storage file, and constructs a graph by taking the calling relationship as an edge and the function as a node. The basic comparison information module generates basic comparison information by tracking the running track of the target program which does not execute the key function, and the filtering of the interference function is realized based on the basic comparison information. The key function evaluation module realizes the positioning of the key module and the function based on the weight of each node of the constructed directed graph.

The flow of the key function evaluation method for realizing the setting function by the software program of the present disclosure is as follows.

1. And (3) acquiring the function name, the function offset address and whether the function is a library function or not as a key function positioning reference by using a reverse tool IDA Pro static analysis program.

2. And (3) operating the target software, wherein the operation process does not trigger a certain key function, an analysis code is inserted into the target software in the operation process through a binary dynamic instrumentation tool, and real-time monitoring and analysis are performed on the operated instruction to generate basic comparison information data.

1) When the program is loaded into the memory, the instrumentation is realized based on the Trace interface provided by the pintool. Trace starts with a branch and ends with an unconditional jump, containing call, ret, jmp instructions. The mounting program is run, and whether the tail instruction of each Trace executed by the code analysis program is a call, ret, jmp indirect jump instruction is analyzed through Trace instrumentation. If the jump instruction is the jump instruction, analyzing and recording the jump information to a program jump information file according to the instruction type, wherein the jump information file comprises a jump instruction address and an instruction target jump address.

2) And (5) implementing instrumentation based on an Image interface provided by pintool. And analyzing and processing the code through image instrumentation analysis to obtain the module name, the module id, the module type and the module address range loaded by the software in the running process.

3) Traversing the whole program jump information file based on the recorded program jump information and function reference information obtained by early static analysis, judging whether the target jump address is the starting address of the function, and if so, processing and analyzing to obtain the modulated function information; and judging the function address range to which the jump instruction address belongs, and processing and analyzing to obtain call function information so as to generate the function call information.

The present disclosure defines the function call information as follows: fij= { Fi, fj }. Wherein Fi represents a major function, fj is a called function, and Fj is called in the Fi function. The function information is represented by a function name, a module name to which the function belongs, and a library function flag, i.e., fi= { fmame, image, flag }. Typically, function names are represented by function symbols or function offset addresses, flag=1 is represented as a system library function, and flag=0 is represented as a non-system library function.

4) Recording function call information to generate a basic information comparison file.

3. And running the target software, executing the key functions of the software, inserting analysis codes into the running process of the target software through a binary dynamic instrumentation tool, performing real-time monitoring and analysis on the running instructions, and generating function call information of the software running.

4. Traversing the obtained software running function call records in step 3, taking the call function in each record as the starting point of the directed graph, taking the called function in each record as the key point of the directed graph, and taking the call times between the two functions as the weight of the current edge. By this construction, a function weighted directed graph is constructed.

Fig. 14 is an example of a constructed function weighted directed graph. In the example of fig. 12, F1 is a software entry function, func 1 is a function name, belonging to a module, a non-system library function. 4 functions in the a module are called in the running process of the software, namely func 1, func 4, func 6 and func 7, wherein the func 4 functions call the func 5 functions in the C module 5 times.

5. Based on the basic information comparison file, the initial function call information executed in the initial stage of the filter program loading process and the like is filtered, and the general function call information in the software execution is filtered. Traversing each record in the basic information comparison file, if the related function call record exists in the constructed function weighted directed graph, updating the weight value of the corresponding edge, subtracting 1 from the weight value of the corresponding edge, and completing updating and filtering of the function weighted directed graph.

6. And starting traversing by taking the weighted directed graph root node as a starting point, and calculating the number of functions in each module called in the software running process. As in the example of fig. 14, the software calls 4 functions in module a, two functions in module b, and 1 function in module c during execution.

7. And (3) traversing by taking the weighted directed graph root node as a starting point, judging whether the function corresponding to the node is a system library function, and if not, calculating the node as the sum of the weights of the regulated points. Traversing the whole function weighted directed graph to obtain weight values of the functions. In the function weighted directed graph example of fig. 14, the software is running with function func 4 called 5 times and func 5 called 6 times.

8. And comparing the weight values of the functions, and evaluating the function with higher ranking of the weight values as a key function.

9. And (3) filtering the modules to which the system library functions belong, and positioning the modules with more functions used in the software running process as key modules.

10. And evaluating the module where the key function is located as a key module.

11. The visualization system identifies the evaluated key modules and key functions, and helps analysts to intuitively know the key function call flow.

The invention further provides a key function evaluation device for realizing the setting function of the software program based on the key function evaluation method for realizing the setting function of the software program. The key function evaluation device 10 for realizing the setting function of the software program will be described in detail below with reference to fig. 15.

Fig. 15 schematically shows a block diagram of the key function evaluation device 10 in which the software program implements the setting function according to the embodiment of the present disclosure.

The key function evaluation device 10 for realizing the setting function by the software program comprises a construction module 1, an updating module 2, a calculation module 3 and an evaluation module 4.

Build module 1, build module 1 is to perform operation 210: and constructing a first knowledge graph according to m first function call relation pairs acquired when the set function is triggered to execute the software program, wherein nodes of the first knowledge graph are constructed according to a first main call function of the first function call relation pair and a first called function of the first function call relation pair, and edges of the first knowledge graph are constructed according to a call relation between the first main call function and the first called function.

Update module 2, update module 2 is configured to perform operation 220: and updating the edge weight of the edge of the first knowledge graph according to the n obtained second function call relation pairs when the set function execution software program is not triggered, so as to obtain a second knowledge graph.

Calculation module 3, calculation module 3 is configured to perform operation 230: and calculating the point weight of the node in the second knowledge graph.

Evaluation module 4, evaluation module 4 is configured to perform operation 240: and when the point weight meets the judging condition, evaluating the function of the node corresponding to the point weight as a key function.

According to some embodiments of the present disclosure, the key function evaluation device for implementing a setting function by a software program may further include a first obtaining module, where the first obtaining module is configured to obtain m first function call relation pairs when the setting function is triggered to execute the software program, and the first obtaining module may include a first obtaining unit, a first determining unit, a second determining unit, a third determining unit, and a first repeating unit.

The first obtaining unit is configured to execute the software program when the setting function is triggered, and obtain g instruction address pairs, where each instruction address pair includes a jump instruction address and a target jump address, and g is an integer greater than or equal to m.

And a first determining unit, wherein the first determining unit is used for matching the target jump address in one instruction address pair of the g instruction address pairs with the instruction address of the function in the predetermined first function address library, and when the instruction address is matched, the function to which the instruction address belongs is used as a first tuned function.

And a second determining unit, wherein the second determining unit is used for matching the jump instruction address in the instruction address pair with the instruction address of the function in the predetermined first function address library, and when the jump instruction address is matched with the instruction address, the function to which the instruction address belongs is used as a first main call function.

And a third determining unit, wherein the third determining unit is configured to, when determining the first calling function and the first called function according to the instruction address pair, form the first calling function and the first called function into one of m first function calling relationship pairs in operation S24.

And the first repeated execution unit is used for traversing g instruction address pairs in operation S25, repeatedly executing operations S22-S24 and obtaining m first function call relation pairs.

According to some embodiments of the present disclosure, the key function evaluation device for implementing the setting function by the software program may further include a first predetermined module for predetermined the first function address library, and the first predetermined module may include a second acquiring unit, a third acquiring unit, a first calculating unit, and a first storing unit.

And the second acquisition unit is used for acquiring the instruction offset address of each instruction in all instructions of each function in all functions of the software program when the setting function is triggered.

And the third acquisition unit is used for acquiring the instruction loading address of each instruction in all instructions of each function in all functions of the software program when the setting function is triggered.

The first calculation unit is used for calculating the instruction address of each instruction according to the instruction offset address and the instruction loading address of each instruction.

The first storage unit is used for storing the mapping relation between the instruction address and the corresponding function to the first function address library.

According to some embodiments of the present disclosure, the key function evaluation device for implementing the setting function by the software program may further include a second obtaining module, where the second obtaining module is configured to obtain n second function call relation pairs when the setting function is not triggered to execute the software program, and the second obtaining module may include a fourth obtaining unit, a fourth determining unit, a fifth determining unit, a sixth determining unit, and a second repeating unit.

And a fourth acquiring unit configured to execute the software program when the setting function is not triggered, and acquire k instruction address pairs, where each instruction address pair includes a jump instruction address and a target jump address, and k is an integer greater than or equal to n, in operation S41.

And a fourth determining unit, configured to match the target jump address in one of the k instruction address pairs with an instruction address of a function in a predetermined second function address library, and when the instruction address is matched, use the function to which the instruction address belongs as a second called function of a second function call relation pair in operation S42.

And a fifth determining unit, configured to match the jump instruction address in the instruction address pair with the instruction addresses of the functions in the predetermined second function address library, and when the jump instruction address is matched with the instruction address, take the function to which the instruction address belongs as the second main call function of the second function call relation pair in operation S43.

And a sixth determining unit, configured to, when determining the second main call function and the second called function according to the instruction address pair, form the second main call function and the second called function into one of n second function call relation pairs in operation S44.

And the second repeating unit is used for traversing k instruction address pairs in operation S45, repeatedly executing operations S42-S44 and obtaining n second function call relation pairs.

According to some embodiments of the present disclosure, the key function evaluation device for implementing the setting function by the software program may further include a second predetermined module for predetermined a second function address library, and the second predetermined module may include a fifth acquiring unit, a sixth acquiring unit, a second calculating unit, and a second storage unit.

And a fifth acquisition unit for acquiring an instruction offset address of each of all instructions of each of all functions of the software program when the setting function is not triggered.

And a sixth acquisition unit for acquiring an instruction load address of each instruction of all instructions of each function of the software program when the setting function is not triggered.

And the second calculation unit is used for calculating the instruction address of each instruction according to the instruction offset address and the instruction loading address of each instruction.

The second storage unit is used for storing the mapping relation between the instruction address and the corresponding function to the second function address library.

According to some embodiments of the present disclosure, the update module may include a comparison unit, an update unit, and a seventh determination unit for the number of times the first adjusted function is called by the first major function.

And the comparison unit is used for comparing each second function call relation pair of the n second function call relation pairs with the first function call relation pair for constructing the first knowledge graph.

And the updating unit is used for subtracting 1 from the edge weight of the edge constructed according to the second function call relation pair when the second main call function of the second function call relation pair is the same as the first main call function of the first function call relation pair and the second called function of the second function call relation pair is the same as the first called function of the first function call relation pair.

And the seventh determining unit is used for taking the knowledge graph with the updated edge weight of the edge of the first knowledge graph as a second knowledge graph.

According to some embodiments of the present disclosure, the computing module may include a matching unit and a third computing unit.

And the matching unit is used for matching the function corresponding to the node in the second knowledge graph with the standard function in the library function.

And a third calculation unit for calculating the point weights of the nodes that are not matched to the standard function in the library function.

According to the key function evaluation device 10 for realizing the setting function by the software program in the embodiment of the disclosure, a first knowledge graph can be constructed according to the first function call relation pair, the edge weight of the edge of the first knowledge graph can be updated according to the second function call relation pair to obtain a second knowledge graph, and the edge weight of the second knowledge graph can reflect the importance degree of the call relation between functions of the software program for realizing the setting function because the data difference between the first function call relation pair and the second function call relation pair is the data when the software program is triggered to be executed by the setting function, and the importance degree of the functions of the software program for realizing the setting function can be reflected according to the point weight calculated according to the edge weight. The method disclosed by the invention has high intelligent degree, can ensure the evaluation accuracy of the key function, can improve the evaluation efficiency, and reduces the consumption of labor time and energy.

In addition, according to an embodiment of the present disclosure, any of the plurality of modules of the constructing module 1, the updating module 2, the calculating module 3, and the evaluating module 4 may be combined in one module to be implemented, or any of the plurality of modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module.

According to embodiments of the present disclosure, at least one of the building module 1, the updating module 2, the computing module 3, and the evaluation module 4 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuits, or in any one of or a suitable combination of any of the three implementations of software, hardware, and firmware.

Alternatively, at least one of the building module 1, the updating module 2, the computing module 3 and the evaluation module 4 may be at least partly implemented as a computer program module, which, when executed, may perform the respective functions.

Fig. 16 schematically illustrates a block diagram of an electronic device adapted to implement the above-described method according to an embodiment of the present disclosure.

As shown in fig. 16, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.

In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.

According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to an input/output (I/O) interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.

The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.

According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.

Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods of embodiments of the present disclosure.

The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.

In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, such as Java, c++, python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined in various combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.

The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims

1. A key function evaluation method for realizing a setting function by a software program, comprising:

constructing a first knowledge graph according to m first function call relation pairs acquired when the set function execution software program is triggered, wherein nodes of the first knowledge graph are constructed according to a first main call function and a first called function of the first function call relation pair, and edges of the first knowledge graph are constructed according to call relations between the first main call function and the first called function;

Updating the edge weights of the edges of the first knowledge graph according to n second function call relation pairs obtained when the set function execution software program is not triggered, so as to obtain a second knowledge graph, wherein n is an integer greater than or equal to 1, and m is an integer greater than or equal to n;

calculating the point weight of the node in the second knowledge graph; and

and when the point weight meets the judging condition, evaluating the function of the node corresponding to the point weight as a key function.

2. The method according to claim 1, wherein the obtaining m first function call relation pairs when the setting function is triggered to execute a software program includes:

operation S21, executing a software program when the setting function is triggered, and obtaining g instruction address pairs, where each instruction address pair includes a jump instruction address and a target jump address, and g is an integer greater than or equal to m;

operation S22, determining a first main call function and a first called function according to each instruction address pair of the g instruction address pairs;

operation S23, when the first main call function and the first called function are determined according to the same instruction address pair, forming the first main call function and the first called function into one of m first function call relationship pairs; and

And S24, traversing the g instruction address pairs, repeatedly executing the operations S22 to S23, and obtaining m first function call relation pairs.

3. The method of claim 2, wherein determining a first major function and a first called function from each of the g instruction address pairs comprises:

matching the target jump address in each instruction address pair of the g instruction address pairs with the instruction address of a function in a predetermined first function address library, and taking the function to which the instruction address belongs as a first called function when the instruction address is matched; and

and matching the jump instruction address in the instruction address pair with the instruction address of a function in a predetermined first function address library, and taking the function to which the instruction address belongs as a first major function when the instruction address is matched.

4. A method according to claim 3, wherein the predetermined first function address library comprises:

acquiring an instruction offset address of each instruction in all instructions of each function in all functions of the software program when the setting function is triggered;

Acquiring an instruction loading address of each instruction in all instructions of each function in all functions of the software program when the setting function is triggered;

calculating an instruction address of each instruction according to the instruction offset address and the instruction loading address of each instruction; and

and storing the mapping relation between the instruction address and the corresponding function to a first function address library.

5. The method according to claim 1, wherein the obtaining n second function call relation pairs when the setting function is not triggered to execute a software program includes:

operation S51, executing a software program when the setting function is not triggered, and obtaining k instruction address pairs, where each instruction address pair includes a jump instruction address and a target jump address, and k is an integer greater than or equal to n;

operation S52, determining a second main call function and a second called function according to each instruction address pair of the k instruction address pairs;

operation S53, when the second main call function and the second called function are determined according to the same instruction address pair, forming the second main call function and the second called function into one second function call relation pair of n second function call relation pairs; and

And S54, traversing the k instruction address pairs, repeatedly executing the operations S52 to S53, and obtaining n second function call relation pairs.

6. The method of claim 5, wherein said determining a second master function and a second called function from each of said k instruction address pairs comprises:

matching the target jump address in each instruction address pair of the k instruction address pairs with instruction addresses of functions in a predetermined second function address library, and taking the function to which the instruction address belongs as a second called function of a second function call relation pair when the instruction address is matched; and

and matching the jump instruction address in the instruction address pair with instruction addresses of functions in a second function address library, and taking the function to which the instruction address belongs as a second main call function of the second function call relation pair when the instruction address is matched.

7. The method of claim 6, wherein the predetermined second function address library comprises:

acquiring an instruction offset address of each instruction in all instructions of each function in all functions of the software program when the setting function is not triggered;

Acquiring an instruction loading address of each instruction in all instructions of each function in all functions of the software program when the setting function is not triggered;

and storing the mapping relation between the instruction address and the corresponding function to a second function address library.

8. The method according to claim 1, wherein the edge weight of the edge of the first knowledge graph is the number of times the first main call function calls the first called function, and the updating the edge weight of the edge of the first knowledge graph according to the n second function call relation pairs obtained when the setting function is not triggered to execute the software program to obtain the second knowledge graph includes:

comparing each of the n second pair of function call relationships with the first pair of function call relationships constructing the first knowledge graph;

when the second main call function of the second function call relation pair is the same as the first main call function of the first function call relation pair and the second called function of the second function call relation pair is the same as the first called function of the first function call relation pair, subtracting 1 from the edge weight of the edge constructed according to the second function call relation pair; and

And taking the knowledge graph with the updated edge weight of the edge of the first knowledge graph as a second knowledge graph.

9. The method of claim 1, wherein the calculating the point weights of the nodes in the second knowledge-graph comprises:

matching a function corresponding to the node in the second knowledge graph with a standard function in a library function; and

point weights of nodes in the library functions that do not match to the standard function are calculated.

10. The method of claim 9, wherein the edges of the second knowledge-graph are directed edges, the first tuned function is pointed to by the first dominant function, and the point weight of the node is the sum of the weights of the edges pointing to the node.

11. A key function evaluation device for realizing a setting function by a software program, comprising:

the building module is used for executing a first knowledge graph according to m first function call relation pairs acquired when the set function execution software program is triggered, wherein nodes of the first knowledge graph are built according to a first main call function and a first called function of the first function call relation pair, and edges of the first knowledge graph are built according to a call relation between the first main call function and the first called function;

The determining module is used for executing the steps of updating the edge weights of the edges of the first knowledge graph according to n second function call relation pairs obtained when the set function execution software program is not triggered to obtain a second knowledge graph, wherein n is an integer greater than or equal to 1, and m is an integer greater than or equal to n;

the calculation module is used for executing calculation of the point weights of the nodes in the second knowledge graph; and

and the evaluation module is used for evaluating the function of the node corresponding to the point weight as a key function when the point weight meets the judging condition.

12. An electronic device, comprising:

one or more processors;

one or more memories for storing executable instructions which, when executed by the processor, implement the method of any of claims 1-10.

13. A computer readable storage medium, characterized in that the storage medium has stored thereon executable instructions which, when executed by a processor, implement the method according to any of claims 1-10.