关键词: 二进制分析, 反汇编, 结构签名, 指令签名, 控制流程图

Abstract: Comparison of executable objects is widely used for software copyright, malware family, updating pattern of abnormity detection and software patch analysis. The traditional comparison methods can not meet the requirements of these applications in terms of speed and accuracy. A function unary structural signature based on adjacency matrix of a CFG, and an unary instruction signature are designed to consider the instruction on a function; according to instruction code and operand, strong/medium/weak signatures about instruction sequences are designed to make instruction comparison easy, and weak signature can handle instruction reorder outweighing small primes product (SPP); three kinds of properties are appended to partition all objects into more groups. And then, comparison methods for functions and basic code blocks are presented using the above signatures and proproties, and the matching policies using both statistical weights and the largest-exclusive are exploited to decrease the false match. Furthermore，the Hash of signtures and properties is used to speed up the match. Finally, a protocol tool PEDiff is implemented using the above methods. Experimental results demonstrate that the method has better performance in terms of matching speed and rich analysis results.

Key words: binary analysis, disassemble, structural signature, instruction signature, control flow graph