
Suppose I've obtained a CFG (control-flow graph) of a function, and suppose one of the basic blocks makes a call to another function (of course, the call being made in the last instruction of the basic block).

My question is: should I embed the CFG of the called function within the CFG of the outer function?

Things to keep in mind:

  • I'm maintaining CFGs for ALL the functions in the disassembled binary.
  • The project I'm dealing with is malware detection using static analysis.
  • If any one of the CFGs in the test binary sample matches any one of the CFGs in the malware sample, the test sample is malicious.

Frank C.
D.B.K
  • This embedding of the CFG of the called function at the place of the call is a kind of inlining and is interprocedural analysis. When the program has many functions and deep call chains (or recursion), inlining all calls will exponentially grow your CFG. You should detect malware by accounting for nested CFGs, but you probably don't want to inline all calls. (A call is not the last instruction in a basic block; it will return, and it is not a branch in the caller: http://ag-kastens.uni-paderborn.de/lehre/material/uebii/folien/comment09-20.2.pdf) – osgx Mar 04 '17 at 09:06
  • @osgx, thanks a lot, sir! – D.B.K Mar 04 '17 at 11:47
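As an added example (Python written for this page, not code from the question or the comments), here is one way to act on osgx's advice: keep one CFG per function and let a call edge carry the callee's structural hash instead of the callee's blocks. A caller then only matches a malware function if its callees match too, recursion terminates instead of inlining forever, and the block and function names the disassembler picked do not affect the result. The programs, block contents and names (`decrypt`, `payload`, `sub_401000`, `loc_0`, ...) are all constructed for the example; `inlined_block_count` and `make_call_chain` are there only to show the growth the comment warns about.

```python
import hashlib
from typing import Dict, List, Optional

# A program maps function name -> CFG; a CFG maps block id -> block holding the
# block's mnemonics, its successor block ids, and the callee if it ends in a call.
# Every program below is constructed for this example, not taken from a real binary.
Program = Dict[str, Dict[str, dict]]

def block(ops: List[str], succ: List[str], call: Optional[str] = None) -> dict:
    return {"ops": ops, "succ": succ, "call": call}

def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()[:16]

def cfg_hash(program: Program, fn: str, memo: Dict[str, str],
             active: frozenset = frozenset()) -> str:
    """Structural hash of fn's CFG that accounts for callees without inlining them:
    a block ending in a call is labelled with the callee's own (memoised) hash, so a
    caller matches only if its callees match too. A callee already on the call stack
    is labelled 'recursive' so the recursion terminates."""
    if fn in memo:
        return memo[fn]
    cfg, active, labels = program[fn], active | {fn}, {}
    for bid, b in cfg.items():
        callee = b["call"]
        if callee is None:
            call_label = ""
        elif callee in active:
            call_label = "recursive"
        elif callee in program:
            call_label = cfg_hash(program, callee, memo, active)
        else:
            call_label = "extern:" + callee  # imported function: its name is its identity
        labels[bid] = _h(",".join(b["ops"]) + "|" + call_label)
    # Weisfeiler-Lehman style refinement: fold successor labels into each block's label,
    # one round per block, so the hash reflects the edge structure. Sorting successors
    # ignores taken/fall-through order; the final sort makes the hash block-id independent.
    for _ in range(len(cfg)):
        labels = {bid: _h(labels[bid] + "->" + "/".join(sorted(labels[s] for s in cfg[bid]["succ"])))
                  for bid in cfg}
    memo[fn] = _h("\n".join(sorted(labels.values())))
    return memo[fn]

def program_hashes(program: Program) -> Dict[str, str]:
    # Walk in sorted name order so mutual recursion is cut at the same point every run.
    memo: Dict[str, str] = {}
    for fn in sorted(program):
        cfg_hash(program, fn, memo)
    return memo

def matching_functions(test: Program, malware: Program) -> List[str]:
    """Test-sample functions whose call-aware CFG hash equals a malware function's hash;
    a non-empty result is the 'any CFG matches' rule from the question."""
    sigs = set(program_hashes(malware).values())
    return [fn for fn, h in program_hashes(test).items() if h in sigs]

def inlined_block_count(program: Program, fn: str, depth_limit: int = 50) -> int:
    """Blocks fn's CFG would have if every call were inlined instead; recursion is cut
    at depth_limit because an inlined recursive call would otherwise never end."""
    if depth_limit == 0:
        return 0
    total = 0
    for b in program[fn].values():
        total += 1
        if b["call"] in program:
            total += inlined_block_count(program, b["call"], depth_limit - 1)
    return total

def make_call_chain(n: int) -> Program:
    """f0..f(n-1) each call the next function from two blocks; fn is a leaf.
    Kept as separate CFGs this is 3n+1 blocks; fully inlined it is 2**(n+2) - 3."""
    prog: Program = {f"f{n}": {"b0": block(["ret"], [])}}
    for i in range(n - 1, -1, -1):
        prog[f"f{i}"] = {"b0": block(["call"], ["b1"], call=f"f{i + 1}"),
                         "b1": block(["call"], ["b2"], call=f"f{i + 1}"),
                         "b2": block(["ret"], [])}
    return prog

# Constructed malware sample: a decryption loop and a payload routine that calls it.
MALWARE: Program = {
    "decrypt": {"b0": block(["xor", "add", "cmp", "jne"], ["b0", "b1"]),
                "b1": block(["ret"], [])},
    "payload": {"b0": block(["push", "call"], ["b1"], call="decrypt"),
                "b1": block(["mov", "jmp"], ["b2"]),
                "b2": block(["ret"], [])},
}
# Constructed test sample: the same two routines under disassembler-assigned names.
TEST_SUSPECT: Program = {
    "sub_401000": {"loc_0": block(["xor", "add", "cmp", "jne"], ["loc_0", "loc_1"]),
                   "loc_1": block(["ret"], [])},
    "sub_401050": {"loc_0": block(["push", "call"], ["loc_1"], call="sub_401000"),
                   "loc_1": block(["mov", "jmp"], ["loc_2"]),
                   "loc_2": block(["ret"], [])},
}
# Constructed clean sample: the payload-shaped caller, but its callee differs, so neither
# function matches (a per-function hash that ignored callees would wrongly flag it).
TEST_CLEAN: Program = {
    "helper": {"b0": block(["mov", "add", "ret"], [])},
    "sub_401050": {"b0": block(["push", "call"], ["b1"], call="helper"),
                   "b1": block(["mov", "jmp"], ["b2"]),
                   "b2": block(["ret"], [])},
}
```

`matching_functions(TEST_SUSPECT, MALWARE)` returns both renamed routines, while `matching_functions(TEST_CLEAN, MALWARE)` returns nothing even though `sub_401050`'s own blocks are identical to `payload`'s, which is the nested-CFG matching the comment recommends. For the size argument, `make_call_chain(10)` holds 31 blocks across its eleven CFGs, but `inlined_block_count(make_call_chain(10), "f0")` reports 4093 blocks for a single fully inlined CFG; a real binary with thousands of functions and deeper chains makes full inlining impractical, and any recursive call makes it impossible without an artificial cut-off. The hash here discards the order of a block's successors, so two functions that differ only in which branch is taken versus falls through collide; keep the order in the join if that distinction matters for your signatures.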

0 Answers