Abstract: The present invention discloses methods and systems for an integrated disassembler with a function-queue manager and a disassembly interrupter for rapid, efficient, and scalable code gene extraction and analysis. Methods include the steps of: upon receiving a target binary file, disassembling the target binary file into assembly code; extracting code fragments from the assembly code; as each code fragment is extracted, verifying each code fragment; upon availability, placing each verified code fragment in an extractor queue; and upon availability, submitting each code fragment in the extractor queue to a gene-analysis system having a code genome database. Alternatively, upon determining the extractor queue is empty or determining resources of the gene-analysis system are underutilized, transferring partially-verified code fragments to the extractor queue.

Abstract: The present invention discloses methods and systems for an integrated disassembler with a function-queue manager and a disassembly interrupter for rapid, efficient, and scalable code gene extraction and analysis. Methods include the steps of: upon receiving a target binary file, disassembling the target binary file into assembly code; extracting code fragments from the assembly code; as each code fragment is extracted, verifying each code fragment; upon availability, placing each verified code fragment in an extractor queue; and upon availability, submitting each code fragment in the extractor queue to a gene-analysis system having a code genome database. Alternatively, upon determining the extractor queue is empty or determining resources of the gene-analysis system are underutilized, transferring partially-verified code fragments to the extractor queue.

Abstract: The present invention discloses methods and systems for genetic malware analysis and classification using code reuse patterns. Methods include the steps of: upon receiving a target binary file, disassembling the target binary file into assembly code; extracting individually-identifiable code fragments from the assembly code; normalizing the individually-identifiable code fragments into target genes; and collating the target genes into a code genome database. Alternatively, the step of normalizing includes upon detecting a MOV instruction, corresponding to a command to move values to a register before performing a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes. Alternatively, the step of normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.