In many operating systems, various efficiencies may be achieved by sharing a single library containing code, data, or other resources between multiple applications or programs. Computer files that rely on functions offered by such a shared library typically contain, within a section of the file, a list of the names of the functions of the shared library that the file will import or "call." In certain file formats, such as the Portable Executable (PE) format used by Windows executables, this list of function names is contained within a table known as an import table.
In recent years, various malware applications have attempted to obfuscate the names of the functions to be called or imported from a shared library, such as a dynamic-link library (DLL), in an attempt to disguise the illegitimate intent or purpose of the malware application. Certain malware applications have accomplished this by replacing the names of the functions to be imported or called with a list of checksums (a technique commonly referred to as API hashing). In this example, the malware application may identify the function to be called from the shared library by calculating a checksum for each function name listed in the shared library's export name table, searching the list of checksums contained within the malware application for a checksum that matches one of the calculated checksums, and then looking up the address of the matching function in the shared library's export address table. Because each checksum is computed over a function's name rather than its address, the same embedded checksum list remains valid across library versions and load addresses, while the function names themselves never appear in the malware file.
Previous attempts to identify the names of the functions called by such malware applications have involved identifying each exported function offered by an operating system, calculating a checksum for each of these exported functions using the same checksum algorithm as the malware application, and then comparing each of these calculated checksums to the list of checksums contained in the malware application in an attempt to identify a match. Unfortunately, this approach is inefficient, slow, and resource intensive, since it must enumerate and hash every export of every shared library on the system for each malware sample analyzed. Moreover, if the requisite shared libraries are not present (for example, because the analysis is performed on a system other than the one targeted by the malware), this approach may be unable to identify each of the functions called or imported by the malware application.
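The following is an added example, not code from this document, that models both sides of the technique described above: the run-time resolver a malware loader uses to turn an embedded checksum list into function addresses, and the analyst-side reverse lookup that precomputes checksums for every known export to recover the names. The checksum algorithm (a 32-bit rotate-right-by-13 accumulator over the ASCII name plus its terminating NUL, as used by Metasploit's block_api shellcode) and the export table contents are assumptions chosen for illustration; real malware families use many variants, and real export names and addresses would be read from a DLL's export directory.

```python
"""Hash-based import resolution: the malware-side resolver and the
analyst-side reverse lookup. Standalone illustration; the export table
below is constructed, not read from a real DLL."""
from typing import Dict, Iterable, Optional


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 checksum over the ASCII export name plus its trailing NUL.
    Assumed scheme (Metasploit block_api style). Other families use other
    rotations, CRC32, FNV-1a, case folding, etc., so an analysis tool
    must treat the hash function as a parameter, not a constant."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for one DLL's export directory: name -> RVA.
# In a real PE these come from the export name table and export address
# table respectively; the RVAs here are made up.
KERNEL32_EXPORTS: Dict[str, int] = {
    "CreateFileA": 0x1A2B0,
    "GetProcAddress": 0x1B3C0,
    "LoadLibraryA": 0x1C4D0,
    "VirtualAlloc": 0x1D5E0,
    "VirtualProtect": 0x1E6F0,
    "WriteProcessMemory": 0x1F700,
}


def resolve_by_checksum(exports: Dict[str, int],
                        wanted: Iterable[int]) -> Dict[int, int]:
    """Malware side: walk the export name table, hash every name, and keep
    the address of each export whose checksum appears in the embedded
    list. Returns checksum -> RVA. No function name is ever stored in
    the malware; only the checksums are."""
    wanted_set = set(wanted)
    found: Dict[int, int] = {}
    for name, rva in exports.items():
        h = ror13_hash(name)
        if h in wanted_set:
            found[h] = rva
    return found


def label_checksums(exports: Dict[str, int],
                    checksums: Iterable[int]) -> Dict[int, Optional[str]]:
    """Analyst side (the prior approach described above): precompute
    checksum -> name over every known export, then map the malware's
    checksum list back to names. Checksums with no match are returned
    as None, which is exactly what happens when the library that exports
    the function is absent from the analysis system or the assumed hash
    algorithm is wrong."""
    table = {ror13_hash(n): n for n in exports}
    return {c: table.get(c) for c in checksums}


if __name__ == "__main__":
    # Constructed checksum list as it might sit in a malware sample:
    # three kernel32 imports plus one checksum for an export we do not
    # have (e.g. from a DLL not present on the analysis system).
    embedded = [ror13_hash("LoadLibraryA"), ror13_hash("GetProcAddress"),
                ror13_hash("VirtualAlloc"), ror13_hash("WSAStartup")]
    for h, rva in resolve_by_checksum(KERNEL32_EXPORTS, embedded).items():
        print(f"resolved {h:#010x} -> RVA {rva:#x}")
    for h, name in label_checksums(KERNEL32_EXPORTS, embedded).items():
        print(f"{h:#010x}: {name or 'UNRESOLVED'}")
```

The reverse lookup makes the cost problem concrete: the table must be rebuilt for every export of every library on the system and again for every candidate hash algorithm, and any checksum whose library is missing from the analysis host simply comes back unresolved.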