A static analysis program analyzes a source program without executing an object program relating to computer software (hereinafter referred to as “software”), and thereby analyzes a fault or the like in the software. The static analysis program provides support information for developing software by pointing out a part (flow) of a source program that is determined to be a fault.
For example, PTL 1 discloses an analysis device that outputs a warning message, based on a result of analyzing a source program by using a static analysis program. The analysis device generates a file including a result of analyzing a source program relating to each of a plurality of versions, and generates a difference between the files. Next, the analysis device outputs a warning message associated with the generated difference.
On the other hand, when a source program of software is not disclosed, reverse engineering is known as a technique for analyzing the software. In reverse engineering, disassembling an object program of the software clarifies a function of the software. In addition, a measure against malware, that is, software that executes an illegal action, can be realized by reverse engineering the malware.
For example, PTL 2 discloses a technology for extracting malware from software containing the malware. In addition, PTLs 3 and 4 disclose a technology for analyzing software by analyzing the software in a virtual machine.
PTL 2 discloses an extraction device that extracts malware from software, based on a change in a region of a memory accessed by a process executed by the software.
PTL 3 discloses a verification service providing system for verifying software by using a program and a verification tool for analyzing software. The providing system introduces an analysis tool for analyzing a program into a virtual machine and analyzes software in the virtual machine by using the introduced analysis tool.
PTL 4 discloses a software analysis device that determines, based on session information or the like output in a virtual machine where a malware candidate sample runs, whether or not the sample is malware. When the software analysis device determines that the sample is malware, the software analysis device outputs a signature identifying the malware.
The extraction device disclosed in the above-described PTL 2 extracts a candidate of an original code included in software by executing the software. The extraction device checks a range of memory addresses accessed by the extracted candidate of an original code, and determines whether or not the candidate is an actual original code, based on whether or not a change rate of the above-described address range satisfies a predetermined condition.