
CN-120973412-B - Reverse analysis method and device of PLC (programmable logic controller) program


Abstract

The application discloses a reverse analysis method and device for a PLC program. The method comprises: obtaining a file to be processed; performing structural analysis on the file to obtain program entry address information and memory initialization information; performing subprogram identification on the file according to the program entry address information and the memory initialization information to obtain program flow characteristic data; performing recognition based on library function signatures on the program flow characteristic data to obtain standard function block data; performing parameter extraction on the program flow characteristic data to obtain control behavior parameter data; and performing visual modeling on the program entry address information, the memory initialization information, the program flow characteristic data, the standard function block data and the control behavior parameter data to obtain reverse analysis result data. This provides automatic, structured reverse reconstruction of the control program.

Inventors

  • ZHANG PENG
  • LI SHIZE
  • YANG TIANCHANG
  • LIU CEYUE
  • BAO ZIYANG
  • Su Yujian
  • WANG KAI
  • ZHANG HAI
  • Zhai Yunjiao
  • ZHANG JIAHAO

Assignees

  • The 15th Research Institute of China Electronics Technology Group Corporation (中国电子科技集团公司第十五研究所)

Dates

Publication Date
2026-05-12
Application Date
2025-08-04

Claims (9)

  1. A reverse analysis method for a PLC program, applied to a CODESYS platform to realize reverse system analysis of an industrial PLC compiler, comprising the following steps: obtaining a file to be processed, wherein the file to be processed is a binary file produced by a PLC compiler; performing structural analysis on the file to be processed to obtain program entry address information and memory initialization information; performing subprogram identification on the file to be processed according to the program entry address information and the memory initialization information to obtain program flow characteristic data, wherein the program flow characteristic data is characteristic data representing the program control flow, and the subprogram identification comprises: performing identification on the file to be processed based on function boundaries and register calling ranges to obtain function unit data, wherein the function unit data represents all function units in the file to be processed; performing first program flow analysis based on control flow reconstruction on the function unit data to obtain first program flow characteristic data, wherein the first program flow characteristic data represents a control flow relation graph of the file to be processed; and performing second program flow analysis based on physical interaction behavior extraction on the function unit data to obtain second program flow characteristic data, wherein the second program flow characteristic data is characteristic data representing interaction with physical devices; performing recognition based on library function signatures on the program flow characteristic data to obtain standard function block data; performing parameter extraction on the program flow characteristic data to obtain control behavior parameter data; and performing visual modeling on the program entry address information, the memory initialization information, the program flow characteristic data, the standard function block data and the control behavior parameter data to obtain reverse analysis result data.
  2. The reverse analysis method according to claim 1, wherein performing first program flow analysis based on control flow reconstruction on the function unit data to obtain first program flow characteristic data comprises: performing jump relation identification based on symbolic execution on the function unit data to obtain jump relation characteristic data, wherein the jump relation characteristic data is characteristic data representing the transfer and call target addresses held in registers and/or stack variables; and performing dynamic jump path generation on the function unit data and the jump relation characteristic data to obtain the first program flow characteristic data.
  3. The reverse analysis method according to claim 1, wherein performing second program flow analysis based on physical interaction behavior extraction on the function unit data to obtain second program flow characteristic data comprises: performing TRG mapping-based mapping relation extraction on the function unit data to obtain I/O address mapping relation data; performing extraction based on memory access operations on the function unit data to obtain an access instruction sequence; and performing region contrast processing on the access instruction sequence and the I/O address mapping relation data to obtain the second program flow characteristic data.
  4. The reverse analysis method according to claim 1, wherein performing recognition based on library function signatures on the program flow characteristic data to obtain standard function block data comprises: performing function unit extraction on the program flow characteristic data to obtain function unit data; performing matching based on function signatures between the function unit data and a preset function signature library to obtain library functions; and performing function labeling on the function unit data according to the library functions to obtain standard function block data.
  5. The reverse analysis method according to claim 1, wherein performing parameter extraction on the program flow characteristic data to obtain control behavior parameter data comprises: performing function execution symbol recognition on the program flow characteristic data to obtain function execution symbols; executing the function execution symbols to obtain transfer parameter position data; and modeling the parameter transmission path of the transfer parameter position data to obtain the control behavior parameter data.
  6. The reverse analysis method according to claim 1, wherein performing visual modeling on the program entry address information, the memory initialization information, the program flow characteristic data, the standard function block data and the control behavior parameter data to obtain reverse analysis result data comprises: performing visualized structure map generation on the program entry address information, the memory initialization information, the program flow characteristic data, the standard function block data and the control behavior parameter data to obtain structure map data; performing node identification on the structure map data to obtain map node data; and performing node hyperlink loading on the map node data to obtain the reverse analysis result data, wherein the reverse analysis result data represents an interactive PLC program analysis structure map.
  7. A reverse analysis device for a PLC program, applied to a CODESYS platform to implement reverse system analysis of an industrial PLC compiler, the device comprising: an input module for acquiring a file to be processed, wherein the file to be processed is a binary file produced by a PLC compiler; a structure extraction module for performing structural analysis on the file to be processed to obtain program entry address information and memory initialization information; a program flow analysis module for performing subprogram identification on the file to be processed according to the program entry address information and the memory initialization information to obtain program flow characteristic data, wherein the program flow characteristic data is characteristic data representing the program control flow, and the subprogram identification comprises: performing identification on the file to be processed based on function boundaries and register calling ranges to obtain function unit data, wherein the function unit data represents all function units in the file to be processed; performing first program flow analysis based on control flow reconstruction on the function unit data to obtain first program flow characteristic data, wherein the first program flow characteristic data represents a control flow relation graph of the file to be processed; and performing second program flow analysis based on physical interaction behavior extraction on the function unit data to obtain second program flow characteristic data, wherein the second program flow characteristic data is characteristic data representing interaction with physical devices; a library function signature recognition module for performing recognition based on library function signatures on the program flow characteristic data to obtain standard function block data; a function parameter extraction module for performing parameter extraction on the program flow characteristic data to obtain control behavior parameter data; and a visual output module for performing visual modeling on the program entry address information, the memory initialization information, the program flow characteristic data, the standard function block data and the control behavior parameter data to obtain reverse analysis result data.
  8. A computer-readable storage medium storing computer instructions for causing a computer to perform the reverse analysis method of the PLC program according to any one of claims 1 to 6.
  9. An electronic device comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor to cause the at least one processor to perform the reverse analysis method of the PLC program according to any one of claims 1 to 6.
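The region-contrast step of claim 3 (comparing the extracted memory-access instruction sequence against the I/O address mapping) is the part of the pipeline that recovers which physical inputs and outputs each function unit touches. The Python below is an added example written for this page, not code from the patent, its assignee or CODESYS. Because the PRG format and the runtime's process-image layout are not public, the I/O map, the function boundaries, the process-image addresses and the access list are all constructed for illustration. Beyond the claim's plain read/write classification it also surfaces two cases an analyst would want flagged: a store into the input image, and an access that straddles a region boundary.

```python
"""
Region-contrast classification of memory accesses against an I/O address map
(the second program flow analysis of claim 3). Added example: addresses,
regions, function ranges and the access sequence are constructed, not taken
from a real PRG image or CODESYS runtime.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IoRegion:
    name: str        # CODESYS direct-address notation, e.g. %IB0..%IB15
    start: int       # first process-image address (assumed value)
    end: int         # exclusive end
    direction: str   # "input" or "output"


@dataclass(frozen=True)
class Access:
    pc: int          # address of the load/store instruction
    op: str          # "load" or "store"
    addr: int        # effective address after constant folding
    width: int       # bytes accessed


# Constructed I/O map. In the real pipeline these ranges would come from the
# memory initialization information recovered by the structural analysis step.
IO_MAP: List[IoRegion] = [
    IoRegion("%IB0..%IB15", 0x2000_0000, 0x2000_0010, "input"),
    IoRegion("%IB16..%IB31", 0x2000_0010, 0x2000_0020, "input"),
    IoRegion("%QB0..%QB15", 0x2000_0100, 0x2000_0110, "output"),
]

# Constructed function boundaries from the function-unit identification step.
FUNCTIONS: Dict[str, Tuple[int, int]] = {
    "PLC_PRG": (0x0800_1000, 0x0800_1100),
    "Pump_Ctrl": (0x0800_1100, 0x0800_1200),
}

# Constructed access instruction sequence, as the memory-access extraction
# step would list it from the disassembly.
ACCESSES: List[Access] = [
    Access(0x0800_1010, "load", 0x2000_0002, 1),    # PLC_PRG reads %IB2
    Access(0x0800_1024, "store", 0x2000_0104, 1),   # PLC_PRG writes %QB4
    Access(0x0800_1030, "store", 0x4000_0040, 4),   # PLC_PRG writes an internal variable
    Access(0x0800_1110, "load", 0x2000_0012, 2),    # Pump_Ctrl reads %IB18..%IB19
    Access(0x0800_1120, "store", 0x2000_0003, 1),   # Pump_Ctrl writes an INPUT byte (anomaly)
    Access(0x0800_1130, "load", 0x2000_010e, 4),    # starts in %QB14 but runs past the region
]


def region_of(addr: int, width: int) -> Optional[IoRegion]:
    """Region fully containing the access, or None (outside the map or straddling)."""
    for r in IO_MAP:
        if r.start <= addr and addr + width <= r.end:
            return r
    return None


def function_of(pc: int) -> Optional[str]:
    for name, (lo, hi) in FUNCTIONS.items():
        if lo <= pc < hi:
            return name
    return None


def classify(a: Access) -> str:
    """Contrast one access with the I/O map and name what it is."""
    r = region_of(a.addr, a.width)
    if r is None:
        # Either plain internal memory, or an access that begins inside an
        # I/O region but is not fully contained in it; keep the two apart.
        inside_any = any(x.start <= a.addr < x.end for x in IO_MAP)
        return "io-straddle" if inside_any else "internal"
    if r.direction == "input":
        return "input-read" if a.op == "load" else "input-write"
    return "output-write" if a.op == "store" else "output-read"


def contrast(accesses: List[Access]) -> Dict[str, dict]:
    """Per-function physical-interaction summary: which I/O points a function
    reads and writes, plus anything that needs a second look."""
    summary = {fn: {"reads": [], "writes": [], "anomalies": []} for fn in FUNCTIONS}
    for a in accesses:
        fn = function_of(a.pc)
        if fn is None:
            continue
        kind = classify(a)
        if kind == "input-read":
            summary[fn]["reads"].append(region_of(a.addr, a.width).name)
        elif kind == "output-write":
            summary[fn]["writes"].append(region_of(a.addr, a.width).name)
        elif kind in ("input-write", "output-read", "io-straddle"):
            summary[fn]["anomalies"].append((hex(a.pc), kind))
    return summary


if __name__ == "__main__":
    for fn, s in contrast(ACCESSES).items():
        print(fn, s)
```

The anomaly list is where the security value sits: a write into the input image or a read that crosses out of the output image is either a compiler quirk worth understanding or logic that is tampering with what the scan cycle will see, and neither shows up if accesses are only bucketed as "I/O" versus "not I/O".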

Description

Reverse analysis method and device of PLC (programmable logic controller) program

Technical Field

The application relates to the field of industrial control, in particular to a reverse analysis method and device for a PLC program.

Background

As Industrial Control Systems (ICS) become increasingly digital and networked, PLCs serve as the core components of industrial automation, and the integrity and reliability of their control programs are key to industrial information security. Driven by demands such as functionality, security and version adaptation, static or dynamic reverse engineering of the binary files executed by PLCs (in particular the PRG files compiled by the CODESYS platform) has become one of the important fundamental research directions in industrial control security. However, unlike the traditional IT domain with its general-purpose instruction set architectures, compilers and standardized file formats (e.g., ELF, PE), the ICS domain is highly heterogeneous and vendor-closed. At the PLC level this leads to: a lack of standardized reverse engineering tools; common analysis frameworks (e.g., IDA Pro, Ghidra, angr) that cannot process the files directly; control logic and data structures that are tightly coupled and lack symbol and semantic information; and a strong dependence on context and on physical interactions (I/O). In particular, CODESYS is used by more than 250 manufacturers worldwide, but its file formats, symbol tables and operational specifications are not disclosed, so the structure, functions and flow of a PRG binary cannot be understood automatically, which severely restricts the feasibility of tasks such as security detection, program tracing and function restoration. Because of these difficulties, current PLC binary analysis remains at a "semi-manual" stage: high workload, experience-dependent, inefficient, and lacking a systematic automated method. Accordingly, the present application has been made keeping in mind the problems occurring in the prior art for PLC binary analysis.

Disclosure of Invention

The application mainly aims to provide a reverse analysis method and device for a PLC program, so as to solve the above problems and achieve the technical effect of automatic reverse analysis of a PLC binary file. To achieve this object, a first aspect of the present application provides a method for reverse analysis of a PLC program, applied to a CODESYS platform to implement reverse system analysis of an industrial PLC compiler, the method comprising: obtaining a file to be processed, wherein the file to be processed is a binary file produced by a PLC compiler; performing structural analysis on the file to be processed to obtain program entry address information and memory initialization information; performing subprogram identification on the file to be processed according to the program entry address information and the memory initialization information to obtain program flow characteristic data, wherein the program flow characteristic data is characteristic data representing the program control flow; performing recognition based on library function signatures on the program flow characteristic data to obtain standard function block data; performing parameter extraction on the program flow characteristic data to obtain control behavior parameter data; and performing visual modeling on the program entry address information, the memory initialization information, the program flow characteristic data, the standard function block data and the control behavior parameter data to obtain reverse analysis result data.
Further, performing subprogram identification on the file to be processed according to the program entry address information and the memory initialization information to obtain program flow characteristic data comprises: performing identification based on function boundaries and register calling ranges on the file to be processed to obtain function unit data, wherein the function unit data represents all function units in the file to be processed; performing first program flow analysis based on control flow reconstruction on the function unit data to obtain first program flow characteristic data, wherein the first program flow characteristic data represents a control flow relation graph of the file to be processed; performing second program flow analysis based on physical interaction behavior extraction on the function unit data to obtain second program flow characteristic data, wherein the second program flow characteristic data is characteristic data representing interaction with physical devices; and determining the program flow characteristic data from the first program flow characteristic data and the second program flow characteristic data. Further, performing a first program flow analysis process based on control flow reconstruction on the function un
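Claim 4 (matching function units against a preset signature library and labeling them) and claim 6 (a structure map whose nodes carry hyperlinks) are the two steps of the description above that turn raw function units into something an analyst can navigate. The Python below is an added example, not the patent's implementation and not a CODESYS artifact: it builds FLIRT-style signatures (a leading byte pattern with wildcards for operands that vary between instances, plus a CRC over the bytes after the pattern) from constructed reference bodies, labels constructed function units with them, and emits the map as Graphviz DOT with a URL attribute on each node so that the rendered SVG is clickable. The byte sequences, the TON and R_TRIG labels, the addresses and the call edges are all constructed for illustration; the real CODESYS library signatures are not public.

```python
"""
Library-signature matching over function units (claim 4) and a hyperlinked
structure map (claim 6). Added example: byte sequences, signatures, addresses
and call edges are constructed, not taken from a real PRG file.
"""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Pattern = Tuple[Optional[int], ...]   # None marks a wildcard byte


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: Pattern   # leading bytes with relocatable operands masked
    crc_len: int       # number of bytes after the pattern covered by the CRC
    crc: int


def make_signature(name: str, code: bytes, pat_len: int, wildcards) -> Signature:
    """Derive a signature from a reference library body: mask the offsets of
    immediates/displacements that differ between instances, CRC the rest."""
    pattern = tuple(None if i in wildcards else b for i, b in enumerate(code[:pat_len]))
    tail = code[pat_len:]
    return Signature(name, pattern, len(tail), zlib.crc32(tail))


def matches(sig: Signature, code: bytes) -> bool:
    n = len(sig.pattern)
    if len(code) < n + sig.crc_len:
        return False
    if any(w is not None and w != b for w, b in zip(sig.pattern, code)):
        return False
    return zlib.crc32(code[n:n + sig.crc_len]) == sig.crc


def label_functions(units: Dict[int, bytes], library: List[Signature]) -> Dict[int, str]:
    """Attach a library name to each function unit, or a generic sub_<addr>
    label when nothing in the signature library matches."""
    labels = {}
    for addr, code in units.items():
        hits = [s for s in library if matches(s, code)]
        best = max(hits, key=lambda s: len(s.pattern), default=None)  # longest pattern wins
        labels[addr] = best.name if best else f"sub_{addr:08x}"
    return labels


def structure_map(entry: int, labels: Dict[int, str], calls: List[Tuple[int, int]]) -> str:
    """Graphviz DOT with one node per function unit; the URL attribute is what
    makes each node a hyperlink in the rendered map."""
    lines = ["digraph plc {", "  rankdir=LR;",
             f'  entry [shape=plaintext label="entry 0x{entry:08x}"];',
             f"  entry -> f{entry:08x};"]
    for addr, name in labels.items():
        lines.append(f'  f{addr:08x} [label="{name}\\n0x{addr:08x}" URL="#fn_{addr:08x}"];')
    for src, dst in calls:
        lines.append(f"  f{src:08x} -> f{dst:08x};")
    lines.append("}")
    return "\n".join(lines)


# Constructed x86-32 reference bodies for two library blocks. Offset 5 is the
# imm8 of "sub esp, imm8", which changes per instance, so it is wildcarded; the
# two prologues are then identical up to the tail, which only the CRC separates.
TON_REF = bytes.fromhex("558bec83ec108b45088b4804894dfc8be55dc3")
RTRIG_REF = bytes.fromhex("558bec83ec088b45088a4808884dff8be55dc3")
LIBRARY = [make_signature("TON", TON_REF, 9, {5}),
           make_signature("R_TRIG", RTRIG_REF, 9, {5})]

# Constructed function units (address -> code bytes) and call edges, as the
# function-boundary and control-flow steps would hand them over.
UNITS = {
    0x08001000: bytes.fromhex("558bec51e800000000" "5983c40c8be55dc3"),   # user POU, no library match
    0x08001100: bytes.fromhex("558bec83ec208b45088b4804894dfc8be55dc3"),  # TON with a larger frame
    0x08001200: RTRIG_REF,
}
CALLS = [(0x08001000, 0x08001100), (0x08001000, 0x08001200)]


if __name__ == "__main__":
    labels = label_functions(UNITS, LIBRARY)
    print(structure_map(0x08001000, labels, CALLS))
```

Render with `dot -Tsvg` and the URL attributes become anchors in the SVG; the same labels would feed the parameter-extraction step, since knowing a unit is a timer block tells you which argument positions carry the preset time. The CRC is not optional: with the frame-size operand masked, the TON and R_TRIG prologues are byte-for-byte equal, and a pattern-only matcher would label both units as whichever signature came first.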