Automatic analysis method and system of malicious codes based on API (application program interface) HOOK

An automatic analysis technology for malicious code, applied in the field of malicious code analysis, that addresses the problem of slow analysis and detection.

Inactive Publication Date: 2012-01-11
UNIV OF ELECTRONICS SCI & TECH OF CHINA

Problems solved by technology

If this method is used to identify a large number of malicious code samples, the speed of analysis and detection will be very slow


Embodiment Construction

[0026] The technical scheme of the present invention will be described in detail below in conjunction with the accompanying drawings.

[0027] Figure 1 shows the step diagram of a concrete implementation of the present invention. To describe the present invention clearly, a specific embodiment is described below; the steps of Figure 1 are as follows:

[0028] S101 Enumerate the system processes, find the sample process, start the malicious code monitoring system by means of remote thread injection, and register and load each module

[0029] S102 When a sample has finished running, its log report is analyzed; after the system has been restored, check whether samples remain in the sample set directory, and end if none remain

[0030] S103 Start the sample process in the suspended state. At this point the sample process has been created but is not yet running

[0031] S104 Inject the file monitoring module, network monitoring module, registry monitoring module, and process monitorin...
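The steps above and the abstract's "inversion operation" describe one loop: hook the APIs the sample calls, journal each call together with the state it is about to change, emit a report, and replay the journal backwards to restore the system. The following is an added example, not code from the patent or its applicant: a Python stand-in that hooks `builtins.open` and `os.remove` (the Python analogue of patching an import table, in place of the Win32 file APIs the patent targets), restricts journaling to a sandbox directory, and restores the directory afterwards. The sample program, file names and contents are constructed for the demonstration; registry, network and process hooks would follow the same record-and-invert pattern.

```python
import builtins
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

_real_open = builtins.open    # originals: the monitor must bypass its own hooks
_real_remove = os.remove


@dataclass
class Event:
    api: str                  # hooked API that was called
    kind: str                 # create / modify / delete
    path: str                 # absolute path inside the sandbox
    before: Optional[bytes]   # content before the call; None = file did not exist


@dataclass
class Monitor:
    sandbox: str              # only paths under this directory are journaled
    events: List[Event] = field(default_factory=list)

    def _inside(self, target):
        """Absolute path if `target` lies in the sandbox, else None."""
        if isinstance(target, int):            # file descriptor, not a path
            return None
        path = os.path.abspath(os.fspath(target))
        return path if path.startswith(self.sandbox + os.sep) else None

    def _snapshot(self, path):
        if not os.path.isfile(path):
            return None
        with _real_open(path, "rb") as fh:
            return fh.read()

    def _hooked_open(self, file, mode="r", *args, **kwargs):
        path = self._inside(file)
        if path is None or not any(c in mode for c in "wax+"):   # reads are not journaled
            return _real_open(file, mode, *args, **kwargs)
        before = self._snapshot(path)          # pre-image taken before the real call
        fh = _real_open(file, mode, *args, **kwargs)
        self.events.append(Event("open", "create" if before is None else "modify", path, before))
        return fh

    def _hooked_remove(self, target, *args, **kwargs):
        path = self._inside(target)
        if path is None:
            return _real_remove(target, *args, **kwargs)
        before = self._snapshot(path)
        _real_remove(target, *args, **kwargs)
        self.events.append(Event("remove", "delete", path, before))

    def install(self):        # the "API hook": swap the function references
        builtins.open = self._hooked_open
        os.remove = self._hooked_remove

    def uninstall(self):
        builtins.open = _real_open
        os.remove = _real_remove

    def report(self):
        """Dynamic analysis report: one (api, kind, relative path) per journaled call."""
        return [(e.api, e.kind, os.path.relpath(e.path, self.sandbox)) for e in self.events]

    def restore(self):
        """Inversion operation: replay the journal backwards, putting each pre-image back."""
        for e in reversed(self.events):
            if e.before is None:
                if os.path.exists(e.path):
                    _real_remove(e.path)
            else:
                with _real_open(e.path, "wb") as fh:
                    fh.write(e.before)


def _listing(root):
    """Map relative path -> bytes for every file under root (used to verify restoration)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with _real_open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = fh.read()
    return out


def analyze(sample, sandbox):
    """Run one sample under the hooks; return (report, True if the sandbox was fully restored)."""
    sandbox = os.path.abspath(sandbox)
    before = _listing(sandbox)
    mon = Monitor(sandbox)
    mon.install()
    try:
        sample(sandbox)
    finally:
        mon.uninstall()            # never leave hooks behind, even if the sample crashes
    report = mon.report()
    mon.restore()
    return report, _listing(sandbox) == before


def constructed_sample(root):
    """Constructed stand-in for a sample: drops a file, edits one, deletes one."""
    with open(os.path.join(root, "dropped.bin"), "wb") as fh:
        fh.write(b"constructed payload bytes")
    with open(os.path.join(root, "config.ini"), "a") as fh:
        fh.write("autorun=yes\n")
    os.remove(os.path.join(root, "victim.txt"))


def demo():
    """Build a throwaway sandbox with two files, analyze the constructed sample, clean up."""
    root = tempfile.mkdtemp(prefix="apihook_demo_")
    try:
        with _real_open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("[app]\nupdate=on\n")
        with _real_open(os.path.join(root, "victim.txt"), "w") as fh:
            fh.write("keep me\n")
        return analyze(constructed_sample, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for api, kind, path in demo()[0]:
        print(f"{api:<7}{kind:<8}{path}")
```

The pre-image is captured before the real call is forwarded, which is what makes the reverse replay exact: a file the sample created is removed, and a file it modified or deleted is rewritten from the captured bytes. Paths outside the sandbox are passed straight through, which keeps the journal free of the monitor's own housekeeping (the "garbage in the report" the abstract refers to).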


Abstract

The invention provides an automatic analysis method and system for malicious code based on API (application program interface) hooking. API hook technology and remote thread injection technology are used to monitor samples; the effects of the malicious code on the whole system during execution are recorded, and a dynamic analysis report is generated automatically. The effects of a malicious code sample on files, the network, the registry and key processes are recorded, and when the sample finishes running the system is restored to the state it was in before the sample was executed; the whole monitoring, recording and restoration process completes automatically without manual intervention. The monitoring software runs only one sample at a time; it monitors the sample's host process and the process threads created by that host process, and when monitoring finishes it restores the system to the state before the sample ran. Creation, deletion, modification and similar operations by the sample on files are detected, its operations on the network are detected, addition, deletion, modification and similar operations on the registry are detected, and its process-creation operations are detected. Finally, a dynamic monitoring report on the sample is submitted, and when monitoring is finished the monitoring software performs an inversion operation that restores the system to its pre-sample state according to the operations the sample performed and their effects on the operating system. This intelligent malicious-code analysis technology is suited to analyzing a large number of samples without manual intervention, is faster, and leaves less junk in the analysis report.

Description

Technical field

[0001] The present invention relates to malicious code.

Background technique

[0002] The present invention monitors samples by utilizing API hook technology and remote thread injection technology. The invention records the effects of the malicious code on the entire system while it runs, and automatically generates a dynamic analysis report recording the effects of the malicious code sample on files, the network, the registry and processes. After the sample has run, the system is restored to the state it was in before the sample was executed. It not only has an automatic analysis function (the whole process of monitoring, recording and restoration requires no manual intervention), but is also suitable for analyzing a large number of samples without manual intervention; the analysis speed is relatively fast, and the amount of useless information in the analysis report is relatively small.

[0003] At present, there are also some related patents, as follows: [000...

Claims


Application Information

Patent Type & Authority Applications(China)
IPC(8): G06F21/00; H04L12/26; G06F21/56
Inventor 周世杰秦志光余圣周佩颖陈陪陈晋福
Owner UNIV OF ELECTRONICS SCI & TECH OF CHINA