Malicious code confusion detection method and system, computer device, and medium

Abstract

The invention provides a malicious code confusion detection method, which comprises the following steps: obtaining a code to be detected; enabling the code to be detected to be subjected to a combination of any two of entrance point confusion detection, call instruction post-confusion data detection, subroutine return address modification detection, and conditional jump confusion detection. The invention generalizes the malicious code obfuscation detection method, obtains the common malicious code obfuscation actual situation, and according to the actual situation, formulates the concrete method aiming at various malicious code obfuscation situations, and carries on more comprehensive detection to the malicious code, thereby providing more comprehensive malicious code detection identification information. The invention provides a malicious code confusion detection system, a computer device and a medium, which also have the above-mentioned beneficial effects which are not repeated here.

Description

technical field [0001] The invention relates to the technical field of computer software, in particular to a malicious code confusion detection method, system, computer equipment and media. Background technique [0002] Code obfuscation is one of the main means for malicious code to hide itself. At present, there are mainly the following problems in the anti-detection and analysis technology of malicious code: the detection technology is relatively single, and it is difficult to accurately analyze the anti-detection ability of malicious code obfuscation. Traditional malicious code obfuscation and anti-detection analysis is mainly based on the dynamic running effect of malicious code or the actual debugging status. Such a test has many situations such as environment preparation and status analysis, which will lead to low detection efficiency and long detection time. Malicious code obfuscation and anti-detection capabilities are often not composed of a single technology. For e...

AI Technical Summary

Problems solved by technology

[0002] Code obfuscation is one of the main means for malicious code to hide itself. At present, there are mainly the following problems in the anti-detection and analysis technology of malicious code: the detection technology is relatively single, and it is difficult to accurately analyze the anti-detection ability of malicious code obfuscation

Traditional malicious code obfuscation and anti-detection analysis is mainly based on the dynamic running effect of malicious code or the actual debugging status. Such tests have many situations such as environment preparation and status analysis, which will lead to low detection efficiency and long detection time

Malicious code obfuscation and anti-detection capabilities are often not composed of a single technology. For example, its anti-virtual machine technology has multiple implementation methods, but there is no conflict between the implementation technologies. If the traditional status evaluation is used, the evaluation results are useful for the current environment. a lot of dependence

Traditional malicious code obfuscation detection technology only detects one of the functions, such as abnormal return, etc. Anti-malicious code obfuscation detection requires multiple evaluations and analysis, and it is unreasonable and incomplete to detect only one aspect

Images