A dynamic patching-based evasion malware detection method and system

By employing multi-level dynamic instrumentation and data stream tracing technology, this technology solves the problem of difficulty in identifying evasive malware in existing technologies, achieving efficient and accurate detection of evasive malware, and is suitable for large-scale sample analysis.

CN122365490APending Publication Date: 2026-07-10INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES
Filing Date
2026-04-07
Publication Date
2026-07-10

Smart Images

  • Figure CN122365490A_ABST
    Figure CN122365490A_ABST
Patent Text Reader

Abstract

The application discloses an evasive malicious software detection method and system based on dynamic plug-in. The method is as follows: deploying anti-anti-plug-in strategy, constructing trapping environment; inserting monitoring code in multiple levels of the trapping environment, establishing multi-level and fine-grained program behavior monitoring; for each target program in the trapping environment, after the probe instruction or function in the monitoring code is executed, the memory buffer area or register used for storing the probe result is dynamically identified and marked; the probe result is continuously monitored, when the probe result is tracked to be used for comparison instruction and affects the jump of subsequent conditional branch instruction, it is determined that the target program has a "probe-decision" logic chain; when the target program has one or more "probe-decision" logic chains, it is determined that the target program is evasive malicious software. The application can realize accurate, robust and automatic identification of evasive behavior.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of computer security technology and relates to a dynamic analysis and detection technology for malware, particularly a method and system for identifying and analyzing malware with anti-detection and anti-analysis evasion behaviors. Background Technology

[0002] The rapid development of information technology has led to the widespread adoption of computer applications, but it has also brought about continuously evolving cybersecurity threats, among which malware is a core element. Early malware had relatively straightforward functions and purposes, while modern advanced malware, especially samples with advanced persistent threat (APS) backgrounds, are designed not only with stealth and destructiveness in mind, but also integrate complex environmental awareness and evasion mechanisms to resist analysis by security personnel and capture by automated detection systems. How to effectively detect these evasive malware programs with "anti-analysis" capabilities has become a critical problem that urgently needs to be solved in the field of cybersecurity.

[0003] In the field of malware analysis, dynamic analysis is the mainstream technique for detecting unknown or obfuscated malware. The core vehicle for dynamic analysis is typically a sandbox, a controlled, isolated execution environment (such as a virtual machine) designed to securely run suspicious programs. A typical dynamic analysis process includes: executing a malicious sample within the sandbox; the monitoring system within the sandbox capturing system calls, API function calls, file read / write operations, registry accesses, and network communications during the sample's execution in real time; and finally, generating an analysis report based on the recorded behavior logs to determine whether the sample is malicious.

[0004] However, dynamic analysis technology needs to focus on a core security risk: the risk of the analysis environment being identified. Attackers (i.e., malware authors) have long used the characteristics of sandbox environments as attack vectors. Before executing its core malicious payload, malware will first perform a series of probing tests, the principle of which is to find the differences between the current running environment and the real physical host environment. These probing behaviors include: (1) Virtualization environment probing: checking for the existence of virtualization vendor-specific files, drivers, services, registry entries, MAC address prefixes or special processor instructions (such as the specific return value of the CPUID instruction); (2) Analysis tool probing: enumerating the system process list to find the existence of debuggers (such as OllyDbg, IDA Pro), packet capture tools (such as Wireshark) or sandbox monitoring tools; (3) Human interaction probing: detecting the existence of user activity signs such as mouse movement and window clicks, or exhausting the limited analysis time of the automated sandbox by executing extremely long delays (such as the sleep function).

[0005] Figure 1This demonstrates the basic working principle of evasive malware. The malware code contains one or more conditional branches. It first executes an environment probing strategy and compares the results with preset values. If the result indicates that the current environment is an analysis environment such as a sandbox, the control flow will switch to executing benign or harmless code paths; otherwise, if it is determined to be a real environment, the malicious code payload is executed. This "probe first, decide later" mechanism completely renders traditional sandbox-based dynamic analysis methods ineffective.

[0006] To address the above challenges, existing technologies have developed various detection schemes, but each has its limitations: (1) Virtual Machine Introspection (VMI) based scheme: This type of technology places the monitoring module in the hypervisor and monitors the virtual machine "unobtrusively" from the outside, which is highly concealed. However, its implementation is complex, and the analysis performance is severely limited by the hardware configuration, making it difficult to perform large-scale, high-efficiency sample analysis; (2) Bare-metal based scheme: This type of technology executes the sample on a real physical machine, providing the most difficult-to-disguise operating environment. However, its fatal flaw is that after each analysis, the physical environment is difficult to be quickly and cost-effectively reset to a clean state, resulting in extremely high analysis costs and the inability to automate. In addition, when the sample performs a large number of interfering operations, its false alarm and false negative rates will also increase significantly; (3) Traditional Dynamic Instrumentation (DBI) based scheme: This type of technology traces the execution flow of the target program by instrumenting it. However, existing methods often cannot support the analysis of large-scale samples and have poor scalability. More importantly, they often struggle to accurately track the data flow—from the return value of the environment probe API, to that value being stored in a dynamically allocated memory buffer, and then to the value in that buffer being used in a conditional jump instruction. Without connecting this causal chain of "probe-decision," it's impossible to accurately identify evasion behavior. Summary of the Invention

[0007] To address the problems faced by existing dynamic analysis technologies in detecting evasive malware, such as easy identification and bypass, inability to accurately trace the "probe-decision" causal chain, and susceptibility to anti-instrumentation techniques, the present invention aims to provide an evasive malware detection method and system based on multi-level dynamic instrumentation and data flow tracking, which can achieve accurate, robust, and automated identification of evasion behavior.

[0008] Based on the aforementioned research background, this invention discovers that regardless of how evasion strategies change, their core is inevitably to acquire environmental information through a series of operations and then transfer control flow based on that information. Simply blocking an API or hiding a file is no longer sufficient to deal with the ever-evolving evasion methods. The failure of most existing detection schemes stems from their inability to accurately capture the complete data and control flow from "information acquisition" to "decision execution."

[0009] Based on this discovery, this invention aims to provide a detection method capable of fine-grained, high-precision data flow tracking, starting from the fundamental mechanism of dynamic analysis. This invention proposes to employ the concept of deep dynamic instrumentation: 1) performing fine-grained instrumentation at multiple levels, including instructions, library functions, system calls, and memory, to comprehensively monitor program execution; 2) designing and implementing a data flow tracking mechanism that can dynamically identify memory buffers used to store probe results and continuously track the usage of data within these buffers; 3) focusing on monitoring conditional branch instructions that affect the program execution path, accurately identifying and confirming evasion behavior by analyzing whether their judgment conditions originate from the results of environmental probes; 4) integrating anti-dibling (Anti-DBI) strategies to ensure the robustness and stealth of the detection method itself, preventing it from being bypassed by malware.

[0010] The technical solution of this invention is as follows: A method for detecting evasive malware based on dynamic instrumentation, comprising the following steps: Deploy anti-anti-insertion strategies to create a trapping environment; Monitoring code is inserted at multiple levels of the trapping environment to establish multi-level, fine-grained monitoring of program behavior; For each target program in the trapping environment, after the probe instruction or function in the monitoring code is executed, the memory buffer or register used to store the probe result is dynamically identified and marked; the probe result is continuously monitored, and when the probe result is found to be used for a comparison instruction and affects the jump of subsequent conditional branch instructions, it is determined that the target program has a "probe-decision" logic chain. If the target program has one or more "probe-decision" logic chains, then the target program is determined to be evasive malware.

[0011] Preferably, the anti-anti-instrumentation strategy includes: return information masquerading strategy, execution time masquerading strategy, environment feature hiding strategy, exception handling masquerading and code injection hiding strategy.

[0012] Preferably, the return information spoofing strategy is to intercept the call to the set function and modify its return value to a value under normal conditions in order to deceive anti-debugging detection.

[0013] Preferably, the execution time spoofing strategy is to intercept timing functions and simulate the passage of time through algorithms to mask the performance overhead caused by instrumentation and counter time difference-based detection.

[0014] Preferably, the environmental feature hiding strategy involves modifying the feature markers left by the instrumentation tool to make them consistent with the non-analyzed environment.

[0015] Preferably, the exception handling camouflage and code injection hiding strategy is to simulate the exception handling process of a normal system and obfuscate or hide the injected instrumented code in order to bypass anti-DBI technology based on exception and code scanning.

[0016] Preferably, the hierarchy includes instructions, library functions, system calls, and memory; the monitoring code includes: 1) instruction-level instrumentation code, used to capture underlying hardware and environment detection behaviors; 2) library function-level instrumentation code, used to intercept and analyze upper-level functional calls; 3) system call-level instrumentation code and memory-level instrumentation code, used to monitor evasion behaviors that directly interact with the operating system kernel or set key process data.

[0017] An evasive malware detection system based on dynamic instrumentation, characterized in that it includes an anti-DBI module, a program instrumentation module, and a data stream tracing module; The anti-DBI module is used to deploy anti-anti-insertion strategies and construct a trapping environment; The program instrumentation module is used to insert monitoring code at multiple levels of the trapping environment to establish multi-level, fine-grained program behavior monitoring. The data stream tracking module is used to dynamically identify and mark the memory buffer or register used to store the probe result for each target program in the trapping environment after the probe instruction or function in the monitoring code is executed; continuously monitor the probe result, and when the probe result is found to be used for a comparison instruction and affects the jump of subsequent conditional branch instructions, it is determined that the target program has a "probe-decision" logic chain; when the target program has one or more "probe-decision" logic chains, it is determined that the target program is an evasion-type malicious software.

[0018] A server is characterized by comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program including instructions for performing the methods described above.

[0019] A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program implements the above-described method when executed by a processor.

[0020] The advantages of this invention are as follows: 1. This invention improves the comprehensiveness of detection through multi-level, fine-grained instrumentation monitoring. Traditional methods typically focus only on a single level of API calls, while this invention covers multiple dimensions from CPU instructions to memory operations, enabling the identification of more and more covert evasion techniques and significantly reducing the false negative rate.

[0021] 2. This invention achieves accurate identification of causal chains of escape logic through precise data flow tracing. Traditional methods cannot effectively correlate environmental probing with the resulting changes in program behavior, while this invention solves this core problem, accurately determining whether a conditional branch is triggered by an escape strategy, thereby fundamentally improving the accuracy of detection.

[0022] 3. This invention significantly enhances the robustness and stealth of the detection system by integrating multiple anti-DBI strategies. Faced with advanced malware possessing anti-analysis capabilities, this invention can effectively disguise itself, ensuring that the detection process is not interfered with or bypassed, and guaranteeing the reliability of the analysis results.

[0023] 4. This invention combines in-depth analysis with automated processes, achieving both high efficiency and scalability. The entire detection method is designed as an automated system capable of being deployed on virtualized clusters for large-scale sample analysis, solving the problems of high performance overhead in VMI solutions and difficulty in automating bare metal solutions.

[0024] This invention successfully establishes a complete causal chain from environmental probing to program decision-making by performing fine-grained instrumentation at multiple levels and combining precise data flow tracking with proactive anti-DBI countermeasures. This enables comprehensive, accurate, and robust identification and analysis of advanced malware evasion behaviors, providing an effective technical solution for the field of network security dynamic analysis. Attached Figure Description

[0025] Figure 1 A diagram illustrating the basic working principle of evasive malware.

[0026] Figure 2 This is a flowchart of the method of the present invention.

[0027] Figure 3 This is an architecture diagram of an evasive malware detection system based on "dynamic instrumentation".

[0028] Figure 4 This is a schematic diagram of instruction-level and library function instrumentation.

[0029] Figure 5 To evade the execution flowchart of behavioral data flow.

[0030] Figure 6 This is a schematic diagram of the anti-DBI strategy based on time difference detection.

[0031] Figure 7 This is a system diagram of the present invention. Detailed Implementation

[0032] The present invention will now be described in further detail with reference to the accompanying drawings. The examples given are only for explaining the present invention and are not intended to limit the scope of the present invention.

[0033] like Figure 2 As shown, an optional embodiment of the present invention provides a method for detecting evasive malware based on dynamic instrumentation, the steps of which include: Deploy anti-anti-insertion strategies to create a trapping environment; Monitoring code is inserted at multiple levels of the trapping environment to establish multi-level, fine-grained monitoring of program behavior; For each target program in the trapping environment, after the probe instruction or function in the monitoring code is executed, the memory buffer or register used to store the probe result is dynamically identified and marked; the probe result is continuously monitored, and when the probe result is found to be used for a comparison instruction and affects the jump of subsequent conditional branch instructions, it is determined that the target program has a "probe-decision" logic chain. If the target program has one or more "probe-decision" logic chains, then the target program is determined to be evasive malware.

[0034] An optional embodiment of the present invention discloses a method for detecting evasive malware based on dynamic instrumentation, the steps of which include: Step 1: Environmental camouflage and anti-interference, deploy anti-anti-instrumentation (Anti-DBI) strategy, actively modify environmental characteristics, build a highly concealed trapping environment, and ensure the robustness of detection. In order to prevent malware from changing its behavior by detecting the existence of the DBI framework, this method integrates a variety of anti-countermeasures. The purpose is to camouflage the analysis environment and ensure the concealment of the detection process. (1) Return information camouflage: intercept the call of the function used to retrieve the specified process (such as the NtQueryInformationProcess function) and modify its return value to the value under normal environment to deceive anti-debugging detection; (2) Execution time camouflage: such as Figure 6 As shown, intercept high-precision timers (such as QueryPerformanceCounter, timeGetTime, GetSystemTimes, timeGetSystemTime, QueryInterruptTime, etc.) and simulate time elapsed information through algorithms to cover up the performance overhead caused by instrumentation and resist detection based on time difference; (3) Environment feature hiding: modify the feature flag left in the PEB setting feature (such as NtGlobalFlag feature) due to the running of the instrumentation tool, so that it is no different from the non-analysis environment; (4) Exception handling disguise and code injection hiding: simulate the exception handling process of the normal system and obfuscate or hide the injected instrumentation code to bypass the anti-DBI technology based on exception and code scanning.

[0035] Malware often exploits system API functions to identify whether it is in a monitored environment, with the `NtQueryInformationProcess()` function being a common detection tactic. This function is a low-level native API function in the Windows operating system used to retrieve detailed information about a specified process. It belongs to the `ntdll.dll` library and is typically used internally by the system or by advanced developers when they need to access process information not exposed through the public Win32 API. When a program is being debugged, the function's return value is usually 0. Malware checks this return value to determine the presence of a debugger or similar detection tool, and then takes corresponding evasive actions. To counter this anti-DBI strategy, we modified the function's return value. Specifically, we set its return value to 1. When malware calls `NtQueryInformationProcess()`, the return value misleads it into believing that the current environment is not under debugging, thus bypassing the anti-DBI detection based on the function's return value. This allows `IdentifyEvasion` to perform more covert malware detection and analysis.

[0036] Intel PIN exhibits several typical characteristics during operation, with NtGlobalFlag being a crucial identifier. NtGlobalFlag is a variable within the Process Environment Block (PEB) structure. When Intel PIN runs a 32-bit program on a 64-bit operating system, it stores 0x70 in the 64-bit PEB structure's NtGlobalFlag. During debugging, the debugger also sets NtGlobalFlag to 0x70. Malware detects this value; upon finding it as 0x70, it determines the presence of a debugger and initiates an evasion strategy. To bypass this detection technique, we modified the NtGlobalFlag value in the 64-bit PEB structure within IdentifyEvasion. By setting this value to 0, malware cannot detect the characteristics of Intel PIN or the debugger when detecting NtGlobalFlag, effectively bypassing anti-DBI detection based on this value.

[0037] Step Two: Establish multi-level, fine-grained program behavior monitoring. Load the "target program to be monitored" into the Dynamic Binary Instrumentation (DBI) framework (Intel PIN), and insert monitoring code at multiple levels, including instructions, library functions, system calls, and memory, to capture potential evasion behaviors. For example... Figure 3As shown, this instrumentation process forms the basis for subsequent analysis, and its purpose is to comprehensively cover various environmental probing points that malware may utilize. (1) Instruction-level instrumentation: such as Figure 4 As shown, instrumentation is performed on 25 CPU instructions (such as CPUID, RDTSC, INT 3) used to probe virtual environments or debuggers to capture underlying hardware and environment detection behaviors; (2) Library function level instrumentation: such as Figure 4 As shown, instrumentation is performed on 68 Windows API functions commonly used for environment awareness (such as IsDebuggerPresent) to intercept and analyze upper-layer functional calls; (3) System call level instrumentation and memory level instrumentation: instrumentation is performed on 29 key system calls and specific memory operations (such as reading and writing the IsDebugged flag in the PEB structure) to monitor more covert evasion behaviors that directly interact with the operating system kernel or key process data. Among them, system call level instrumentation is used to obtain the evasion behavior of malware through system calls; this paper implements behavioral modeling and analysis of 29 system calls, whose functions cover memory management, debugging, system information query, thread and execution control, handle and object operations, time checking, thread context, etc. Memory level instrumentation is used to monitor and record the memory usage of malware programs in real time by inserting code into the memory access operations of malware programs; this invention implements a memory monitor that can track and record specific memory operations, such as the address and data of memory access. The memory monitor can monitor the modification of key data structures and detect abnormal memory access areas. By instrumenting and monitoring access to and modification operations on critical data structures such as PEB, malware attempting to modify debugging flags in these data structures (e.g., PEB→IsDebugged) is identified as evasion behavior. The research revealed that some evasion behaviors exhibit specific memory access patterns. By analyzing the frequency and sequence of memory access patterns, the potential evasion strategies employed by malware can be identified, such as interfering with detection tools through frequent memory read / write operations. Specific evasion strategies fall into two categories: direct memory manipulation (e.g., PEB→IsDebugged) and register access operations (e.g., Check_EIP).

[0038] Step 3: Track the "probe-decision" data flow to detect whether the "target program to be tested" exhibits evasion behavior. For example... Figure 5As shown, when the probe instruction or function in the monitoring code inserted in step two is executed, this method will: (1) identify and mark the result buffer: dynamically identify and mark the memory buffer or register used to store the probe result (such as API return value, register status); (2) trace data transfer: continuously monitor the probe result, and even if it is copied to other memory locations, still keep tracking its flow; (3) determine the condition branch: when it is found that the probe result is used for comparison instructions and thus affects the jump of subsequent condition branch instructions, it is determined that a complete "probe-decision" logic chain has been found. This process is the key to accurately locating evasion behavior by clearly tracking how the "target program to be detected" changes its execution flow according to the environmental probe result.

[0039] Step 4: Comprehensive Judgment. Based on the results of Steps 2 and 3, when one or more logical chains from environment probing to control flow transfer are confirmed in the "target program to be detected," the system determines that the malware has used an evasion strategy. It records the type of evasion behavior, the triggered instructions / functions, the complete data flow path, and generates corresponding logs, thus determining that this "target program to be detected" belongs to "evasion-type" malware.

[0040] In one optional embodiment, the steps of the method for detecting evasive malware based on "dynamic instrumentation" include: Step 1: Environment camouflage and anti-interference, deploy anti-anti-instrumentation (Anti-DBI) strategy, actively modify environmental features, build a highly concealed trapping environment, and ensure the robustness of detection. In order to prevent malware from changing its behavior by detecting the existence of DBI framework, this method integrates a variety of anti-countermeasures. The purpose is to camouflage the analysis environment and ensure the concealment of the detection process. (1) Return information camouflage: intercept the call of functions such as NtQueryInformationProcess and modify its return value to the value under normal environment to deceive anti-debugging detection; (2) Execution time camouflage: intercept timing functions such as QueryPerformanceCounter and simulate time flow information through algorithms to cover up the performance overhead brought by instrumentation and resist time difference-based detection; (3) Environment feature hiding: modify the feature flags left in places such as NtGlobalFlag of PEB due to the running of instrumentation tools to make them no different from non-analysis environment; (4) Anomaly handling camouflage and code injection hiding: simulate the anomaly handling process of normal system and obfuscate or hide the injected instrumentation code to bypass anti-DBI technology based on anomaly and code scanning.

[0041] Malware might identify whether it's being detected by detecting the difference between normal execution time and execution time under a DBI environment. Within the DBI framework, the need to insert additional instrumentation code to monitor program behavior inevitably introduces performance overhead, slowing down program execution. Malware can use high-precision timers (such as the QueryPerformanceCounter function in Windows) to record the execution time of code segments and then compare it with a pre-set normal execution time threshold. If a significantly longer execution time is detected, the presence of a DBI tool is suspected. To counter this anti-DBI strategy, we employ time masquerading techniques. Time-related system calls are intercepted and modified within the instrumentation code. For example, when malware calls the QueryPerformanceCounter() function, we use an algorithm to simulate normal time elapsed, making the time information obtained by the malware similar to that in a normal execution environment. This masks the performance overhead of the DBI tool, making it difficult for the malware to detect the detection behavior through time difference detection.

[0042] The principle of anti-DBI strategy based on time difference detection is as follows: Figure 6 As shown, the steps include: 1. Before and after executing a piece of core code, malware attempts to detect the presence of a DBI environment by measuring the execution time of the code, and calls a high-precision timer function (such as QueryPerformanceCounter()).

[0043] 2. When the "anti-escape detection" module running on the DBI framework captures a malicious software's call to QueryPerformanceCounter(), the system will directly intercept the call.

[0044] 3. While intercepting the call, the anti-escape detection module accesses the system's real time counter to obtain the actual time.

[0045] 4. The "Anti-Escape Detection" module calculates the acquired "actual time" against the known performance overhead (i.e., the time consumed by instrumentation code) introduced by the current DBI framework. Through algorithmic calculation of the spoofed time, the system "deducts" the additional latency caused by monitoring and instrumentation from the actual elapsed time, simulating the normal elapsed time of the program in a clean environment without DBI interference.

[0046] 5. Return the calculated "disguise time" to the malware.

[0047] 6. After receiving the disguise time, the malware determines that it is in an environment where DBI does not exist, and thus continues to execute subsequent core code without triggering the escape detection mechanism.

[0048] Step Two: Establish multi-level, fine-grained program behavior monitoring. Load the "target program to be monitored" into the Dynamic Binary Instrumentation (DBI) framework (Intel PIN), and insert monitoring code at multiple levels, including instructions, library functions, system calls, and memory, to capture potential evasion behaviors. For example... Figure 3 As shown, this instrumentation process forms the basis for subsequent analysis, and its purpose is to comprehensively cover various environmental probing points that malware may utilize. (1) Instruction-level instrumentation: such as Figure 4 As shown, instrumentation is performed on 25 CPU instructions (such as CPUID, RDTSC, INT 3) used to probe virtual environments or debuggers to capture underlying hardware and environment detection behaviors; (2) Library function level instrumentation: such as Figure 4 As shown, instrumentation is performed on 68 Windows API functions commonly used for environment awareness (such as IsDebuggerPresent) to intercept and analyze upper-level functional calls; (3) System call level instrumentation and memory level instrumentation: instrumentation is performed on 29 key system calls and specific memory operations (such as reading and writing the IsDebugged flag in the PEB structure) to monitor more covert evasion behaviors that directly interact with the operating system kernel or key process data.

[0049] Step 3: Track the "probe-decision" data flow to detect whether the "target program to be tested" has evasion behavior. When the probe instruction or function in Step 2 is executed, this method will: (1) identify and mark the result buffer: dynamically identify and mark the memory buffer or register used to store the probe results (such as API return values, register status); (2) track data transfer: continuously monitor the probe result, and even if it is copied to other memory locations, still keep tracking its flow. (3) determine the condition branch: when the probe result is tracked to be used for comparison instructions and thus affects the jump of subsequent condition branch instructions, it is determined that a complete "probe-decision" logic chain has been found. This process is the key to accurately locating evasion behavior by clearly tracking how the "target program to be tested" changes its execution flow according to the environmental probe results. Taking the inspection of the virtualization environment as an example, the execution of the evasion behavior data flow is as follows Figure 6 As shown, the malware uses copied string addresses for value comparison, and the execution result of the conditional branch instruction varies depending on the detection result. In this case, the exit routine, or malicious behavior, may be manipulated by the conditional branch, and the execution result may be completely opposite.

[0050] Step 4: Comprehensive Judgment. Based on the results of Steps 2 and 3, when one or more logical chains from environment probing to control flow transfer are confirmed in the "target program to be detected," the system determines that the malware has used an evasion strategy. It records the type of evasion behavior, the triggered instructions / functions, the complete data flow path, and generates corresponding logs, thus determining that this "target program to be detected" belongs to "evasion-type" malware.

[0051] like Figure 7 As shown, an optional embodiment of the present invention provides an evasive malware detection system based on dynamic instrumentation, characterized in that it includes an anti-DBI module, a program instrumentation module, and a data stream tracing module; The anti-DBI module is used to deploy anti-anti-insertion strategies and construct a trapping environment; The program instrumentation module is used to insert monitoring code at multiple levels of the trapping environment to establish multi-level, fine-grained program behavior monitoring. The data stream tracking module is used to dynamically identify and mark the memory buffer or register used to store the probe result for each target program in the trapping environment after the probe instruction or function in the monitoring code is executed; continuously monitor the probe result, and when the probe result is found to be used for a comparison instruction and affects the jump of subsequent conditional branch instructions, it is determined that the target program has a "probe-decision" logic chain; when the target program has one or more "probe-decision" logic chains, it is determined that the target program is an evasion-type malicious software.

[0052] An optional embodiment of the present invention provides a server, characterized in that it includes a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program including instructions for performing the method.

[0053] An optional embodiment of the present invention provides a computer-readable storage medium having a computer program stored thereon, characterized in that the computer program implements the method when executed by a processor.

[0054] Although specific embodiments of the invention have been disclosed for illustrative purposes to aid in understanding and implementing the invention, those skilled in the art will understand that various substitutions, variations, and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention should not be limited to the content disclosed in the preferred embodiments, and the scope of protection claimed by the invention is defined by the claims.

Claims

1. A method for detecting evasive malware based on dynamic instrumentation, comprising the following steps: Deploy anti-anti-instrumentation strategies to create a trapping environment; Monitoring code is inserted at multiple levels of the trapping environment to establish multi-level, fine-grained monitoring of program behavior; For each target program in the trapping environment, after the probe instruction or function in the monitoring code is executed, the memory buffer or register used to store the probe result is dynamically identified and marked; the probe result is continuously monitored, and when the probe result is found to be used for a comparison instruction and affects the jump of subsequent conditional branch instructions, it is determined that the target program has a "probe-decision" logic chain. If the target program has one or more "probe-decision" logic chains, then the target program is determined to be evasive malware.

2. The method according to claim 1, characterized in that, The anti-anti-instrumentation strategies include: return information masquerading strategy, execution time masquerading strategy, environment feature hiding strategy, exception handling masquerading and code injection hiding strategy.

3. The method according to claim 2, characterized in that, The returned information spoofing strategy involves intercepting the call to a set function and modifying its return value to a value under normal conditions to deceive anti-debugging detection.

4. The method according to claim 2, characterized in that, The execution time masquerading strategy involves intercepting timing functions and simulating the passage of time using algorithms to mask the performance overhead of instrumentation and counter time-difference-based detection.

5. The method according to claim 2, characterized in that, The environmental feature hiding strategy involves modifying the feature markers left by the instrumentation tool to make them consistent with the non-analyzed environment.

6. The method according to claim 2, characterized in that, The aforementioned exception handling camouflage and code injection hiding strategy simulates the exception handling process of a normal system and obfuscates or hides the injected instrumented code in order to bypass anti-DBI technology based on exception and code scanning.

7. The method according to claim 1, characterized in that, The hierarchy includes instructions, library functions, system calls, and memory; the monitoring code includes: 1) instruction-level instrumentation code, used to capture underlying hardware and environment detection behaviors; 2) library function-level instrumentation code, used to intercept and analyze upper-level functional calls; 3) system call-level instrumentation code and memory-level instrumentation code, used to monitor evasion behaviors that directly interact with the operating system kernel or set key process data.

8. A dynamic instrumentation-based evasive malware detection system, characterized in that, Includes anti-DBI modules, program instrumentation modules, and data stream tracing modules; The anti-DBI module is used to deploy anti-anti-insertion strategies and construct a trapping environment; The program instrumentation module is used to insert monitoring code at multiple levels of the trapping environment to establish multi-level, fine-grained program behavior monitoring. The data stream tracking module is used to dynamically identify and mark the memory buffer or register used to store the probe result for each target program in the trapping environment after the probe instruction or function in the monitoring code is executed; continuously monitor the probe result, and when the probe result is found to be used for a comparison instruction and affects the jump of subsequent conditional branch instructions, it is determined that the target program has a "probe-decision" logic chain; when the target program has one or more "probe-decision" logic chains, it is determined that the target program is an evasion-type malicious software.

9. A server, characterized in that, It includes a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program including instructions for performing the method of any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the method of any one of claims 1 to 7.