CN103440457B - Binary program analysis system based on process simulation - Google Patents
Publication number: CN103440457B (application CN201310426028.7A)
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
A binary program analysis system based on process simulation, in the field of electronic data monitoring technology, comprising: a simulator engine module, a memory management module, a process management module, a system call interface, a thread management module, a central processing module, and an analysis component interface that provides an application programming interface. The simulator engine module is connected to the memory management module, the process management module, the system call interface and the analysis component interface; the process management module is connected to the memory management module, the central processing module and the system call interface; and the thread management module is connected to the memory management module, the process management module and the central processing module. The invention does not depend on static reverse analysis of the program but uses a fully dynamic analysis method, which avoids the effects of most program protection techniques.
Description
Technical field
The invention relates to a system in the field of electronic data monitoring technology, specifically a binary program analysis system based on process simulation.
Background
In the field of computer security, reverse analysis of all kinds of software, and of malicious programs in particular, is the foundation of program security analysis. Because the relevant semantic information is missing, reverse analysis of binary programs is often very difficult and consumes a great deal of manpower and resources. To assist analysts with reverse analysis, automated program analysis methods and analysis platforms have therefore emerged.
To achieve automated program analysis, the instruction flow, control flow and data flow of the running program must be monitored at fine granularity, and processor, memory and related information about the running program must be obtained. At present, program runtime information is obtained mainly through process debugging, whole-system emulation and dynamic binary instrumentation. Each of these techniques has problems. Process debugging is implemented with the operating system's debugging API and is often helpless against the anti-debugging techniques commonly used by malicious programs. Whole-system emulation simulates the entire computer platform, and the large number of instructions unrelated to the analysis, such as the operating system kernel, consume most of the emulation time, so analysis efficiency is very low. Dynamic binary instrumentation changes the program's instruction flow and control flow, so protected programs, such as packed or obfuscated programs, often cannot be analysed at all. Current analysis approaches therefore frequently fail to meet the requirements for analysing today's increasingly complex programs.
A search of the prior art found Chinese patent document CN101814053, published 2010-08-25, which describes a binary code vulnerability discovery method based on a function model. First, a code function model is built on the basis of a static reverse analysis system and an initial test case set is constructed from it; second, a dynamic test and replay analysis system loads the test case set on a dynamic test platform according to a coverage control and path selection strategy, adjusts the test case set using dynamic path constraint optimisation, constraint solving and a generation-based path traversal algorithm, and performs fine-grained analysis of exceptions and vulnerability localisation based on replay analysis; third, both the static reverse analysis system and the dynamic test and replay analysis system store the program attributes obtained from their respective analyses in the function model, and use those attributes to guide their respective analysis and testing work.
Compared with the present invention, that technique has the following defects and shortcomings. First, it relies on static reverse analysis, and the widespread use of software protection techniques today often prevents analysts from performing effective static analysis, so extracting static analysis results from many current programs, and from malicious programs in particular, is difficult. Second, its analysis method can only detect abnormal program operation and analyse possible vulnerabilities; it cannot detect a program's potentially malicious attack behaviour, and with attack methods such as ROP (Return-Oriented Programming) appearing constantly, it cannot detect vulnerabilities in a program that could be exploited by such attacks. Third, with dynamic code execution now in widespread use, such as plugins, user scripting and just-in-time compilation, the technique cannot effectively analyse dynamically generated or loaded code, which further restricts its scope.
Summary of the invention
To address the shortcomings of the prior art described above, the present invention provides a binary program analysis system based on process simulation. It simulates the program's runtime environment at the lowest level, that is, at the level of the system hardware architecture and the operating system, without interfering with the program's normal execution, while monitoring its execution, including its data flow. The invention does not depend on static reverse analysis of the program but uses a fully dynamic analysis method, which avoids the effects of most program protection techniques. By extending the analysis system and defining custom attack behaviours, the invention can detect and intercept attack code before it is executed; and by introducing dynamic taint analysis and similar means, it can analyse and track the flow of sensitive data to prevent leakage of data and private information. Furthermore, because the invention does not depend on static analysis results, it can completely analyse dynamically generated code.
The invention is realised through the following technical solution. It comprises: a simulator engine module, a memory management module, a process management module, a system call interface, a thread management module, a central processing module, and an analysis component interface that provides an application programming interface. The simulator engine module is connected to the memory management module, the process management module, the system call interface and the analysis component interface, exchanging with them, respectively, running state information and run instructions, process management and thread scheduling information, system API call data, and debugging information and analysis component events; it controls and coordinates the modules and reduces the coupling between them. The process management module is connected to the central processing module, the memory management module and the system call interface, exchanging with them, respectively, processor scheduling and running state information, memory management data, and system call parameter conversion and encapsulation information. The thread management module is connected to the process management module, the memory management module and the central processing module, exchanging with them, respectively, thread running state and scheduling information, thread memory data accesses, and processor running state.
The simulator engine module provides unified coordination and control for all components and drives them to complete the loading, initialisation, execution and clean-up of the simulated process. It comprises a driver unit, an operating system hook unit and a debugging unit. The driver unit is connected to the memory management module and the process management module, receiving running state information and sending run instructions. The operating system hook unit is connected to the process management module; it receives the process management module's system API calls, passes them to the underlying operating system and returns the API call results. The debugging unit is connected to the system call interface and the analysis component interface for application debugging.
The memory management module comprises a virtual memory management unit, a heap management unit and a stack management unit. The virtual memory management unit transmits memory access data to the thread management module and is connected to the driver unit of the simulator engine module to transmit running state information. The heap management unit receives heap management instructions from the process management module and manages the heap memory of the process. The stack management unit receives thread running states from the thread management module and manages the stack memory of all threads.
The virtual memory management unit manages 4 GB of virtual memory using a paging scheme; it also simulates the virtual memory management behaviour of Windows, performing memory allocation, release and access permission control at the operating system level.
The heap management unit and the stack management unit respectively transmit heap management information for the process, stack memory management for each thread of the process, and global virtual memory page allocation and release.
Heap management information for the process includes: heap creation, destruction and memory allocation; heap memory permission settings; and heap capacity adjustment and reallocation.
The process management module comprises a thread scheduling management unit, a state driver unit and a system API encapsulation unit. The thread scheduling management unit is connected to the central processing module, receives scheduling information for all threads in the process, and performs thread scheduling, creation and destruction. The state driver unit is connected to the simulator engine module, receives its run instructions, drives the execution of the main thread and the other threads, and transmits running state information. The system API encapsulation unit is connected to the system call interface, receives system API calls from the thread management module, encapsulates the parameters and passes them to the simulator engine module for invocation.
The process management module drives the complete execution of the process; maintains all threads contained in the process and their scheduling; maintains system handles and allocates memory addresses within the process; and creates and maintains data structures such as the process PEB (Process Environment Block).
The thread management module comprises an environment information simulation unit, a thread driver unit and an execution unit. The environment information simulation unit is connected to the process management unit, receives the thread's runtime state information and builds a simulated runtime environment for the thread to use. The thread driver unit is connected to the process management unit, receives thread run instructions and transmits the thread running state. The execution unit is connected to the thread state unit of the central processing module, runs the processor instruction loop and terminates the thread when it finishes.
The simulated runtime environment built by the environment information simulation unit for a thread includes: the entry point, parameters, flags, stack address and size, and the TEB (Thread Environment Block).
The thread management module maintains the environment information of a single thread in the simulated process and drives the thread's execution from its entry point, checking the termination condition and ending the thread; it also loads and initialises other modules (DLLs) dynamically loaded by the thread.
The central processing module contains registers and a state unit, connected respectively to the process management module and the thread management module, which transmit processor scheduling information and thread running state and scheduling information respectively.
The processor scheduling information and thread running state and scheduling information transmitted include the processor flags (eflags) and running state information. The module provides interpretation functions for the x86, x87 FPU, MMX and SSE instruction sets, so that the complete processor functionality is simulated.
The central processing module has an exception manager for passing processor exception information and exception handling results; the exception manager constructs the exception's environment information and executes the exception handling function.
The analysis component interface provides the system's API, so that analysts can easily write analysis components to perform automated program analysis.
The simulator engine module is connected to a loader, a disassembly engine and a debugging interface, the latter connected to additional debugging components for application debugging. The loader parses the executable PE file of the process to be analysed and loads the parsed result into the memory management module through the simulator engine module; the disassembly engine disassembles a single x86 instruction, extracting the instruction's opcode, source operand, destination operand and other information; the debugging interface carries debugging information and allows debugging of both the application and the simulator itself.
The executable PE file of the process to be analysed: executable programs in Windows exist in the PE format, and the simulator loads and parses the PE file so that it can be executed under simulation.
The invention also relates to a process optimisation method based on the above system, comprising the following steps:
Step 1. Perform lightweight x86 instruction set simulation of the process to be analysed, that is, simulate the x86 instruction set and a virtual memory environment with a loss in program running efficiency of no more than two orders of magnitude.
Step 1 specifically includes:
1.1 Use a heuristic recursive disassembly algorithm to provide static disassembly information for each processor instruction.
The heuristic recursive disassembly algorithm comprises the following steps:
1.1.1 Apply the following steps to each instruction in the PE file.
1.1.2 Locate the entry point instruction E. If E is a valid instruction, disassemble it and proceed to step 1.1.3; otherwise skip the instruction and repeat step 1.1.2.
1.1.3 If the disassembled instruction E is a jump instruction, disassemble the jump target of E.
1.1.4 Append the length information of the instruction to E and return to step 1.1.2 to process the next instruction, until all instructions have been processed; then return the instruction set S obtained by disassembly.
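The following is an added illustration of steps 1.1.1 to 1.1.4, not code from the patent: a recursive-descent disassembler over a small hand-built subset of x86 encodings (push/pop, mov r32,imm32, nop, ret, call rel32, jmp rel8/rel32, jz/jnz rel8). The decoder table, the function names and the sample byte string are all constructed for this example. Only bytes reachable by fall-through or by a decoded branch target are disassembled, so the trailing data bytes in the sample stay out of the listing, and an undecodable byte is skipped one byte at a time as step 1.1.2 prescribes.

```python
"""Heuristic recursive-descent disassembly over a small x86 subset.

Added illustration of steps 1.1.1 to 1.1.4; not the patent's own code.
The opcode table, function names and sample bytes are constructed here.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# opcode byte -> (mnemonic, instruction length, kind)
#   "seq"          falls through to the next instruction
#   "jcc"          conditional jump, rel8 target, also falls through
#   "jmp8"/"jmp32" unconditional jump, no fall-through
#   "call"         call rel32, falls through after the callee returns
#   "end"          return, no fall-through
OPCODES = {
    0x90: ("nop", 1, "seq"),
    0xC3: ("ret", 1, "end"),
    0xEB: ("jmp", 2, "jmp8"),
    0xE9: ("jmp", 5, "jmp32"),
    0xE8: ("call", 5, "call"),
    0x74: ("jz", 2, "jcc"),
    0x75: ("jnz", 2, "jcc"),
}
for r, name in enumerate(REGS):
    OPCODES[0x50 + r] = (f"push {name}", 1, "seq")
    OPCODES[0x58 + r] = (f"pop {name}", 1, "seq")
    OPCODES[0xB8 + r] = (f"mov {name}", 5, "seq")   # mov r32, imm32


def decode(code, off):
    """Decode one instruction at `off`.

    Returns (mnemonic, length, branch_targets, falls_through), or None when
    the opcode is unknown to this subset or the encoding runs past the end
    of `code` (the "invalid instruction" case of step 1.1.2)."""
    op = code[off]
    if op not in OPCODES:
        return None
    mnem, length, kind = OPCODES[op]
    end = off + length
    if end > len(code):
        return None
    targets = []
    if kind in ("jcc", "jmp8"):
        rel = struct.unpack_from("<b", code, off + 1)[0]
        targets.append(end + rel)
        mnem = f"{mnem} 0x{end + rel:x}"
    elif kind in ("jmp32", "call"):
        rel = struct.unpack_from("<i", code, off + 1)[0]
        targets.append(end + rel)
        mnem = f"{mnem} 0x{end + rel:x}"
    elif 0xB8 <= op <= 0xBF:
        imm = struct.unpack_from("<I", code, off + 1)[0]
        mnem = f"{mnem}, 0x{imm:x}"
    falls_through = kind not in ("jmp8", "jmp32", "end")
    return mnem, length, targets, falls_through


def recursive_disassemble(code, entry):
    """Return S: {offset: (mnemonic, length)} for every instruction reachable
    from `entry` by fall-through or by a decoded branch target."""
    insns = {}
    worklist = [entry]
    while worklist:
        off = worklist.pop()
        # 1.1.2: walk forward from this address until a non-falling instruction
        while 0 <= off < len(code) and off not in insns:
            d = decode(code, off)
            if d is None:
                off += 1                      # invalid: skip one byte and retry
                continue
            mnem, length, targets, falls_through = d
            insns[off] = (mnem, length)       # 1.1.4: record the length with E
            for t in targets:                 # 1.1.3: queue branch targets
                if 0 <= t < len(code):        # targets outside the image are external
                    worklist.append(t)
            if not falls_through:
                break
            off += length
    return insns


def listing(insns):
    """Human-readable listing sorted by offset."""
    return [f"{off:04x}: {mnem:<16} ; {length} byte(s)"
            for off, (mnem, length) in sorted(insns.items())]


# Constructed sample: a tiny function followed by four data bytes that a
# linear sweep would misdecode but recursive descent never reaches.
SAMPLE = (b"\x55"                      # 0000 push ebp
          b"\xb8\x05\x00\x00\x00"      # 0001 mov eax, 5
          b"\x74\x02"                  # 0006 jz 0x0a
          b"\xeb\x03"                  # 0008 jmp 0x0d
          b"\x90"                      # 000a nop
          b"\x5d"                      # 000b pop ebp
          b"\xc3"                      # 000c ret
          b"\xe8\xf8\xff\xff\xff"      # 000d call 0x0a
          b"\xc3"                      # 0012 ret
          b"\xde\xad\xbe\xef")         # 0013 data, unreachable

if __name__ == "__main__":
    print("\n".join(listing(recursive_disassemble(SAMPLE, 0))))
```

Running the block prints nine instructions; offsets 0x13 to 0x16 are absent because no decoded control flow leads to them, which is exactly the property that makes recursive descent robust against data interleaved with code.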
1.2 Use the disassembly information to simulate the execution of each instruction, including the values of registers, memory data and flag bits.
1.3 Extract memory access data and register value change information for program analysis.
The memory access data includes: memory addresses and memory data, register values, flag change information and exception information.
Step 2. Simulate a number of operating system behaviours so that the process to be analysed runs in a controlled environment, specifically:
2.1 Process initialisation: load and initialise the simulated program, determine the memory layout of each section of each module in the process, and determine the entry point and termination conditions.
2.2 Memory management: use a paged memory management mechanism, including page-granular virtual memory allocation, release and access permission control.
2.3 Thread management: the thread management module maintains thread creation, destruction and scheduling in multi-threaded programs, so that they execute normally under the shared memory model.
2.4 Exception handling: provide the operating system's exception handling mechanism when a processor exception occurs, so that the program's exception handling routines can run in the simulated environment.
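As an added example (not the patent's code) of the page-granular memory management of step 2.2 and the virtual memory management unit described above, the following class keeps a 4 GB address space in 4 KiB pages with per-page read/write/execute bits. Accesses the page table does not allow raise an `AccessViolation`, which is the event the exception manager of step 2.4 would hand to the guest's own handler; `run_guarded` sketches that dispatch. The class and constant names, the 64 KiB unmapped low region and the sample allocations are this example's own choices.

```python
"""Page-granular virtual memory with Windows-style protection bits.

Added illustration of step 2.2 / the virtual memory management unit; not
the patent's own code.  Names and the sample layout are constructed here.
"""

PAGE_SIZE = 0x1000                        # 4 KiB pages, as on x86 Windows
ADDRESS_SPACE = 1 << 32                   # the 4 GB space from the description
LOWEST_USER_PAGE = 0x10000 // PAGE_SIZE   # keep the low 64 KiB unmapped (assumption)
PROT_NONE, PROT_READ, PROT_WRITE, PROT_EXEC = 0, 1, 2, 4


class AccessViolation(Exception):
    """Raised for every access the page table does not permit; the exception
    manager (step 2.4) would route this to the guest's handler."""
    def __init__(self, addr, access):
        super().__init__(f"{access} access violation at 0x{addr:08x}")
        self.addr, self.access = addr, access


class PagedMemory:
    def __init__(self):
        self.pages = {}   # page number -> bytearray(PAGE_SIZE)
        self.prot = {}    # page number -> PROT_* bits

    @staticmethod
    def _pages_of(addr, size):
        return range(addr // PAGE_SIZE, (addr + size - 1) // PAGE_SIZE + 1)

    def allocate(self, size, prot, base=None):
        """Map `size` bytes (rounded up to whole pages) with `prot`, at `base`
        if given, else at the lowest free run above 64 KiB. Returns the base."""
        if size <= 0:
            raise ValueError("size must be positive")
        npages = -(-size // PAGE_SIZE)
        first = base // PAGE_SIZE if base is not None else self._find_free(npages)
        span = range(first, first + npages)
        if any(p in self.pages for p in span):
            raise ValueError("range already mapped")
        for p in span:
            self.pages[p] = bytearray(PAGE_SIZE)   # fresh pages are zero-filled
            self.prot[p] = prot
        return first * PAGE_SIZE

    def _find_free(self, npages):
        p, last = LOWEST_USER_PAGE, ADDRESS_SPACE // PAGE_SIZE
        while p + npages <= last:
            if all(q not in self.pages for q in range(p, p + npages)):
                return p
            p += 1
        raise MemoryError("virtual address space exhausted")

    def free(self, base, size):
        for p in self._pages_of(base, size):
            self.pages.pop(p, None)
            self.prot.pop(p, None)

    def protect(self, base, size, prot):
        for p in self._pages_of(base, size):
            if p not in self.pages:
                raise AccessViolation(p * PAGE_SIZE, "protect")
            self.prot[p] = prot

    def _check(self, addr, size, bit, access):
        for p in self._pages_of(addr, size):
            if (self.prot.get(p, PROT_NONE) & bit) == 0:
                raise AccessViolation(max(addr, p * PAGE_SIZE), access)

    def _copy(self, addr, size):
        out = bytearray()
        for a in range(addr, addr + size):          # may straddle pages
            out.append(self.pages[a // PAGE_SIZE][a % PAGE_SIZE])
        return bytes(out)

    def read(self, addr, size):
        self._check(addr, size, PROT_READ, "read")
        return self._copy(addr, size)

    def fetch(self, addr, size):
        """Instruction fetch: requires execute permission on every page."""
        self._check(addr, size, PROT_EXEC, "execute")
        return self._copy(addr, size)

    def write(self, addr, data):
        self._check(addr, len(data), PROT_WRITE, "write")
        for i, b in enumerate(data):
            a = addr + i
            self.pages[a // PAGE_SIZE][a % PAGE_SIZE] = b


def run_guarded(action, handler):
    """Run `action`; on a fault, give `handler` (the guest's routine) a chance
    to handle it.  Returns (completed, fault) so the caller can see both."""
    try:
        action()
        return True, None
    except AccessViolation as fault:
        if handler(fault):
            return False, fault
        raise
```

The interesting cases are the ones a real loader and emulator hit constantly: a write that straddles two pages, a page downgraded to read-only after a section is loaded, and a fetch from a data page, which this model refuses in the same way DEP would.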
Step 3. Encapsulate the operating system API calls made by the process and hand them to the operating system for direct execution.
The operating system API is the application programming interface that the operating system provides to user processes, allowing user programs to use operating system functionality.
3.1 Intercept all API calls of the simulated process; core APIs are simulated directly by the simulator engine module, and other APIs are sent to the operating system for execution.
The core APIs include: memory management APIs, thread management APIs, debugging APIs, operating system parameter query APIs, and the like.
3.2 Perform parameter conversion for the API call, including mapping simulated memory addresses to real addresses.
3.3 After the operating system has executed the API, return to the simulator engine module to process the result.
Step 4. Provide an application programming interface for the dynamic runtime information produced during simulated execution; encapsulate the execution of each simulator component as events and expose them through an event-handling interface, so that analysis programs can use this information for program optimisation.
The dynamic runtime information includes: instruction flow, data flow and control flow.
The events include: instruction execution events, memory access events, operating system API call events and thread scheduling events.
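The event-handling interface of step 4, as an added example that is not part of the patent: the simulator publishes the four event kinds listed above onto a bus, and analysis components subscribe without the simulator knowing they exist. The first component is the sensitive-data-flow tracker the summary mentions, done at byte granularity through memory: bytes filled by a source API are marked, an instruction that reads marked bytes and then writes memory propagates the mark, a clean overwrite clears it, and a sink API called on marked bytes is reported. The second component counts instructions per thread. The event classes, bus, components and trace are all constructed here; `source_recv` and `sink_send` are placeholder API names, not real Windows functions.

```python
"""Event-based analysis interface (step 4) with two subscriber components.

Added illustration, not the patent's own code.  Event classes, the bus, the
components, the placeholder API names and the sample trace are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class InsnEvent:            # one instruction about to execute
    addr: int
    mnemonic: str


@dataclass(frozen=True)
class MemEvent:             # memory access performed by instruction `insn`
    insn: int
    addr: int
    size: int
    write: bool


@dataclass(frozen=True)
class ApiEvent:             # intercepted operating-system API call
    name: str
    args: tuple             # constructed convention: (buffer address, length)


@dataclass(frozen=True)
class ThreadEvent:
    tid: int
    action: str             # "start", "switch" or "exit"


class AnalysisBus:
    """Dispatches each event to every handler registered for its type."""
    def __init__(self):
        self._handlers = defaultdict(list)

    def on(self, event_type, handler):
        self._handlers[event_type].append(handler)

    def emit(self, event):
        for handler in self._handlers[type(event)]:
            handler(event)


class SensitiveFlowMonitor:
    """Byte-granular taint tracking through memory, driven only by events."""
    def __init__(self, bus, source_apis, sink_apis):
        self.source_apis, self.sink_apis = set(source_apis), set(sink_apis)
        self.tainted = set()         # addresses of sensitive bytes
        self.alerts = []             # (api name, buffer, length)
        self._read_tainted = False   # current instruction read sensitive data?
        bus.on(InsnEvent, self.on_insn)
        bus.on(MemEvent, self.on_mem)
        bus.on(ApiEvent, self.on_api)

    def on_insn(self, ev):
        self._read_tainted = False

    def on_mem(self, ev):
        span = range(ev.addr, ev.addr + ev.size)
        if not ev.write:
            self._read_tainted |= any(a in self.tainted for a in span)
        elif self._read_tainted:
            self.tainted.update(span)              # copy of sensitive data
        else:
            self.tainted.difference_update(span)   # overwritten with clean data

    def on_api(self, ev):
        buf, length = ev.args
        span = range(buf, buf + length)
        if ev.name in self.source_apis:
            self.tainted.update(span)
        elif ev.name in self.sink_apis and any(a in self.tainted for a in span):
            self.alerts.append((ev.name, buf, length))


class ThreadActivity:
    """Independent second component: instructions executed per thread."""
    def __init__(self, bus):
        self.current = None
        self.counts = defaultdict(int)
        bus.on(ThreadEvent, self.on_thread)
        bus.on(InsnEvent, self.on_insn)

    def on_thread(self, ev):
        self.current = None if ev.action == "exit" else ev.tid

    def on_insn(self, ev):
        self.counts[self.current] += 1


# Constructed trace: 16 bytes arrive from a placeholder source API, one dword
# is copied by movsd, sent out, then overwritten with a constant and sent again.
SAMPLE_TRACE = [
    ThreadEvent(1, "start"),
    ApiEvent("source_recv", (0x20000, 16)),
    InsnEvent(0x401000, "movsd"),
    MemEvent(0x401000, 0x20004, 4, False),
    MemEvent(0x401000, 0x30000, 4, True),
    ApiEvent("sink_send", (0x30000, 4)),        # sensitive bytes leave: alert
    InsnEvent(0x401002, "mov dword ptr [0x30000], 0"),
    MemEvent(0x401002, 0x30000, 4, True),       # clean overwrite clears taint
    ApiEvent("sink_send", (0x30000, 4)),        # nothing sensitive: no alert
    InsnEvent(0x40100c, "ret"),
]


def analyse(trace, source_apis=("source_recv",), sink_apis=("sink_send",)):
    bus = AnalysisBus()
    flow = SensitiveFlowMonitor(bus, source_apis, sink_apis)
    threads = ThreadActivity(bus)
    for ev in trace:
        bus.emit(ev)
    return {"alerts": flow.alerts,
            "tainted_bytes": len(flow.tainted),
            "insns_per_thread": dict(threads.counts)}


if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```

Because the simulator only emits events, the taint component can be replaced or extended (register-level propagation, a different notion of source and sink) without touching the instruction loop, which is the decoupling the analysis component interface is meant to give.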
Technical effects
1) Instruction-level simulated execution of the analysed program, using a lightweight x86 instruction set interpreter to provide fine-grained runtime information;
2) Content of the analysed process that is irrelevant to program analysis, such as the execution of system calls, is wrapped or simulated and handed to the underlying operating system for execution, preserving analysis efficiency;
3) Several operating system behaviours, such as memory management, thread management and exception handling, are simulated so that the analysed program runs in a controlled environment;
4) A good interface is provided for automated program analysis, so that simulated execution and analysis of the program proceed simultaneously and efficiently.
Compared with existing analysis approaches, the invention is almost unaffected by anti-debugging techniques and does not modify the original instructions and data of the process to be analysed; its running efficiency is one to two orders of magnitude higher than whole-system emulation, and its stability and compatibility are greatly improved over binary instrumentation. On the basis of this analysis system, many kinds of automated analysis can be carried out efficiently, including algorithm and protocol analysis, vulnerability discovery and detection, program performance analysis, memory debugging, program behaviour analysis and malicious program detection, providing reliable support for program security analysis.
Brief description of the drawings
Fig. 1 is a structural diagram of the system of the invention;
Fig. 2 is a schematic structural diagram of the process management module;
Fig. 3 is a schematic structural diagram of the thread management module;
Fig. 4 is the operating flowchart of the invention.
Detailed description
Embodiments of the invention are described in detail below. The embodiment is implemented on the basis of the technical solution of the invention and gives a detailed implementation and specific operating procedure, but the scope of protection of the invention is not limited to the embodiment below.
Embodiment 1
The commonly used multi-threaded network communication program curl.exe (http://curl.haxx.se) is taken as an example to illustrate the implementation.
As shown in Figure 1, the system comprises: a simulator engine module, a memory management module, a process management module, a system call interface, a thread management module, a central processing module, and an analysis component interface that provides an application programming interface. The simulator engine module is connected to the memory management module, the process management module, the system call interface and the analysis component interface, exchanging with them, respectively, memory access data, thread scheduling and processor access data, system call parameters and their encapsulation, and simulator events and environment information; it controls and coordinates the modules and reduces the coupling between them. The process management module is connected to the memory management module, the central processing module and the system call interface, exchanging with them, respectively, memory management data such as memory allocation and release, processor scheduling information, and system call parameter conversion and encapsulation information. The thread management module is connected to the memory management module, the process management module and the central processing module, exchanging with them, respectively, the distribution of thread data in memory, thread running state and scheduling information, and processor running state.
The simulator engine module includes a common system interface that provides unified coordination and control for all components and drives them to complete the loading, initialisation, execution and clean-up of the simulated process.
The memory management module is connected to the heap and the stack, transmitting heap management information for the process, such as heap creation, destruction and memory allocation, and stack memory management for each thread of the process. It includes a virtual memory management unit that manages 4 GB of virtual memory using a paging scheme and simulates the virtual memory management behaviour of Windows, performing memory allocation, release and access permission control at the operating system level.
Memory management module: simulates the paged memory management mechanism of Windows, handling memory allocation, release and permission management for the process to be analysed; provides the underlying simulated implementation for the system's memory management APIs; and maintains the heap and stack of the process to be analysed.
The process management module: drives the complete execution of the process; maintains all threads contained in the process and their scheduling; maintains system handles and allocates memory addresses within the process; and creates and maintains data structures such as the process PEB (Process Environment Block).
Process management module: maintains the context information of the process to be analysed and manages all of its threads.
The thread management module: maintains the environment information of a single thread in the simulated process, such as the entry point, parameters, flags, stack address and size, and TEB, and drives the thread's execution from the entry point, checking the termination condition and ending the thread; it also loads and initialises other modules (DLLs) dynamically loaded by the thread.
所述的中央处理模块包括:为完整的中央处理模块提供模拟环境、包括寄存器、处理器标志位(eflags)、运行状态信息等;并对x86指令集、x87FPU指令集、MMX指令集和SSE指令集提供了解释模拟函数,从而实现完整处理器功能的模拟;以及子模块异常管理器;其中异常管理器与处理器模块连接,传递处理器异常信息及异常处理结果;The central processing module includes: providing a simulation environment for the complete central processing module, including registers, processor flags (eflags), operating status information, etc.; and x86 instruction set, x87FPU instruction set, MMX instruction set and SSE instruction The set provides an explanation of the simulation function, so as to realize the simulation of the complete processor function; and the exception manager of the sub-module; where the exception manager is connected with the processor module, and transmits the processor exception information and exception handling results;
线程管理模块和中央处理模块:为每个线程维护独立的中央处理模块环境,包括寄存器、处理器标志位及寄存器其它运行时数据,中央处理模块对待分析进程的各条指令进行模拟解释执行;Thread management module and central processing module: maintain an independent central processing module environment for each thread, including registers, processor flags and other runtime data of registers, and the central processing module simulates, interprets and executes each instruction of the process to be analyzed;
系统调用接口:接管待分析进程中的API调用,对核心API,如内存相关,采用模拟执行,其他API则交由操作系统直接运行,保证运行效率;System call interface: take over the API calls in the process to be analyzed, and use simulation execution for core APIs, such as memory-related, while other APIs are handed over to the operating system to run directly to ensure operating efficiency;
分析组件接口为系统提供API接口,使得分析人员能够很容易地编写分析组件,完成自动化程序分析;The analysis component interface provides an API interface for the system, enabling analysts to easily write analysis components and complete automated program analysis;
所述的模拟器引擎模块分别连接加载器、反汇编引擎和与附加的调试组件相连、用于进行应用程序调试的调试接口,其中:加载器解析待分析进程的可执行PE文件并将解析结果通过模拟器引擎模块加载至内存管理模块,反汇编引擎对单条x86指令进行反汇编,解析出指令的操作码、源操作数、目的操作数等信息;调试接口用于传递调试信息,可进行应用程序及模拟器自身的调试;The emulator engine module is respectively connected to a loader, a disassembly engine, and an additional debugging component to be connected to a debugging interface for debugging an application program, wherein: the loader parses the executable PE file of the process to be analyzed and parses the result Load the simulator engine module to the memory management module, and the disassembly engine disassembles a single x86 instruction, and parses out information such as the instruction's opcode, source operand, and destination operand; the debugging interface is used to transmit debugging information and can be used for applications Debugging of the program and the simulator itself;
所述的待分析进程的可执行PE文件是指:Windows中的可执行程序以PE格式存在,模拟器加载并解析PE文件使其能够被模拟执行;The executable PE file of the process to be analyzed refers to: the executable program in Windows exists in PE format, and the emulator loads and parses the PE file so that it can be simulated and executed;
Example 2
As shown in Figure 2, at run time the system goes through loading, initialization, execution and analysis, and termination.
Step 1: load the PE file of the process under analysis and the dynamic link libraries it depends on, and establish a complete Windows x86 virtual runtime environment.
The runtime environment includes a linear memory address space, a processor environment and the related operating system functions.
Step 2: execute the process under analysis by instruction simulation, using a lightweight x86 instruction set simulator to provide fine-grained runtime information, and perform the subsequent analysis. The specific steps are:
2.1 Use a heuristic recursive disassembly algorithm to attempt to disassemble all instructions;
2.2 Construct the processor simulation environment and use the disassembly information to simulate the execution flow of each instruction precisely;
2.3 Extract memory access data, register values and other information for program analysis;
The lightweight x86 instruction set simulator refers to a high-performance, low-overhead x86 instruction set simulator that can execute the x86 instruction set by simulation without significantly affecting the normal execution of the program;
The fine-grained division specifically means: down to the finest granularity visible to the operating system, namely the level of instructions and registers, rather than the basic block or function level commonly used by schemes such as dynamic binary instrumentation;
The runtime information specifically refers to memory access information such as memory addresses and memory data, register values, flag change information and any exception information that may be produced;
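Step 2.1 relies on recursive disassembly, which follows control flow from the entry point rather than decoding bytes front to back. The following block is an added example and not code from the patent; the instruction encoding is a constructed toy set (not x86, which needs a real decoder), chosen so that the difference between recursive descent and a linear sweep is visible on a few bytes. The opcode table, the sample bytes and the function names are assumptions made for this illustration.

```python
"""Recursive-descent disassembly over a constructed toy instruction set.

Added example, not code from the patent. The encoding below is invented for
illustration and is not x86; what it demonstrates is the traversal of step
2.1: start from the entry point, decode one instruction, and follow every
successor (fall-through, jump and call targets) instead of decoding bytes
linearly. A linear sweep misreads the data bytes embedded after an
unconditional jump as code.
"""
from collections import deque

# Constructed encoding: opcode -> (mnemonic, length in bytes, control-flow kind)
OPCODES = {
    0x00: ("nop", 1, "next"),
    0x01: ("jmp", 2, "jump"),     # jmp rel8: only the target is a successor
    0x02: ("jcc", 2, "branch"),   # conditional jump rel8: target and fall-through
    0x03: ("ret", 1, "stop"),     # no successors
    0x04: ("call", 2, "call"),    # call rel8: target and fall-through
}


def rel8(b):
    """Interpret a byte as a signed 8-bit displacement."""
    return b - 256 if b >= 128 else b


def decode(code, addr):
    """Decode one instruction at addr, returning (mnemonic, length, successors),
    or None when addr is out of range or the opcode is unknown."""
    if addr < 0 or addr >= len(code) or code[addr] not in OPCODES:
        return None
    mnem, length, kind = OPCODES[code[addr]]
    if addr + length > len(code):
        return None
    nxt = addr + length
    if kind == "next":
        succ = [nxt]
    elif kind == "stop":
        succ = []
    else:
        target = nxt + rel8(code[addr + 1])
        succ = [target] if kind == "jump" else [target, nxt]
    return mnem, length, succ


def recursive_disassemble(code, entry):
    """Worklist recursive descent: return {addr: mnemonic} for every
    instruction reachable from entry; a path is abandoned at undecodable bytes."""
    seen = {}
    work = deque([entry])
    while work:
        addr = work.popleft()
        if addr in seen:
            continue
        ins = decode(code, addr)
        if ins is None:
            continue
        mnem, _, succ = ins
        seen[addr] = mnem
        work.extend(succ)
    return seen


def linear_sweep(code):
    """Decode front to back, for comparison; unknown bytes become 'db'."""
    addr, out = 0, {}
    while addr < len(code):
        ins = decode(code, addr)
        if ins is None:
            out[addr] = "db"
            addr += 1
        else:
            out[addr] = ins[0]
            addr += ins[1]
    return out


# Constructed sample: nop; jmp +3; <3 data bytes>; jcc +2; call +1; ret; nop; ret
SAMPLE = bytes([0x00, 0x01, 0x03, 0xFF, 0x02, 0x04,
                0x02, 0x02, 0x04, 0x01, 0x03, 0x00, 0x03])

if __name__ == "__main__":
    print(recursive_disassemble(SAMPLE, 0))   # data at 3..5 is never decoded
    print(linear_sweep(SAMPLE))               # a phantom 'jcc' is decoded at 4
```

The recursive traversal never visits offsets 3 to 5, because the only path into that region is the `jmp` that skips over it; the linear sweep decodes byte 4 as a `jcc` that the program can never execute. On real x86 code the same traversal needs heuristics for indirect jumps and jump tables, which is why the patent calls the algorithm heuristic.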
Step 3: simulate several operating system behaviours so that the process under analysis runs in a controlled environment. The specific steps are:
3.1 Load the program body of curl.exe and the system modules (DLLs) it depends on, use address space layout randomization (ASLR) to assign the base address of each component and determine the memory layout; at the same time determine the program entry point and the termination condition;
3.2 Manage the process's virtual address space with paging, using a page size of 4 KB; maintain for each page its state (free, reserved or committed) and its access permissions (readable, writable, executable); the virtual memory management unit centrally manages the allocation and reclamation of memory pages;
3.3 The thread management module manages all threads in the process, including the main thread created at program initialization and the threads created and destroyed during execution;
3.4 The exception handler takes over the operating system's exception handling mechanism when the processor raises an exception and runs the program's exception handling routines inside the simulator environment;
The operating system behaviours specifically refer to process initialization, memory management, thread management, exception handling, and so on;
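Step 3.2 describes the page-level bookkeeping the virtual memory management unit has to keep. The block below is an added example, not the patent's code: a paged manager with the three page states and three permission bits from the text, operations in the spirit of VirtualAlloc, VirtualProtect and VirtualFree, and an access check that raises an exception the emulator's exception manager (step 3.4) would route to the program's handler. The sparse page-table representation, the `AccessViolation` class, the `walkthrough()` helper and the addresses it uses are assumptions for this illustration.

```python
"""Paged virtual memory manager for an emulated Windows x86 address space.

Added example, not the patent's code. It models step 3.2: 4 KB pages, a
per-page state (free, reserved or committed) and per-page permissions
(read, write, execute), with reserve / commit / protect / release
operations and an access check that raises AccessViolation. The sparse
page table and the helper names are assumptions for this illustration.
"""
PAGE_SIZE = 0x1000
ADDRESS_SPACE = 1 << 32          # 4 GB linear space; the page table is kept sparse

FREE, RESERVED, COMMITTED = "free", "reserved", "committed"
R, W, X = 1, 2, 4                # permission bits


class AccessViolation(Exception):
    """Access not permitted by the page state or permissions."""


class VirtualMemoryManager:
    def __init__(self):
        self.pages = {}   # page number -> [state, perms]; absent means FREE
        self.data = {}    # page number -> bytearray backing a committed page

    @staticmethod
    def _pages(addr, size):
        return range(addr // PAGE_SIZE, (addr + size - 1) // PAGE_SIZE + 1)

    def _entry(self, page):
        return self.pages.get(page, [FREE, 0])

    def state(self, addr):
        return self._entry(addr // PAGE_SIZE)[0]

    def reserve(self, addr, size):
        """Reserve a page-aligned range; fails if any page is already in use."""
        if addr % PAGE_SIZE or size <= 0 or addr + size > ADDRESS_SPACE:
            return False
        pgs = list(self._pages(addr, size))
        if any(p in self.pages for p in pgs):
            return False
        for p in pgs:
            self.pages[p] = [RESERVED, 0]
        return True

    def commit(self, addr, size, perms):
        """Commit reserved (or already committed) pages, zero-filled, with perms."""
        pgs = list(self._pages(addr, size))
        if any(self._entry(p)[0] == FREE for p in pgs):
            return False
        for p in pgs:
            self.pages[p] = [COMMITTED, perms]
            self.data.setdefault(p, bytearray(PAGE_SIZE))
        return True

    def protect(self, addr, size, perms):
        """Change the permissions of committed pages only."""
        pgs = list(self._pages(addr, size))
        if any(self._entry(p)[0] != COMMITTED for p in pgs):
            return False
        for p in pgs:
            self.pages[p][1] = perms
        return True

    def release(self, addr, size):
        """Return pages to the FREE state and drop their backing storage."""
        for p in self._pages(addr, size):
            self.pages.pop(p, None)
            self.data.pop(p, None)

    def _check(self, addr, size, need):
        for p in self._pages(addr, size):
            st, perms = self._entry(p)
            if st != COMMITTED or perms & need != need:
                raise AccessViolation(
                    f"need {need:#x} at {addr:#010x}: page {p:#x} is {st}, perms {perms:#x}")

    def _copy_out(self, addr, size):
        return bytes(self.data[(addr + i) // PAGE_SIZE][(addr + i) % PAGE_SIZE]
                     for i in range(size))

    def read(self, addr, size):
        self._check(addr, size, R)
        return self._copy_out(addr, size)

    def fetch(self, addr, size):
        """Instruction fetch: checked against the execute bit, not the read bit."""
        self._check(addr, size, X)
        return self._copy_out(addr, size)

    def write(self, addr, buf):
        self._check(addr, len(buf), W)
        for i, b in enumerate(buf):
            self.data[(addr + i) // PAGE_SIZE][(addr + i) % PAGE_SIZE] = b


def walkthrough(base=0x00400000):
    """Reserve three pages, commit one read/write, write two bytes of code,
    then show the two faults (reserved page, non-executable page) and the
    successful fetch after the page is flipped to read/execute."""
    vmm = VirtualMemoryManager()
    vmm.reserve(base, 3 * PAGE_SIZE)
    vmm.commit(base, PAGE_SIZE, R | W)
    vmm.write(base + 0x10, b"\x90\xc3")          # nop; ret
    faults = []
    for action in (lambda: vmm.write(base + PAGE_SIZE, b"\x00"),   # reserved, not committed
                   lambda: vmm.fetch(base + 0x10, 2)):              # RW page, no execute bit
        try:
            action()
        except AccessViolation as exc:
            faults.append(str(exc))
    vmm.protect(base, PAGE_SIZE, R | X)
    return vmm, faults, vmm.fetch(base + 0x10, 2)
```

Keeping the page table sparse is what makes a 4 GB space cheap to model: only pages the process has reserved carry an entry, and only committed pages carry storage. The separate execute bit on `fetch()` is the detail that lets an emulator report the same fault a real processor would raise when the program jumps into a data page.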
Step 4: wrap all operating system APIs used by the process and pass some of them to the operating system for direct execution. The specific steps are:
4.1 Intercept all API calls made by the simulated process; core APIs (such as the memory allocation API VirtualAlloc()) are simulated directly by the simulator, while other APIs (such as the network API socket()) are forwarded to the operating system for execution;
4.2 Perform parameter conversion at the API call: map pointer-type parameters between simulated memory addresses and real addresses, and deep-copy complex structures and newly allocated heap data into the simulated memory space;
4.3 After the API has executed, return control to the simulator, clean up the stack and parse the API's return value;
The operating system API refers to the application programming interface that the operating system provides to user processes so that user programs can make use of operating system functions.
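Steps 4.1 to 4.3 together form one procedure: intercept the call, decide whether to simulate or forward it, convert pointer arguments between the simulated and the host address space, copy results back, clean the stack and expose the return value. The block below is an added example and not the patent's code. It keeps the simulated memory as one flat buffer at a constructed base address, serves VirtualAlloc from the emulator itself, and forwards `send`/`recv` to host stand-ins that only record or produce bytes, so nothing touches a real socket. The API table, the argument descriptors, the addresses and the stand-in functions are assumptions for this illustration; `MEM_COMMIT` (0x1000) and `PAGE_READWRITE` (0x04) are the real Win32 constant values.

```python
"""Intercepting Win32 API calls from an emulated process and marshalling
their arguments between emulated and host memory (steps 4.1 to 4.3).

Added example, not the patent's code. The emulated region is a flat
bytearray at a constructed base; VirtualAlloc is a core API served by the
emulator, while send/recv are forwarded to host stand-ins that never open a
socket. Descriptors, addresses and names are assumptions for illustration.
"""
import struct

EMU_BASE = 0x00400000             # constructed base of the emulated region
EMU_SIZE = 0x20000
STACK_TOP = EMU_BASE + EMU_SIZE   # emulated stack grows down from the region end
PAGE = 0x1000

# name -> (mode, handler, argument kinds). Kinds: "int", or ("in"|"out", i)
# for a pointer whose byte length is argument i. Core APIs run in simulate
# mode and receive emulated addresses untouched; forwarded APIs get host copies.
API_TABLE = {
    "VirtualAlloc": ("simulate", "api_VirtualAlloc", ["int", "int", "int", "int"]),
    "send":         ("forward",  "host_send",        ["int", ("in", 2), "int", "int"]),
    "recv":         ("forward",  "host_recv",        ["int", ("out", 2), "int", "int"]),
}


class EmulatedProcess:
    def __init__(self):
        self.mem = bytearray(EMU_SIZE)
        self.esp = STACK_TOP
        self.eax = 0
        self.heap_next = EMU_BASE + 0x10000     # bump allocator for simulated VirtualAlloc
        self.host_sent = []                     # bytes the host 'send' stand-in received
        self.host_inbox = [b"HTTP/1.1 200 OK\r\n"]   # constructed data for 'recv'

    # emulated address <-> offset into the host-side buffer
    def _off(self, addr, size):
        off = addr - EMU_BASE
        if off < 0 or off + size > EMU_SIZE:
            raise MemoryError(f"emulated address {addr:#010x} not mapped")
        return off

    def read(self, addr, size):
        o = self._off(addr, size)
        return bytes(self.mem[o:o + size])

    def write(self, addr, data):
        o = self._off(addr, len(data))
        self.mem[o:o + len(data)] = data

    def push(self, value):
        self.esp -= 4
        self.write(self.esp, struct.pack("<I", value))

    # core API: simulated inside the emulator, pages come from the emulated heap
    def api_VirtualAlloc(self, addr, size, alloc_type, protect):
        size = (size + PAGE - 1) & ~(PAGE - 1)
        base, self.heap_next = self.heap_next, self.heap_next + size
        return base

    # host stand-ins (no real sockets): they see host bytes, never emulated addresses
    def host_send(self, sock, buf, length, flags):
        self.host_sent.append(buf)
        return len(buf)

    def host_recv(self, sock, buf, length, flags):
        data = (self.host_inbox.pop(0) if self.host_inbox else b"")[:length]
        buf[:len(data)] = data
        return len(data)

    def call_api(self, name):
        """Intercept a stdcall API: read its arguments from the emulated stack,
        convert pointers (4.2), run it (4.1), copy out-buffers back, clean the
        stack and publish the return value in EAX (4.3)."""
        mode, handler, kinds = API_TABLE[name]
        raw = struct.unpack("<%dI" % len(kinds), self.read(self.esp, 4 * len(kinds)))
        host_args, outs = [], []
        for kind, val in zip(kinds, raw):
            if kind == "int" or mode == "simulate":
                host_args.append(val)
                continue
            direction, len_idx = kind
            size = raw[len_idx]
            if direction == "in":
                host_args.append(self.read(val, size))     # copy emulated -> host
            else:
                buf = bytearray(size)                       # host scratch buffer
                host_args.append(buf)
                outs.append((val, buf))
        result = getattr(self, handler)(*host_args)
        for emu_addr, buf in outs:
            self.write(emu_addr, bytes(buf))                # copy host -> emulated
        self.esp += 4 * len(kinds)                          # stdcall: callee cleans the stack
        self.eax = result & 0xFFFFFFFF
        return self.eax


def run_session():
    """Constructed call sequence: VirtualAlloc a buffer, send a request from it,
    recv a reply into it. Returns what an analysis component could observe."""
    proc = EmulatedProcess()
    for v in reversed([0, 64, 0x1000, 0x04]):        # NULL, 64, MEM_COMMIT, PAGE_READWRITE
        proc.push(v)
    buf = proc.call_api("VirtualAlloc")
    payload = b"GET / HTTP/1.1\r\n"
    proc.write(buf, payload)
    for v in reversed([3, buf, len(payload), 0]):    # socket 3, buf, len, flags
        proc.push(v)
    sent = proc.call_api("send")
    for v in reversed([3, buf, 64, 0]):
        proc.push(v)
    got = proc.call_api("recv")
    return buf, sent, got, proc.read(buf, got), proc.host_sent, proc.esp
```

The pointer conversion is the part that goes wrong most easily in a real implementation: an "in" pointer becomes a host copy of exactly the number of bytes the size argument names, an "out" pointer becomes a host scratch buffer that is copied back after the call, and a core API such as VirtualAlloc must keep working on emulated addresses because the memory it hands out belongs to the simulated process, not to the host.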
Step 5: provide an application programming interface for the dynamic runtime information produced during simulated execution, such as the instruction stream, data flow and control flow, so that analysis programs can use this information for program analysis. Specifically, the simulator's execution is encapsulated as events and the interface is provided in the form of event handling; the main event kinds are instruction execution events, memory access events, operating system API call events and thread scheduling events. For the execution of curl.exe, all instruction execution events can be obtained, including parameters such as register and flag changes; events such as network API calls can be obtained and network data parsed from them; and the program's runtime environment can be reconstructed to describe program behaviour.
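The event interface of step 5 decouples analysis components from the simulator internals: the run loop publishes events, and a component subscribes to the kinds it cares about. The block below is an added example, not the patent's code. Its simulator core is a deliberately tiny constructed register machine (not an x86 model) whose run loop emits the four event kinds the text names, and the analysis component shows the two uses the text describes: reassembling network data from a send() call event and tracking register and flag changes from instruction events. The event names, the machine, the sample program and the analyzer are assumptions for this illustration.

```python
"""Event-driven analysis interface over a simulated execution (step 5).

Added example, not the patent's code. TinyMachine is a constructed
register machine, not x86; its run loop publishes instruction, memory
access, API call and thread switch events, and TraceAnalyzer consumes them
without touching machine internals. Names and the program are assumptions.
"""
import struct
from collections import defaultdict


class EventBus:
    """Minimal publish/subscribe hub: the analysis API of the simulator."""
    def __init__(self):
        self.handlers = defaultdict(list)

    def on(self, kind, fn):
        self.handlers[kind].append(fn)

    def emit(self, kind, **payload):
        for fn in self.handlers[kind]:
            fn(payload)


class TinyMachine:
    """Constructed 3-register machine; memory holds 32-bit words by address."""
    def __init__(self, bus):
        self.bus = bus
        self.regs = {"eax": 0, "ebx": 0, "ecx": 0}
        self.zf = 0
        self.mem = {}
        self.tid = 1

    def step(self, pc, ins):
        before, zf_before = dict(self.regs), self.zf
        op = ins[0]
        if op == "mov":                      # mov reg, imm32
            self.regs[ins[1]] = ins[2] & 0xFFFFFFFF
        elif op == "sub":                    # sub reg, reg; sets ZF
            self.regs[ins[1]] = (self.regs[ins[1]] - self.regs[ins[2]]) & 0xFFFFFFFF
            self.zf = int(self.regs[ins[1]] == 0)
        elif op == "store":                  # store reg -> [addr]
            self.mem[ins[2]] = self.regs[ins[1]]
            self.bus.emit("mem_access", pc=pc, tid=self.tid, addr=ins[2],
                          write=True, value=self.regs[ins[1]])
        elif op == "load":                   # load reg <- [addr]
            value = self.mem.get(ins[2], 0)
            self.regs[ins[1]] = value
            self.bus.emit("mem_access", pc=pc, tid=self.tid, addr=ins[2],
                          write=False, value=value)
        elif op == "api":                    # api name, (args...)
            self.bus.emit("api_call", pc=pc, tid=self.tid, name=ins[1], args=ins[2])
        elif op == "switch":                 # scheduler picks another thread
            old, self.tid = self.tid, ins[1]
            self.bus.emit("thread_switch", pc=pc, old=old, new=self.tid)
        changed = {r: (before[r], v) for r, v in self.regs.items() if before[r] != v}
        self.bus.emit("instruction", pc=pc, tid=self.tid, op=op,
                      regs_changed=changed, zf=(zf_before, self.zf))

    def run(self, program):
        for pc, ins in enumerate(program):
            self.step(pc, ins)


class TraceAnalyzer:
    """Analysis component: subscribes to events, reconstructs outbound data
    from send() calls, and counts writes, flag flips and thread switches."""
    def __init__(self, bus, machine):
        self.machine = machine
        self.sent, self.switches = [], []
        self.writes = defaultdict(int)
        self.zf_flips = self.instructions = 0
        bus.on("api_call", self.on_api)
        bus.on("mem_access", self.on_mem)
        bus.on("instruction", self.on_ins)
        bus.on("thread_switch", lambda ev: self.switches.append((ev["old"], ev["new"])))

    def on_api(self, ev):
        if ev["name"] != "send":
            return
        sock, addr, length = ev["args"]       # parse the network buffer from emulated memory
        words = [self.machine.mem.get(addr + off, 0) for off in range(0, length, 4)]
        self.sent.append(b"".join(struct.pack("<I", w) for w in words)[:length])

    def on_mem(self, ev):
        if ev["write"]:
            self.writes[ev["tid"]] += 1

    def on_ins(self, ev):
        self.instructions += 1
        if ev["zf"][0] != ev["zf"][1]:
            self.zf_flips += 1


# Constructed program: build "GET / \r\n" in memory, send it, then work on thread 2
PROGRAM = [
    ("mov", "eax", 0x20544547), ("store", "eax", 0x1000),   # "GET " little-endian
    ("mov", "eax", 0x0A0D202F), ("store", "eax", 0x1004),   # "/ \r\n"
    ("api", "send", (3, 0x1000, 8)),
    ("switch", 2),
    ("mov", "ebx", 5), ("mov", "ecx", 5), ("sub", "ebx", "ecx"),  # ZF 0 -> 1
    ("load", "eax", 0x1000),
]


def run_analysis(program=PROGRAM):
    bus = EventBus()
    machine = TinyMachine(bus)
    analyzer = TraceAnalyzer(bus, machine)
    machine.run(program)
    return analyzer
```

The analyzer never reads the simulator's registers directly; everything it knows arrives as an event payload, which is what lets several independent analysis components run over one simulated execution without interfering with each other or with the emulator.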
Claims (5)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310426028.7A CN103440457B (en) | 2013-08-20 | 2013-09-18 | Based on the binary program analytic system of process simulation |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310364984.7 | 2013-08-20 | ||
CN201310364984 | 2013-08-20 | ||
CN201310426028.7A CN103440457B (en) | 2013-08-20 | 2013-09-18 | Based on the binary program analytic system of process simulation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103440457A CN103440457A (en) | 2013-12-11 |
CN103440457B true CN103440457B (en) | 2015-12-09 |
Family
ID=49694150
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310426028.7A Active CN103440457B (en) | 2013-08-20 | 2013-09-18 | Based on the binary program analytic system of process simulation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103440457B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103886251B (en) * | 2014-04-08 | 2017-10-24 | 北京奇虎科技有限公司 | The method and device of system reinforcement |
US9509708B2 (en) * | 2014-12-02 | 2016-11-29 | Wontok Inc. | Security information and event management |
SG10201500921QA (en) * | 2015-02-06 | 2016-09-29 | Huawei Internat Pte Ltd | Method for obfuscation of code using return oriented programming |
CN105094825B (en) * | 2015-07-21 | 2018-11-06 | 中国科学院信息工程研究所 | A kind of memory variable distribution dynamic discovery method |
US9753745B1 (en) * | 2016-08-17 | 2017-09-05 | TCL Research America Inc. | System and method for system function-flow optimization utilizing application programming interface (API) profiling |
CN107239410B (en) * | 2017-05-31 | 2020-06-09 | 上海交通大学 | Large-block memory allocation system and method based on dynamic instrumentation |
CN109783363A (en) * | 2018-12-14 | 2019-05-21 | 深圳壹账通智能科技有限公司 | A kind of anomalous event analogy method and device and computer equipment |
CN109614294A (en) * | 2018-12-14 | 2019-04-12 | 河南飙风信息科技有限公司 | Enterprise's log analysis access system |
CN113722020B (en) * | 2020-05-26 | 2024-06-11 | 腾讯科技(深圳)有限公司 | Interface calling method, device and computer readable storage medium |
CN113918950A (en) * | 2021-12-14 | 2022-01-11 | 成都无糖信息技术有限公司 | Sandbox construction method based on simulation execution |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101154258A (en) * | 2007-08-14 | 2008-04-02 | 电子科技大学 | Malicious program dynamic behavior automatic analysis system and method |
CN101814053A (en) * | 2010-03-29 | 2010-08-25 | 中国人民解放军信息工程大学 | Method for discovering binary code vulnerability based on function model |
CN102622536A (en) * | 2011-01-26 | 2012-08-01 | 中国科学院软件研究所 | Method for catching malicious codes |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050108562A1 (en) * | 2003-06-18 | 2005-05-19 | Khazan Roger I. | Technique for detecting executable malicious code using a combination of static and dynamic analyses |
- 2013-09-18 CN CN201310426028.7A patent CN103440457B active
Non-Patent Citations (2)
Title |
---|
Detecting and Analysis of Cryptographic Data Inside Software; Ruoxu Zhao; 14th International Conference, ISC 2011; 2011-10-29; pp. 252-263 * |
Detecting Encryption Functions via Process Emulation and IL-Based Program Analysis; Ruoxu Zhao; 14th International Conference, ICICS 2012; 2012-10-31; pp. 182-196 * |
Also Published As
Publication number | Publication date |
---|---|
CN103440457A (en) | 2013-12-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103440457B (en) | Based on the binary program analytic system of process simulation | |
KR102255767B1 (en) | Systems and methods for virtual machine auditing | |
Srinivasan et al. | Process out-grafting: an efficient" out-of-vm" approach for fine-grained process execution monitoring | |
CN110059453B (en) | Container virtualization security reinforcing device and method | |
Tsai et al. | Cooperation and security isolation of library OSes for multi-process applications | |
US8504703B2 (en) | Systems and methods for instruction sequence compounding in a virtual machine environment | |
JP5172879B2 (en) | Virtualization event processing in a layered virtualization architecture | |
US7886293B2 (en) | Optimizing system behavior in a virtual machine environment | |
US8151264B2 (en) | Injecting virtualization events in a layered virtualization architecture | |
CN102938035B (en) | Driving separation system inside virtual machine and method | |
TW201935306A (en) | Systems and methods for policy linking and/or loading for secure initialization | |
Lu et al. | Research on intelligent detection of command level stack pollution for binary program analysis | |
CN102651062B (en) | System and method for tracking malicious behavior based on virtual machine architecture | |
US11709716B2 (en) | Hardware offload support for an operating system offload interface using operation code verification | |
JP2013109777A (en) | Virtualizing performance counters | |
CN106201872A (en) | A kind of running environment detection method of android system | |
TW201339971A (en) | Virtual machine control structure shadowing | |
US10129275B2 (en) | Information processing system and information processing method | |
Bulekov et al. | {HYPERPILL}: Fuzzing for Hypervisor-bugs by Leveraging the Hardware Virtualization Interface | |
Wang et al. | Raft: Hardware-assisted dynamic information flow tracking for runtime protection on RISC-V | |
Roessler et al. | Scalpel: Exploring the limits of tag-enforced compartmentalization | |
Xing et al. | OB‐IMA: out‐of‐the‐box integrity measurement approach for guest virtual machines | |
Niu et al. | Enforcing user-space privilege separation with declarative architectures | |
CN113849397A (en) | Execution engine, virtual machine, related apparatus and related method | |
CN102779250B (en) | The detection method of file controllable execution and virtual machine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 2019-03-27; Address after: Room 105G, No. 199 GuoShoujing Road (Biological and Medical Innovation Building), Pudong New Area Free Trade Pilot Area, Shanghai, 201203; Patentee after: Shanghai Jiaotong University Intellectual Property Management Co., Ltd.; Address before: 200240 No. 800, Dongchuan Road, Shanghai, Minhang District; Patentee before: Shanghai Jiao Tong University |
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 2020-01-13; Address after: 201601 Shanghai city Songjiang District Sijing Town Cultural Road No. 298; Patentee after: Zhixun password (Shanghai) Testing Technology Co., Ltd; Address before: Room 105G, No. 199 GuoShoujing Road (Biological and Medical Innovation Building), Pudong New Area Free Trade Pilot Area, Shanghai, 201203; Patentee before: Shanghai Jiaotong University Intellectual Property Management Co., Ltd. |