CN1845120A - Automatic analysis system and method for malicious code - Google Patents
Automatic analysis system and method for malicious code Download PDFInfo
- Publication number
- CN1845120A CN1845120A CNA200610080454XA CN200610080454A CN1845120A CN 1845120 A CN1845120 A CN 1845120A CN A200610080454X A CNA200610080454X A CN A200610080454XA CN 200610080454 A CN200610080454 A CN 200610080454A CN 1845120 A CN1845120 A CN 1845120A
- Authority
- CN
- China
- Prior art keywords
- malicious code
- module
- file
- api
- malicious
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 238000004458 analytical method Methods 0.000 title claims description 22
- 230000006870 function Effects 0.000 claims description 32
- 230000006399 behavior Effects 0.000 claims description 20
- 230000008569 process Effects 0.000 claims description 18
- 238000012544 monitoring process Methods 0.000 claims description 8
- 230000035945 sensitivity Effects 0.000 claims description 6
- 230000001360 synchronised effect Effects 0.000 claims description 3
- 230000003542 behavioural effect Effects 0.000 claims description 2
- 238000001514 detection method Methods 0.000 abstract 2
- 238000005516 engineering process Methods 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
Images
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a malicious code automatic analyze system formed by several independent modules, as malicious code operating module, file detecting module, register detecting module, function transfer detecting module, network data detecting module, program inner operation detecting module, and malicious code operation automatic analyze module. Said method comprises: loading the driving programs of file detection and register detection; loading the sensitive function recorded in pre-definition; in the operation of malicious code, synchronously recording to the transfer of application program interfaced, the access of file and register, and network operation; when the malicious code is over and automatically leaves, the system automatically analyzes said operation, and outputs the result. The invention can completely record the operation of malicious code, without affected by the unknown frame or distortion frame of malicious code. The invention can improve the working efficiency and malicious code analyzer.
Description
Technical field
The present invention relates to a kind of automatically analyzing malicious codes system and method.The present invention is used for the analysis of malicious code (application program) under WINDOWS (a kind of title of the operating system) environment.
Background technology
Traditional malicious code analysis is followed the tracks of by manual debugging and is analyzed, and this just depends on analyst's experience and ability, and in many cases, can omit the behavior of some malicious codes.Along with malicious code occurred to the individual quantity of hundreds of with every day tens, manual quiet one by one in the past, dynamic tracking conversed analysis method has been not suitable for demand now on work efficiency and cost input.Even manually go if having time to analyze, but in the face of new distortion code and unknown shell, the appearance of distortion shell, manual analysis have to spend earlier a large amount of energy analyze and remove the distortion code, above the unknown shell.
Summary of the invention
In order to overcome the deficiency of existing technology, the invention provides a kind of automatically analyzing malicious codes system and method, as long as manually carry out very a spot of participation, just can finish analytical work substantially to malicious code.The user only need import the sample body of malicious code, and system will export the analysis result to this malicious code.
Technical scheme
A kind of automatically analyzing malicious codes system contains following a plurality of relatively independent module and constitutes, and these relatively independent module records malicious codes are in all behaviors that run duration carried out:
Malicious code operation module is used to control the startup of malicious code process, stops, and the startup of thread stops, and being written into of module unloads.
File monitoring module, file monitoring drive by file system and realize, are installed in the operating system with the form of driver.System comes to communicate with driver by DeviceIoControl (WINDOWS API (Applicationprogramming interface application programming interfaces)), acquisition judges whether it is the operation that malicious code carries out according to process ID then to all operations of file.
The registration table monitor module is tackled supervision by the form of driver.
The function call monitor module, system provides API (Application programminginterface) (application programming interfaces) function of a series of sensitivity, by writing down calling of these API (Application programminginterface) (application programming interfaces), and analyze the combination that near other API (Applicationprogramming interface) (application programming interfaces) calls, judge whether this program has malice character.System also can write down the parameter and the return address that are sent by malicious code in record API (Application programming interface) (application programming interfaces) itself.
The network data monitor module in the record network packet, has write down the state of program when sending this packet, the position of network service function call and time.
Program internal act monitor module comprises being written into and unloading of module, the establishment of thread with withdraw from, internal storage access with check;
The automatic analysis module of malicious code behavior according to the result that above each module write down, is selected the behavior that is caused by malicious code operation, picks out the unworthy part of malicious code behavioural analysis, and these behaviors is analyzed gather.
The operation of malicious code, it is nothing but by the operation of file, registration table, network, API (Application programming interface) (application programming interfaces) etc. is finished that the destruction of computing machine is operated.And native system is behind input malicious code sample body, and above-mentioned all modules begin to start, and all behaviors of record malicious code run duration, and these behaviors draw analysis result by the processing of system.
A kind of automatically analyzing malicious codes method, contain following steps:
Step 1; After the system start-up, the driver that first load document monitors and registration table monitors,
Step 2; Etc. the input of malicious code to be analyzed, in case malicious code input native system, malicious code operation module starts.
Step 3; Load the sensitivity function that predefine will write down,
Step 4; In the process of malicious code operation, synchronous recording API (Application programminginterface) (application programming interfaces) calls, file, the visit of registration table, network operation;
Step 5; When the malicious code process finishes and withdraws from automatically, or think that current analysis enough and after the pressure end malicious code process, system analyzes automatically to these behaviors, exports automatic analysis result as the user;
Step 6;
The invention has the beneficial effects as follows,
Automatic analysis method provided by the invention writes down the behavior that malicious code moves fully, and unaffected for the unknown shell or the distortion shell of malicious code use.Improved malicious code analysis personnel's work efficiency significantly.The present invention analyzes malicious code automatically, the behavior of record malicious code, as file operation, registry operations, network, behaviors such as internal storage access, system API (Application programming interface) (application programming interfaces) call, and the responsive API (Application programminginterface) (application programming interfaces) of configurable record calls.By analyzing the behavior of these records, can determine the kind and the ins and outs of malicious code substantially.The analyst can accurately analyze further targetedly by this result.
The present invention can analyze apace to malicious code, draws analysis result automatically, the artificial work that only need participate in seldom.And existing technology is manually to adopt a large amount of time in analytical work, the energy that costs a lot of money, and efficient is very low.
Description of drawings
Fig. 1 is a structure flow chart of the present invention.
Fig. 2 is monitor module and analysis module structural drawing.
Fig. 3 is system's operational flow diagram.
The present invention is further described below in conjunction with drawings and Examples.
Embodiment
As shown in Figure 1, before malicious code operation, the user at first needs to define a collection of function, and generally speaking, normal application program seldom uses, or there is no need to use these functions, and that malicious code uses the probability of these functions is quite big.
System is before beginning to analyze, can from database, load all API (Applicationprogramming interface) (application programming interfaces) function lists, when malicious code calls the sensitivity function of above-mentioned consumer premise justice, will write down this function calls.
When the api function loaded, system's meeting load driver program is so that write down malicious code to file, registration table, the visit of network and operation.
When malicious code operation finishes, its mechanism is analyzed in the various actions that system will be write down according to the malicious code run duration automatically.
Fig. 2 is monitor module and analysis module graph of a relation.Wherein malicious code operation module is responsible for controlling the operation of malicious code process, moves the malicious code program in the mode of debugging, is started by CreateProcess (WINDOWS API), and this module is responsible for the setting of the inner breakpoint of program simultaneously.
Below describe the embodiment of monitor module in detail.
File monitoring
The foundation of Monitoring Files or file, read-write.The time of log file operation, the type of file operation, as foundation/read/write, the result of file operation is as the length and the position of read-write.
The information of file monitoring is for labor is also very meaningful further, and the analyst can carry out corresponding breakpoint setting according to length and position, the number of times of file read-write, makes the more efficient and purpose of conversed analysis.
This function performing step:
File monitoring drives by file system and realizes, is installed in the operating system with the form of driver.System comes to communicate with driver by DeviceIoControl (WINDOWS API), obtains all operations to file, judges whether it is the operation that malicious code carries out according to process ID (unique identification of process) then.
Registration table monitors
Monitor the foundation of registration table, operations such as read-write.The time of record registry operations, action type, operating result, and the position and the data of record registration table.
This function performing step:
This function also is to tackle supervision by the form of driver.Driver is realized this function by the API of intercept registration table handling.Registry operations API (Application programming interface) (application programming interfaces) comprising:
RegCloseKey
RegConnectRegistry
RegCreateKeyEx
RegDeleteKey
RegDeleteValue
RegDisablePredefinedCache
RegEnumKeyEx
RegEnumValue
RegFlushKey
RegGetKeySecurity
RegLoadKey
RegNotifyChangeKeyValue
RegOpenCurrentUser
RegOpenKeyEx
RegOpenUserClassesRoot
RegOverridePredefKey
RegQueryInfoKey
RegQueryMultipleValues
RegQueryValueEx
RegReplaceKey
RegRestoreKey
RegSaveKey
RegSetKeySecurity
RegSetValueEx
RegUnLoadKey
The record of function call and API (Application programming interface) (application programming interfaces) record,
System provides the api function of a series of sensitivity, and the probability that general malicious code calls these api functions is very high, but common application program is seldom called these functions.By writing down calling of these API, and the combination of analyzing near API Calls other, can judge whether this program has malice character.System also can write down the parameter and the return address that are sent by malicious code in record API itself.This function performing step:
(1), first code byte of revising each API that need tackle is 0xCC, and preserves former code byte;
(2), in the malicious code operational process,, will carry out 0xCC so, cause producing unusual in case call this api function.Exception handler judges that by judging unusually whether this be owing to carried out first code byte of this API.If then the code at this internal memory place is replaced back original byte, and continues to carry out next bar instruction.When carrying out next bar instruction, again first byte of this API is changed into 0xCC;
(3), write down the api function of intercepting.
Network data monitors
Increasing malicious code is propagated by network.Different with the traditional data packet catcher is that native system has write down the state of program when sending this packet, the position of network service function call and time in the record network packet.This more helps the analysis of malicious code communication behavior.
This function performing step:
The method of the same API of performing step (Application programming interface) (application programming interfaces) record is identical.The transmission of any network packet receives all to be undertaken by network AP I.As send, recv, sendfrom, sendto or the like.When intercepting API, judge to be the API of network data transmission/reception again, get the content of its parameter, can obtain the content of packet.
The supervision of program internal act
These behaviors comprise being written into and unloading of module, the establishment of thread with withdraw from, internal storage access with check.This function performing step:
The WINDOWS system carries this function.When process started with the pattern of DEBUG_ONLY_THIS_PROCES (C language grand name, value is 2), system can be automatically provides interface for the processing of these internal acts.
Malicious code calls WaitForDebugEvent (WINDOWS API) after starting immediately, and invokes thread will enter blocked state, waits for the generation of debug events.When behaviors such as malicious code has being written into and unloading of module, and the establishment of thread is upright and withdraw from, thread will be cancelled obstruction, and returns the information of above-mentioned behavior.
Fig. 3 has described the start-up course of these software systems.As shown in Figure 3, after system start-up, the driver that first load document monitors and registration table monitors, and the input of wait malicious code.At the process of malicious code operation, synchronous recording API Calls, file, the visit of registration table, network operation etc.
Claims (4)
1. automatically analyzing malicious codes method is characterized in that containing following steps:
After step 1, the system start-up, the driver that load document monitors and registration table monitors;
Step 2, wait for the input of malicious code to be analyzed, in case malicious code input native system, malicious code operation module starts;
The sensitivity function that step 3, loading predefine will write down;
Step 4, in the process of malicious code operation, the synchronous recording application programming interfaces call, file, the visit of registration table, network operation;
Step 5, finish and withdraw from automatically when the malicious code process, or think that current analysis enough and after the pressure end malicious code process, system analyzes automatically to these behaviors, exports automatic analysis result as the user.
2. a kind of automatically analyzing malicious codes method according to claim 1, it is characterized in that: file monitoring is installed in the operating system with the form of driver, system comes to communicate with driver by DeviceIoControl (WINDOWSAPI), acquisition judges whether it is the operation that malicious code carries out according to process ID then to all operations of file.
3. a kind of automatically analyzing malicious codes method according to claim 1 is characterized in that: whether determining program has malice character performing step has:
Step (1), first code byte of revising each API that need tackle is 0xCC, and preserves former code byte;
Step (2), in the malicious code operational process,, will carry out 0xCC so in case call this api function, cause producing unusual, exception handler judges that by judging unusually whether this be owing to first code byte of having carried out this API, if, then the code at this internal memory place is replaced back original byte, and continue to carry out next bar instruction, when carrying out next bar instruction, again first byte of this API is changed into 0xCC;
Step (3), the api function that record is intercepted.
4. an automatically analyzing malicious codes system is characterized in that: contain with lower module;
Malicious code operation module: be used to control the startup of malicious code process, stop, the startup of thread stops, and being written into of module unloads;
File monitoring module: realize by the file system driving, form with driver is installed in the operating system, system comes to communicate with driver by DeviceIoControl (WINDOWS API (Application programminginterface)), acquisition judges whether it is the operation that malicious code carries out according to process ID then to all operations of file;
The registration table monitor module: the form by driver is tackled supervision;
The function call monitor module: system provides the application program interface function of a series of sensitivity, by writing down calling of these application programming interfaces, and analyze near the combination that application programming interfaces call other, judge whether this program has malice character, system also can write down the parameter and the return address that are sent by malicious code in records application program interface itself;
Network data monitor module: in the record network packet, write down the state of program when sending this packet, the position of network service function call and time;
Program internal act monitor module: comprise being written into and unloading of module, the establishment of thread with withdraw from, internal storage access with check;
The automatic analysis module of malicious code behavior: according to the result that above each module write down, select the behavior that is caused by malicious code operation, pick out, and these behaviors are analyzed gather to the unworthy part of malicious code behavioural analysis.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB200610080454XA CN100461197C (en) | 2006-05-16 | 2006-05-16 | Automatic analysis system and method for malicious code |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB200610080454XA CN100461197C (en) | 2006-05-16 | 2006-05-16 | Automatic analysis system and method for malicious code |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1845120A true CN1845120A (en) | 2006-10-11 |
| CN100461197C CN100461197C (en) | 2009-02-11 |
Family
ID=37064048
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB200610080454XA Expired - Fee Related CN100461197C (en) | 2006-05-16 | 2006-05-16 | Automatic analysis system and method for malicious code |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100461197C (en) |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009049555A1 (en) * | 2007-10-15 | 2009-04-23 | Beijing Rising International Software Co., Ltd. | Method and apparatus for detecting the malicious behavior of computer program |
| CN100504903C (en) * | 2007-09-18 | 2009-06-24 | 北京大学 | A Malicious Code Automatic Identification Method |
| CN102208004A (en) * | 2011-05-13 | 2011-10-05 | 南京邮电大学 | Method for controlling software behavior based on least privilege principle |
| CN101414328B (en) * | 2007-10-15 | 2012-07-18 | 北京瑞星信息技术有限公司 | Apparatus and method for exuviations of file |
| CN102779255A (en) * | 2012-07-16 | 2012-11-14 | 腾讯科技(深圳)有限公司 | Method and device for judging malicious program |
| CN102799493A (en) * | 2012-06-21 | 2012-11-28 | 北京伸得纬科技有限公司 | Method for intercepting target progress with self-protection |
| CN102799500A (en) * | 2012-06-25 | 2012-11-28 | 腾讯科技(深圳)有限公司 | System repair method, device and storage medium |
| CN103294947A (en) * | 2012-02-23 | 2013-09-11 | 株式会社日立制作所 | Program analysis system and method thereof |
| US8561192B2 (en) | 2007-10-15 | 2013-10-15 | Beijing Rising Information Technology Co., Ltd. | Method and apparatus for automatically protecting a computer against a harmful program |
| CN101667236B (en) * | 2008-09-02 | 2013-11-20 | 北京瑞星信息技术有限公司 | Method and device for controlling driver installation |
| CN103500306A (en) * | 2011-06-03 | 2014-01-08 | 北京奇虎科技有限公司 | Client terminal program monitoring method and device and client terminal |
| CN103605592A (en) * | 2013-11-29 | 2014-02-26 | 中国航空工业集团公司第六三一研究所 | Mechanism of detecting malfunctions of distributed computer system |
| CN103778367A (en) * | 2013-12-30 | 2014-05-07 | 网秦(北京)科技有限公司 | Method and terminal for detecting safety of application installation package based on application certificate and auxiliary server |
| CN104766007A (en) * | 2015-03-27 | 2015-07-08 | 杭州安恒信息技术有限公司 | Method for quickly recovering sandbox based on file system filter driver |
| CN104766011A (en) * | 2015-03-26 | 2015-07-08 | 国家电网公司 | Sandbox detection alarming method and system based on main engine characteristic |
| CN104933365A (en) * | 2015-07-08 | 2015-09-23 | 中国科学院信息工程研究所 | Automatic malicious code homology judgment method and system based on calling habits |
| CN105991620A (en) * | 2015-03-05 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Malicious account identification method and device |
| CN107766716A (en) * | 2016-08-16 | 2018-03-06 | 阿里巴巴集团控股有限公司 | Certificate detection method and device, electronic equipment |
| CN109948336A (en) * | 2019-01-29 | 2019-06-28 | 北京中安兴坤科技有限公司 | Malicious code detecting method and device |
| CN111026599A (en) * | 2019-07-24 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Data collection method and device based on API call and storage device |
| CN114417340A (en) * | 2022-01-26 | 2022-04-29 | 北京八分量信息科技有限公司 | Feature analysis method and device of malicious application program and related product |
| CN114741695A (en) * | 2022-04-02 | 2022-07-12 | 安天科技集团股份有限公司 | Malicious code monitoring method and device, electronic equipment and storage medium |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1282083C (en) * | 2001-09-14 | 2006-10-25 | 北京瑞星科技股份有限公司 | Computer memory virus monitoring method and method for operation with virus |
| ATE426858T1 (en) * | 2002-04-13 | 2009-04-15 | Computer Ass Think Inc | SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE |
| US7832012B2 (en) * | 2004-05-19 | 2010-11-09 | Computer Associates Think, Inc. | Method and system for isolating suspicious email |
| US20060015940A1 (en) * | 2004-07-14 | 2006-01-19 | Shay Zamir | Method for detecting unwanted executables |
| CN100374972C (en) * | 2005-08-03 | 2008-03-12 | 珠海金山软件股份有限公司 | A system and method for detecting and defending computer malicious programs |
-
2006
- 2006-05-16 CN CNB200610080454XA patent/CN100461197C/en not_active Expired - Fee Related
Cited By (31)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100504903C (en) * | 2007-09-18 | 2009-06-24 | 北京大学 | A Malicious Code Automatic Identification Method |
| US8561192B2 (en) | 2007-10-15 | 2013-10-15 | Beijing Rising Information Technology Co., Ltd. | Method and apparatus for automatically protecting a computer against a harmful program |
| CN101414328B (en) * | 2007-10-15 | 2012-07-18 | 北京瑞星信息技术有限公司 | Apparatus and method for exuviations of file |
| US8898775B2 (en) | 2007-10-15 | 2014-11-25 | Bejing Rising Information Technology Co., Ltd. | Method and apparatus for detecting the malicious behavior of computer program |
| WO2009049555A1 (en) * | 2007-10-15 | 2009-04-23 | Beijing Rising International Software Co., Ltd. | Method and apparatus for detecting the malicious behavior of computer program |
| CN101667236B (en) * | 2008-09-02 | 2013-11-20 | 北京瑞星信息技术有限公司 | Method and device for controlling driver installation |
| CN102208004A (en) * | 2011-05-13 | 2011-10-05 | 南京邮电大学 | Method for controlling software behavior based on least privilege principle |
| CN102208004B (en) * | 2011-05-13 | 2013-07-03 | 南京邮电大学 | Method for controlling software behavior based on least privilege principle |
| CN103500306A (en) * | 2011-06-03 | 2014-01-08 | 北京奇虎科技有限公司 | Client terminal program monitoring method and device and client terminal |
| CN103294947A (en) * | 2012-02-23 | 2013-09-11 | 株式会社日立制作所 | Program analysis system and method thereof |
| CN102799493A (en) * | 2012-06-21 | 2012-11-28 | 北京伸得纬科技有限公司 | Method for intercepting target progress with self-protection |
| CN102799500A (en) * | 2012-06-25 | 2012-11-28 | 腾讯科技(深圳)有限公司 | System repair method, device and storage medium |
| CN102799500B (en) * | 2012-06-25 | 2014-04-30 | 腾讯科技(深圳)有限公司 | System repair method and device |
| CN102779255A (en) * | 2012-07-16 | 2012-11-14 | 腾讯科技(深圳)有限公司 | Method and device for judging malicious program |
| CN102779255B (en) * | 2012-07-16 | 2014-11-12 | 腾讯科技(深圳)有限公司 | Method and device for judging malicious program |
| US9158918B2 (en) | 2012-07-16 | 2015-10-13 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for determining malicious program |
| CN103605592A (en) * | 2013-11-29 | 2014-02-26 | 中国航空工业集团公司第六三一研究所 | Mechanism of detecting malfunctions of distributed computer system |
| CN103778367A (en) * | 2013-12-30 | 2014-05-07 | 网秦(北京)科技有限公司 | Method and terminal for detecting safety of application installation package based on application certificate and auxiliary server |
| CN105991620B (en) * | 2015-03-05 | 2019-09-06 | 阿里巴巴集团控股有限公司 | The recognition methods of malice account and device |
| CN105991620A (en) * | 2015-03-05 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Malicious account identification method and device |
| CN104766011B (en) * | 2015-03-26 | 2017-09-12 | 国家电网公司 | The sandbox detection alarm method and system of Intrusion Detection based on host feature |
| CN104766011A (en) * | 2015-03-26 | 2015-07-08 | 国家电网公司 | Sandbox detection alarming method and system based on main engine characteristic |
| CN104766007A (en) * | 2015-03-27 | 2015-07-08 | 杭州安恒信息技术有限公司 | Method for quickly recovering sandbox based on file system filter driver |
| CN104766007B (en) * | 2015-03-27 | 2017-07-21 | 杭州安恒信息技术有限公司 | A kind of method that the fast quick-recovery of sandbox is realized based on file system filter driver |
| CN104933365A (en) * | 2015-07-08 | 2015-09-23 | 中国科学院信息工程研究所 | Automatic malicious code homology judgment method and system based on calling habits |
| CN104933365B (en) * | 2015-07-08 | 2018-04-27 | 中国科学院信息工程研究所 | A kind of malicious code based on calling custom automates homologous decision method and system |
| CN107766716A (en) * | 2016-08-16 | 2018-03-06 | 阿里巴巴集团控股有限公司 | Certificate detection method and device, electronic equipment |
| CN109948336A (en) * | 2019-01-29 | 2019-06-28 | 北京中安兴坤科技有限公司 | Malicious code detecting method and device |
| CN111026599A (en) * | 2019-07-24 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Data collection method and device based on API call and storage device |
| CN114417340A (en) * | 2022-01-26 | 2022-04-29 | 北京八分量信息科技有限公司 | Feature analysis method and device of malicious application program and related product |
| CN114741695A (en) * | 2022-04-02 | 2022-07-12 | 安天科技集团股份有限公司 | Malicious code monitoring method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100461197C (en) | 2009-02-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1845120A (en) | Automatic analysis system and method for malicious code | |
| US9727436B2 (en) | Adding a profiling agent to a virtual machine to permit performance and memory consumption analysis within unit tests | |
| CN103729288B (en) | The adjustment method of application program under a kind of embedded multi-core environment | |
| CN100451989C (en) | Software testing system and testing method | |
| CN1159649C (en) | An automatic circular storage method for log information | |
| US20080243968A1 (en) | Method and system for object age detection in garbage collection heaps | |
| CN1248116C (en) | General purpose testing arrangement for embedded module and subsystem based on host machine platform | |
| CN1614555A (en) | Apparatus and method for autonomic hardware assisted thread stack tracking | |
| CN1540517A (en) | Just-My-Code modulation tech | |
| CN100351785C (en) | Method for debuging embedded system and equipment | |
| CN101354675B (en) | Method for detecting embedded software dynamic memory | |
| CN1959652A (en) | Method and apparatus for debugging computer program in distributed debugger | |
| CN101043692A (en) | Patrol checking method and patrol checking server | |
| CN1719925A (en) | Method and apparatus for automatically testing CDMA cell phone software | |
| CN101060436A (en) | A fault analyzing method and device for communication equipment | |
| CN1851667A (en) | Graphic user interface test method and system | |
| CN1371499A (en) | Object property meta model emulator for legacy data structures | |
| CN101114253A (en) | Program crashing information report method and system thereof | |
| CN1885275A (en) | Embedded system and real-time monitoring and processing method thereof | |
| CN1641601A (en) | Software unit measuring method | |
| CN1949185A (en) | Parallel adjusting and performance analyzing method of supporting multi-language multi-platform under isomerized environment | |
| CN104980552B (en) | Realize the method and system of Android mobile terminal automatic test | |
| CN1295600C (en) | Windows program abnormality capturing and positioning method | |
| CN103777978A (en) | Automatic user-mode 3G-USB network interface card detecting method based on Linux kernel | |
| CN1555014A (en) | A method for man-machine command testing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP03 | Change of name, title or address |
Address after: South Avenue, Haidian District, Beijing, Zhongguancun Patentee after: Beijing Venus Information Technology Co., Ltd. Address before: South Avenue, Haidian District, Beijing, Zhongguancun Patentee before: Beijing Qiming Xingchen Information Technology Co., Ltd. |
|
| C56 | Change in the name or address of the patentee |
Owner name: BEIJING QIMINGXINGCHEN INFORMATION TECHNOLOGY CO., Free format text: FORMER NAME: BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY CO. LTD. |
|
| ASS | Succession or assignment of patent right |
Owner name: BEIJING QIMINGXINCHEN INFORMATION SECURITY TECHNOL |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100081 ZHONGGUANCUN SOUTH AVENUE, HAIDIAN DISTRICT, BEIJING CITY TO: 100193QIMINGXINGCHEN BUILDING, BUILDING 21, ZHONGGUANCUN SOFTWARE PARK, NO.8, DONGBEIWANG WEST ROAD, HAIDIAN DISTRICT, BEIJING CITY |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20100507 Address after: 100193 Beijing city Haidian District Dongbeiwang qimingxingchenmansionproject Building No. 21 West Road No. 8 Zhongguancun Software Park Co-patentee after: Beijing Venusense Information Security Technology Co., Ltd. Patentee after: Beijing Venus Information Technology Co., Ltd. Address before: 100081 Haidian District Zhongguancun South Avenue, Beijing Patentee before: Beijing Venus Information Technology Co., Ltd. |
|
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20090211 Termination date: 20130516 |