Computer program instruction-level monitoring and analyzing system and method

Abstract

The invention discloses a computer program instruction-level monitoring and analyzing system and method. The monitoring and analyzing system comprises a cloud server, a host machine, a virtual machine, a database DB and a local analyzing system. The cloud server is used for recording data and meanwhile serves as a non-local data analyzing system to analyze the data. The host machine is used for providing an environment storage dynamic link library and enabling functions in the dynamic link library to be operated in time of need. The virtual machine is used for calling an init function and a callback function and providing a function SetCallback for setting the callback function. The database DB is used for storing data obtained through instruction-level monitoring, and the data can be called and analyzed by the local analyzing system at any time. Through the instruction-level monitoring, all operation details in any program are monitored simply and accurately in real time, data analysis is performed on the details, and huge progresses are brought to automatic analysis or auxiliary analysis of programs of malicious codes, backdoor spy and the like.

Description

technical field [0001] The invention relates to computer security and program analysis technology, in particular to a computer program instruction-level monitoring and analysis system and method. Background technique [0002] Existing computer program monitoring and analysis technologies can only monitor and analyze at the function level, but cannot monitor and analyze at the instruction level. The "function" here refers to a subroutine in a computer program that implements a specific function, while the "instruction" refers to each code that implements a certain control or operation, and refers to the CPU instruction, which is the smallest unit of computer operation. . [0003] Function-level monitoring refers to the monitoring of a certain function or some specific functions by the monitored program in the prior art, including whether the function (s) has been called, the time of the call, the call parameters and the execution result, etc., in order to determine Whether ...

AI Technical Summary

Problems solved by technology

However, the number of functions of the operating system itself is huge, and it is impossible to realize complete monitoring. At the same time, it has other disadvantages, such as: the technical details of many functions are not disclosed, and some functions may change, etc.

Moreover, even if the monitoring can be "forcibly" realized, the operating system itself will be affected due to the large monitoring code, changing the execution environment of the monitored program, and making the monitoring distorted

[0008] These three defects lead to some inevitable results that the monitoring of the program cannot be comprehensive and detailed: since only a few functions of the operating system itself can be monitored, a large number of self-owned functions in the monitored program will not be able to be monitored. The behavior of the program will be "in the dark"; the monitored program calls the operating system function that has not been hooked in advance, and these actions will not be known, that is, the situation of "unknown"; at the same time, the real automatic analysis of behavior cannot be realized

Images