CN102023842B - Method and device for removing junk codes - Google Patents

Method and device for removing junk codes Download PDF

Info

Publication number
CN102023842B
CN102023842B CN 201010591156 CN201010591156A CN102023842B CN 102023842 B CN102023842 B CN 102023842B CN 201010591156 CN201010591156 CN 201010591156 CN 201010591156 A CN201010591156 A CN 201010591156A CN 102023842 B CN102023842 B CN 102023842B
Authority
CN
China
Prior art keywords
instruction
register
dis
assembling
internal memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN 201010591156
Other languages
Chinese (zh)
Other versions
CN102023842A (en
Inventor
李石磊
童志明
张栗伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing ahtech network Safe Technology Ltd
Original Assignee
Beijing Antiy Electronic Equipment Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Antiy Electronic Equipment Co Ltd filed Critical Beijing Antiy Electronic Equipment Co Ltd
Priority to CN 201010591156 priority Critical patent/CN102023842B/en
Publication of CN102023842A publication Critical patent/CN102023842A/en
Application granted granted Critical
Publication of CN102023842B publication Critical patent/CN102023842B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Advance Control (AREA)

Abstract

The invention provides a method and device for removing junk codes. The invention is characterized in that disassembling instructions in a buffer area; storing the instructions obtained by disassembling; storing all write memory instructions and write memory instruction registers; inversely searching the instructions obtained by disassembling according to the write memory instruction registers; searching all instructions related to the write memory instruction registers; comparing all the instructions obtained by disassembling and the instructions related to the write memory instruction registers; and cancelling different instructions, namely the junk codes. Through the method provided by the invention, the problems that the speed of virtual execution code is slow and the analysis is easyto be out of control are solved.

Description

Remove method and the device of flower instruction
Technical field
The present invention relates to information security field, particularly remove method and the device of flower instruction.
Background technology
In the current network environment; exist a large amount of malicious codes; and; the author of malicious code analyzes malicious code for the interfere information Security Officer; increase the reverse difficulty of code; regular meeting use to add the flower instruction or inserts method such as rubbish code at random; this had both caused the information security personnel to the malicious code analysis difficulty; also caused the problem that is difficult to extract condition code; cause a file to mate with regard to one section feature of needs; how many files are arranged, just need how many features, this has increased information security personnel's workload undoubtedly.Present technology can only be by the method for virtual execution, executes code, fixingly can solve this problem for the data of extracting feature until decrypting, and the speed of virtual execution is very slow, and has and analyze out of control and cause mistake to move the possibility of malicious code.
Summary of the invention
The invention provides a kind of method and device of removing the flower instruction, it is slow to have solved virtual execution speed, easily analyzes problem out of control.
A kind of method of removing the flower instruction comprises:
Step a: dis-assembling is carried out in the instruction in the core buffer, and preserved the instruction that dis-assembling obtains;
Step b: judge whether the instruction that dis-assembling obtains is to write the internal memory instruction, if, then search and preserve and write the internal memory order register, change steps d, otherwise, change step c;
Step c: judge whether the instruction that dis-assembling obtains is the cycling jump instruction, if, then search and preserve control loop body register, change steps d, otherwise, directly change steps d;
Steps d: judge whether to reach the condition that stops to carry out dis-assembling, if, then change step e, otherwise, step a changeed;
Step e: for any one register of preserving, reversely in all instructions that dis-assembling obtains search the instruction relevant with described register, when the satisfied condition that stops to search, stop to search the instruction relevant with described register;
Step f: behind the dependent instruction of having searched all registers, the instruction different with the dependent instruction of register in all instructions that the deletion dis-assembling obtains.
In the described method, judge whether the instruction that dis-assembling obtains is to write the internal memory instruction to comprise:
Judge whether the destination operand in the instruction that dis-assembling obtains is memory address, if, then be defined as writing the internal memory instruction, otherwise, the internal memory instruction write for non-;
Perhaps, judge whether the instruction that dis-assembling obtains is the implicit operands instruction, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs.
In the described method, if the instruction that dis-assembling obtains is the cycling jump instruction, then searches and preserve control loop body register and comprise:
If the cycling jump instruction is then preserved the ECX register for LOOP instruction, LOOPNE instruction or LOOPZ instruction;
If the cycling jump instruction is the jcc instruction, then reverse first CMP instruction, SUB instruction, TEST instruction, OR instruction or the AND of searching instructs, and preserves CMP order register, SUB order register, TEST order register, OR order register or AND order register;
If the cycling jump instruction is then searched the combined command that can access loop body for the jmp instruction, preserve described combined command register.
In the described method, preservation is write the internal memory order register and is comprised: will write the internal memory order register and be saved in the register chained list;
Preserving control loop body register comprises: will control the loop body register holds in the register chained list;
Be specially for any one register of preserving: for any one register in the register chained list.
In the described method, judge whether to reach the condition that stops to carry out dis-assembling and be specially:
Judge whether the instruction that dis-assembling obtains is the loop body END instruction;
Perhaps, judge whether the quantity that dis-assembling is instructed reaches default quantity.
In the described method, the satisfied condition that stops to search is specially and finds the instruction that data is read CPU from internal memory.
A kind of device of removing the flower instruction comprises:
The dis-assembling unit is used for dis-assembling is carried out in the instruction of buffer zone, and preserves the instruction that dis-assembling obtains;
First judging unit is used for judging whether the instruction that dis-assembling obtains is to write the internal memory instruction;
Storage unit, be used for when instruction that the first judgment unit judges dis-assembling obtains be when writing internal memory and instructing, search and preserve and write the internal memory order register;
Second judging unit, be used for the instruction that the first judgment unit judges dis-assembling obtains be non-write the internal memory instruction after, judge whether the instruction that dis-assembling obtains is the cycling jump instruction, if then storage unit is searched and preserved and controls the loop body register;
The 3rd judging unit, be used for after instruction that the first judgment unit judges dis-assembling obtains is to write internal memory and instruct, perhaps after whether instruction that the second judgment unit judges dis-assembling obtains is the cycling jump instruction, judge whether to reach the condition that stops to carry out dis-assembling, if do not reach the condition that stops to carry out dis-assembling, then there is the dis-assembling unit that the next instruction of buffer zone is carried out dis-assembling;
Search the unit, be used for the 3rd judgment unit judges reach stop to carry out the condition of dis-assembling after, any one register for the storage unit preservation, in the dis-assembling unit carries out all instructions that dis-assembling obtains, reversely search the instruction relevant with described register, when satisfying when stopping search criterion, stop to search the instruction relevant with described register;
Comparing unit is used for after searching the unit and having searched the dependent instruction of all registers, the instruction different with the dependent instruction of register during all of deleting that dis-assembling obtains are instructed.
In the described device, first judging unit specifically is used for judging whether the destination operand of the instruction that dis-assembling obtains is memory address, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs;
Perhaps, first judging unit is used for specifically judging whether the instruction that dis-assembling obtains is the implicit operands instruction, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs.
In the described device, be LOOP instruction, LOOPNE instruction or LOOPZ instruction if second judgment unit judges goes out the cycling jump instruction, then storage unit is preserved the ECX register;
If going out the cycling jump instruction, second judgment unit judges is the jcc instruction, then reverse first CMP instruction, SUB instruction, TEST instruction, OR instruction or the AND of searching instructs, and then storage unit is preserved CMP order register, SUB order register, TEST order register, OR order register or AND order register;
Be the jmp instruction if second judgment unit judges goes out the cycling jump instruction, then storage unit is searched the combined command that can access loop body, and preserves described order register.
In the described device, storage unit specifically is used for writing the internal memory order register and is saved in the register chained list;
Storage unit is preserved control loop body register and is comprised: will control the loop body register holds in the register chained list;
Be specially for any one register of preserving: for any one register in the register chained list.
In the described device, the 3rd judging unit specifically is used for judging whether the instruction that dis-assembling obtains is the loop body END instruction;
Perhaps, the 3rd judging unit is used for specifically judging whether the quantity of dis-assembling instruction reaches default quantity.
In the described device, the satisfied condition that stops to search is specially and finds the instruction that data is read CPU from internal memory.
The invention provides a kind of method and apparatus of removing the flower instruction, by dis-assembling is carried out in the instruction in the buffer zone, and preserve the instruction that all dis-assemblings obtain, preserve all writing the internal memory instruction and write the internal memory order register, according to writing the internal memory order register, reversely search all instructions that dis-assembling obtains, find all instructions relevant with writing the internal memory order register, all instructions that dis-assembling is obtained compare with the register dependent instruction, delete different instructions, the instruction of deletion is the flower instruction, and the instruction of deletion flower does not influence the normal operation of program, and it is slow to have solved virtual execution speed, easily analyzes problem out of control.
Description of drawings
In order to be illustrated more clearly in the present invention or technical scheme of the prior art, to do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below, apparently, the accompanying drawing that describes below only is some embodiment that put down in writing among the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is a kind of method flow diagram of removing the flower instruction provided by the invention;
Fig. 2 is a kind of apparatus structure synoptic diagram of removing the flower instruction provided by the invention.
Embodiment
In order to make those skilled in the art person understand technical scheme in the embodiment of the invention better, and above-mentioned purpose of the present invention, feature and advantage can be become apparent more, below in conjunction with accompanying drawing technical scheme among the present invention is described in further detail.
The invention provides a kind of method and device of removing the flower instruction, it is slow to have solved virtual execution speed, easily analyzes problem out of control.
The invention provides a kind of method of removing the flower instruction, comprising:
Step a: dis-assembling is carried out in the instruction in the core buffer, and preserved the instruction that dis-assembling obtains;
Step b: judge whether the instruction that dis-assembling obtains is to write the internal memory instruction, if, then search and preserve and write the internal memory order register, change steps d, otherwise, change step c;
Step c: judge whether the instruction that dis-assembling obtains is the cycling jump instruction, if, then search and preserve control loop body register, change steps d, otherwise, directly change steps d;
Steps d: judge whether to reach the condition that stops to carry out dis-assembling, if, then change step e, otherwise, step a changeed;
Step e: for any one register of preserving, reversely in all instructions that dis-assembling obtains search the instruction relevant with described register, when the satisfied condition that stops to search, stop to search the instruction relevant with described register;
Step f: behind the dependent instruction of having searched all registers, the instruction different with the dependent instruction of register in all instructions that the deletion dis-assembling obtains.
In the described method, judge whether the instruction that dis-assembling obtains is to write the internal memory instruction to comprise:
Judge whether the destination operand in the instruction that dis-assembling obtains is memory address, if, then be defined as writing the internal memory instruction, otherwise, the internal memory instruction write for non-;
Perhaps, judge whether the instruction that dis-assembling obtains is the implicit operands instruction, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs.
In the described method, if the instruction that dis-assembling obtains is the cycling jump instruction, then searches and preserve control loop body register and comprise:
If the cycling jump instruction is then preserved the ECX register for LOOP instruction, LOOPNE instruction or LOOPZ instruction;
If the cycling jump instruction is the jcc instruction, then reverse first CMP instruction, SUB instruction, TEST instruction, OR instruction or the AND of searching instructs, and preserves CMP order register, SUB order register, TEST order register, OR order register or AND order register;
If the cycling jump instruction is then searched the combined command that can access loop body for the jmp instruction, preserve described combined command register.
In the described method, preservation is write the internal memory order register and is comprised: will write the internal memory order register and be saved in the register chained list;
Preserving control loop body register comprises: will control the loop body register holds in the register chained list;
Be specially for any one register of preserving: for any one register in the register chained list.
In the described method, judge whether to reach the condition that stops to carry out dis-assembling and be specially:
Judge whether the instruction that dis-assembling obtains is the loop body END instruction;
Perhaps, judge whether the quantity that dis-assembling is instructed reaches default quantity.
In the described method, the satisfied condition that stops to search is specially and finds the instruction that data is read CPU from internal memory.
In conjunction with the application of said method, the technical scheme that the present invention relates to done further illustrating, the invention provides a kind of method of removing the flower instruction, as shown in Figure 1, comprising:
S101: dis-assembling is carried out in the instruction in the core buffer, and preserved the instruction that dis-assembling obtains;
S102: judge whether the instruction that dis-assembling obtains is to write the internal memory instruction, if, then carry out S103, otherwise, S104 carried out;
S103: search and preserve all and write the internal memory order register in the register chained list, carry out S106;
Searching and preserve all writes the internal memory order register and comprises to the register chained list:
When writing internal memory instruction and instruct for STOS, directly record register EAX, EDI;
When writing internal memory instruction and instruct for pop, if described pop instruction operation note then records operated register, and reverse first push that finds instructs, and records the phase register;
Other situations then directly record register.
S104: judge whether it is the cycling jump instruction, if then carry out S105, otherwise directly carry out S106;
S105: search and preserve control loop body register to the register chained list, carry out S106;
S106: judge whether to arrive the condition that stops to carry out dis-assembling;
S107: according to any one register that records in the register chained list, reverse searching and storage and described register dependent instruction in the command chain that dis-assembling obtains one by one, when finding when data are read the instruction of CPU from internal memory, stop searching current register;
S108: the instruction different with the register dependent instruction in all instructions that the deletion dis-assembling obtains.
Judge whether the instruction that dis-assembling obtains is to write the internal memory instruction to comprise:
Judge whether the destination operand in the instruction that dis-assembling obtains is memory address, if, then be defined as writing the internal memory instruction, otherwise, the internal memory instruction write for non-;
Perhaps, judge whether the instruction that dis-assembling obtains is the implicit operands instruction, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs.
If the instruction that dis-assembling obtains is the cycling jump instruction, then searches and preserve control loop body register and comprise:
If the cycling jump instruction is then preserved the ECX register for LOOP instruction, LOOPNE instruction or LOOPZ instruction;
If the cycling jump instruction is the jcc instruction, then reverse first CMP instruction, SUB instruction, TEST instruction, OR instruction or the AND of searching instructs, and preserves CMP order register, SUB order register, TEST order register, OR order register or AND order register;
If the cycling jump instruction is then searched the combined command that can access loop body for the jmp instruction, preserve described combined command register.
Judging whether to reach the condition that stops to carry out dis-assembling is specially:
Judge whether the instruction that dis-assembling obtains is the loop body END instruction;
Perhaps, judge whether the quantity that dis-assembling is instructed reaches default quantity.
The present invention also provides a kind of device of removing the flower instruction, comprising:
Dis-assembling unit 201 is used for dis-assembling is carried out in the instruction of buffer zone, and preserves the instruction that dis-assembling obtains;
First judging unit 202 is used for judging whether the instruction that dis-assembling obtains is to write the internal memory instruction;
Storage unit 203, being used for judging instruction that dis-assemblings obtain when first judging unit 202 is when writing internal memory and instructing, and searches and preserve to write the internal memory order register;
Second judging unit 204, be used for first judging unit 202 judge instruction that dis-assemblings obtain be non-write the internal memory instruction after, judge whether the instruction that dis-assembling obtains is the cycling jump instruction, if then control loop body register is searched and preserved to storage unit 203;
The 3rd judging unit 205, be used for after first judging unit 202 judges that instruction that dis-assemblings obtain is to write internal memory and instruct, perhaps after second judging unit 204 judges whether instruction that dis-assembling obtains is the cycling jump instruction, judge whether to reach the condition that stops to carry out dis-assembling, if do not reach the condition that stops to carry out dis-assembling, then by the dis-assembling unit next instruction in the buffer zone is carried out dis-assembling;
Search unit 206, be used for the 3rd judging unit 205 judge reach stop to carry out the condition of dis-assembling after, any one register for the storage unit preservation, in dis-assembling unit 201 carries out all instructions that dis-assembling obtains, reversely search the instruction relevant with described register, when satisfying when stopping search criterion, stop to search the instruction relevant with described register;
Comparing unit 207 is used for after searching unit 206 and having searched the dependent instruction of all registers, the instruction different with the dependent instruction of register during all of deleting that dis-assembling obtains are instructed.
In the described device, first judging unit 202 specifically is used for judging whether the destination operand of the instruction that dis-assembling obtains is memory address, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs;
Perhaps, first judging unit 202 judges whether the instruction that dis-assembling obtains is the implicit operands instruction, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs.
In the described device, be LOOP instruction, LOOPNE instruction or LOOPZ instruction if second judging unit 204 is judged the cycling jump instruction, then storage unit is preserved the ECX register;
If judging the cycling jump instruction, second judging unit 204 is the jcc instruction, then reverse first CMP instruction, SUB instruction, TEST instruction, OR instruction or the AND of searching instructs, and then storage unit is preserved CMP order register, SUB order register, TEST order register, OR order register or AND order register;
Be the jmp instruction if second judging unit 204 is judged the cycling jump instruction, then storage unit 203 is searched the combined command that can access loop body, and preserves described order register.
In the described device, storage unit 203 specifically is used for writing the internal memory order register and is saved in the register chained list;
Storage unit 203 is concrete for controlling the loop body register holds to the register chained list;
Be specially for any one register of preserving: for any one register in the register chained list.
In the described device, the 3rd judging unit 205 is concrete for judging whether the instruction that dis-assembling obtains is the loop body END instruction;
Perhaps, the 3rd judging unit 205 is concrete for judging whether the quantity that dis-assembling is instructed reaches default quantity.
In the described device, the satisfied condition that stops to search is specially and finds the instruction that data is read CPU from internal memory.
The invention provides a kind of method and apparatus of removing the flower instruction, by dis-assembling is carried out in the instruction in the buffer zone, and preserve the instruction that all dis-assemblings obtain, preserve all writing the internal memory instruction and write the internal memory order register, according to writing the internal memory order register, reversely search all instructions that dis-assembling obtains, find all instructions relevant with writing the internal memory order register, all instructions that dis-assembling is obtained compare with the register dependent instruction, delete different instructions, the instruction of deletion is the flower instruction, and the instruction of deletion flower does not influence the normal operation of program.
Though described the present invention by embodiment, those of ordinary skills know, the present invention has many distortion and variation and do not break away from spirit of the present invention, wish that appended claim comprises these distortion and variation and do not break away from spirit of the present invention.

Claims (8)

1. a method of removing the flower instruction is characterized in that, comprising:
Step a: dis-assembling is carried out in the instruction in the core buffer, and preserved the instruction that dis-assembling obtains;
Step b: judge whether the instruction that dis-assembling obtains is to write the internal memory instruction, if, then search and preserve and write the internal memory order register, change steps d, otherwise, change step c;
Step c: judge whether the instruction that dis-assembling obtains is the cycling jump instruction, if, then search and preserve control loop body register, change steps d, otherwise, directly change steps d;
Steps d: judge whether to reach the condition that stops to carry out dis-assembling, if, then change step e, otherwise, step a changeed; It is described that to judge whether to reach the condition that stops to carry out dis-assembling be to judge whether the instruction that dis-assembling obtains is the loop body END instruction, or judge whether the quantity of dis-assembling instruction reaches default quantity;
Step e: for any one register of preserving, reversely in dis-assembling obtains all instructions search the instruction relevant with any one register of described preservation, when satisfying the condition that stops to search, stop to search the instruction relevant with any one register of described preservation; The described condition that stops to search is to find the instruction that data is read CPU from internal memory;
Step f: behind the dependent instruction of having searched all registers, the instruction different with the dependent instruction of register in all instructions that the deletion dis-assembling obtains.
2. the method for claim 1 is characterized in that, judges whether the instruction that dis-assembling obtains is to write the internal memory instruction to comprise:
Judge whether the destination operand in the instruction that dis-assembling obtains is memory address, if, then be defined as writing the internal memory instruction, otherwise, the internal memory instruction write for non-;
Perhaps, judge whether the instruction that dis-assembling obtains is the implicit operands instruction, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs.
3. the method for claim 1 is characterized in that, if the instruction that dis-assembling obtains is the cycling jump instruction, then searches and preserves control loop body register and comprise:
If the cycling jump instruction is then preserved the ECX register for LOOP instruction, LOOPNE instruction or LOOPZ instruction;
If the cycling jump instruction is the jcc instruction, then reverse first CMP instruction, SUB instruction, TEST instruction, OR instruction or the AND of searching instructs, and preserves CMP order register, SUB order register, TEST order register, OR order register or AND order register;
If the cycling jump instruction is then searched the combined command that can access loop body for the jmp instruction, preserve described combined command register.
4. the method for claim 1 is characterized in that, preservation is write the internal memory order register and comprised: will write the internal memory order register and be saved in the register chained list;
Preserving control loop body register comprises: will control the loop body register holds in the register chained list;
Any one register of described preservation is specially: any one register in the described register chained list.
5. a device of removing the flower instruction is characterized in that, comprising:
The dis-assembling unit is used for dis-assembling is carried out in the instruction of buffer zone, and preserves the instruction that dis-assembling obtains;
First judging unit is used for judging whether the instruction that dis-assembling obtains is to write the internal memory instruction;
Storage unit, be used for when instruction that the first judgment unit judges dis-assembling obtains be when writing internal memory and instructing, search and preserve and write the internal memory order register;
Second judging unit, be used for the instruction that the first judgment unit judges dis-assembling obtains be non-write the internal memory instruction after, judge whether the instruction that dis-assembling obtains is the cycling jump instruction, if then storage unit is searched and preserved and controls the loop body register;
The 3rd judging unit, be used for after instruction that the first judgment unit judges dis-assembling obtains is to write internal memory and instruct, perhaps after whether instruction that the second judgment unit judges dis-assembling obtains is the cycling jump instruction, judge whether to reach the condition that stops to carry out dis-assembling, if do not reach the condition that stops to carry out dis-assembling, then by the dis-assembling unit next instruction in the buffer zone is carried out dis-assembling; It is described that to judge whether to reach the condition that stops to carry out dis-assembling be to judge whether the instruction that dis-assembling obtains is the loop body END instruction, or judge whether the quantity of dis-assembling instruction reaches default quantity;
Search the unit, be used for the 3rd judgment unit judges reach stop to carry out the condition of dis-assembling after, any one register for the storage unit preservation, in the dis-assembling unit carries out all instructions that dis-assembling obtains, reversely search the instruction relevant with any one register of described preservation, when satisfying when stopping search criterion, stop to search the instruction relevant with any one register of described preservation; The described condition that stops to search is to find the instruction that data is read CPU from internal memory;
Comparing unit is used for after searching the unit and having searched the dependent instruction of all registers, the instruction different with the register dependent instruction during all of deleting that dis-assembling obtains are instructed.
6. device as claimed in claim 5 is characterized in that, first judging unit specifically is used for judging whether the destination operand of the instruction that dis-assembling obtains is memory address, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs;
Perhaps, first judging unit is used for specifically judging whether the instruction that dis-assembling obtains is the implicit operands instruction, if, then be defined as writing the internal memory instruction, otherwise, for the non-internal memory of writing instructs.
7. device as claimed in claim 5 is characterized in that, is LOOP instruction, LOOPNE instruction or LOOPZ instruction if second judgment unit judges goes out the cycling jump instruction, and then storage unit is preserved the ECX register;
If going out the cycling jump instruction, second judgment unit judges is the jcc instruction, then reverse first CMP instruction, SUB instruction, TEST instruction, OR instruction or the AND of searching instructs, and then storage unit is preserved CMP order register, SUB order register, TEST order register, OR order register or AND order register;
Be the jmp instruction if second judgment unit judges goes out the cycling jump instruction, then storage unit is searched the combined command that can access loop body, and preserves described order register.
8. device as claimed in claim 5 is characterized in that, storage unit specifically is used for writing the internal memory order register and is saved in the register chained list;
Storage unit specifically is used for will controlling the loop body register holds to the register chained list;
Any one register of described preservation is specially: any one register in the described register chained list.
CN 201010591156 2010-12-16 2010-12-16 Method and device for removing junk codes Active CN102023842B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010591156 CN102023842B (en) 2010-12-16 2010-12-16 Method and device for removing junk codes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010591156 CN102023842B (en) 2010-12-16 2010-12-16 Method and device for removing junk codes

Publications (2)

Publication Number Publication Date
CN102023842A CN102023842A (en) 2011-04-20
CN102023842B true CN102023842B (en) 2013-09-11

Family

ID=43865166

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010591156 Active CN102023842B (en) 2010-12-16 2010-12-16 Method and device for removing junk codes

Country Status (1)

Country Link
CN (1) CN102023842B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106682498B (en) * 2016-08-16 2019-12-06 腾讯科技(深圳)有限公司 Sample execution method and device
CN110837372B (en) * 2019-11-04 2021-01-26 贵阳动视云科技有限公司 Method, apparatus, medium, and device for clearing confusion of assembly code

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101154259A (en) * 2007-08-27 2008-04-02 电子科技大学 General automated shelling engine and method
CN101162491A (en) * 2007-08-14 2008-04-16 电子科技大学 Virtual executive system and method based on code slice
CN101714118A (en) * 2009-11-20 2010-05-26 北京邮电大学 Detector for binary-code buffer-zone overflow bugs, and detection method thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040030963A1 (en) * 2002-08-12 2004-02-12 Sun Microsystems, Inc., A Delaware Corporation Method and apparatus for debugging computer program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101162491A (en) * 2007-08-14 2008-04-16 电子科技大学 Virtual executive system and method based on code slice
CN101154259A (en) * 2007-08-27 2008-04-02 电子科技大学 General automated shelling engine and method
CN101714118A (en) * 2009-11-20 2010-05-26 北京邮电大学 Detector for binary-code buffer-zone overflow bugs, and detection method thereof

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
代码迷惑及其有效性研究;徐长征等;《计算机应用研究》;20090930;第26卷(第9期);3502-3505 *
子程序花指令加密算法研究;孙国梓等;《计算机工程与应用》;20090131;第45卷(第3期);130-132 *
孙国梓等.子程序花指令加密算法研究.《计算机工程与应用》.2009,第45卷(第3期),130-132.
左黎明等.恶意代码族群特征提取与分析技术.《华中科技大学学报(自然科学版)》.2010,第38卷(第4期),46-49. *
徐长征等.代码迷惑及其有效性研究.《计算机应用研究》.2009,第26卷(第9期),3502-3505.

Also Published As

Publication number Publication date
CN102023842A (en) 2011-04-20

Similar Documents

Publication Publication Date Title
KR101480821B1 (en) Dynamic execution prevention to inhibit return-oriented programming
US8429745B1 (en) Systems and methods for data loss prevention on mobile computing systems
US20080195799A1 (en) Systems, methods and computer program products for operating a data processing system in which a file delete command is sent to an external storage device for invalidating data thereon
US20170308329A1 (en) Methods and Systems for Processing PRP/SGL Entries
CN102388368B (en) Method and device for monitoring memory
KR100866627B1 (en) Method for page preload using control flow and system thereof
CN104007993A (en) Method and device for eliminating sensitive data of Linux system memory
CN104123495B (en) A kind of method for being used to remove the Malware for preventing computer from running
US11062020B2 (en) Processor checking method, checking device and checking system
US20140359211A1 (en) Method for disk defrag handling in solid state drive caching environment
CN102662882A (en) Method and device for unloading mobile storage equipment
CN102023842B (en) Method and device for removing junk codes
CN103294951A (en) Malicious code sample extraction method and system based on document type bug
CN102280134A (en) Method for improving data security in removable storage device
KR20080098104A (en) Method of storing meta-data and system for storing meta-data
CN103186746A (en) Protection method and system of executable file
CN105550582A (en) Method and system for accessing to virtual disk
CN105892995B (en) Search the method, apparatus and processor of negative
CN103049534B (en) A kind of method of quick destruction database data
EP2487573A2 (en) Electronic device and method for separating drawing content
JP7285907B2 (en) Internet of Things Device and Method for Detecting and Treating Malware Using Server Resources
CN102103490B (en) Method for improving memory efficiency by using stream processing
CN104423927A (en) Method and device for processing instructions and processor
US8166243B2 (en) Information processing system and program for controlling the information processing system
EP2405360A1 (en) Information processing system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 100190 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16

Applicant after: Beijing Antiy Electronic Installation Co., Ltd.

Address before: 100085, 2B-521, bright city, No. 1, Nongda South Road, Beijing, Haidian District

Applicant before: Beijing Antiy Electronic Installation Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 100190 Beijing city Haidian District minzhuang Road No. 3, Tsinghua Science Park Building 1 Yuquan Huigu a

Patentee after: Beijing ahtech network Safe Technology Ltd

Address before: 100190 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16

Patentee before: Beijing Antiy Electronic Installation Co., Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and device for removing junk codes

Effective date of registration: 20170821

Granted publication date: 20130911

Pledgee: CITIC Bank Harbin branch

Pledgor: Beijing ahtech network Safe Technology Ltd

Registration number: 2017990000776

PE01 Entry into force of the registration of the contract for pledge of patent right
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20180817

Granted publication date: 20130911

Pledgee: CITIC Bank Harbin branch

Pledgor: Beijing ahtech network Safe Technology Ltd

Registration number: 2017990000776

PC01 Cancellation of the registration of the contract for pledge of patent right
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and device for removing junk codes

Effective date of registration: 20180817

Granted publication date: 20130911

Pledgee: CITIC Bank Harbin branch

Pledgor: Beijing ahtech network Safe Technology Ltd

Registration number: 2018990000700

PE01 Entry into force of the registration of the contract for pledge of patent right
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20191021

Granted publication date: 20130911

Pledgee: CITIC Bank Harbin branch

Pledgor: Beijing ahtech network Safe Technology Ltd

Registration number: 2018990000700

PC01 Cancellation of the registration of the contract for pledge of patent right