Title of invention: Malicious code detection technologies
Abstract: An embodiment of the present application provides technologies for detecting malicious content embedded in content downloaded from an external source. The downloaded content is converted into an opcode sequence by a web browser in a computing device. The opcode sequence is compared with a pre-stored opcode signature. The opcode signature comprises multiple sentences, and each sentence has multiple clauses. Each clause may include a matching opcode, a condition, an instruction, and an identifier. When a matching opcode in a clause matches with an opcode of the opcode sequence, and the condition as specified in the clause is determined to be true, the instruction in the clause is taken and the next sentence identified by the identifier is taken to match the opcode sequence. Eventually, the last taken clause in the opcode signature may instruct whether the opcode sequence contains malicious code.
Publication number: US9213839(B2) Publication date: 2015.12.15
Application number: US201414207665 Filing date: 2014.03.13
Applicant: HUAWEI TECHNOLOGIES CO., LTD. Inventors: Cao Yinzhi;Pan Xiang;Chen Yan;Zhuge Jianwei;Qian Xiaobin;Fu Jian
Classification: G06F21/56 Main classification: G06F21/56
Agency: Huawei Technologies Co., Ltd. Agent: Huawei Technologies Co., Ltd.
Main claim: 1. A method, executed by a computing device, for identifying malicious codes in electronic contents, comprising: obtaining an opcode (operation code) sequence from a downloaded content, wherein the opcode sequence comprises a first opcode and a second opcode; and comparing the opcode sequence with a pre-stored opcode signature to determine whether the opcode sequence contains any malicious code, wherein the opcode signature comprises a first sentence and a second sentence, the first sentence includes a first matching clause, the first matching clause comprises a first matching opcode, a first condition, a first instruction for a first action to be taken, and an identifier identifying the second sentence; the second sentence comprises one or more second matching clauses and a default clause, each second matching clause includes a second matching opcode, a second condition, and a second instruction for a second action to be taken, and the default clause includes a third instruction for a third action to be taken; and wherein comparing the opcode sequence with a pre-stored opcode signature to determine whether the opcode sequence contains any malicious code comprises: determining whether the first opcode of the opcode sequence matches with the first matching opcode, and the first condition is true; if the first opcode matches with the first matching opcode, and the first condition is true, taking the first action according to the first instruction; searching the second sentence for a matching clause among the one or more second matching clauses, wherein the second opcode of the opcode sequence matches with a matching opcode of the matching clause; if the matching clause in the second sentence is found, and the second condition in the matching clause is true, taking an action according to the second instruction in the matching clause, if the matching clause in the second sentence is not found, taking the third action according to the third instruction in the default clause of the second sentence.
Address: Shenzhen CN
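
The sentence-and-clause comparison described in the abstract and in claim 1, as an added Python example that is not code from the patent or from the applicant. The instruction values, the operand-based conditions, the opcode names and the sample signature are all assumptions constructed for illustration; the record does not define them.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed instruction values; the record only says each clause carries "an instruction".
ADVANCE, REPORT_MALICIOUS = "advance", "malicious"

@dataclass
class Clause:
    opcode: Optional[str]                # matching opcode (None in a default clause)
    condition: Callable[[int], bool]     # assumed here to be a predicate on the operand
    instruction: str                     # action to take when the clause is taken
    next_sentence: Optional[str] = None  # identifier of the sentence to match next

@dataclass
class Sentence:
    clauses: list
    default: Optional[Clause] = None     # taken when no matching clause is found

def scan(signature, start, opcodes):
    """Walk (opcode, operand) pairs through the signature; True if flagged malicious."""
    current, last = start, None
    for op, operand in opcodes:
        sentence = signature[current]
        taken = next((c for c in sentence.clauses
                      if c.opcode == op and c.condition(operand)), sentence.default)
        if taken is None:                # no match and no default: stay in this sentence
            continue
        last = taken.instruction
        if last != ADVANCE:              # a reporting instruction ends the comparison
            break
        current = taken.next_sentence
    return last == REPORT_MALICIOUS      # the last taken clause decides the verdict

always = lambda _operand: True
large = lambda operand: operand >= 1024

# Constructed signature: large ALLOC, then large COPY, then CALL, with nothing in between.
SIGNATURE = {
    "s1": Sentence([Clause("ALLOC", large, ADVANCE, "s2")]),
    "s2": Sentence([Clause("COPY", large, ADVANCE, "s3")],
                   default=Clause(None, always, ADVANCE, "s1")),
    "s3": Sentence([Clause("CALL", always, REPORT_MALICIOUS)],
                   default=Clause(None, always, ADVANCE, "s1")),
}
# Constructed opcode sequences (hypothetical opcode names, not a real engine's).
FLAGGED_SEQ = [("PUSH", 1), ("ALLOC", 4096), ("COPY", 4096), ("CALL", 0)]
SMALL_SEQ = [("ALLOC", 16), ("COPY", 4096), ("CALL", 0)]
BROKEN_SEQ = [("ALLOC", 4096), ("COPY", 4096), ("PUSH", 1), ("CALL", 0)]
```

`SMALL_SEQ` fails the first clause's condition, and `BROKEN_SEQ` hits the default clause of the third sentence, which sends matching back to the first sentence, so neither is flagged.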