CN115688109A - Malicious code detection method based on malicious code detection alarm system - Google Patents


Info

Publication number: CN115688109A
Authority: CN (China)
Prior art keywords: detected, module, library, malicious code, interface
Legal status: Granted (the legal status shown is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202310005435.4A
Other languages: Chinese (zh)
Other versions: CN115688109B (en)
Inventors: 操旭, 李宗宇
Current assignee: Hangzhou Cloudaemon Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Hangzhou Cloudaemon Technology Co ltd

Events:
Application filed by Hangzhou Cloudaemon Technology Co ltd
Priority to CN202310005435.4A
Publication of CN115688109A
Application granted
Publication of CN115688109B
Legal status: Active (current)
Anticipated expiration

Abstract

The scheme provides a malicious code detection alarm system and its application. The system comprises a dynamic library linking module, a macro switch setting module, a detection module and an alarm module. The dynamic library linking module links a detection dynamic library into the application to be detected; the macro switch setting module sets a macro switch for each system call interface to be detected; the detection module acquires the dependent library path information of the system call interface to be detected and sends it to the alarm module; and the alarm module raises an alarm according to the dependent library path information. The scheme can select the interfaces to be checked according to their differing sensitivity and security levels, can accurately identify whether the application has been infected with malicious code, and is not limited to a particular operating system or architecture instruction set.

Description

Malicious code detection method based on malicious code detection alarm system
Technical Field
The application relates to the field of computer methods, in particular to a malicious code detection method based on a malicious code detection alarm system.
Background
The 21st century is the information age: information has become an important strategic resource for social development, social informatization is the trend and core of world development today, and information security plays an extremely important role in the information society.
Currently, many computer viruses are injected into applications by means of code injection, a technique for statically or dynamically injecting external program code (usually a dynamic library) into a target file or program. Static injection modifies the target program by inserting the code to be executed into the program file and is therefore an intrusive injection technique; dynamic injection, in contrast, is non-intrusive: the code is injected into the target program at run time, modifying it remotely.
In the prior art, computer virus detection generally analyzes and samples the executable file of the target application with a static analysis tool to obtain the function information used and a calling relation table, and then matches this function information and calling relation table against the characteristic information of known Trojan viruses to judge whether a known Trojan virus has infected the file; alternatively, while the executable file runs, the list of loaded dynamic libraries is acquired through an interface provided by the system and compared with the static analysis result, and if the comparison shows a difference or the characteristic information of a known Trojan virus, the executable file is judged to have been infected by a third-party dynamic library of unknown origin.
In summary, in the prior art a detection result can be obtained only when the characteristic information of the Trojan virus is known, so a newly appearing Trojan virus, or a malicious dynamic library that has been renamed and disguised, cannot be judged accurately; a dynamic library can be loaded and its interfaces called at any time while the executable file is running, so if the list of dynamic libraries is acquired at the wrong moment the accuracy of the judgment is low; and if a library that the application depends on is itself at risk of being maliciously modified by the virus, comparing the basic information of the library cannot accurately judge whether the application has been infected by the virus.
Disclosure of Invention
The scheme of the present application provides a malicious code detection method based on a malicious code detection alarm system, which can determine the interfaces to be checked according to their differing sensitivity and security levels, can accurately identify whether an application has been infected with malicious code, and is not limited by the operating system or the architecture instruction set.
In a first aspect, the present application provides a malicious code detection method based on a malicious code detection alarm system, which is deployed in an application to be detected in order to detect malicious code in that application, where the malicious code detection alarm system comprises:
a dynamic library linking module, a macro switch setting module, a detection module and an alarm module;
the dynamic library linking module links a dynamic library of the malicious code detection alarm system, as the detection dynamic library, into the application to be detected;
the macro switch setting module sets a macro switch for each system call interface in the application to be detected, where each macro switch corresponds to a unique system call interface, and the system call interfaces whose macro switches are selected and turned on serve as the system call interfaces to be detected;
when the application to be detected calls a system call interface to be detected, the detection module acquires the call stack context information of that system call interface, obtains the dependent library path information of the system call interface from the call stack context information and sends it to the alarm module, where the dependent library path information records the dynamic libraries the application to be detected passed through before calling the system call interface to be detected;
and the alarm module retrieves the corresponding dynamic library based on the dependent library path information, judges whether the digital signature of the dynamic library is legitimate, and alarms the user if the digital signature of the dynamic library is not legitimate.
In a second aspect, the present disclosure provides an electronic device including a memory and a processor, where the memory stores a computer program and the processor is configured to execute the computer program to perform the malicious code detection method based on the malicious code detection alarm system.
In a third aspect, the present solution provides a readable storage medium storing a computer program, the computer program comprising program code that controls a process to execute the malicious code detection method based on the malicious code detection alarm system.
Compared with the prior art, the technical scheme has the following characteristics and beneficial effects:
In the scheme, the dynamic library of the malicious code detection alarm system is linked into the application to be detected and packaged together with it, so malicious code detection is completed without an additional static analysis tool; this avoids the drawback that a static analysis tool can only detect a Trojan virus whose characteristic information is already known, and improves detection accuracy. A macro switch is provided for each system call interface to be detected, so the user can decide which system call interfaces to detect according to their sensitivity and security level, which gives greater flexibility in use. The scheme can run on different operating systems and different system architectures and is not limited by their interfaces. The detection dynamic library is set as the first loaded library, so detection is performed without affecting the running of the application to be detected, which further improves detection accuracy.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below, which provide a more concise and understandable description of the application and of its features, objects and advantages.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flowchart of a malicious code detection method based on a malicious code detection alarm system according to an embodiment of the present application;
FIG. 2 is a block diagram of a malicious code detection alarm system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims that follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
Example one
The present application provides a malicious code detection method based on a malicious code detection alarm system, which is deployed in an application to be detected in order to detect malicious code in that application. With reference to FIG. 1, the system comprises:
a dynamic library linking module, a macro switch setting module, a detection module and an alarm module;
the dynamic library linking module links a dynamic library of the malicious code detection alarm system, as the detection dynamic library, into the application to be detected;
the macro switch setting module sets a macro switch for each system call interface in the application to be detected, where each macro switch corresponds to a unique system call interface, and the system call interfaces whose macro switches are selected and turned on serve as the system call interfaces to be detected;
when the application to be detected calls a system call interface to be detected, the detection module acquires the call stack context information of that system call interface, obtains the dependent library path information of the system call interface from the call stack context information and sends it to the alarm module, where the dependent library path information records the dynamic libraries the application to be detected passed through before calling the system call interface to be detected;
and the alarm module retrieves the corresponding dynamic library based on the dependent library path information, judges whether the digital signature of the dynamic library is legitimate, and alarms the user if the digital signature of the dynamic library is not legitimate.
In some embodiments, in the step in which the dynamic library linking module links the dynamic library of the malicious code detection alarm system, as the detection dynamic library, into the application to be detected, the dynamic library of the malicious code detection alarm system is released as part of the application to be detected.
Specifically, the malicious code detection alarm system of the scheme is integrated into the complete SDK package of the application to be detected, so the author of the application to be detected need not maintain the whole SDK and the normal operation of the application is not affected.
In some embodiments, for the step "each macro switch corresponds to a unique system call interface", a compilation lookup table is constructed from the correspondence between macro switches and system call interfaces, the macro switches of the system call interfaces that require malicious code detection are selected and turned on, and the application to be detected is compiled and packaged again. The advantage of this arrangement is that only some of the system call interfaces need be selected, turned on and detected, according to the differing security levels and sensitivities of the interfaces, which minimizes the memory occupied by the application to be detected at run time.
It is worth noting that when the application to be detected runs, detection takes effect for the system call interfaces corresponding to the selected macro switches.
Specifically, the author or administrator of the application to be detected may turn on the corresponding macro switch in the compilation lookup table according to the sensitivity and security level of each system call interface. For example, the system call interface for the OPEN function corresponds to the macro switch _INJECTION_PROTECTION_OPEN_; if malicious code detection is required for the OPEN function, _INJECTION_PROTECTION_OPEN_ is turned on and the application to be detected is compiled and packaged again.
Specifically, the sensitivity and security level of a system call interface may be determined comprehensively according to the actual situation and the subsequent running of the application; the scheme does not limit this.
In some embodiments, an environment detection module is added before the detection module. The environment detection module performs environment detection before the application to be detected runs, judging whether the detection dynamic library is the first loaded library; if the detection dynamic library is not the first loaded library, the alarm module is used to alarm the user.
Further, in the step "judging whether the detection dynamic library is the first loaded library, and if it is not, alarming the user through the alarm module", the list of loaded dynamic libraries of the application to be detected is obtained first, and whether the detection dynamic library is the first loaded library is judged from that list.
Specifically, the system judges whether malicious code has been injected on the premise that the detected system call interface is the actual interface of the system library, not an interface behind a maliciously injected dynamic library hook. To prevent a dynamic library injected by malicious code from being loaded earlier and undermining the accuracy of the system, the detection dynamic library is therefore made the first loaded library, which avoids this interference.
Further, a hook is a system mechanism provided in Windows to replace the "interrupts" of DOS; the Chinese term translates as "hook". After a hook has been set for a particular system event, the program that set the hook is notified by the system when that event occurs and can then respond to the event immediately.
Specifically, using the detection dynamic library as the first loaded library means that the code logic of the application to be detected is not affected.
Specifically, the method of obtaining the list of loaded dynamic libraries of the application to be detected differs between operating systems: on Windows the system method EnumProcessModules is called to obtain the list of loaded dynamic libraries; on macOS the system method _dyld_get_image_name is called to obtain the list of loaded dynamic libraries; and on Linux the system method dl_iterate_phdr is called to obtain the list of loaded dynamic libraries.
In some embodiments, a registration module is added before the detection module. The registration module registers the system call interface to be detected as follows: a memory space is opened up; the interface function of the system call interface to be detected is backed up and stored in that memory space as a backup function; a first jump function, which jumps back to the original interface function, is appended at the end of the backup function; a jump instruction that jumps to the detection module is constructed and written over the memory space where the original interface function is located; and a second jump function, which jumps to the backup memory space, is appended at the end of the jump instruction.
For example, taking the x86 architecture, the registration module first creates a sufficiently large memory space for backing up the interface function of the system call interface to be detected and sets read-write permission on it, backs up at least 5 bytes of the assembly instructions at the start address of the interface function, and appends at the end a first jump function that jumps back to the original interface function; it then sets write permission on the 5-byte memory space at the start address of the interface function, constructs a jump instruction that jumps to the start address of the detection module, overwrites the 5 bytes at the start address of the original interface function with that jump instruction, and finally restores the read-write permission of that 5-byte memory space to complete registration. Similarly to the x86 registration method, the Arm registration method first backs up the contents of the original interface function and then covers the original interface function with a jump instruction.
Further, in the step in which the detection module acquires the call stack context information of the system call interface to be detected, when the application to be detected reaches the system call interface to be detected, execution jumps to the detection module according to the jump instruction, and after detection is complete execution continues according to the original code logic.
Specifically, in the scheme a jump instruction is inserted at the start address of the interface function of the system call interface to be detected; after the detection module finishes detection, the jump function in the jump instruction jumps back to the address of the system call interface to be detected, and the code of the system call interface to be detected continues to execute.
In some embodiments, in the step "obtaining the dependent library path information of the system call interface to be detected from the call stack context information and sending it to the alarm module", the dependent library path information of the system call interface to be detected is arranged into a table, packaged into a message notification, and sent to the alarm module as a message notification.
Specifically, the dependent library path information of the system call interface to be detected is obtained differently on different operating systems: on Windows the system interface CaptureStackBackTrace is called to obtain the call stack context information, and the dependent library path corresponding to each address in the call stack is then obtained through the system interface GetModuleFileNameA; on Linux and macOS the system interface backtrace is called to obtain the call stack context information, and the system interface dladdr is then called to obtain the dependent library path corresponding to each address in the call stack.
In some embodiments, the alarm module runs independently in a sub-thread; during monitoring, if the injection of an unknown dynamic library is detected, the alarm module pops up an alarm prompt to the user of the application to be detected, records the information of the unknown dynamic library, and forcibly exits the application to be detected.
In some specific embodiments, when the alarm module receives the dependent library path information of the system call interface to be detected sent by the detection module, it checks whether the library files corresponding to the dependent library paths have legitimate digital signatures; if the signer of a library file's digital signature is a legitimate source, the library file is judged normal; otherwise, the alarm module pops up an alarm prompt to the user who is using the application to be detected, records the dependent library path information, and forcibly exits the application to be detected.
Specifically, the digital signature is retrieved differently on different operating systems: Windows uses SignTool for retrieval and macOS uses the codesign tool; with these tools the digital signatures of the library files corresponding to the library path information can be obtained conveniently.
Specifically, if the environment detection module detects that the detection dynamic library is not the first loaded library, the alarm module is used to alarm the user and forcibly exit the application.
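As an added example (not code from the patent or from Hangzhou Cloudaemon), the following C program models the three decisions described above: the environment check that the detection library was loaded first, the detection module's mapping of call-stack addresses to dependent library paths, and the alarm module's signature-based verdict, gated by the _INJECTION_PROTECTION_OPEN_ macro switch. The module list, address ranges, stack frames, library paths and signature results are constructed in-memory stand-ins for what EnumProcessModules/dl_iterate_phdr, CaptureStackBackTrace/backtrace and SignTool/codesign would return, so the logic runs offline on any platform.

```c
/* Added example (not the patent's code) modelling CN115688109A's environment, detection
 * and alarm checks over constructed data; the tables stand in for OS enumeration/signature APIs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Macro switch from the patent's example: defined here, so open() is monitored;
 * leaving it undefined compiles the open() check out of the build entirely. */
#define _INJECTION_PROTECTION_OPEN_ 1
#define MAX_LIBS 16
#define DETECT_LIB "/app/libinjectguard.so" /* hypothetical detection library path */
typedef struct {            /* one loaded module as a module enumerator reports it */
    const char *path;       /* file path of the dynamic library */
    uintptr_t   base, end;  /* mapped code range [base, end), constructed values */
    int         trusted;    /* 1 if codesign/SignTool would report a legitimate signer */
} module_t;

/* Constructed module list in load order: the detection library is loaded first. */
static const module_t MODULES[] = {
    { DETECT_LIB,        0x1000, 0x2000, 1 },
    { "/lib/libc.so",    0x2000, 0x4000, 1 },
    { "/app/libapp.so",  0x4000, 0x6000, 1 },
    { "/tmp/libevil.so", 0x9000, 0xA000, 0 }, /* injected, no legitimate signature */
};
static const size_t N_MODULES = sizeof MODULES / sizeof MODULES[0];
/* Constructed stacks, innermost first: a clean open(), and one routed via libevil. */
static const uintptr_t CLEAN_STACK[]    = { 0x1100, 0x2200, 0x4500, 0x4800 };
static const uintptr_t INJECTED_STACK[] = { 0x1100, 0x2200, 0x9100, 0x4500 };

/* Environment check: the detection library must be the first loaded library, or an
 * earlier-loaded hook could sit between the application and the real interface. */
int detection_lib_is_first(const module_t *mods, size_t n, const char *detect_path)
{
    return n > 0 && strcmp(mods[0].path, detect_path) == 0;
}

/* dladdr-style lookup: which module contains this return address? */
const module_t *resolve_frame(const module_t *mods, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].end)
            return &mods[i];
    return NULL; /* not inside any known module, e.g. an anonymous mapping */
}

/* Detection module: de-duplicated dependent library paths for a captured stack.
 * Unresolvable frames become "<unknown>" so the alarm module still sees them. */
size_t collect_dependent_libs(const module_t *mods, size_t n, const uintptr_t *frames,
                              size_t nframes, const char **out, size_t cap)
{
    size_t count = 0;
    for (size_t i = 0; i < nframes && count < cap; i++) {
        const module_t *m = resolve_frame(mods, n, frames[i]);
        const char *path = m ? m->path : "<unknown>";
        size_t j = 0;
        while (j < count && strcmp(out[j], path) != 0) j++;
        if (j == count) out[count++] = path;
    }
    return count;
}

/* Alarm module: every path on the stack must belong to a module with a legitimate
 * signature. Returns 1 and sets *offender on the first unsigned or unknown path. */
int alarm_check(const module_t *mods, size_t n, const char **paths, size_t npaths, const char **offender)
{
    for (size_t i = 0; i < npaths; i++) {
        const module_t *m = NULL;
        for (size_t j = 0; j < n && !m; j++)
            if (strcmp(mods[j].path, paths[i]) == 0) m = &mods[j];
        if (!m || !m->trusted) {
            if (offender) *offender = paths[i];
            return 1;
        }
    }
    return 0;
}

/* Body the hook stub runs when the monitored open() interface is entered:
 * returns 1 if the call should be alarmed, 0 if its call path looks clean. */
int on_open_called(const uintptr_t *frames, size_t nframes, const char **offender)
{
#ifdef _INJECTION_PROTECTION_OPEN_
    const char *paths[MAX_LIBS];
    size_t np = collect_dependent_libs(MODULES, N_MODULES, frames, nframes, paths, MAX_LIBS);
    return alarm_check(MODULES, N_MODULES, paths, np, offender);
#else
    return 0; /* switch off: open() is not monitored, nothing is checked */
#endif
}
int main(void)
{
    const char *who = NULL;
    printf("detection lib first: %d\n", detection_lib_is_first(MODULES, N_MODULES, DETECT_LIB));
    printf("clean stack alarm: %d\n", on_open_called(CLEAN_STACK, 4, &who));
    printf("injected stack alarm: %d (%s)\n", on_open_called(INJECTED_STACK, 4, &who), who ? who : "-");
    return 0;
}
```

A frame that resolves to no module at all is reported as "<unknown>" and alarmed, which is the defensive default for code running from an anonymous mapping rather than a loaded library.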
Example two
A malicious code detection alarm system, referring to fig. 2, comprising:
the dynamic library linking module, used to link a dynamic library of the malicious code detection alarm system, as the detection dynamic library, into the application to be detected; because the detection dynamic library is linked into the application, the author of the application program need not maintain the detection dynamic library, and the normal operation of the application is guaranteed;
the macro switch setting module, which sets a macro switch for each system call interface in the application to be detected, each macro switch corresponding to a unique system call interface; the system call interfaces whose macro switches are selected and turned on serve as the system call interfaces to be detected; the macro switches determine which system call interfaces in the application are detected, so the interfaces actually monitored by the system can be chosen, which gives better operability and preserves the running fluency of the application to be detected as far as possible;
the environment detection module, used to perform environment detection before the application to be detected runs and to judge whether the detection dynamic library is the first loaded library, which prevents a maliciously injected dynamic library that was loaded earlier from undermining the malicious code detection accuracy of the system;
the registration module, which registers the system call interface to be detected as follows: a memory space is opened up, the interface function of the system call interface to be detected is backed up and stored in the memory space as a backup function, a first jump function that jumps back to the original interface function is appended at the end of the backup function, a jump instruction that jumps to the detection module is constructed and written over the original interface function, and a second jump function that jumps to the backup memory space is appended at the end of the jump instruction; registering the system call interfaces to be detected through the registration module ensures that the code of the application to be detected is not damaged during detection and that the application runs smoothly while being detected;
the detection module, which acquires the call stack context information of the system call interface to be detected, obtains the dependent library path information of the system call interface from the call stack context information and sends it to the alarm module, where the dependent library path information records the dynamic libraries the application to be detected passed through before calling the system call interface to be detected; by examining the dynamic libraries on the call path of the system call interface, the detection module can accurately determine which dynamic libraries were involved in the call;
and the alarm module, which retrieves the corresponding dynamic library based on the dependent library path information and judges whether its digital signature is legitimate; if the digital signature is not legitimate, a malicious dynamic library is judged to be present. Because a regular dynamic library carries a digital signature from a legitimate source while a malicious dynamic library has no digital signature or an illegitimate one, checking the digital signature of each dynamic library discriminates whether a malicious dynamic library has been injected, which better safeguards application security.
Example three
The present embodiment further provides an electronic apparatus, referring to FIG. 3, which includes a memory 404 and a processor 402, where the memory 404 stores a computer program, and the processor 402 is configured to execute the computer program to perform the steps in any of the above embodiments of the malicious code detection method based on a malicious code detection alarm system.
Specifically, the processor 402 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 404 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, the memory 404 may include a hard disk drive (HDD), a floppy disk drive, a solid state drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 404 may include removable or non-removable (or fixed) media, where appropriate. The memory 404 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 404 is a Non-Volatile memory. In particular embodiments, memory 404 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or FLASH memory, or a combination of two or more of these, where appropriate. The RAM may be a static random-access memory (SRAM) or a dynamic random-access memory (DRAM), where the DRAM may be a fast page mode dynamic random-access memory (FPMDRAM), an extended data output dynamic random-access memory (EDODRAM), a synchronous dynamic random-access memory (SDRAM), or the like.
Memory 404 may be used to store or cache various data files for processing and/or communication use, as well as computer program instructions for execution by processor 402.
The processor 402 reads and executes the computer program instructions stored in the memory 404 to implement any one of the implementation procedures of the malicious code detection method based on the malicious code detection alarm system in the above embodiments.
Optionally, the electronic apparatus may further include a transmission device 406 and an input/output device 408, where the transmission device 406 is connected to the processor 402, and the input/output device 408 is connected to the processor 402.
The transmission device 406 may be used to receive or transmit data via a network. Specific examples of the network described above may include a wired or wireless network provided by a communication provider of the electronic device. In one example, the transmission device includes a Network Interface Card (NIC) that can be connected to other network devices through a base station so as to communicate with the internet. In one example, the transmission device 406 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
The input/output device 408 is used to input or output information. In this embodiment, the input information may be dynamic library information, a jump instruction, or the like, and the output information may be a detection result, or the like.
Optionally, in this embodiment, the processor 402 may be configured by a computer program to execute the following steps:
S101, a malicious code detection method based on a malicious code detection alarm system is provided, deployed on an application to be detected to detect malicious code in that application, wherein the system comprises a dynamic library linking module, a macro switch setting module, a detection module and an alarm module;
S102, the dynamic library linking module links the dynamic library of the malicious code detection alarm system, serving as the detection dynamic library, to the application to be detected;
S103, the macro switch setting module sets a macro switch for each system call interface in the application to be detected, each macro switch corresponding to a unique system call interface, and the system call interfaces whose macro switches are selected and opened are the system call interfaces to be detected;
S104, when the application to be detected calls a system call interface to be detected, the detection module acquires the call stack context information of that interface, obtains the dependent library path information of the interface from the call stack context information and sends it to the alarm module, wherein the dependent library path information records the dynamic libraries that the system to be detected called before calling the system call interface to be detected;
and S105, the alarm module calls the corresponding dynamic library based on the dependent library path information, judges whether the digital signature of the dynamic library is legal, and alarms the user if the digital signature of the dynamic library is legal.
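The flow of S103 to S105, as an added C illustration that is not the patent's own code: macro switches decide which interface wrappers exist, the detection module resolves the return addresses of the call stack against a constructed module map (the process's loaded-library table, as /proc/self/maps would list it) to obtain the dependent library paths, and the alarm module checks each library's signature, for which a constructed sig_ok flag stands in. The module map, addresses and paths are all constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
/* Macro switches, one per system call interface (S103); 1 = detect it.
 * Added illustration, not the patent's own code. */
#define DETECT_OPEN    1
#define DETECT_CONNECT 0
/* A loaded module as a /proc/self/maps entry describes it; sig_ok is a
 * constructed stand-in for the alarm module's signature verification. */
struct module { uintptr_t start, end; const char *path; int sig_ok; };
static const struct module MODULES[] = {   /* constructed module map */
    {0x400000ULL,       0x500000ULL,       "/opt/app/app",      1},
    {0x7f0000000000ULL, 0x7f0000100000ULL, "/lib/libc.so.6",    1},
    {0x7f0000200000ULL, 0x7f0000210000ULL, "/tmp/.x/inject.so", 0},
};
#define NMODULES (sizeof MODULES / sizeof MODULES[0])
/* Detection module (S104): map each return address in the call stack to the
 * module containing it, recording every dependent library once. */
int dependent_libraries(const uintptr_t *stack, int depth,
                        const struct module *libs[], int max)
{
    int n = 0;
    for (int i = 0; i < depth; i++)
        for (size_t m = 0; m < NMODULES; m++) {
            if (stack[i] < MODULES[m].start || stack[i] >= MODULES[m].end)
                continue;
            int seen = 0;
            for (int j = 0; j < n; j++) seen |= (libs[j] == &MODULES[m]);
            if (!seen && n < max) libs[n++] = &MODULES[m];
        }
    return n;
}
/* Alarm module (S105): check each dependent library's signature and return
 * how many did not pass verification. */
int alarm_check(const struct module *libs[], int n)
{
    int failed = 0;
    for (int i = 0; i < n; i++) {
        printf("%s: signature %s\n", libs[i]->path, libs[i]->sig_ok ? "ok" : "NOT verified");
        failed += !libs[i]->sig_ok;
    }
    return failed;
}
#if DETECT_OPEN   /* the wrapper exists only while its switch is open */
int detect_open(const uintptr_t *stack, int depth)
{
    const struct module *libs[8];
    return alarm_check(libs, dependent_libraries(stack, depth, libs, 8));
}
#endif
```

A call stack of app -> libc -> injected library -> open() yields three dependent libraries, of which the injected one fails verification; a stack touching only the application and libc yields none.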
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In general, the various embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects of the invention may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the invention is not limited thereto. While various aspects of the invention may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
Embodiments of the invention may be implemented by computer software executable by a data processor of the mobile device, such as in a processor entity, or by hardware, or by a combination of software and hardware. Computer software or programs (also called program products) including software routines, applets and/or macros can be stored in any device-readable data storage medium and they include program instructions for performing particular tasks. The computer program product may include one or more computer-executable components configured to perform embodiments when the program is run. The one or more computer-executable components may be at least one software code or a portion thereof. Further in this regard it should be noted that any block of the logic flow as in figure 3 may represent a program step, or an interconnected logic circuit, block and function, or a combination of a program step and a logic circuit, block and function. The software may be stored on physical media such as memory chips or memory blocks implemented within the processor, magnetic media such as hard or floppy disks, and optical media such as, for example, DVDs and data variants thereof, CDs. The physical medium is a non-transitory medium.
It should be understood by those skilled in the art that the technical features of the above embodiments can be combined arbitrarily; for the sake of brevity, not all possible combinations of these technical features are described, but as long as there is no contradiction among the combined features, they should be considered as falling within the scope of the present description.
The above examples only express several embodiments of the present application, and their description is relatively specific and detailed, but this is not to be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202310005435.4A (CN115688109B, en) | 2023-01-04 | 2023-01-04 | Malicious code detection method based on malicious code detection alarm system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202310005435.4A (CN115688109B, en) | 2023-01-04 | 2023-01-04 | Malicious code detection method based on malicious code detection alarm system

Publications (2)

Publication Number | Publication Date
CN115688109A (en) | 2023-02-03
CN115688109B (en) | 2023-03-28

Family

ID=85057041

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202310005435.4A (Active, CN115688109B, en) | Malicious code detection method based on malicious code detection alarm system | 2023-01-04 | 2023-01-04

Country Status (1)

Country | Link
CN (1) | CN115688109B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20050108562A1 (en) * | 2003-06-18 | 2005-05-19 | Khazan Roger I. | Technique for detecting executable malicious code using a combination of static and dynamic analyses
CN104834859A (en) * | 2015-04-24 | 2015-08-12 | 南京邮电大学 | Method for dynamically detecting malicious behavior in Android App (Application)
CN106991324A (en) * | 2017-03-30 | 2017-07-28 | 兴华永恒(北京)科技有限责任公司 | Malicious code tracking and recognition method based on memory protection type monitoring
CN108038378A (en) * | 2017-12-28 | 2018-05-15 | 厦门服云信息科技有限公司 | Method for detecting whether a cloud detection function has been maliciously modified, terminal device and storage medium
CN109240707A (en) * | 2018-09-29 | 2019-01-18 | 珠海市君天电子科技有限公司 | Method and apparatus for preventing malicious dynamic link library (DLL) file injection
CN112434286A (en) * | 2020-11-12 | 2021-03-02 | 浙江大华技术股份有限公司 | Dynamic library calling method and device, electronic device and storage medium
CN113810431A (en) * | 2021-11-19 | 2021-12-17 | 北京云星宇交通科技股份有限公司 | Method and system for traffic Internet of things terminal security detection based on Hook
CN114238948A (en) * | 2021-12-21 | 2022-03-25 | 上海识装信息科技有限公司 | Application program detection method and device, electronic equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
徐艳湘;黄皓;胡勇强;: "Research on protection methods for dynamic shared libraries" *
陈恺;王鹏;YEONJOON LEE;王晓峰;张楠;黄鹤清;邹维;刘鹏;: "Unknown malicious code detection method for massive software" *

Also Published As

Publication number | Publication date
CN115688109B (en) | 2023-03-28

Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
