With the development of computer technology, the requirement for anti-virus software is becoming increasingly higher, and when determining whether an executable file is malware or a virus, the anti-virus software in the prior art needs to decompile the executable file, extract relevant information such as the class name, the method name, the constant string, etc. used in the executable file from the obtained source code, and compare the above relevant information with virus features in a virus library, thereby judging whether the executable file is malware or a virus.
In the process of realizing the present invention, the inventor has found that there are at least the following problems in the prior art: the method provided in the prior art needs to perform decompilation on the entire executable file, and the process of decompilation is not only time-consuming, but also occupies much internal memory, and relevant information such as the class name, the method name, the constant string, etc. used in the executable file is also needed to be acquired after decompilation, further increasing the internal memory occupation.