Abstract: A malicious process method, a data processing apparatus and a recording medium according to the present invention reads data stored in a buffer memory in terms of bytes and sequentially analyzes what kind of instruction code is included in a plurality of instruction sequence having different read positions. It is determined that a malicious code is included in an instruction sequence when an int instruction is included in an analyzed instruction sequence, an instruction code has a particular emergence pattern and a character code corresponding to “/” is included in stored command data.

Abstract: A malicious-process-determining method, a data processing apparatus, and a recording medium according to the present invention each consists of reading the data stored in a buffer memory by one byte, and for a plurality of instruction sequences each having a different read address, sequentially analyzing what kind of instruction code is contained therein. When the int instruction is contained in the analyzed instruction sequence, the number of times the immediate value is pushed to the stack is greater than 1, and the character code corresponding to “/” is contained in the virtual stack, a determination is made that a malicious code is contained in the relevant instruction sequence.

Abstract: The branch origin address and branch destination address of a branch instruction (jmp instruction) are stored, a judgment is made as to whether or not a call instruction for calling an instruction code group for executing an external command is associated with the branch destination address, a judgment is made as to whether or not the call destination address is between the branch origin address and the branch destination address if the call instruction is associated with the branch destination address, and information indicating that malicious code was detected is generated if the call destination of the call instruction is between the branch origin address and the branch destination address.