For remote malicious code injection attacks, the analysis of injected code behavior has always been the difficulty of malicious code dynamic analysis. In this paper, a remote code injection behavior analysis method based on code refactoring was proposed. By analyzing the behavior of remote code injection attack, extracting the injection behavior pattern rules, analyzing the malicious code by using the dynamic binary analysis platform, identifying the remote injection behavior in the execution process, obtaining the remote injected malicious data, then refactoring and executing the injected code, and finally triggering the hidden behavior of injected code, this method improves the integrity of malicious code behavior analysis. A series of malicious code samples were also used for experimental analysis. And the results showed that this method can obtain more comprehensive behavior information for malicious code with remote injection, and effectively improve the integrity of malicious code analysis.