Plug-in program detection method and device, equipment and storage medium

By scanning the operating system kernel layer pages and utilizing the extended page table features constructed by cheat programs, the system detects the one-to-one correspondence and continuity between the virtual machine's physical address and the host's physical address. A threshold is set to judge cheat programs, thus solving the security problem caused by cheat program cheating and realizing application security detection in virtualization environments.

CN122197007A · Pending · Publication Date: 2026-06-12 · SHENZHEN TENCENT TIANYOU TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Application (China)
Current Assignee / Owner
SHENZHEN TENCENT TIANYOU TECH CO LTD
Filing Date
2024-12-12
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Existing technologies are insufficient to effectively detect when plug-ins use extended page table technology to cheat, thus jeopardizing application security.

Method used

By scanning the number of suspicious extended page tables in the operating system kernel layer, and taking advantage of the one-to-one correspondence and continuity between the virtual machine physical address and the host physical address in the extended page table constructed by the cheat program, a threshold is set to determine whether a cheat program exists.

Benefits of technology

Ensure application security in virtualized environments, reduce false alarms, and improve detection efficiency and accuracy.


Abstract

A plug-in (cheat program) detection method, device, equipment and storage medium, belonging to the field of network security technology. The method includes: obtaining at least one kernel layer page; determining the number of suspicious extended page tables contained in the at least one kernel layer page; and, when the number is greater than or equal to a first threshold, determining that an extended page table constructed by a plug-in exists in the at least one kernel layer page. For the scenario in which an application program runs in a virtualized running environment, the method fully considers that when a plug-in cheats using extended page table technology, the extended page table it constructs has a one-to-one correspondence between virtual machine physical addresses and host physical addresses, and the host physical addresses of consecutive extended page table entries are also consecutive. The kernel layer pages in the system are scanned and judged against these characteristics; when the number of suspicious extended page tables reaches the first threshold, a plug-in is determined to be present in the system, so as to ensure the security of the application program.

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a method, apparatus, device, and storage medium for detecting plug-ins.

Background Technology

[0002] As the competition against memory hacks intensifies, many cheats are shifting towards using CPU (Central Processing Unit) virtualization technology. This means the cheats utilize virtualization to create a virtualized environment within the application (such as a game) and run within it. Most of these cheats use Extended Page Tables (EPT) inline hooks to hook into critical system and application functions, using EPT technology to hide their hook code.

[0003] In related technologies, common anti-cheat software can be used to determine whether virtualization technology is being used by analyzing the return values of specific instructions. For example, anti-cheat software can execute specific CPU instructions and use the return values of these instructions to determine whether a virtualization environment or software exists in the system, thus performing security checks.

[0004] In the above methods, when the cheat uses extended page table technology to cheat, the cheat can bypass the security detection of the anti-cheat software by forging specific instruction return values, thereby threatening the security of the application.

Summary of the Invention

[0005] This application provides a method, apparatus, device, and storage medium for detecting plug-ins. The technical solution provided by this application is as follows:

[0006] According to one aspect of the embodiments of this application, a method for detecting cheat programs is provided, the method comprising:

[0007] Obtain at least one kernel-level page, where the kernel-level page refers to the virtual memory page used by the operating system kernel;

[0008] Determine the number of suspicious extended page tables contained in the at least one kernel layer page, wherein the suspicious extended page tables refer to extended page tables potentially constructed by the plug-in;

[0009] If the number is greater than or equal to the first threshold, it is determined that an extended page table constructed by the plug-in exists in the at least one kernel layer page.

[0010] According to one aspect of the embodiments of this application, a device for detecting cheat programs is provided, the device comprising:

[0011] The acquisition module is used to acquire at least one kernel-level page, where the kernel-level page refers to the virtual memory page used by the operating system kernel.

[0012] The first determining module is used to determine the number of suspicious extended page tables contained in the at least one kernel layer page, wherein the suspicious extended page table refers to an extended page table potentially constructed by the plug-in program;

[0013] The second determining module is used to determine, when the number is greater than or equal to a first threshold, that an extended page table constructed by the plug-in exists in the at least one kernel layer page.

[0014] According to one aspect of the embodiments of this application, a computer device is provided, the computer device including a processor and a memory, the memory storing a computer program, the computer program being loaded and executed by the processor to implement the above-described method for detecting plug-ins.

[0015] According to one aspect of the embodiments of this application, a computer-readable storage medium is provided, wherein a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above-described method for detecting plug-ins.

[0016] According to one aspect of the embodiments of this application, a computer program product is provided, the computer program product including a computer program stored in a computer-readable storage medium, and a processor reading from the computer-readable storage medium and executing the computer program to implement the above-described method for detecting plug-ins.

[0017] The technical solutions provided in this application have at least the following beneficial effects:

[0018] For applications running in virtualized environments, this design fully considers the characteristics of the extended page tables constructed by cheat programs: in these extended page tables there is a one-to-one correspondence between virtual machine physical addresses and host physical addresses, and consecutive extended page table entries also have consecutive host physical addresses. By scanning kernel-level pages in the system and judging whether they meet these characteristics, it determines whether they are suspicious extended page tables. When the number of identified suspicious extended page tables reaches a first threshold, it is determined that a cheat program exists in the system, thereby ensuring application security.

Description of the Drawings

[0019] Figure 1 is a schematic diagram of an extended page table structure provided in one embodiment of this application;

[0020] Figure 2 is a schematic diagram of the implementation environment of a solution provided in one embodiment of this application;

[0021] Figure 3 is a flowchart of a method for detecting plug-ins provided in one embodiment of this application;

[0022] Figure 4 is a flowchart of a method for detecting plug-ins provided in another embodiment of this application;

[0023] Figure 5 is a flowchart illustrating the process of determining a suspicious extended page table according to an embodiment of this application;

[0024] Figure 6 is a block diagram of a plug-in detection device provided in one embodiment of this application;

[0025] Figure 7 is a structural block diagram of a computer device provided in one embodiment of this application.

Detailed Implementation

[0026] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.

[0027] Before introducing and explaining the technical solution of this application, some concepts involved in this application will be defined and explained.

[0028] 1. Extended page table

[0029] Extended page tables are used to manage the memory mapping of virtual machines in a virtualized runtime environment. Extended page tables allow virtual machines to directly access physical memory while maintaining memory isolation between the virtual machine and the host, thereby improving the performance and security of the virtualized runtime environment.

[0030] Extended page tables are an important component of virtualization technology, used to implement virtual memory management. The extended page table structure is a data structure used to describe the memory layout of a virtual machine, allowing the virtual machine to access physical memory while providing memory isolation and protection.

[0031] Extended page table structure:

[0032] As shown in Figure 1, the extended page table structure includes the following layers. Among them, the EPTP (Extended Page Table Pointer) is a pointer that points to the root page table of the extended page table and helps the Virtual Machine Monitor (VMM) manage the memory mapping of the virtual machine.

[0033] Extended Page Table PML4 (Page Map Level 4): Also known as the root page table mentioned above, this is the top level of the extended page table structure, used to describe the virtual machine's 4-level page tables. The Extended Page Table PML4 contains 512 entries, each corresponding to an Extended Page Table PDPT (Page Directory Pointer Table).

[0034] Extended Page Table (PDPT): The Extended Page Table (PDPT) is the second level of the extended page table structure, used to describe the virtual machine's three-level page tables. Each PDPT table contains 512 entries, and each entry corresponds to an Extended Page Table (PD) (Page Directory).

[0035] Extended Page Table (PD): The extended page table (PD) is the third level of the extended page table structure, used to describe the virtual machine's level 2 page tables. Each extended page table (PD) contains 512 entries, and each entry corresponds to an extended page table (PT).

[0036] Extended Page Table (PT): The extended page table (PT) is the lowest level of the extended page table structure, used to describe the virtual machine's level 1 page tables. Each extended page table (PT) contains 512 entries, and each entry corresponds to a physical memory page (typically 4KB).

[0037] An Extended Page Table (EPT) Entry contains the following information, as shown in Table 1 below:

[0038] Physical address: The address that points to the actual physical memory page.

[0039] Read/write permissions: Control the read/write access permissions of the virtualized system to this memory page.

[0040] Execution permission: Controls the execution access permissions of the virtualized system for this memory page.

[0041] Memory type: Defines the caching strategy for this memory page (e.g., write-back, write-through, non-cached, etc.).

[0042] Access flags: Used to monitor access to this memory page by the virtualized system.

[0043] Ignore PAT (Page Attribute Table): Used to control whether to ignore memory type settings in the PAT.

[0044] Big page flag: Used to indicate that the entry is a big page (e.g., 2MB (MegaByte) or 1GB (GigaByte)).

[0045] Software bits: Used for software-defined purposes, such as monitoring memory page usage.

[0046] Status bit: dirty status bit, used to indicate whether the page has been written.

[0047] Control bit: In use cases involving VT-d (Virtualization Technology for Directed I/O) and shared extended page tables, the control bit is used for snoop control of VT-d. VT-d refers to Directed I/O virtualization technology used to enhance I/O device management in virtualized environments. Through VT-d, virtual machines can directly access physical I/O devices without needing to go through a Virtual Machine Monitor (VMM), thereby improving I/O performance and security.

[0048] The information contained in the above Extended Page Table Entry is merely illustrative and is not intended to limit the scope of this application.

[0049] By extending the page table structure, virtualization software can flexibly control the virtualized system's access to physical memory, achieving memory isolation and protection. At the same time, the extended page table structure allows the virtualization software to dynamically adjust memory mappings and permissions.

[0050] Table 1

[0051]

[0052] 2. Extended page table inline hook

[0053] The cheat program modifies the translation from Guest (virtual machine) physical address to Host physical address in the extended page table (PT), thereby changing the host physical address that corresponds to the virtual machine physical address of the executable code. By registering an extended page table exception handler, the modified host physical address is returned when the corresponding virtual machine physical address is executed; however, when the anti-cheat software reads that virtual machine physical address, the original host physical address is returned. In this way the inline hook redirects execution to its own code while remaining invisible to the anti-cheat software's memory scans. In this application, the aforementioned host physical address is also referred to simply as the physical address.

[0054] Regarding the extended page table inline hooks used by the aforementioned cheat programs, this application fully considers that the cheat programs only use extended page table technology to hide the memory they use for inline hooks, and do not need to virtualize all system memory like other virtual machine software. As shown in Table 2 below, cheat programs typically construct a consistent (identity) page table. This page table can be an extended page table or a PT page table, meaning there is a one-to-one correspondence between the virtual machine physical address and the host physical address. For example, the virtual machine physical address 0xC0800000 corresponds to the host physical address 0xC0800000 in the extended page table. Furthermore, to prevent false alarms, the read/write/execute permission bits of the page table entries need to be set to 1, that is, the lower 3 bits of each page table entry need to be set to 1.

[0055] Table 2

[0056]

[0057] In Table 2 above, each physical address (i.e., the host physical address) is represented in hexadecimal. "7dba6000" and "7dba7000" can be used to indicate the address in the parent extended page table (PD). As shown in Table 2, each entry in the extended page table is 64 bits long, where bits 51:12 represent the frame corresponding to the host physical address. For example, as shown in Table 2, the host physical address (frame) in the extended page table entry "00000000, c0600007" (i.e., 0xc0600007) is 0xc0600, and the host physical address (frame) in "00000000, c0601007" (i.e., 0xc0601007) is 0xc0601. It can be seen that in the extended page table constructed by the cheat program, the mapping from virtual machine physical address to host physical address is one-to-one, and the host physical addresses of consecutive extended page table entries are also consecutive. It should be noted that the number of bits occupied by the physical address in each extended page table entry, as well as their positions, are merely exemplary and are not limited in this application.

[0058] In summary, this application fully utilizes the characteristic that the virtual machine physical address to the host physical address is one-to-one in the extended page table constructed by the plug-in, and that the host physical addresses in consecutive extended page table entries are also consecutive. It mainly detects the existence of plug-in programs in the system by identifying the continuity of host physical addresses in the extended page table.

[0059] Please refer to Figure 2, which illustrates an implementation environment provided by one embodiment of the present application. This implementation environment can be implemented as a computer system. The implementation environment may include a terminal device 10 and a server 20.

[0060] Terminal device 10 can be a PC (Personal Computer), or it can be a mobile phone, a smart voice interaction device, a game console, a wearable device, a multimedia playback device, a vehicle terminal, a smart home appliance, an AR (Augmented Reality) device, a VR (Virtual Reality) device, an MR (Mixed Reality) device, or another electronic device. This application does not limit this.

[0061] Terminal device 10 runs a virtual machine, which provides a virtualized runtime environment for the first application running within it. In this virtualized environment, the virtual machine's memory addresses need to be correctly mapped to the host's physical addresses to ensure the first application can function correctly. Specifically, the virtual machine uses virtual machine physical addresses, and the host uses host physical addresses. An extended page table is used to establish the mapping between virtual machine physical addresses and host physical addresses. Through the extended page table, the virtual machine can transparently access the host's physical memory, thereby ensuring the first application can run efficiently in the virtualized environment while guaranteeing memory access security and performance.

[0062] As described above, cheat programs can utilize extended page table inline hook technology to modify the translation table from virtual machine physical address to host physical address in the extended page table, thereby threatening the security of the first application running in the virtualization environment. The cheat program detection method proposed in this application targets scenarios where applications run in a virtualization environment and can detect whether cheat programs are using extended page table technology to cheat in the system. Specifically, it scans the host's kernel layer pages and determines whether the kernel layer pages are extended page tables constructed by cheat programs. When the number of detected extended page tables constructed by cheat programs exceeds a threshold, it is determined that cheat programs are using extended page table technology to cheat in the system, thus achieving cheat program detection. The execution entity of the cheat program detection method proposed in this application can be the terminal device 10 or the server 20. When the execution entity is the server 20, the terminal device 10 is also used to send kernel layer page data to the server 20. The server 20 is used to detect whether cheat programs exist in the terminal device based on the kernel layer page and returns the detection result to the terminal device 10.

[0063] In some embodiments, server 20 is also used to provide background services for clients of a first application running on terminal device 10.

[0064] In this application embodiment, the first application can be any application that supports running in a virtualized runtime environment, including but not limited to any one of the following: game applications, office software applications, social media applications, etc. This application does not limit the type of the first application.

[0065] In some embodiments, server 20 is also used to provide background services for the client of the first application in terminal device 10. For example, server 20 may be a standalone physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms, but is not limited to these.

[0066] In some embodiments, the server used to execute the detection method for the plug-in program proposed in this application and the server used to provide background services for the client of the first application may not be the same server, and this application does not limit this.

[0067] Terminal device 10 and server 20 can communicate with each other via a network. This network can be a wired network or a wireless network.

[0068] Please refer to Figure 3, which illustrates a flowchart of a method for detecting plug-ins according to an embodiment of this application. The execution entity for each step of this method can be a computer device; for example, the computer device can be the terminal device 10 in Figure 2, or the server 20 in Figure 2. The method may include at least one of the following steps 310 to 330.

[0069] Step 310: Obtain at least one kernel-level page, which refers to the virtual memory page used by the operating system kernel.

[0070] Kernel-level pages refer to the virtual memory pages used by the host operating system kernel. During virtualization, the hypervisor runs at the highest privilege level, while the guest operating system (virtual machine) runs at a lower privilege level. To achieve memory virtualization, the hypervisor needs to manage the virtual machine's memory accesses and translate them into actual host memory accesses. Extended page tables allow the hypervisor to maintain a page table for each virtual machine, mapping the virtual machine's physical address (Guest Physical Address, GPA) to the host's physical address (Host Physical Address, HPA). Thus, when a virtual machine accesses its memory, the hardware automatically performs two address translations: first from the virtual address (VA) to the GPA, and then from the GPA to the HPA via the extended page table. Because the extended page table is a critical data structure used by the hypervisor to manage memory virtualization, it must be stored in the host's memory, specifically in the host's kernel virtual memory. In other words, this application fully considers that all extended page tables are allocated from kernel virtual memory, so it only needs to scan the host's kernel virtual memory pages to identify whether any cheat program is using extended page tables to cheat.

[0071] In some embodiments, after obtaining at least one kernel layer page, the method of this application further includes: performing a validity check on each kernel layer page, the validity check including detecting whether the kernel layer page has been allocated a physical address; and if at least one kernel layer page passes the validity check, performing a step of determining the number of suspicious extended page tables contained in at least one kernel layer page (i.e., step 320 below).

[0072] Checking whether a kernel-level page has been allocated a physical address refers to checking whether the virtual address in the kernel-level page is mapped to actual physical memory. The above validity check process may include the following steps: (1) Obtain the virtual address of the kernel-level page. This virtual address is allocated by the host operating system kernel, and each virtual address corresponds to a memory page used by the kernel. (2) Use the virtual address to query the page table. This page table is a data structure used by the operating system to map virtual addresses to physical addresses. The purpose of querying the page table is to find the physical address mapping entry corresponding to the virtual address. (3) Check the validity of the mapping entry. Check whether the mapping entry in the page table exists and is valid. If the mapping entry exists and is valid, it means that the virtual address has been allocated a physical address. If the mapping entry does not exist or is invalid, it means that the virtual address has not been allocated a physical address. In some embodiments, after determining that the mapping entry exists and is valid, step (4) is further included to verify the physical address. If the mapping entry exists, the legality of the physical address is further verified. Ensure that the physical address is within the valid physical memory range and can be accessed safely.

[0073] Because cheat programs tamper with the host physical addresses in the extended page table, the above method first ensures that the virtual addresses of these kernel virtual pages are mapped to physical addresses before examining the kernel-level pages. For virtual addresses that are not yet mapped, there is no associated physical address, so there is no need to further check whether these pages contain suspicious extended page table entries. This simplifies the cheat program detection process and improves the efficiency of suspicious extended page table detection.

[0074] Step 320: Determine the number of suspicious extended page tables contained in at least one kernel-level page. Suspicious extended page tables refer to extended page tables potentially constructed by plug-ins.

[0075] In some embodiments, the suspicious extended page tables are determined based on the characteristic that there is a one-to-one correspondence between virtual machine physical addresses and host physical addresses in extended page table entries, and that host physical addresses are also consecutive in consecutive extended page table entries. In some embodiments, the step of determining the number of suspicious extended page tables contained in at least one kernel-level page may include: scanning each kernel-level page in the system to determine whether the kernel-level page is a suspicious extended page table; when the kernel-level page is determined to be a suspicious extended page table, updating the number of suspicious extended page tables by 1. After traversing all kernel-level pages in the system, the total number of all suspicious extended page tables contained in at least one kernel-level page is finally determined.

[0076] Step 330: If the number is greater than or equal to the first threshold, determine that at least one kernel layer page contains an extended page table constructed by a plug-in.

[0077] In step 320 above, the detected suspicious extended page tables refer to extended page tables in the kernel layer that are highly likely to be constructed by plug-ins; that is, the possibility that a suspicious extended page table is a legitimate kernel layer page cannot be absolutely ruled out. To reduce false positives, a first threshold is set in step 330. When the number of detected suspicious extended page tables is greater than or equal to the first threshold, it is determined that at least one kernel layer page contains an extended page table constructed by a plug-in, that is, that a plug-in exists in the system. If the existence of a plug-in were judged from only one or a few suspicious extended page tables, false positives could result. By setting a reasonable first threshold, the reliability of the detection results is increased, since an extended page table constructed by a plug-in is reported only after the number of detected suspicious extended page tables reaches a certain number. The specific value of the first threshold can be set according to the experience of relevant personnel, and this application does not limit it in this regard.

[0078] Please refer to Figure 4, which illustrates a flowchart of a method for detecting plug-ins according to another embodiment of this application. The execution entity for each step of this method can be a computer device; for example, the computer device can be the terminal device 10 in Figure 2, or the server 20 in Figure 2. The method may include the following steps S1 to S7.

[0079] Step S1: Traverse the kernel layer pages.

[0080] Step S2: Determine whether the kernel-level page is valid, that is, perform a validity check on the kernel-level page. The validity check includes checking whether the kernel-level page has been allocated a physical address. When the kernel-level page is valid, proceed to step S3 below; when the kernel-level page is invalid, proceed to step S5 below.

[0081] Step S3: Determine whether the kernel layer page is a suspicious extended page table. If the kernel layer page is determined to be a suspicious extended page table, proceed to step S4 below; if the kernel layer page is determined not to be a suspicious extended page table, proceed to step S5 below.

[0082] Step S4: Increment the number of suspicious extended page tables by 1.

[0083] Step S5: Determine whether to traverse all kernel layer pages. If it is determined that all kernel layer pages should be traversed, execute step S6 below; otherwise, repeat step S1 above.

[0084] Step S6: Determine if the number of suspicious extended page tables exceeds the first threshold. If the number of suspicious extended page tables exceeds the first threshold, proceed to step S7 below; otherwise, end.

[0085] Step S7: Confirm the presence of a cheat program on the system. For a detailed explanation of steps S1 to S7 above, please refer to the corresponding content above.

[0086] In summary, the technical solution provided in this application, targeting scenarios where applications run in virtualized environments, fully considers the characteristic that when cheat programs use extended page table technology to cheat, the virtual machine physical address and the host physical address are in a one-to-one correspondence in the extended page table they construct, and the host physical addresses of consecutive extended page table entries are also consecutive. By scanning and judging whether kernel-level pages in the system meet the above characteristics, it is determined whether they are suspicious extended page tables. When the number of identified suspicious extended page tables exceeds a first threshold, it is determined that a cheat program exists in the system, thereby ensuring the security of the application.

[0087] The following describes the specific implementation method for identifying suspicious extended page tables, which may include the following steps S1 to S3.

[0088] Step S1: For each kernel layer page in at least one kernel layer page, obtain at least two consecutive extended page table entries included in the kernel layer page.

[0089] An extended page table entry refers to an entry in an extended page table. Consecutive extended page table entries refer to two or more adjacent extended page table entries. For example, 0xc0600007 and 0xc0601007 in Table 2 above can be two adjacent extended page table entries.

[0090] Step S2: If at least two consecutive extended page table entries satisfy the first condition, obtain the physical addresses corresponding to the at least two consecutive extended page table entries respectively. The first condition is related to at least one of the read operation, write operation, and execution operation corresponding to the at least two consecutive extended page table entries respectively.

[0091] In some embodiments, each extended page table entry includes a read permission, a write permission, an execute permission, and a physical address, wherein the physical address indicates a physical memory page. The read permission controls the virtual machine / virtualization system's read access to the physical memory page, and may take the values readable (the page can be read) and unreadable (the page cannot be read). The write permission controls the virtual machine / virtualization system's write access to the physical memory page, and may take the values writable and non-writable. The execute permission controls whether the virtual machine / virtualization system can execute the data in the physical memory page as code, and may take the values executable and non-executable. The read operation, write operation, and execute operation mentioned above can be understood as the same concept as the read permission, write permission, and execute permission. Each of the read, write, and execute permissions can be indicated by a single bit. For example, for the read permission, a bit value of 1 can indicate that the virtual machine / virtualization system can perform read operations on the physical memory page, and a bit value of 0 can indicate that it cannot. Alternatively, a bit value of 0 can indicate that read operations are allowed, and a bit value of 1 that they are not. This application does not limit the encoding.

[0092] In some embodiments, the first condition can be at least one of the following: at least two consecutive extended page table entries correspond to read operations that are readable, at least two consecutive extended page table entries correspond to write operations that are writable, and at least two consecutive extended page table entries correspond to execute operations that are executable. Optionally, the first condition is that at least two consecutive extended page table entries correspond to read operations that are readable, write operations that are writable, and execute operations that are executable, respectively. The above method fully considers the characteristic that read permissions, write permissions, and execute permissions in extended page tables are usually readable, writable, and executable, respectively. By determining that read operations are readable, write operations are writable, and execute operations are executable, false positives are reduced and the detection efficiency of suspicious extended page tables is improved.

[0093] In some embodiments, there may be a one-to-one correspondence between extended page table entries and physical addresses, with one extended page table entry corresponding to one physical address and different extended page table entries corresponding to different physical addresses. In some embodiments, at least one bit of the physical address in the extended page table entry is determined, and the physical address is obtained from the extended page table entry based on this at least one bit. For example, when an extended page table entry is 64 bits, bits 12:51 can be used to locate the physical address. For example, the physical address corresponding to extended page table entry 0xc0600007 is 0xc0600, and the physical address corresponding to extended page table entry 0xc0601007 is 0xc0601.

[0094] Step S3: If at least two consecutive extended page table entries correspond to consecutive physical addresses, determine that the kernel layer page is a suspicious extended page table.

[0095] In some embodiments, if at least two consecutive extended page table entries correspond to physical addresses that are not consecutive, then the kernel-level page is determined not to be a suspicious extended page table.

[0096] Contiguous physical addresses means that the physical addresses of at least two consecutive extended page table entries are consecutive in memory; that is, the addresses are adjacent in physical memory. Specifically, if the physical addresses in the extended page table entries are arranged sequentially, and the difference between each address and its preceding address is 1, then these physical addresses are considered contiguous; otherwise, they are non-contiguous physical addresses. For example, suppose two consecutive extended page table entries are 0xc0600007 and 0xc0601007, and their corresponding physical addresses are 0xc0600 and 0xc0601, respectively. Since the difference between them is 1, the physical addresses 0xc0600 and 0xc0601 are determined to be contiguous. As another example, suppose two consecutive extended page table entries are 0xc0600007 and 0xc0603007, and their corresponding physical addresses are 0xc0600 and 0xc0603, respectively. The difference between the two is 3, not 1. Therefore, it is determined that the two physical addresses 0xc0600 and 0xc0603 are not consecutive.

[0097] In some embodiments, if the number of at least two consecutive extended page table entries is greater than or equal to a second threshold, and the physical addresses corresponding to at least two consecutive extended page table entries are consecutive addresses, then the kernel-level page is determined to be a suspicious extended page table. The specific value of the second threshold can be set based on the experience of the personnel, and this application does not limit it in this regard.

[0098] Please refer to Figure 5, which illustrates a flowchart of a method for determining a suspicious extended page table according to an embodiment of this application. The method may include the following steps S1 to S11:

[0099] Step S1: Obtain the kernel layer page.

[0100] Step S2: Determine whether the first extended page table entry included in the kernel layer page satisfies the first condition. For example, the first condition could be that the first extended page table entry indicates read permission is readable, write permission is writable, and execute permission is executable. If the first extended page table entry included in the kernel layer page satisfies the first condition, proceed to step S3 below. Otherwise, proceed to step S11 below.

[0101] Step S3: Read the physical address corresponding to the first extended page table entry.

[0102] Step S4: Execute i = i + 1, where i is a positive integer.

[0103] Step S5: Read the i-th extended page table entry.

[0104] Step S6: Determine whether the i-th extended page table entry included in the kernel layer page satisfies the first condition. For example, the first condition could be that the i-th extended page table entry indicates read permission is readable, write permission is writable, and execute permission is executable. If the i-th extended page table entry included in the kernel layer page satisfies the first condition, proceed to step S7. Otherwise, proceed to step S11.

[0105] Step S7: Read the physical address corresponding to the i-th extended page table entry.

[0106] Step S8: Determine whether the physical address corresponding to the i-th extended page table entry is consecutive to the physical address corresponding to the (i-1)-th extended page table entry. If the physical address corresponding to the i-th extended page table entry is consecutive to the physical address corresponding to the (i-1)-th extended page table entry, proceed to step S9 below. Otherwise, proceed to step S11 below.

[0107] Step S9: Determine if i equals the second threshold, such as whether i equals 40. If i equals 40, it means that there are 40 consecutive extended page table entries that satisfy the first condition mentioned above, and the physical addresses corresponding to these 40 consecutive extended page table entries are all consecutive. If i equals the second threshold, proceed to step S10 below. Otherwise, proceed to step S4 above and continue the above process.

[0108] Step S10: Determine that the kernel layer page is a suspicious extended page table, and end.

[0109] Step S11: Determine that the kernel layer page is not a suspicious extended page table, and then end.

[0110] Table 3 below shows a code example for determining whether 40 consecutive extended page table entries satisfy the first condition and that their corresponding physical addresses are all consecutive.

[0111] Table 3 (code listing not reproduced in the text)

[0114] In some embodiments, the i-th extended page table entry can be obtained from the kernel-level page according to the following formula: ulltemp_i = ulAddr + k × i, where ulltemp_i refers to the i-th extended page table entry, ulAddr is the base address of the extended page table entries, and k is the number of bytes (or bits) occupied by each extended page table entry. For example, assuming each extended page table entry occupies 8 bytes (i.e., 64 bits), k can be 8, and the address of the i-th extended page table entry is ulAddr + 8 × i. The above ulltemp1 can be the i-th extended page table entry, and ulltemp2 the (i+1)-th extended page table entry.

[0115] The above method, relying solely on the contiguous physical addresses of a small number of consecutive extended page table entries to determine whether a kernel-level page is a suspicious extended page table, may lead to false positives. Under normal circumstances, a small number of consecutive extended page table entries may appear, which does not necessarily indicate malicious behavior by a cheat program. By setting a reasonable second threshold, requiring at least a certain number, such as 40 consecutive extended page table entries, to be considered a suspicious extended page table, the possibility of false positives can be significantly reduced, thereby improving the reliability of suspicious extended page table detection.
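The scan of steps S1 to S11 together with the first-threshold decision, as an added C example that is not the patent's Table 3 listing; it assumes the x86 EPT entry layout (bits 0 to 2 are read/write/execute, bits 12 to 51 the page frame number), 512 eight-byte entries per kernel layer page, constructed sample pages, and a placeholder first threshold in main.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed entry layout (the x86 EPT convention; the patent does not fix it):
 * bit 0 read, bit 1 write, bit 2 execute, bits 12..51 the host page frame
 * number, so 0xc0600007 is an RWX entry pointing at host frame 0xc0600. */
#define EPT_RWX_MASK      0x7ULL
#define EPT_PFN_MASK      0x000FFFFFFFFFF000ULL
#define EPT_PFN_SHIFT     12
#define ENTRIES_PER_PAGE  512     /* 4096-byte page / 8-byte entry, i.e. k = 8 */
#define SECOND_THRESHOLD  40      /* the "40 consecutive entries" of step S9 */

/* First condition: the entry is readable, writable and executable. */
bool ept_entry_is_rwx(uint64_t entry) {
    return (entry & EPT_RWX_MASK) == EPT_RWX_MASK;
}

/* Physical address carried by the entry, e.g. 0xc0600007 -> 0xc0600. */
uint64_t ept_entry_pfn(uint64_t entry) {
    return (entry & EPT_PFN_MASK) >> EPT_PFN_SHIFT;
}

/* Steps S1..S11 of the flowchart, applied literally: walk the entries from
 * the start of the page (page[i] is ulAddr + 8 * i), answer "not suspicious"
 * at the first entry that is not RWX or whose frame does not follow the
 * previous one by exactly 1, and "suspicious" once `threshold` entries pass. */
bool is_suspicious_ept_page(const uint64_t *page, size_t n, unsigned threshold) {
    if (n == 0 || threshold == 0 || !ept_entry_is_rwx(page[0]))    /* S2 -> S11 */
        return false;
    uint64_t prev_pfn = ept_entry_pfn(page[0]);                     /* S3 */
    unsigned run = 1;
    if (run >= threshold) return true;
    for (size_t i = 1; i < n; i++) {                                /* S4, S5 */
        if (!ept_entry_is_rwx(page[i])) return false;               /* S6 -> S11 */
        uint64_t pfn = ept_entry_pfn(page[i]);                      /* S7 */
        if (pfn != prev_pfn + 1) return false;                      /* S8 -> S11 */
        prev_pfn = pfn;
        if (++run >= threshold) return true;                        /* S9 -> S10 */
    }
    return false;                                  /* page ended before threshold */
}

/* Number of suspicious extended page tables among the scanned pages. */
size_t count_suspicious_pages(const uint64_t *const *pages, size_t n_pages,
                              size_t entries_per_page, unsigned threshold) {
    size_t count = 0;
    for (size_t p = 0; p < n_pages; p++)
        if (is_suspicious_ept_page(pages[p], entries_per_page, threshold)) count++;
    return count;
}

/* Final decision of the method: suspicious count >= first threshold. */
bool cheat_program_present(size_t suspicious_count, size_t first_threshold) {
    return suspicious_count >= first_threshold;
}

/* Constructed sample page (not captured from a real system): `n` entries
 * starting at host frame `base_pfn`, advancing `stride` frames per entry,
 * with permission bits `perm`. */
void fill_sample_page(uint64_t *page, size_t n, uint64_t base_pfn,
                      uint64_t stride, uint64_t perm) {
    for (size_t i = 0; i < n; i++)
        page[i] = ((base_pfn + i * stride) << EPT_PFN_SHIFT) | perm;
}

/* Scan four constructed pages and return how many are flagged:
 *   page 0: RWX, frames 0xc0600, 0xc0601, ...   -> suspicious (Table 2 pattern)
 *   page 1: RWX, frames 0xc0a00, 0xc0a01, ...   -> suspicious
 *   page 2: RWX, frames 0xc0600, 0xc0602, ...   -> not consecutive
 *   page 3: 10 consecutive RWX entries, then read-only -> run too short */
size_t demo_count_suspicious(void) {
    static uint64_t pg[4][ENTRIES_PER_PAGE];
    fill_sample_page(pg[0], ENTRIES_PER_PAGE, 0xc0600, 1, 0x7);
    fill_sample_page(pg[1], ENTRIES_PER_PAGE, 0xc0a00, 1, 0x7);
    fill_sample_page(pg[2], ENTRIES_PER_PAGE, 0xc0600, 2, 0x7);
    fill_sample_page(pg[3], ENTRIES_PER_PAGE, 0xd0000, 1, 0x7);
    for (size_t i = 10; i < ENTRIES_PER_PAGE; i++) pg[3][i] &= ~0x6ULL;
    const uint64_t *pages[4] = { pg[0], pg[1], pg[2], pg[3] };
    return count_suspicious_pages(pages, 4, ENTRIES_PER_PAGE, SECOND_THRESHOLD);
}

int main(void) {
    size_t n = demo_count_suspicious();   /* first threshold of 2 below is a placeholder */
    printf("suspicious extended page tables: %zu\n", n);
    printf("cheat program present (first threshold 2): %s\n",
           cheat_program_present(n, 2) ? "yes" : "no");
    return 0;
}
```

The walk stops at the first failing entry, exactly as the flowchart does; a scanner that also wanted to catch a qualifying run starting later in the page would restart the run counter instead of returning.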

[0116] The following describes how, after identifying a suspicious extended page table, the specific physical address that has been tampered with in the suspicious extended page table is determined, including the following steps S1 to S3.

[0117] Step S1: Identify at least one forged physical address in the suspicious extended page table. A forged physical address refers to a physical address that has been tampered with by a cheat program.

[0118] In some embodiments, the step of determining at least one forged physical address in a suspicious extended page table may include: obtaining the physical addresses corresponding to each extended page table entry contained in the suspicious extended page table; determining the virtual machine physical address corresponding to each physical address; and if the physical address and the virtual machine physical address corresponding to the physical address do not match, then determining that the physical address is a forged physical address.

[0119] In some embodiments, if the physical address and the corresponding virtual machine physical address match, then it is determined that the physical address is not a forged physical address.

[0120] In some embodiments, the comparison relies on the characteristic that, in the extended page table constructed by the plug-in, the virtual machine physical address and the host physical address are in a one-to-one correspondence, which here means that the virtual machine physical address and the host physical address are the same address. In some embodiments, the physical address (i.e., the host physical address) is compared with the virtual machine physical address: when the two are equal, the physical address and the virtual machine physical address are determined to match; when they are not equal, they are determined not to match.

[0121] For example, as shown in Table 4 below, for extended page table entry 0xc2a00007, its physical address is 0xc2a00, and its corresponding virtual machine physical address is also 0xc2a00. Since they match, it is determined that physical address 0xc2a00 is not a forged physical address. For extended page table entry 0xb2309007, its physical address is 0xb2309, and its corresponding virtual machine physical address is 0xc2a01. Since they do not match, it is determined that physical address 0xb2309 is a forged physical address. Through the above steps, the physical addresses modified by cheat programs can be effectively screened out, thereby further improving the accuracy of detection and the security of applications.

[0122] Table 4 (table not reproduced in the text)

[0124] Step S2: Determine the actual physical address corresponding to at least one forged physical address. The actual physical address refers to the physical address to which the virtual machine physical address corresponding to the forged physical address should originally be mapped.

[0125] In some embodiments, the virtual machine physical address corresponding to the forged physical address is determined; the host physical address corresponding to the virtual machine physical address is determined by querying the valid extended page table, and this host physical address is used as the actual physical address. The valid extended page table is used to record the mapping relationship between virtual machine physical addresses and host physical addresses.

[0126] Step S3: Restore at least one forged physical address to its corresponding actual physical address.

[0127] The above method has two advantages. First, it can accurately identify suspicious forged physical addresses based on the one-to-one correspondence between virtual machine physical addresses and host physical addresses. Second, by restoring the forged physical address to its corresponding actual physical address, the normal memory mapping of the virtual machine can be restored, rendering the malicious behavior of the cheat program ineffective.
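The forged-address identification and restoration of steps S1 to S3, as an added C example that is not the patent's own code; it assumes that the virtual machine physical address of entry i in a suspicious table is base + i (the identity-mapped, contiguous table pattern the text describes), models the valid extended page table as an array, and uses the Table 4 values as a constructed sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EPT_PFN_MASK   0x000FFFFFFFFFF000ULL   /* bits 12..51 of an entry */
#define EPT_PFN_SHIFT  12

/* Host physical frame carried by an entry, e.g. 0xb2309007 -> 0xb2309. */
uint64_t ept_entry_pfn(uint64_t entry) {
    return (entry & EPT_PFN_MASK) >> EPT_PFN_SHIFT;
}

/* Assumption of this example: the suspicious table maps guest frames in
 * entry order, so the virtual machine physical address of entry i is
 * base_gpfn + i, and a plug-in-built table maps each guest frame to the
 * identical host frame. An entry whose host frame differs is forged. */
typedef struct {
    size_t   index;       /* entry position in the suspicious table */
    uint64_t guest_pfn;   /* virtual machine physical address (frame) */
    uint64_t forged_pfn;  /* host frame the entry currently points to */
} forged_entry_t;

/* Step S1: list forged host physical addresses. Returns the total found;
 * at most `cap` of them are written to `out`. */
size_t find_forged_entries(const uint64_t *table, size_t n, uint64_t base_gpfn,
                           forged_entry_t *out, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t guest_pfn = base_gpfn + i, host_pfn = ept_entry_pfn(table[i]);
        if (host_pfn == guest_pfn) continue;            /* matches: not forged */
        if (found < cap) out[found] = (forged_entry_t){ i, guest_pfn, host_pfn };
        found++;
    }
    return found;
}

/* Valid extended page table of step S2 (trusted guest->host mapping),
 * modelled as an array indexed by guest frame offset. */
typedef struct { uint64_t base_gpfn; const uint64_t *host_pfn; size_t n; } valid_ept_t;

/* Step S2: actual host frame for a guest frame; false when the guest frame
 * lies outside the valid table, in which case the entry is left alone. */
bool lookup_actual_pfn(const valid_ept_t *v, uint64_t guest_pfn, uint64_t *out) {
    if (guest_pfn < v->base_gpfn || guest_pfn - v->base_gpfn >= v->n) return false;
    *out = v->host_pfn[guest_pfn - v->base_gpfn];
    return true;
}

/* Step S3: rewrite each forged entry with its actual host frame, keeping the
 * permission bits and other low bits. Returns the number of entries restored. */
size_t restore_forged_entries(uint64_t *table, size_t n, uint64_t base_gpfn,
                              const valid_ept_t *valid) {
    size_t restored = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t guest_pfn = base_gpfn + i, actual_pfn = 0;
        if (ept_entry_pfn(table[i]) == guest_pfn) continue;
        if (!lookup_actual_pfn(valid, guest_pfn, &actual_pfn)) continue;
        table[i] = (table[i] & ~EPT_PFN_MASK) | (actual_pfn << EPT_PFN_SHIFT);
        restored++;
    }
    return restored;
}

/* Constructed sample following Table 4: eight RWX entries for guest frames
 * 0xc2a00..0xc2a07, with entry 1 redirected to host frame 0xb2309. */
#define SAMPLE_N    8
#define SAMPLE_BASE 0xc2a00ULL

static void build_sample(uint64_t *table, uint64_t *valid_host) {
    for (size_t i = 0; i < SAMPLE_N; i++) {
        table[i]      = ((SAMPLE_BASE + i) << EPT_PFN_SHIFT) | 0x7;
        valid_host[i] = SAMPLE_BASE + i;       /* trusted identity mapping */
    }
    table[1] = 0xb2309007ULL;                  /* the forged entry of Table 4 */
}

/* Forged addresses in the sample: expected 1, at entry 1. */
size_t demo_forged_count(void) {
    uint64_t table[SAMPLE_N], valid_host[SAMPLE_N];
    forged_entry_t forged[SAMPLE_N];
    build_sample(table, valid_host);
    return find_forged_entries(table, SAMPLE_N, SAMPLE_BASE, forged, SAMPLE_N);
}

/* Entry 1 after restoration: expected 0xc2a01007. */
uint64_t demo_restored_entry1(void) {
    uint64_t table[SAMPLE_N], valid_host[SAMPLE_N];
    build_sample(table, valid_host);
    valid_ept_t valid = { SAMPLE_BASE, valid_host, SAMPLE_N };
    restore_forged_entries(table, SAMPLE_N, SAMPLE_BASE, &valid);
    return table[1];
}

int main(void) {
    printf("forged entries: %zu\n", demo_forged_count());
    printf("entry 1 after restore: 0x%llx\n", (unsigned long long)demo_restored_entry1());
    return 0;
}
```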

[0128] In some embodiments, the method of this application further includes: obtaining the virtual machine physical address corresponding to the forged physical address; and determining a first function related to the virtual machine physical address.

[0129] The first function refers to the key function or code segment corresponding to the virtual machine's physical address. The cheat program tampers with the actual physical address corresponding to the virtual machine's physical address, changing it to a forged physical address. This causes the system to execute the forged function when the first function is called. The forged function refers to the function or code segment corresponding to the forged physical address. This forged function can contain additional malicious code or modify certain key logic, thereby altering the behavior of the first function and achieving the cheat program's purpose. In this way, the cheat program can hijack or modify the functionality originally executed by the first function to achieve its illegal purposes, such as cheating or data tampering. That is, the cheat program modifies the virtual machine's physical address mapping, making the system believe that the first function is located at a forged physical address, when in fact the forged physical address is a forged function prepared in advance by the cheat program. When the system attempts to call the first function, it actually executes the forged function, thus achieving the cheat program's goal of controlling program behavior. This mechanism reveals the technical means by which cheat programs hijack or tamper with key functions by modifying the virtual machine's physical address mapping.

[0130] In some embodiments, the cheat program may not directly replace the first function, but instead tamper with the data that the first function depends on. For example, the cheat program can map the virtual machine's physical address to a fake physical address, where modified data is stored. When the first function is executed, it uses this tampered data, causing abnormal behavior or achieving the cheat program's purpose. This method is usually more covert; therefore, on the surface, the first function appears unchanged, but the actual execution result has completely deviated from normal logic. This tampering may manifest as score manipulation in game applications. Thus, when the system calls the first function, although it is calling the first function, the actual behavior is controlled by the cheat program because of the tampered data.

[0131] In some embodiments, the code of the first function can be analyzed to identify potential security vulnerabilities, such as buffer overflows, pointer errors, and insufficient input validation. These vulnerabilities may be exploited by cheat programs. By fixing these vulnerabilities, the security of the entire system can be enhanced. Specifically, the code of the first function can be analyzed in detail to identify potential security vulnerabilities. For example, buffer overflow vulnerabilities may be exploited by cheat programs to execute malicious code; pointer errors may be used to access unauthorized memory regions; and insufficient input validation may lead to the direct use of tampered data. By fixing these potential vulnerabilities, the security of the entire system can be significantly enhanced. For example, the implementation of the first function can be scanned using static code analysis tools to discover risky code that may cause memory overflows; additional input validation logic can also be added to the function's critical input points to ensure the integrity and legitimacy of externally input data. For specific industry scenarios (such as financial or medical systems), security analysis needs to be further customized and optimized in conjunction with domain characteristics.

[0132] In some embodiments, the forged physical address is associated with the first application, and processing information for the plug-in is determined based on the configuration information of the security policy of the first application and at least one forged physical address.

[0133] The security policy configuration information instructs the behavior and response rules of the first application when facing security threats. The processing information refers to the specific actions and measures taken by the first application after detecting spoofed physical addresses and plug-in activity, based on the security policy configuration information. Processing information may include penalty information, which refers to punitive measures against abnormal behavior, such as disabling user accounts, restricting access permissions, and issuing alarm notifications. For example, warning notifications are used to alert users or administrators of potential security risks in real time. Access restrictions are used to restrict data access related to spoofed addresses to prevent further tampering or spread. Dynamic isolation is used to isolate affected virtual machine environments to prevent the threat from spreading to the entire system. Logging is used to record abnormal behavior in detail, including the access path of the spoofed address, user information, and timestamps, for subsequent analysis. Banning operations are used to directly and permanently ban high-risk users or devices to prevent them from continuing to use plug-ins.

[0134] In some embodiments, the security policy configuration information includes different types of threats and their severity. Specific response rules and measures are defined for different threat levels. For example, it can include low-level threats, medium-level threats, and high-level threats. Low-level threats refer to minor violations, such as slight spoofing of physical addresses. Medium-level threats refer to moderate violations, such as repeated spoofing of physical addresses. High-level threats refer to serious violations, such as using plug-ins to launch large-scale attacks. Specifically, it can include the following steps: (1) Real-time monitoring of spoofing of physical addresses and plug-in activities. Detailed data on abnormal behavior can be collected, such as the time of occurrence, address, user, process, etc. (2) Based on the detected abnormal behavior, it is classified into different threat types, such as data tampering threats, code tampering threats, or system-level interference threats. (3) Matching specific response rules with the threat level (low, medium, high) defined in the security policy. For example, for low-level threats, the system may only issue a warning; while for high-level threats, the user account is directly banned and the system is isolated.

[0135] The above method fully considers the direct correlation between the spoofed physical address and the first application. By combining the security policy configuration information of the first application with at least one detected spoofed physical address, specific handling information for the plug-in program can be determined. This security policy configuration information can include response rules and behavioral guidelines for the first application when facing different levels of security threats. For example, for low-risk threats, the system may only log; for medium-risk threats, it may temporarily restrict certain functions; and for high-risk threats, it may trigger mandatory measures such as disabling accounts and isolating the system.

[0136] In some embodiments, the method of this application further includes: obtaining the virtual machine physical address corresponding to the forged physical address; and determining a first process related to the virtual machine physical address.

[0137] The first process refers to a specific process running within a virtual machine, associated with the virtual machine's physical address. Specifically, the first process can be a process executing at that virtual machine's physical address and may be the initiator of actions leading to the spoofing of physical addresses. Identifying the first process allows for monitoring and analysis of the source of security threats, understanding the initiator and context of abnormal behavior. For example, suppose a spoofed physical address 0x1234567 is detected in a virtualization environment; the virtual machine manager determines that this address corresponds to the virtual machine's physical address 0xc6001; and the first process corresponding to virtual machine physical address 0xc6001 is determined to be the process of malicious_app.exe. In this case, the following measures can be taken: terminating the process, disabling user accounts, logging, etc. These measures can effectively address and handle security threats, protecting the security and stability of the virtualization environment.

[0138] The aforementioned method, through the plug-in detection method of this application, can monitor spoofed physical addresses and plug-in activity in real time, thereby promptly detecting potential security threats. Furthermore, it can classify detected abnormal behavior into different threat types and assess their severity, facilitating the accurate identification and handling of threats at different levels.

[0139] In some embodiments, at least one forged physical address is sent to the server, which is used to determine processing information for the cheat program based on the at least one forged physical address.

[0140] In some embodiments, detected spoofed physical addresses are sent to a server for in-depth analysis. The server models the behavioral patterns of the spoofed physical addresses, analyzing information such as access frequency, access duration, and associated users or processes. Through this behavioral feature extraction, the server can further assess the scope and severity of the threat. For example, when the same spoofed address is accessed by multiple users, the server may determine that this is a cross-user cheating attack, thereby triggering a network-wide security policy adjustment.

[0141] The processed information may include at least one of the following: warning messages, ban messages, log records, response strategies, and data analysis. For example, the server may generate warning messages to alert system administrators or users of the presence of cheat programs. For example, the server may send warnings to the developers of the first application, notifying them that cheating behavior is occurring. For example, the server may generate temporary or permanent ban messages to temporarily or permanently ban accounts or devices suspected of using cheats, preventing further cheating. For example, log records may include abnormal log records; the server may generate detailed operation logs, recording all operations and events related to spoofed physical addresses for subsequent analysis and auditing. The server may also record abnormal behavior, including access patterns and frequencies of spoofed physical addresses, to help identify potential cheats. For example, the server may dynamically adjust defense strategies based on the characteristics of spoofed physical addresses, such as dynamically updating anti-cheat rules. For example, the server may perform in-depth analysis of spoofed physical address behavior to identify the behavioral patterns and characteristics of cheat programs.

[0142] The above method involves sending forged physical addresses to the server, which can then perform in-depth analysis and processing of these forged physical addresses to generate processing information for the cheat program.

[0143] The following are embodiments of the apparatus described in this application, which can be used to execute the embodiments of the method described in this application. For details not disclosed in the apparatus embodiments of this application, please refer to the embodiments of the method described in this application.

[0144] Please refer to Figure 6, which illustrates a block diagram of a plug-in detection device according to an embodiment of this application. The device 600 may include: an acquisition module 610, a first determination module 620, and a second determination module 630.

[0145] The acquisition module 610 is used to acquire at least one kernel layer page, wherein the kernel layer page refers to the virtual memory page used by the operating system kernel.

[0146] The first determining module 620 is used to determine the number of suspicious extended page tables contained in the at least one kernel layer page, wherein the suspicious extended page table refers to an extended page table potentially constructed by the plug-in program.

[0147] The second determining module 630 is used to determine, when the number is greater than or equal to a first threshold, that an extended page table constructed by the plug-in exists in the at least one kernel layer page.

[0148] In some embodiments, the acquisition module 610 is configured to, for each kernel layer page in the at least one kernel layer page, acquire at least two consecutive extended page table entries included in the kernel layer page; if the at least two consecutive extended page table entries satisfy a first condition, acquire the physical addresses corresponding to the at least two consecutive extended page table entries respectively, wherein the first condition is related to at least one of a read operation, a write operation, and an execution operation corresponding to the at least two consecutive extended page table entries respectively; and if the physical addresses corresponding to the at least two consecutive extended page table entries are consecutive addresses, determine that the kernel layer page is the suspicious extended page table.

[0149] In some embodiments, the device 600 further includes: a third determining module (not shown in Figure 6).

[0150] The third determining module is used to determine at least one forged physical address in the suspicious extended page table, wherein the forged physical address refers to the physical address tampered with by the plug-in program; determine the actual physical address corresponding to the at least one forged physical address, wherein the actual physical address refers to the physical address to which the virtual machine physical address corresponding to the forged physical address should originally be mapped; and restore the at least one forged physical address to the corresponding actual physical address.

[0151] In some embodiments, the third determining module is used to obtain the physical addresses corresponding to each extended page table entry contained in the suspicious extended page table; determine the virtual machine physical address corresponding to each physical address; if the physical address and the virtual machine physical address corresponding to the physical address do not match, then determine that the physical address is the forged physical address.

[0152] In some embodiments, the device 600 further includes: a fourth determining module (not shown in Figure 6).

[0153] The fourth determining module is used to obtain the virtual machine physical address corresponding to the forged physical address; and to determine a first function related to the virtual machine physical address.

[0154] In some embodiments, the fourth determining module is used to: determine processing information for the cheat program based on the configuration information of the security policy of the first application and the at least one forged physical address; and send the at least one forged physical address to the server, wherein the server is used to determine the processing information for the cheat program based on the at least one forged physical address.

[0155] In some embodiments, the device 600 further includes: an inspection module (not shown in Figure 6).

[0156] The inspection module is used to perform validity checks on each of the kernel layer pages, the validity check including detecting whether the kernel layer page has been allocated a physical address; if at least one kernel layer page passes the validity check, the step of determining the number of suspicious extended page tables contained in the at least one kernel layer page is executed.

[0157] The technical solution provided in this application addresses scenarios where applications run in virtualized environments. It fully considers the characteristic that when cheat programs use extended page table technology to cheat, the virtual machine physical address and the host physical address are in a one-to-one correspondence within the extended page table, and that consecutive extended page table entries also have consecutive host physical addresses. By scanning and judging whether kernel-level pages in the system meet the above characteristics, it determines whether they are suspicious extended page tables. When the number of identified suspicious extended page tables exceeds a first threshold, it is determined that a cheat program exists in the system, thereby ensuring application security.

[0158] Please refer to Figure 7, which shows a structural block diagram of a computer device 700 provided in one embodiment of this application.

[0159] Typically, computer device 700 includes a processor 710 and a memory 720.

[0160] Processor 710 may include one or more processing cores, such as a quad-core processor, an octa-core processor, etc. Processor 710 may be implemented using at least one hardware form selected from DSP (Digital Signal Processing), FPGA (Field Programmable Gate Array), and PLA (Programmable Logic Array). Processor 710 may also include a main processor and a coprocessor. The main processor, also known as a CPU (Central Processing Unit), is used to process data in the wake-up state; the coprocessor is a low-power processor used to process data in the standby state. In some embodiments, processor 710 may integrate a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the screen. In some embodiments, processor 710 may also include an AI processor for handling computational operations related to machine learning.

[0161] The memory 720 may include one or more computer-readable storage media, which may be non-transitory. The memory 720 may also include high-speed random access memory and non-volatile memory, such as one or more disk storage devices or flash memory devices. In some embodiments, the non-transitory computer-readable storage media in the memory 720 are used to store a computer program configured to be executed by one or more processors to implement the aforementioned method for detecting plug-ins.

[0162] Those skilled in the art will understand that the structure shown in Figure 7 does not constitute a limitation on the computer device 700, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components.

[0163] In some embodiments, a computer-readable storage medium is also provided, wherein a computer program is stored in the storage medium, the computer program being loaded and executed by a processor to implement the above-described method for detecting plug-ins.

[0164] Optionally, the computer-readable storage medium may include: ROM (Read-Only Memory), RAM (Random-Access Memory), SSD (Solid State Drive), or optical disc, etc. The random access memory may include ReRAM (Resistive Random Access Memory) and DRAM (Dynamic Random Access Memory).

[0165] In some embodiments, a computer program product is also provided, the computer program product including a computer program stored in a computer-readable storage medium, and a processor reading from the computer-readable storage medium and executing the computer program to implement the above-described method for detecting plug-ins.

[0166] It should be understood that "multiple" as used herein refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. Furthermore, the step numbers described herein are merely illustrative of one possible execution order. In some other embodiments, the steps may not be executed in numerical order, such as two steps with different numbers being executed simultaneously, or two steps with different numbers being executed in the reverse order of the illustration. This application does not limit this.

[0167] The above description is merely an exemplary embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. A method for detecting cheat programs, characterized in that the method includes: obtaining at least one kernel layer page, where the kernel layer page refers to a virtual memory page used by the operating system kernel; determining the number of suspicious extended page tables contained in the at least one kernel layer page, wherein a suspicious extended page table refers to an extended page table potentially constructed by the plug-in program; and if the number is greater than or equal to a first threshold, determining that an extended page table constructed by the plug-in program exists in the at least one kernel layer page.

2. The method according to claim 1, characterized in that, after obtaining the at least one kernel layer page, the method further includes: for each kernel layer page in the at least one kernel layer page, obtaining at least two consecutive extended page table entries included in the kernel layer page; if the at least two consecutive extended page table entries satisfy a first condition, obtaining the physical addresses corresponding to the at least two consecutive extended page table entries respectively, the first condition being related to at least one of the read operation, write operation and execute operation corresponding to the at least two consecutive extended page table entries respectively; and if the physical addresses corresponding to the at least two consecutive extended page table entries are consecutive addresses, determining that the kernel layer page is a suspicious extended page table.

3. The method according to claim 1 or 2, characterized in that the method further includes: identifying at least one forged physical address in the suspicious extended page table, wherein a forged physical address refers to a physical address that has been tampered with by the plug-in program; determining the actual physical address corresponding to each of the at least one forged physical address, wherein the actual physical address refers to the physical address to which the virtual machine physical address corresponding to the forged physical address should originally be mapped; and restoring the at least one forged physical address to its corresponding actual physical address.

4. The method according to claim 3, characterized in that identifying the at least one forged physical address in the suspicious extended page table includes: obtaining the physical address corresponding to each extended page table entry contained in the suspicious extended page table; determining the virtual machine physical address corresponding to each of the physical addresses; and if a physical address and its corresponding virtual machine physical address do not match, determining that the physical address is a forged physical address.

5. The method according to claim 3 or 4, characterized in that the method further includes: obtaining the virtual machine physical address corresponding to the forged physical address; and determining the first function associated with that virtual machine physical address.

6. The method according to any one of claims 3 to 5, characterized in that the forged physical address is associated with a first application, and the method further includes at least one of the following: determining processing information for the plug-in program based on the security policy configuration information of the first application and the at least one forged physical address; and sending the at least one forged physical address to a server, the server then determining processing information for the cheat program based on the at least one forged physical address.

7. The method according to any one of claims 1 to 6, characterized in that the method further includes: performing a validity check on each of the kernel layer pages, the validity check including checking whether the kernel layer page has been allocated a physical address; and if each of the at least one kernel layer page passes the validity check, performing the step of determining the number of suspicious extended page tables contained in the at least one kernel layer page.

8. A device for detecting plug-in programs, characterized in that the device includes: an acquisition module, used to acquire at least one kernel layer page, where the kernel layer page refers to a virtual memory page used by the operating system kernel; a first determining module, used to determine the number of suspicious extended page tables contained in the at least one kernel layer page, wherein a suspicious extended page table refers to an extended page table potentially constructed by the plug-in program; and a second determining module, used to determine, when the number is greater than or equal to a first threshold, that an extended page table constructed by the plug-in program exists in the at least one kernel layer page.

9. A computer device, characterized in that the computer device includes a processor and a memory, the memory storing a computer program that is loaded and executed by the processor to implement the method as claimed in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which is loaded and executed by a processor to implement the method as claimed in any one of claims 1 to 7.

11. A computer program product, characterized in that the computer program product includes a computer program which is loaded and executed by a processor to implement the method as claimed in any one of claims 1 to 7.
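The scan summarized in [0157] and spelled out in claims 1 to 7 (consecutive entries with consecutive host frames make a page suspicious, the count is compared with a first threshold after the validity check, and in a suspicious page an entry whose host address does not match its guest address is forged and restored), as an added example in C that is not the patent's own code. It models a kernel layer page as 512 64-bit entries in the Intel EPT entry layout (bits 0-2 read/write/execute, bits 12-51 host physical frame); the "first condition" is modelled as both entries granting R, W and X, the expected mapping is an identity map from a per-page `gpa_base`, and all pages, addresses and the threshold are constructed sample data, none of which the patent specifies.

```c
/* Added example, not from the patent: toy model of the EPT scan in [0157] and claims 1-7.
 * Entry layout follows the Intel EPT PTE format; the first condition, the identity-map
 * assumption and all sample pages/addresses are assumptions made here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE        4096ULL
#define ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(uint64_t))   /* 512 entries per 4 KiB page */
#define EPT_RWX          0x7ULL                           /* bits 0-2: read, write, execute */
#define EPT_ADDR_MASK    0x000FFFFFFFFFF000ULL            /* bits 12-51: host physical frame */

#define DETECT_NO      0
#define DETECT_YES     1
#define DETECT_SKIPPED 2   /* validity check failed, so the counting step is not run (claim 7) */

/* A kernel layer page viewed as a candidate extended page table. */
typedef struct {
    bool     has_physical_address;        /* input to the validity check (claim 7) */
    uint64_t gpa_base;                    /* guest physical address of entry 0 (assumption) */
    uint64_t entries[ENTRIES_PER_PAGE];
} kernel_page_t;

static uint64_t ept_hpa(uint64_t e) { return e & EPT_ADDR_MASK; }

/* "First condition" of claim 2, modelled here as: both entries grant R, W and X (assumption). */
static bool first_condition(uint64_t a, uint64_t b) {
    return (a & EPT_RWX) == EPT_RWX && (b & EPT_RWX) == EPT_RWX;
}

/* Claim 2: suspicious if some pair of consecutive entries passes the first condition
 * and maps consecutive host physical pages. */
bool page_is_suspicious_ept(const kernel_page_t *p) {
    for (size_t i = 0; i + 1 < ENTRIES_PER_PAGE; i++)
        if (first_condition(p->entries[i], p->entries[i + 1]) &&
            ept_hpa(p->entries[i + 1]) == ept_hpa(p->entries[i]) + PAGE_SIZE)
            return true;
    return false;
}

size_t count_suspicious(const kernel_page_t *pages, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) count += page_is_suspicious_ept(&pages[i]) ? 1 : 0;
    return count;
}

/* Claims 1 and 7: validity check on every page first, then count against the threshold. */
int detect_cheat(const kernel_page_t *pages, size_t n, size_t threshold) {
    for (size_t i = 0; i < n; i++)
        if (!pages[i].has_physical_address) return DETECT_SKIPPED;
    return count_suspicious(pages, n) >= threshold ? DETECT_YES : DETECT_NO;
}

/* Claims 3-4: a present entry whose host frame differs from the guest address it should
 * identity-map is forged; record its host address and restore the expected mapping. */
size_t find_and_restore_forged(kernel_page_t *p, uint64_t *forged_out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < ENTRIES_PER_PAGE; i++) {
        uint64_t e = p->entries[i];
        if ((e & EPT_RWX) == 0) continue;                 /* not present, nothing mapped */
        uint64_t expected = p->gpa_base + i * PAGE_SIZE;
        if (ept_hpa(e) != expected) {
            if (found < max_out) forged_out[found] = ept_hpa(e);
            found++;
            p->entries[i] = (e & ~EPT_ADDR_MASK) | expected;   /* restore actual address */
        }
    }
    return found;
}

/* Constructed sample: two identity-mapped EPT-style pages (page 1 carries one redirected
 * entry) and one ordinary kernel page whose words are 3 MiB apart, never consecutive. */
static kernel_page_t g_sample[3];
#define FORGED_HPA 0x7FFF0000ULL   /* constructed host address of the redirected entry */

kernel_page_t *build_sample(void) {
    memset(g_sample, 0, sizeof g_sample);
    for (int k = 0; k < 3; k++) g_sample[k].has_physical_address = true;
    g_sample[0].gpa_base = 0x10000000ULL;
    g_sample[1].gpa_base = 0x20000000ULL;
    for (size_t i = 0; i < ENTRIES_PER_PAGE; i++) {
        g_sample[0].entries[i] = (0x10000000ULL + i * PAGE_SIZE) | EPT_RWX;
        g_sample[1].entries[i] = (0x20000000ULL + i * PAGE_SIZE) | EPT_RWX;
        g_sample[2].entries[i] = ((uint64_t)(3 * i + 1) << 20) | EPT_RWX;
    }
    g_sample[1].entries[100] = FORGED_HPA | EPT_RWX;   /* guest page 0x20064000 redirected */
    return g_sample;
}

/* Small wrappers so each result can be checked by return value. */
size_t demo_count(void) { return count_suspicious(build_sample(), 3); }
int demo_detect(size_t threshold) { return detect_cheat(build_sample(), 3, threshold); }
int demo_detect_invalid_page(void) {
    kernel_page_t *s = build_sample();
    s[2].has_physical_address = false;
    return detect_cheat(s, 3, 1);
}
uint64_t demo_first_forged(void) {
    uint64_t out[4] = {0};
    find_and_restore_forged(&build_sample()[1], out, 4);
    return out[0];
}
size_t demo_forged_after_restore(void) {
    kernel_page_t *s = build_sample();
    uint64_t out[4];
    find_and_restore_forged(&s[1], out, 4);
    return find_and_restore_forged(&s[1], out, 4);   /* second pass should find none */
}

int main(void) {
    printf("suspicious pages: %zu, verdict at threshold 2: %d\n", demo_count(), demo_detect(2));
    printf("forged host address in page 1: 0x%llx\n", (unsigned long long)demo_first_forged());
    return 0;
}
```

On the sample, pages 0 and 1 are counted as suspicious and page 2 is not, so the verdict flips from DETECT_YES to DETECT_NO as the threshold moves from 2 to 3; the threshold is what absorbs legitimate hypervisor page tables that also map consecutive frames. In page 1 the single redirected entry is reported with its host address and rewritten back to the identity mapping, after which a second pass finds nothing.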