
WO2023019789A1 - Plug-in detection method and apparatus, electronic device, and storage medium - Google Patents


Info

Publication number
WO2023019789A1
Authority
WO
WIPO (PCT)
Prior art keywords
thread
suspicious
event
threads
plug
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2021/132566
Other languages
French (fr)
Chinese (zh)
Inventor
严凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Perfect World Zhengqi Shanghai Multimedia Technology Co Ltd
Original Assignee
Perfect World Zhengqi Shanghai Multimedia Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Perfect World Zhengqi Shanghai Multimedia Technology Co Ltd
Publication of WO2023019789A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • A HUMAN NECESSITIES
    • A63 SPORTS; GAMES; AMUSEMENTS
    • A63F CARD, BOARD, OR ROULETTE GAMES; INDOOR GAMES USING SMALL MOVING PLAYING BODIES; VIDEO GAMES; GAMES NOT OTHERWISE PROVIDED FOR
    • A63F13/00 Video games, i.e. games using an electronically generated display having two or more dimensions
    • A63F13/70 Game security or game management aspects
    • A63F13/75 Enforcing rules, e.g. detecting foul play or generating lists of cheating players

Definitions

  • the present invention relates to the field of computers, in particular to a plug-in detection method, device, electronic equipment and storage medium.
  • the method of implementing anti-cheat through patches is no longer suitable for the 64-bit Windows system that is now common.
  • Taking anti-cheat for game programs in the Windows system as an example, so-called handle downgrading refers to traversing, at high frequency, the handles in the system that access the game program. Once a cheat is found, the access rights of the handle are reduced, for example the handle is downgraded to the lowest level, so that the handle can no longer read or write the game program's data, thus realizing anti-cheat.
  • the implementation of handle downgrading depends on a white list, and once the white list is exploited by a cheat thread, cheat-thread detection loses its effectiveness; moreover, the driver layer (that is, the kernel layer) has no concept of a handle, so the above technical means of handle downgrading is not suitable for countering cheat threads in the driver layer (that is, the kernel layer).
  • embodiments of the present invention provide a cheating detection method, device, electronic equipment, and storage medium.
  • a method for detecting cheating, comprising: determining a plurality of suspicious threads to be detected for cheating; monitoring whether each suspicious thread triggers a hooking event, the hooking event indicating that the suspicious thread is hooked (attached) to the target program; under the condition that a suspicious thread triggers the hooking event, determining the frequency at which the suspicious thread triggers the hooking event within a preset collision period; and determining, based on the frequency, whether the suspicious thread is a cheat thread.
  • a cheat detection device comprising: a first determination module, configured to determine a plurality of suspicious threads to be detected for cheats; a second determination module, configured to monitor whether each suspicious thread triggers a hooking event, the hooking event indicating that the suspicious thread is hooked to the target program; a third determination module, configured to determine, under the condition that the suspicious thread triggers the hooking event, the frequency at which the suspicious thread triggers the hooking event within a preset collision period; and a fourth determination module, configured to determine whether the suspicious thread is a cheat thread based on the frequency.
  • an electronic device including a memory, a processor, and a computer program stored on the memory, wherein when the processor executes the computer program, the steps of the method described in the first aspect above are implemented.
  • a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the method described in the first aspect above are implemented.
  • a computer program product including a computer program, and when the computer program is executed by a processor, the steps of the method described in the first aspect above are implemented.
  • the beneficial effects of the present invention are: according to the technical solution of the embodiment of the present invention, a plurality of suspicious threads to be detected for plug-ins are determined, whether each suspicious thread triggers a hooking event is monitored, under the condition that a suspicious thread is detected to trigger a hooking event the frequency at which it triggers the hooking event within the preset collision period is determined, and whether the suspicious thread is a cheating thread is determined based on that frequency, thereby realizing the detection of cheating threads.
  • the efficiency of cheating detection can be improved, reducing the consumption of device computing resources by plug-in detection and its impact on device performance; for plug-in threads, triggering hooking events is a necessary operation, and the frequency of triggering hooking events can be regarded as an inherent characteristic of plug-in threads. Therefore, detecting plug-ins based on the frequency of hooking events triggered by threads can be applied to various plug-ins and various scenarios (including detection of plug-in threads in the driver layer). It can be seen that, compared with handle downgrading in the related art, the above technical solution has higher applicability and compatibility and can more comprehensively realize the detection of various plug-in threads.
  • Fig. 1 schematically shows a flow chart of an embodiment of a cheating detection method according to an embodiment of the present invention
  • Fig. 2 schematically shows an embodiment flowchart of another cheat detection method according to an embodiment of the present invention
  • Fig. 3 schematically shows a block diagram of an embodiment of a cheating detection device according to an embodiment of the present invention
  • FIG. 4 schematically shows a schematic structural diagram of an electronic device according to an embodiment of the present invention
  • Fig. 5 schematically shows a block diagram for implementing a computer device according to the method of the present invention.
  • Fig. 6 schematically shows a block diagram of a computer program product implementing the method according to the invention.
  • FIG. 1 schematically shows a flow chart of an embodiment of a cheat detection method according to an embodiment of the present invention.
  • the process may include the following steps 101, 102, 103 and 104:
  • step 101 a plurality of suspicious threads to be detected for cheating are determined.
  • the embodiment of the present invention proposes: when performing cheating detection, first determine some threads suspected of cheating (hereinafter referred to as suspicious threads) from multiple surviving threads in the system, and then only perform cheating detection for suspicious threads.
  • those skilled in the art can understand that, compared to performing cheating detection on the thousands of surviving threads in the system, performing cheating detection only on suspicious threads can reduce the consumption of device computing resources by cheating detection and reduce its impact on device performance. The following describes, by way of example, how to determine suspicious threads from the surviving threads in the system.
  • the cheat thread usually reads and writes the target program (such as a game program) based on two system API functions, ReadMemory and WriteMemory, so as to realize the cheating function.
  • the plug-in thread has very high real-time requirements, and the read/write operations it triggers can reach at least 3000-50000 times per second. That is to say, from the perspective of the thread activity index, the plug-in thread is an extremely active thread, and, as time goes by, the activity of the plug-in thread shows a trend of increasing or maintaining. By contrast, normal threads are inactive or moderately active threads, and, as time goes by, the activity of normal threads shows no regular pattern.
  • the surviving threads in the system can be preliminarily screened based on the index of activity to obtain suspicious threads.
  • the activity of each surviving thread in the system is determined, and the surviving thread whose activity meets a set condition is determined as a suspicious thread to be detected for cheating.
  • determining the activity of each surviving thread in the system may include: calling the corresponding system API function according to a set period to obtain the swapcontext value of the surviving thread, until a set number of swapcontext values have been obtained; at the same time, for each surviving thread, starting from the second period, taking the difference between the swapcontext values obtained in two consecutive periods to obtain the swapcontext difference.
  • the swapcontext difference is positively correlated with the thread activity, that is, the larger the swapcontext difference, the higher the thread activity; conversely, the smaller the swapcontext difference, the lower the thread activity. Therefore, the swapcontext difference of the surviving thread can be used to represent the activity of the surviving thread.
  • determining a thread whose activity satisfies the set condition as a suspicious thread to be detected for cheating may include: for each surviving thread in the system, sorting the acquired swapcontext difference values of the surviving thread in order of acquisition time to obtain the swapcontext difference sequence of the surviving thread. If the swapcontext difference sequence is an increasing sequence, the activity of the thread is increasing over time, and according to the above description the surviving thread can be determined as a suspicious thread to be detected for cheating.
  • if the swapcontext difference is 0, the thread is not active. Therefore, before sorting the swapcontext difference values of the surviving threads, the inactive surviving threads can be filtered out based on their swapcontext difference values.
  • in step 102, it is monitored whether each suspicious thread triggers a hooking event; the hooking event indicates that the suspicious thread is hooked (attached) to the target program.
  • Windows stipulates that when a thread reads or writes across processes (that is, reads or writes the data of a process other than the one it belongs to), it must first attach to that other process (hereinafter referred to as the target program), and after the read/write operations are completed, detach from the target program.
  • the plug-in thread can trigger at least 3,000-50,000 read/write operations per second, which means that the plug-in thread can trigger 3,000-50,000 hooking events per second. It can be seen that, for the plug-in thread, the frequency of triggering the hooking event is relatively high.
  • while the thread is hooked, the specified offset address in the thread kernel object (for example, offset 0xb8) saves the kernel object address of the target program.
  • the specified offset address in the thread kernel object will save the kernel object address of the target program.
  • after the thread unhooks, the data content at the specified offset address changes from the kernel object address of the target program back to the kernel object address of the process to which the thread belongs. It can be seen that every time a thread triggers a hooking event, the data content at the specified offset address in its kernel object changes once.
  • the embodiment of the present invention proposes to capture whether the thread triggers the hooking event by acquiring the data content at the specified offset address in the thread kernel object.
  • on the one hand, the frequency of hooking events triggered by the plug-in thread is relatively high, that is, the data content at the specified offset address in the thread kernel object changes to the kernel object address of the target program relatively often; on the other hand, the hooking operation completes instantaneously, so the moment at which the data content at the specified offset address equals the kernel object address of the target program is fleeting. Therefore, how to capture a thread triggering the hooking event is a technical pain point.
  • the embodiment of the present invention is inspired by the Phalanx system used on warships: supersonic missiles are launched very fast, yet a Phalanx that fires 20,000 rounds of interceptors per second can still intercept them. The embodiment accordingly proposes the following implementation for determining whether a suspicious thread triggers the hooking event; the specific process is shown in Figure 2.
  • another plug-in detection method may include the following steps:
  • Step 201: obtain the data content at the specified offset address in the suspicious thread kernel object.
  • Step 202: determine whether the obtained data content is the kernel object address of the target program; if yes, execute step 203; if not, execute step 204.
  • Step 203: determine that the suspicious thread triggers the hooking event.
  • Step 204: determine whether the set duration is reached; if yes, execute step 205; if not, return to step 201.
  • Step 205: determine that the suspicious thread does not trigger a hooking event.
  • it can be seen from steps 201 to 205 that in the embodiment of the present invention, for each suspicious thread, within a set duration (for example, 1 second), the data content at the specified offset address in the suspicious thread kernel object is acquired cyclically without delay. In this way, high-frequency acquisition of the data content at the specified offset address in the suspicious thread kernel object is realized.
  • after each acquisition of the data content at the specified offset address in the suspicious thread kernel object, it is determined whether the obtained data content is the kernel object address of the target program; if so, it is determined that the suspicious thread triggers the hooking event; if not, the above steps continue to be executed in a loop without delay until the set duration is reached.
  • if, when the set duration is reached, the data content obtained in every acquisition was not the kernel object address of the target program, it can be determined that the suspicious thread has not triggered the hooking event.
  • "without delay" means that there is no time interval between two consecutive executions of the above-mentioned acquisition of the data content at the specified offset address in the kernel object of the suspicious thread.
  • the high-frequency detection of suspicious threads is equivalent to the interception principle of the Phalanx system used on warships, realizing intensive, high-frequency detection of suspicious threads. Therefore, even if the hooking and unhooking operations of a plug-in thread complete instantly, the hooking event triggered by the plug-in thread can still be captured with high probability.
  • the embodiment of the present invention proposes executing the process shown in Fig. 2 on the suspicious threads to be detected for cheating in the following manner.
  • the embodiment of the present invention proposes grouping the multiple suspicious threads according to activity, where the activities of suspicious threads in the same group fall within the same set activity range and the set activity ranges corresponding to different groups do not overlap; then, for each group, whether the suspicious threads in the group trigger the hooking event is monitored in batch.
  • for example, suspicious threads with a swapcontext difference greater than 1000 are divided into one group, those with a swapcontext difference greater than 200 and less than 1000 into another group, and those with a swapcontext difference lower than 200 into a third group, giving three groups. Afterwards, for each group, whether the suspicious threads in the group trigger the hooking event is monitored in batch.
  • the swapcontext difference on which the grouping is based is the last swapcontext difference obtained according to the set period.
  • the number of threads with high activity in the Windows system is relatively small compared to the number of threads with low activity (generally, threads with high activity account for less than 10%). Therefore, among the above groups, the higher the activity corresponding to a group (that is, the larger the swapcontext difference), the fewer threads it contains. In some implementations, within the same set duration, the fewer threads are monitored in a batch, the more times each thread is monitored, and so the higher the monitoring hit rate. This can improve the accuracy of plug-in detection.
  • a suspicious thread captured triggering a hooking event during the batch monitoring process can be determined as a high-risk thread, and the high-risk thread is then monitored individually for whether it triggers the hooking event. That is to say, in the embodiment of the present invention, under the condition that any suspicious thread in one of the above groups is detected to trigger the hooking event, whether that suspicious thread triggers the hooking event is monitored again individually. It can be seen that, by combining batch detection and individual detection, the embodiment of the present invention improves the accuracy of cheat detection results while also taking the efficiency of cheat detection into account.
  • in step 103, under the condition that the suspicious thread triggers the hooking event, the frequency at which the suspicious thread triggers the hooking event within a preset collision period is determined.
  • for each suspicious thread that triggers the hooking event (that is, each of the above high-risk threads), the following steps are performed: obtain the data content at the specified offset address in the kernel object of the high-risk thread; determine whether the obtained data content is the kernel object address of the target program; if so, add 1 to a flag value representing the number of times the suspicious thread triggers the hooking event. At the end of the preset collision period, the number of times the suspicious thread was detected triggering the hooking event within the preset collision period is obtained, and from this number the frequency at which the suspicious thread triggers the hooking event can be derived.
  • the preset collision period here may be the same as or different from the set duration described in step 102 above, which is not limited in this embodiment of the present invention.
  • in step 104, it is determined based on the frequency whether the suspicious thread is a plug-in thread.
  • the frequency at which the suspicious thread triggers the hooking event is compared with the set threshold. If the frequency is greater than the set threshold, the suspicious thread triggers the hooking event relatively frequently; combined with the above description that the frequency at which plug-in threads trigger hooking events is relatively high, the suspicious thread can be identified as a plug-in thread. Conversely, if the comparison shows that the frequency is less than or equal to the set threshold, the suspicious thread triggers the hooking event only moderately, so it can be determined that the suspicious thread is not a plug-in thread.
  • the set threshold is not static: users can adjust it according to actual business needs or prior experience, and it can also be adjusted intelligently by an artificial intelligence algorithm according to historical plug-in detection results, which is not limited in this embodiment of the present invention.
  • the method of determining whether a suspicious thread is a plug-in thread based on the frequency described in the above embodiment is only an optional implementation method, and in practice, it can also be implemented in other ways. For example, multiple suspicious threads may be sorted in descending order of frequency, and the suspicious threads ranked in the top N places in the sorting result may be determined as cheating threads.
  • the embodiment of the present invention does not limit the specific implementation manner of determining whether a suspicious thread is a plug-in thread based on frequency.
  • the frequency at which the suspicious thread triggers the hooking event is determined within the preset collision period, and whether the suspicious thread is a cheating thread is determined based on this frequency, thereby realizing the detection of the cheating thread.
  • the accuracy of cheating detection can be improved.
  • by using the frequency at which a thread triggers the hooking event, plug-in detection can be applied to various plug-ins and various scenarios (including detecting plug-in threads in the driver layer). It can be seen that, compared with handle downgrading in the related art, the above technical solution has high applicability and compatibility and can more comprehensively realize the detection of various plug-in threads.
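The four steps above, run end to end over constructed data as an added illustration (this is not the patent's own code): the kernel object addresses, the five sampling periods, the 1 s collision period and the 100 events/s threshold are all assumptions chosen so the example runs offline, and the per-thread readings stand in for what a driver would read at the kernel object offset.

```python
"""Simulation of the cheat-thread detection pipeline described in steps 101-104.

All input is constructed: swapcontext counter samples and the values read at the
thread kernel object's offset are embedded below, so nothing touches a kernel.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed placeholder kernel-object addresses (assumptions, not real values).
TARGET_PROCESS_OBJECT = 0xFFFF_A000_1234_5000  # object of the protected target program
OWN_PROCESS_OBJECT = 0xFFFF_A000_9999_0000     # object of the thread's own process


def swapcontext_differences(samples: List[int]) -> List[int]:
    """Step 101: differences of swapcontext counts sampled in consecutive periods."""
    return [later - earlier for earlier, later in zip(samples, samples[1:])]


def is_suspicious(samples: List[int]) -> bool:
    """Step 101: suspicious when the thread is active and its swapcontext difference
    sequence never falls (the text says 'increasing'; equal consecutive differences
    are accepted here as the 'maintaining' trend it also describes, an assumption)."""
    diffs = swapcontext_differences(samples)
    if len(diffs) < 2 or all(d == 0 for d in diffs):  # inactive threads are filtered out
        return False
    return all(later >= earlier for earlier, later in zip(diffs, diffs[1:]))


def activity_group(last_diff: int) -> str:
    """Grouping by the last swapcontext difference with the 1000 / 200 cut-offs from the
    text. The exact boundary values are not assigned there; they go to the lower group
    here (an assumption)."""
    if last_diff > 1000:
        return "high"
    if last_diff > 200:
        return "medium"
    return "low"


def triggered_hooking_event(offset_polls: List[int], target: int) -> bool:
    """Steps 201-205: the offset is read repeatedly without delay for the set duration;
    a single reading equal to the target's kernel object address is a hooking event."""
    return any(value == target for value in offset_polls)


def hooking_frequency(offset_polls: List[int], target: int, collision_period_s: float) -> float:
    """Step 103: count readings equal to the target's address during the collision
    period and express them as events per second."""
    hits = sum(1 for value in offset_polls if value == target)
    return hits / collision_period_s


def is_cheat_thread(frequency: float, threshold: float) -> bool:
    """Step 104: a frequency above the set threshold marks a cheat thread."""
    return frequency > threshold


@dataclass
class ThreadObservation:
    tid: int
    swapcontext_samples: List[int]  # one counter value per sampling period
    offset_polls: List[int]         # values read at the offset during the collision period


def constructed_polls(hits: int, total: int) -> List[int]:
    """Constructed poll readings: `hits` target-address readings spread over `total` polls."""
    polls = [OWN_PROCESS_OBJECT] * total
    for k in range(hits):
        polls[k * (total // hits)] = TARGET_PROCESS_OBJECT
    return polls


def detect(threads: List[ThreadObservation], collision_period_s: float = 1.0,
           threshold: float = 100.0) -> Dict[int, dict]:
    """Run steps 101-104; return group, frequency and verdict for each suspicious thread."""
    verdicts: Dict[int, dict] = {}
    for thread in threads:
        if not is_suspicious(thread.swapcontext_samples):
            continue  # step 101 screened it out; it is never polled
        group = activity_group(swapcontext_differences(thread.swapcontext_samples)[-1])
        if not triggered_hooking_event(thread.offset_polls, TARGET_PROCESS_OBJECT):
            verdicts[thread.tid] = {"group": group, "frequency": 0.0, "cheat": False}
            continue  # step 102: never observed hooked to the target
        freq = hooking_frequency(thread.offset_polls, TARGET_PROCESS_OBJECT, collision_period_s)
        verdicts[thread.tid] = {"group": group, "frequency": freq,
                                "cheat": is_cheat_thread(freq, threshold)}
    return verdicts


# Constructed observations: five sampling periods and 1000 polls per thread.
SAMPLE_THREADS = [
    ThreadObservation(100, [0, 500, 1700, 3600, 6200], constructed_polls(120, 1000)),  # rising, frequent hits
    ThreadObservation(200, [10, 10, 10, 10, 10], constructed_polls(0, 1000)),          # idle thread
    ThreadObservation(300, [0, 300, 500, 650, 750], constructed_polls(300, 1000)),     # activity falling
    ThreadObservation(400, [0, 50, 110, 180, 260], constructed_polls(5, 1000)),        # rising but rare hits
]


def run_demo() -> Dict[int, dict]:
    return detect(SAMPLE_THREADS)


if __name__ == "__main__":
    for tid, verdict in run_demo().items():
        print(tid, verdict)
```

Thread 300 shows why step 101 matters: its polls would register many hits, but its falling activity keeps it out of the polled set entirely.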
  • a cheating detection device is also provided.
  • the plug-in detection device of the present invention will be described below with specific embodiments in conjunction with the accompanying drawings.
  • FIG. 3 schematically shows a block diagram of an embodiment of a cheat detection device according to an embodiment of the present invention.
  • the device may include:
  • the first determination module 31 is configured to determine a plurality of suspicious threads to be detected for cheating;
  • the second determining module 32 is configured to monitor whether each of the suspicious threads triggers a hooking event, and the hanging event is used to indicate that the suspicious thread is hooked to a target program;
  • the third determination module 33 is configured to determine the frequency of the suspicious thread triggering the hanging event within a preset collision period under the condition that the suspicious thread triggers the hanging event;
  • the fourth determining module 34 is configured to determine whether the suspicious thread is a cheating thread based on the frequency.
  • the first determination module 31 may include (not shown in the figure):
  • the activity determination submodule is used to determine the activity of each surviving thread in the system;
  • the suspicious thread determination sub-module is configured to determine the surviving thread whose activity meets a set condition as a suspicious thread to be detected by cheating.
  • the activity determination submodule can be used to perform the following steps for each surviving thread in the system:
  • the suspicious thread determination submodule can be used for:
  • if the swapcontext difference sequence is an increasing sequence, the surviving thread is determined as a suspicious thread to be detected for cheating.
  • the second determination module 32 may be configured to execute the following steps within a set period of time for each suspicious thread:
  • if the loop continues until the set duration is reached without a hit, it is determined that the suspicious thread does not trigger a hooking event.
  • the second determination module 32 may be used to:
  • the set durations corresponding to different groups are different, and the upper limit of the set activity range corresponding to a group is positively correlated with that group's set duration.
  • the second determination module 32 may also be used for:
  • the fourth determining module 34 may be used to:
  • Fig. 4 schematically shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
  • the electronic device 400 shown in FIG. 4 may include: at least one processor 401, a memory 402, at least one network interface 404 and other user interfaces 403.
  • Various components in the electronic device 400 are coupled together through the bus system 405.
  • the bus system 405 is used to realize connection and communication between these components.
  • the bus system 405 also includes a power bus, a control bus and a status signal bus.
  • the various buses are labeled as bus system 405 in FIG. 4.
  • the user interface 403 may include a display, a keyboard, or a pointing device (e.g., a mouse, a trackball, a touch pad, or a touch screen).
  • the memory 402 in the embodiment of the present invention may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memories.
  • the non-volatile memory can be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (Random Access Memory, RAM), which acts as an external cache.
  • many forms of RAM are available, for example static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory, and direct Rambus random access memory.
  • the memory 402 stores the following elements, executable units or data structures, or their subsets or extended sets: an operating system 4021 and an application program 4022.
  • the operating system 4021 may include various system programs, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and processing hardware-based tasks.
  • the application program 4022 includes various application programs, such as a media player (MediaPlayer), a browser (Browser), etc., and is used to implement various application services.
  • the program for realizing the method of the embodiment of the present invention may be included in the application program 4022.
  • the processor 401, by calling the program or instruction stored in the memory 402 (which may be the program or instruction stored in the application program 4022), is used to execute the method steps provided by each method embodiment; for example, the executable steps include:
  • the methods disclosed in the foregoing embodiments of the present invention may be applied to the processor 401 or implemented by the processor 401 .
  • the processor 401 may be an integrated circuit chip and has signal processing capability. In the implementation process, each step of the above method can be completed by an integrated logic circuit of hardware in the processor 401 or an instruction in the form of software.
  • the above-mentioned processor 401 may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the steps of the methods disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software units in the decoding processor.
  • the software unit may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register.
  • the storage medium is located in the memory 402, and the processor 401 reads the information in the memory 402, and completes the steps of the above method in combination with its hardware.
  • the processing unit can be implemented in one or more application-specific integrated circuits (Application Specific Integrated Circuits, ASIC), digital signal processors (Digital Signal Processing, DSP), digital signal processing devices (DSP Device, DSPD), programmable logic devices (Programmable Logic Device, PLD), field-programmable gate arrays (Field-Programmable Gate Array, FPGA), general-purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions described in this application, or a combination thereof.
  • the electronic device according to the embodiment of the present invention may be an electronic device as shown in FIG. 4, which can perform all the steps of the cheat detection method shown in FIG. 1 and FIG. 2 and thereby realize the technical effect of that method; for details, please refer to the relevant descriptions of FIG. 1 and FIG. 2.
  • the various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof.
  • a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the cheat detection apparatus according to the embodiment of the present invention.
  • the present invention can also be implemented as programs/instructions (eg, computer programs/instructions and computer program products) of devices or means for performing part or all of the methods described herein.
  • such programs/instructions for implementing the present invention may be stored on a computer-readable medium, or may exist in the form of one or more signals; such signals may be downloaded from an Internet website, provided on a carrier signal, or made available in any other form.
  • a storage medium which may be a computer-readable medium.
  • One or more programs in the storage medium can be executed by one or more processors, so as to realize the above-mentioned cheating detection method executed on the electronic device side.
  • the processor is used to execute the cheat detection program stored in the memory, so as to realize the steps of the cheat detection method performed on the electronic device side.
  • computer-readable media, including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for the storage of information.
  • Information may be computer readable instructions, data structures, modules of a program, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic cassettes, disk storage, quantum memory, graphene-based storage media or other magnetic storage devices or any other non-transmission media that can be used to store information that can be accessed by computing devices.
  • FIG. 5 schematically shows a computer device capable of implementing the cheat detection method according to the present invention.
  • the computer device includes a processor 510 and a computer-readable medium in the form of a memory 520.
  • the memory 520 is one example of a computer-readable medium having a storage space 530 for storing a computer program 531.
  • when the computer program 531 is executed by the processor 510, the various steps of the cheat detection method described above can be realized.
  • Fig. 6 schematically shows a block diagram of a computer program product implementing the method according to the invention.
  • the computer program product includes a computer program 610.
  • when the computer program 610 is executed by a processor such as the processor 510 shown in FIG. 5, the various steps of the cheat detection method described above can be realized.


Abstract

Disclosed in the present invention are a plug-in detection method and apparatus, an electronic device, and a storage medium. The method comprises: determining a plurality of suspicious threads to be subjected to plug-in detection; monitoring whether each of the suspicious threads triggers an attach event, the attach event indicating that the suspicious thread has attached to a target program; when it is monitored that the suspicious thread triggers the attach event, determining, within a preset collision period, the frequency at which the suspicious thread triggers the attach event; and determining, on the basis of the frequency, whether the suspicious thread is a plug-in thread. In this way, more comprehensive plug-in detection can be realized, and the detection efficiency is relatively high.

Description

Plug-in detection method, apparatus, electronic device and storage medium

Cross reference

This application claims priority to Chinese patent application No. 202110957616.8, filed on August 19, 2021 and entitled "Plug-in detection method, apparatus, electronic device and storage medium", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of computers, and in particular to a plug-in detection method, apparatus, electronic device and storage medium.

Background

With the development of computer technology and the successive upgrades of operating systems, implementing anti-cheat through patches is no longer applicable to the now widespread 64-bit Windows systems; in response, engineers have adopted handle privilege downgrading to implement anti-cheat on 64-bit Windows. Taking anti-cheat for a game program as an example, so-called handle privilege downgrading means traversing, at high frequency, the handles in the system that access the game program; once cheating is found, the handle's privileges are reduced, for example by downgrading the handle to the lowest level, so that the handle can no longer read or write the game program's data, thereby achieving anti-cheat.

However, handle privilege downgrading has a serious technical weakness: its implementation depends on a whitelist, and once the whitelist is exploited by a cheat thread, cheat-thread detection loses its effectiveness. Moreover, the concept of a handle does not exist at the driver layer (that is, the kernel layer), so the above handle privilege downgrading technique is not applicable to countering cheat threads at the driver layer (that is, the kernel layer).

It can thus be seen that there is an urgent need for a plug-in detection method with universal applicability and good compatibility.

Summary of the invention

In view of this, in order to solve the technical problem in the related art that cheat detection approaches are extremely limited and of low applicability, embodiments of the present invention provide a plug-in detection method, apparatus, electronic device and storage medium.

In a first aspect, according to an embodiment of the present invention, a plug-in detection method is provided, the method comprising: determining a plurality of suspicious threads to be subjected to cheat detection; monitoring whether each of the suspicious threads triggers an attach event, the attach event indicating that the suspicious thread has attached to a target program; on condition that a suspicious thread is monitored to trigger the attach event, determining, within a preset collision period, the frequency at which the suspicious thread triggers the attach event; and determining, on the basis of the frequency, whether the suspicious thread is a cheat thread.

In a second aspect, according to an embodiment of the present invention, a plug-in detection apparatus is provided, the apparatus comprising: a first determining module, configured to determine a plurality of suspicious threads to be subjected to cheat detection; a second determining module, configured to monitor whether each of the suspicious threads triggers an attach event, the attach event indicating that the suspicious thread has attached to a target program; a third determining module, configured to determine, on condition that a suspicious thread is monitored to trigger the attach event, the frequency at which the suspicious thread triggers the attach event within a preset collision period; and a fourth determining module, configured to determine, on the basis of the frequency, whether the suspicious thread is a cheat thread.

In a third aspect, according to an embodiment of the present invention, an electronic device is provided, comprising a memory, a processor and a computer program stored on the memory, where the processor, when executing the computer program, implements the steps of the method of the first aspect above.

In a fourth aspect, according to an embodiment of the present invention, a storage medium is provided on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the method of the first aspect above.

In a fourth aspect, according to an embodiment of the present invention, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method of the first aspect above.

The beneficial effects of the present invention are as follows. According to the technical solution of the embodiments of the present invention, a plurality of suspicious threads to be subjected to cheat detection are determined; whether each suspicious thread triggers an attach event is monitored; on condition that a suspicious thread is monitored to trigger an attach event, the frequency at which the suspicious thread triggers the attach event is determined within a preset collision period; and whether the suspicious thread is a cheat thread is determined on the basis of the frequency, thereby achieving detection of cheat threads. In the above technical solution, by first determining a plurality of suspicious threads and subsequently performing cheat detection only on those suspicious threads, compared with performing cheat detection exhaustively on all live threads in the system, the efficiency of cheat detection can be improved, and the consumption of device computing resources by cheat detection and its impact on device performance can be reduced. Since, for a cheat thread, triggering attach events is an unavoidable operation, the frequency of triggering attach events can be regarded as an inherent characteristic of cheat threads. Therefore, performing cheat detection by way of the frequency at which a thread triggers attach events is applicable to many kinds of cheats and many scenarios (including detection of cheat threads at the driver layer). It can thus be seen that, compared with handle privilege downgrading in the related art, the above technical solution has higher applicability and compatibility, and can detect many kinds of cheat threads more comprehensively.

In addition, according to the technical solution of the embodiments of the present invention, when monitoring whether a suspicious thread triggers an attach event, inspired by the Phalanx system used on warships, multiple detection threads are invoked to perform cheat detection on the suspicious threads cyclically; this is equivalent to the interception principle of the Phalanx system used on warships and achieves dense, high-frequency cheat detection on suspicious threads. Therefore, even though the attach and detach operations of a cheat thread complete instantaneously, the attach event triggered by the cheat thread can be captured with high probability, providing a solid foundation for the detection of cheat threads.

Brief description of the drawings

The above and various other advantages and benefits of the present invention will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. In the drawings:

FIG. 1 schematically shows a flow chart of an embodiment of a cheat detection method according to an embodiment of the present invention;

FIG. 2 schematically shows a flow chart of an embodiment of another cheat detection method according to an embodiment of the present invention;

FIG. 3 schematically shows a block diagram of an embodiment of a cheat detection apparatus according to an embodiment of the present invention;

FIG. 4 schematically shows a structural diagram of an electronic device according to an embodiment of the present invention;

FIG. 5 schematically shows a block diagram of a computer device for implementing the method according to the present invention; and

FIG. 6 schematically shows a block diagram of a computer program product implementing the method according to the present invention.

Detailed description

In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be described clearly and completely below in conjunction with the drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

The plug-in detection method of the present invention is further described below with specific embodiments in conjunction with the accompanying drawings. The following description only illustrates the basic principles of the present invention and does not limit it.

Referring to FIG. 1, FIG. 1 schematically shows a flow chart of an embodiment of a cheat detection method according to an embodiment of the present invention. As shown in FIG. 1, the flow may include the following step 101, step 102, step 103 and step 104:

In step 101, a plurality of suspicious threads to be subjected to cheat detection are determined.

In practice, the number of live threads in a system is in the thousands (usually more than 3000). Faced with thousands of live threads, performing cheat detection on every live thread would undoubtedly consume a large amount of computing resources and affect device performance. In this regard, embodiments of the present invention propose that, when performing cheat detection, some threads suspected of cheating (hereinafter referred to as suspicious threads) are first determined from the many live threads in the system, and cheat detection is subsequently performed only on the suspicious threads. Those skilled in the art will understand that performing cheat detection only on suspicious threads, compared with performing it on the thousands of live threads in the system, reduces the consumption of device computing resources by cheat detection and reduces its impact on device performance. How suspicious threads are determined from the live threads in the system is described below by way of example.

In practice, a cheat thread usually performs read and write operations on a target program (for example a game program) based on the two system API functions ReadMemory and WriteMemory in order to implement its cheating function. In some embodiments, a cheat thread is highly real-time, triggering at least 3000 to 50000 read/write operations per second. That is, in terms of the thread activity metric, a cheat thread is an abnormally active thread, and over time its activity increases or holds steady. By contrast, a normal thread is inactive or moderately active, and over time its activity shows no regularity.

On this basis, in some embodiments, the live threads in the system can be preliminarily screened by the activity metric to obtain suspicious threads. In some embodiments, the activity of each live thread in the system is determined, and a live thread whose activity satisfies a set condition is determined as a suspicious thread to be subjected to cheat detection.

In some embodiments, determining the activity of each live thread in the system may include: calling the corresponding system API function according to a set period to obtain the swapcontext value of the live thread, until a set number of swapcontext values have been obtained; at the same time, for each live thread, starting from the second period, subtracting the swapcontext values obtained in each pair of consecutive periods to obtain a swapcontext difference. The swapcontext difference is positively correlated with thread activity: the larger the swapcontext difference, the higher the thread activity; conversely, the smaller the swapcontext difference, the lower the thread activity. Therefore, the swapcontext difference of a live thread can be used to characterize that live thread's activity.

On this basis, in some embodiments, determining a thread whose activity satisfies the set condition as a suspicious thread to be subjected to cheat detection may include: for each live thread in the system, ordering the obtained swapcontext differences of that live thread by acquisition time to obtain the live thread's swapcontext difference sequence. If the swapcontext difference sequence is increasing, the thread's activity is trending upward over time and, in line with the above description, the live thread can be determined as a suspicious thread to be subjected to cheat detection.

For example, every 1 second (that is, the above set period), the corresponding system API function is called to obtain the swapcontext value of a live thread, until the swapcontext value has been obtained 5 times over 5 consecutive set periods. As described above, for each live thread, starting from the second period, the swapcontext values of each pair of consecutive periods are subtracted in turn, giving 4 swapcontext differences in total. These 4 swapcontext differences are then ordered by acquisition time to obtain the live thread's swapcontext difference sequence. If the swapcontext difference sequence is increasing, the thread's activity is trending upward over time and, in line with the above description, the live thread can be determined as a suspicious thread to be subjected to cheat detection.

In addition, it should be noted that a swapcontext difference of 0 means that the thread is inactive. Therefore, before ordering the swapcontext differences of live threads, inactive live threads can first be filtered out on the basis of the swapcontext differences.
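The step-101 pre-filter above, as an added example that is not part of the patent: the thread ids and swapcontext readings are constructed, and how a zero difference is handled is an assumption stated in the comments.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not the patent's code. SAMPLES swapcontext readings
 * per live thread, one per set period (1 s in the text), give SAMPLES-1
 * consecutive differences as the thread's activity sequence. */

#define SAMPLES 5
#define DIFFS   (SAMPLES - 1)

typedef struct {
    uint32_t tid;                  /* constructed thread id */
    uint64_t swapcontext[SAMPLES]; /* readings in acquisition order */
} thread_samples_t;

typedef enum {
    THREAD_INACTIVE,   /* a zero difference: idle in some period, dropped */
    THREAD_NORMAL,     /* active, but no steadily increasing trend */
    THREAD_SUSPICIOUS  /* strictly increasing differences: cheat suspect */
} verdict_t;

/* diff[i] = swapcontext[i+1] - swapcontext[i], as the text describes. */
static void activity_sequence(const thread_samples_t *t, uint64_t diff[DIFFS])
{
    for (size_t i = 0; i < DIFFS; i++)
        diff[i] = t->swapcontext[i + 1] - t->swapcontext[i];
}

/* Assumption: the text says a zero difference means "inactive" without
 * saying whether one or all must be zero; here any zero difference drops
 * the thread before the ordering check. */
verdict_t classify_thread(const thread_samples_t *t)
{
    uint64_t diff[DIFFS];
    activity_sequence(t, diff);

    for (size_t i = 0; i < DIFFS; i++)
        if (diff[i] == 0)
            return THREAD_INACTIVE;

    /* "Increasing sequence" is read as strictly increasing: a flat
     * activity level shows no upward trend and is treated as normal. */
    for (size_t i = 1; i < DIFFS; i++)
        if (diff[i] <= diff[i - 1])
            return THREAD_NORMAL;

    return THREAD_SUSPICIOUS;
}

/* Walk all live threads and collect the ids of the suspicious ones.
 * Returns how many ids were written to out (at most out_cap). */
size_t find_suspicious(const thread_samples_t *threads, size_t n,
                       uint32_t *out, size_t out_cap)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < out_cap; i++)
        if (classify_thread(&threads[i]) == THREAD_SUSPICIOUS)
            out[count++] = threads[i].tid;
    return count;
}

/* Constructed readings: 1024 matches the cheat profile in the text
 * (thousands of context switches per second and rising), 1040 idles,
 * 1056 is an ordinary worker with irregular activity, 1072 is steady. */
const thread_samples_t SAMPLE_THREADS[] = {
    { 1024, { 1000, 4000, 8000, 13000, 19000 } },
    { 1040, {   50,   50,   50,    50,    50 } },
    { 1056, {  100,  300,  400,   450,   700 } },
    { 1072, {   10,   20,   30,    40,    50 } },
};
const size_t SAMPLE_THREAD_COUNT = sizeof SAMPLE_THREADS / sizeof SAMPLE_THREADS[0];

int main(void)
{
    uint32_t suspicious[8];
    size_t n = find_suspicious(SAMPLE_THREADS, SAMPLE_THREAD_COUNT,
                               suspicious, 8);
    for (size_t i = 0; i < n; i++)
        printf("suspicious thread %" PRIu32 "\n", suspicious[i]);
    return 0;
}
```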

In step 102, whether each suspicious thread triggers an attach event is monitored, the attach event indicating that the suspicious thread has attached to the target program.

At present, Windows stipulates that when a thread performs a cross-process read or write (that is, reads or writes data of a process other than the one it belongs to), it must first attach to that other process (hereinafter referred to as the target program), and detach from the target program once the read or write operation is complete. As described above, a cheat thread triggers at least 3000 to 50000 read/write operations per second, which means that a cheat thread triggers 3000 to 50000 attach events per second. It can thus be seen that a cheat thread triggers attach events at a relatively high frequency.

In some embodiments, when a thread attaches to the target program, the specified offset in the thread's kernel object, for example offset 0xb8, holds the kernel object address of the target program; after the thread detaches from the target program, the data at the specified offset changes back from the kernel object address of the target program to the kernel object address of the process to which the thread belongs. It can thus be seen that each time a thread triggers an attach event, the data at the specified offset in its kernel object changes once.

Based on the above description, embodiments of the present invention propose capturing whether a thread has triggered an attach event by obtaining the data at the specified offset in the thread's kernel object.

However, although a cheat thread triggers attach events at a relatively high frequency, that is, the data at the specified offset in the thread's kernel object changes to the kernel object address of the target program relatively often, the attach and detach operations both complete instantaneously; that is, the moments at which the data at the specified offset in the thread's kernel object holds the kernel object address of the target program are fleeting. Therefore, how to capture that a thread has triggered an attach event becomes a technical pain point.

In this regard, inspired by the Phalanx system used on warships (a supersonic missile flies very fast, yet a Phalanx firing 20000 intercepting missiles per second can still intercept it), embodiments of the present invention propose the following implementation for determining whether a suspicious thread has triggered an attach event, the specific flow being shown in FIG. 2. As shown in FIG. 2, according to an embodiment of the present invention, another cheat detection method may include the following steps:

Step 201: obtain the data at the specified offset in the suspicious thread's kernel object.

Step 202: determine whether the obtained data is the kernel object address of the target program; if so, execute step 203; if not, execute step 204.

Step 203: determine that the suspicious thread has triggered the attach event.

Step 204: determine whether the set duration has been reached; if so, execute step 205; if not, return to step 201.

Step 205: determine that the suspicious thread has not triggered the attach event.

It can be seen from steps 201 to 205 that, in an embodiment of the present invention, for each suspicious thread, within a set duration (for example 1 second), the data at the specified offset in the suspicious thread's kernel object is obtained cyclically and without delay, thereby obtaining the data at the specified offset in the suspicious thread's kernel object at high frequency. Each time the data at the specified offset in the suspicious thread's kernel object is obtained, whether the obtained data is the kernel object address of the target program is determined; if so, it can be determined that the suspicious thread has triggered the attach event and the loop is exited; if not, the above steps continue to be executed cyclically without delay until the set duration is reached. When the set duration is reached, if none of the obtained data was the kernel object address of the target program, it can be determined that the suspicious thread has not triggered the attach event. Here, "without delay" means that there is no time interval between any two consecutive executions of the above obtaining of the data at the specified offset in the suspicious thread's kernel object.

In the flow shown in FIG. 2, performing cheat detection on suspicious threads at high frequency is equivalent to the interception principle of the Phalanx system used on warships, achieving dense, high-frequency cheat detection on suspicious threads. Therefore, even though the attach and detach operations of a cheat thread complete instantaneously, the attach event triggered by the cheat thread can be captured with high probability.

In addition, it should be noted that, in order to improve the efficiency and accuracy of cheat detection, embodiments of the present invention propose executing the flow shown in FIG. 2 in batches for the plurality of suspicious threads determined in step 101, that is, performing cheat detection on multiple suspicious threads in batches.

In some embodiments, embodiments of the present invention propose grouping the plurality of suspicious threads by activity, where the activities of the suspicious threads in the same group fall within the same set activity range and the set activity ranges corresponding to different groups do not overlap, and then, for each group, monitoring in a batch whether the suspicious threads in the group trigger attach events.

For example, according to the swapcontext difference that characterizes activity, suspicious threads with a swapcontext difference greater than 1000 are placed in one group, suspicious threads with a swapcontext difference greater than 200 and less than 1000 in another group, and suspicious threads with a swapcontext difference below 200 in a further group, giving three groups. Then, for each group, whether the suspicious threads in the group trigger attach events is monitored in a batch. Here, the swapcontext difference used for grouping is the last swapcontext difference obtained according to the set period described above.

In practice, the number of highly active threads in a Windows system is small relative to the number of less active threads (generally, highly active threads account for less than 10%). Therefore, among the above groups, the higher the activity corresponding to a group, that is, the larger the swapcontext difference, the fewer threads the group contains. In some embodiments, within the same set duration, the fewer threads are monitored in a batch, the more times each thread is monitored, and thus the higher the monitoring hit rate. This improves the accuracy of cheat detection.

Furthermore, when batch monitoring captures a suspicious thread that triggers the attachment event, that thread can be marked as a high-risk thread, and the high-risk thread is then monitored individually for whether it triggers the attachment event. That is, in the embodiment of the present invention, once any suspicious thread in a group is found to trigger the attachment event, that thread is monitored again, on its own, for whether it triggers the attachment event. Combining batch detection with individual detection in this way improves the accuracy of the cheat detection result while keeping detection efficient.

In step 103, when a suspicious thread is found to trigger the attachment event, the frequency with which the suspicious thread triggers the attachment event is determined within a preset collision period.

When a suspicious thread is found to trigger the attachment event, it is quite likely to be a cheat thread. To determine this further, the embodiment of the present invention proposes that, once a suspicious thread is found to trigger the attachment event, the frequency with which it triggers the attachment event is determined within a preset collision period.

In some implementations, within the preset collision period, for example 0.1 seconds (0.1 seconds is chosen mainly to limit the impact of the technical solution on the user, for example a game player), the following steps are performed for each suspicious thread that triggered the attachment event, i.e. each high-risk thread above: read the data at the specified offset in the high-risk thread's kernel object; determine whether that data is the kernel object address of the target program; if so, add 1 to a marker value representing the number of times the suspicious thread has been found to trigger the attachment event. At the end of the preset collision period, the number of times the suspicious thread was found to trigger the attachment event within that period is known, and the frequency with which it triggers the attachment event is derived from that count.

Note that the preset collision period here may be the same as or different from the set duration described in step 102 above; the embodiment of the present invention places no restriction on this.

In step 104, whether the suspicious thread is a cheat thread is determined based on the frequency.

In some implementations, the frequency with which the suspicious thread triggers the attachment event is compared with a set threshold. If the frequency is greater than the set threshold, the suspicious thread triggers the attachment event relatively often and, given the earlier observation that "cheat threads trigger the attachment event at a relatively high frequency", the suspicious thread can be determined to be a cheat thread. Conversely, if the frequency is less than or equal to the set threshold, the suspicious thread triggers the attachment event only moderately often, so it can be determined not to be a cheat thread.

Note that in practice the set threshold is not fixed: a user can adjust it according to actual business needs or prior experience, and it can also be adjusted automatically by an artificial intelligence algorithm based on historical cheat detection results; the embodiment of the present invention places no restriction on this.

Note also that determining whether a suspicious thread is a cheat thread based on frequency as described above is only one optional implementation; in practice it can be realised in other ways. For example, the multiple suspicious threads may be sorted by frequency in descending order and the top N suspicious threads in the sorted result determined to be cheat threads. The embodiment of the present invention does not limit the specific way in which whether a suspicious thread is a cheat thread is determined based on frequency.

According to the technical solution of the embodiment of the present invention, multiple suspicious threads to undergo cheat detection are determined, each suspicious thread is monitored for whether it triggers the attachment event, the frequency with which a suspicious thread triggers the attachment event is determined within a preset collision period once that thread is found to trigger the event, and whether the suspicious thread is a cheat thread is determined based on the frequency, thereby detecting cheat threads. In some implementations, by first determining the suspicious threads and then running cheat detection only on them, rather than on every live thread in the system, detection efficiency is improved and the computing resources consumed by cheat detection and its impact on device performance are reduced. Because triggering the attachment event is an operation a cheat thread must perform, the frequency with which it triggers the attachment event can be regarded as an inherent characteristic of cheat threads, so detecting cheats by the frequency with which a thread triggers the attachment event applies to many kinds of cheats and many scenarios (including detecting cheat threads at the driver layer). Compared with the handle privilege-reduction approach of the related art, the technical solution above therefore has higher applicability and compatibility and detects a wider range of cheat threads.

Corresponding to the embodiments of the cheat detection method above, an embodiment of the present invention also provides a cheat detection apparatus, which is described below through specific embodiments with reference to the accompanying drawings.

Referring to FIG. 3, FIG. 3 schematically shows a block diagram of an embodiment of a cheat detection apparatus according to an embodiment of the present invention. As shown in FIG. 3, the apparatus may include:

a first determination module 31, configured to determine multiple suspicious threads to undergo cheat detection;

a second determination module 32, configured to monitor whether each suspicious thread triggers an attachment event, the attachment event indicating that the suspicious thread has attached to a target program;

a third determination module 33, configured to determine, when a suspicious thread is found to trigger the attachment event, the frequency with which the suspicious thread triggers the attachment event within a preset collision period;

a fourth determination module 34, configured to determine, based on the frequency, whether the suspicious thread is a cheat thread.

In some possible implementations, the first determination module 31 may include (not shown in the figure):

an activity determination submodule, configured to determine the activity of each live thread in the system;

a suspicious thread determination submodule, configured to determine a live thread whose activity satisfies a set condition to be a suspicious thread to undergo cheat detection.

In some possible implementations, the activity determination submodule may be configured to perform the following steps for each live thread in the system:

acquire the swapcontext value of the live thread once per set period until a set number of swapcontext values has been acquired; and, from the second period onward, subtract the swapcontext value acquired in the previous period from that acquired in the current period to obtain a swapcontext difference, the swapcontext difference being positively correlated with the activity of the live thread.

The suspicious thread determination submodule may be configured to:

for each live thread in the system, sort the swapcontext differences obtained for the live thread in order of acquisition time to obtain a swapcontext difference sequence for the live thread;

if the swapcontext difference sequence is increasing, determine the live thread to be a suspicious thread to undergo cheat detection.
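As an added example in C (not code from the patent or its assignee), the candidate selection of the submodules above together with the activity grouping of step 102: each live thread's swapcontext counter is sampled once per set period, the consecutive differences are checked for an increasing sequence, and candidates are bucketed by their last difference using the page's example bounds of 200 and 1000. The sample values, the sample count of 5, the probe budget of 600 per group and the handling of the exact bound values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SAMPLE_COUNT 5                 /* assumed "set number" of samples per thread */
#define N_DELTAS     (SAMPLE_COUNT - 1)

/* One live thread's swapcontext counter, read once per set period. The counter
 * is assumed to be monotonic; all values are constructed for this example. */
typedef struct {
    uint32_t tid;
    uint64_t swapcontext[SAMPLE_COUNT];
} ThreadSamples;

typedef enum { GROUP_LOW = 0, GROUP_MID = 1, GROUP_HIGH = 2, GROUP_COUNT = 3 } ActivityGroup;

/* Constructed population of eight live threads. */
static const ThreadSamples kThreads[] = {
    { 1001, {   100,   120,   150,   190,   240 } },  /* deltas 20,30,40,50: increasing, low */
    { 1002, {  5000,  5100,  5300,  5600,  6000 } },  /* 100,200,300,400: increasing, mid */
    { 1003, {     0,   300,   700,  1200,  1800 } },  /* 300,400,500,600: increasing, mid */
    { 1004, { 10000, 10500, 11200, 12100, 13300 } },  /* 500,700,900,1200: increasing, high */
    { 1005, {   800,   810,   820,   830,   840 } },  /* 10,10,10,10: flat, not suspicious */
    { 1006, {  2000,  2400,  2700,  2900,  3000 } },  /* 400,300,200,100: falling, not suspicious */
    { 1007, {    50,    60,    80,   110,   150 } },  /* 10,20,30,40: increasing, low */
    { 1008, {     0,   100,   250,   450,   700 } },  /* 100,150,200,250: increasing, mid */
};
#define N_THREADS (sizeof kThreads / sizeof kThreads[0])

/* From the second period on, the difference between consecutive samples. */
static void swapcontext_deltas(const ThreadSamples *s, uint64_t out[N_DELTAS]) {
    for (size_t i = 1; i < SAMPLE_COUNT; i++)
        out[i - 1] = s->swapcontext[i] - s->swapcontext[i - 1];
}

/* Candidate test: the delta sequence, in acquisition order, is increasing.
 * "Increasing" is read here as strictly increasing (assumption). */
static bool is_suspicious(const ThreadSamples *s) {
    uint64_t d[N_DELTAS];
    swapcontext_deltas(s, d);
    for (size_t i = 1; i < N_DELTAS; i++)
        if (d[i] <= d[i - 1])
            return false;
    return true;
}

/* Grouping by the last delta with the page's example bounds: above 1000 is the
 * high group, between 200 and 1000 the middle group, below 200 the low group.
 * The page does not assign the values 200 and 1000 themselves; here they fall
 * into the lower group. */
static ActivityGroup activity_group(const ThreadSamples *s) {
    uint64_t d[N_DELTAS];
    swapcontext_deltas(s, d);
    uint64_t last = d[N_DELTAS - 1];
    if (last > 1000) return GROUP_HIGH;
    if (last > 200)  return GROUP_MID;
    return GROUP_LOW;
}

/* Number of suspicious threads that land in a group. */
static size_t suspicious_in_group(ActivityGroup g) {
    size_t n = 0;
    for (size_t i = 0; i < N_THREADS; i++)
        if (is_suspicious(&kThreads[i]) && activity_group(&kThreads[i]) == g)
            n++;
    return n;
}

/* If the batch monitor can afford probe_budget reads for a group within one set
 * duration and polls its members round-robin, each member is reached
 * probe_budget / size times: the smaller the group, the more often each thread
 * is checked. Returns 0 for an empty group. */
static unsigned probes_per_thread(ActivityGroup g, unsigned probe_budget) {
    size_t n = suspicious_in_group(g);
    return n ? (unsigned)(probe_budget / n) : 0;
}

int main(void) {
    static const char *names[GROUP_COUNT] = { "low", "mid", "high" };
    for (size_t i = 0; i < N_THREADS; i++)
        printf("tid %u: %s\n", kThreads[i].tid,
               is_suspicious(&kThreads[i]) ? names[activity_group(&kThreads[i])]
                                           : "not suspicious");
    for (int g = 0; g < GROUP_COUNT; g++)
        printf("group %s: %zu threads, %u probes each per set duration\n", names[g],
               suspicious_in_group((ActivityGroup)g), probes_per_thread((ActivityGroup)g, 600));
    return 0;
}
```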

In some possible implementations, the second determination module 32 may be configured to perform the following steps in a loop, for each suspicious thread, within a set duration:

read the data at the specified offset in the kernel object of the suspicious thread;

determine whether the data is the kernel object address of the target program;

if so, stop the loop and determine that the suspicious thread triggers the attachment event;

if not, continue the loop until the set duration is reached, then determine that the suspicious thread does not trigger the attachment event.

In some possible implementations, the second determination module 32 may be configured to:

group the multiple suspicious threads by activity, where the activities of the suspicious threads in one group fall within the same set activity range and the set activity ranges of different groups do not overlap;

for each group, determine in batch whether the suspicious threads in the group trigger the attachment event, where different groups have different set durations and the upper limit of a group's set activity range is positively correlated with its set duration.

In some possible implementations, the second determination module 32 may further be configured to:

when any suspicious thread in the group is found to trigger the attachment event, monitor that suspicious thread again for whether it triggers the attachment event.

In some possible implementations, the fourth determination module 34 may be configured to:

compare the frequency with a set threshold;

if the frequency is greater than the set threshold, determine that the suspicious thread is a cheat thread;

if the frequency is less than the set threshold, determine that the suspicious thread is not a cheat thread.
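As an added example in C (not code from the patent or its assignee), steps 102 to 104 as described for the second, third and fourth determination modules above: polling the data at the specified offset of a suspicious thread's kernel object for a set duration, counting hits over the 0.1 s collision period once the attachment event fires, and deciding either by a set threshold or by top-N ranking. The kernel object is replaced by a constructed per-poll trace, and the poll counts, the threshold, the target object address and the thread ids are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The page fixes only the 0.1 s collision period; the other values are assumed. */
#define COLLISION_PERIOD_S 0.1   /* preset collision period from the page */
#define PERIOD_POLLS       10    /* assumed: object reads per collision period */
#define MONITOR_POLLS      12    /* assumed: reads that fit in the step-102 set duration */
#define FREQ_THRESHOLD_HZ  50.0  /* assumed: set threshold, attachment events per second */
#define MAX_POLLS          16

/* Constructed placeholder for the target program's kernel object address. */
#define TARGET_OBJ ((uint64_t)0xFFFF800012345678ULL)
static const uint64_t kTarget = TARGET_OBJ;

/* Stand-in for one thread's kernel object as the detector sees it: at_offset[i]
 * is the value read at the "specified offset" on the i-th poll. The real object
 * layout and offset are not given by the page, so the trace is constructed. */
typedef struct {
    uint32_t tid;
    size_t   n_polls;
    uint64_t at_offset[MAX_POLLS];
} ThreadTrace;

typedef enum { NOT_CHEAT = 0, CHEAT = 1 } Verdict;

/* Three constructed suspicious threads (all values made up). */
static const ThreadTrace kTraces[] = {
    /* 1004: never points at the target, so never reaches step 103 */
    { 1004, 12, { 0, 0, 0x1000, 0, 0, 0, 0x1000, 0, 0, 0, 0, 0 } },
    /* 2310: points at the target once, then stops */
    { 2310, 12, { 0, 0, TARGET_OBJ, 0, 0, 0, 0, 0, 0, 0, 0, 0 } },
    /* 3927: attached on almost every poll, the behaviour the page ascribes to cheat threads */
    { 3927, 12, { 0, TARGET_OBJ, TARGET_OBJ, TARGET_OBJ, 0, TARGET_OBJ, TARGET_OBJ,
                  TARGET_OBJ, TARGET_OBJ, TARGET_OBJ, TARGET_OBJ, 0 } },
};
#define N_TRACES (sizeof kTraces / sizeof kTraces[0])

/* Step 102: poll for the set duration (modelled as a poll budget). Returns the
 * index of the first poll whose content equals the target's kernel object
 * address, or -1 when the budget runs out without a hit. */
static int monitor_attach_event(const ThreadTrace *t, uint64_t target, size_t poll_budget) {
    size_t limit = poll_budget < t->n_polls ? poll_budget : t->n_polls;
    for (size_t i = 0; i < limit; i++)
        if (t->at_offset[i] == target)
            return (int)i;            /* stop the loop: attachment event triggered */
    return -1;                        /* set duration reached: not triggered */
}

/* Step 103: over the preset collision period (modelled as period_polls reads
 * starting at the first hit), add 1 to the marker on every read whose content
 * is the target's object address, then turn the count into a rate. */
static double attach_frequency(const ThreadTrace *t, uint64_t target,
                               size_t start, size_t period_polls, double period_s) {
    unsigned hits = 0;
    for (size_t i = start; i < start + period_polls && i < t->n_polls; i++)
        if (t->at_offset[i] == target)
            hits++;
    return (double)hits / period_s;
}

/* Steps 102 and 103 for one thread: 0 if the thread never triggered the event. */
static double measured_frequency(const ThreadTrace *t) {
    int first_hit = monitor_attach_event(t, kTarget, MONITOR_POLLS);
    if (first_hit < 0)
        return 0.0;
    return attach_frequency(t, kTarget, (size_t)first_hit, PERIOD_POLLS, COLLISION_PERIOD_S);
}

/* Step 104, threshold form: strictly above the set threshold means cheat thread. */
static Verdict detect(const ThreadTrace *t) {
    return measured_frequency(t) > FREQ_THRESHOLD_HZ ? CHEAT : NOT_CHEAT;
}

/* Step 104, ranking form: among the threads that triggered the event, flag the
 * top_n by frequency. A top_n that is large relative to the population also
 * flags low-frequency threads, so N needs the same care as the threshold. */
static Verdict top_n_verdict(size_t idx, size_t top_n) {
    double mine = measured_frequency(&kTraces[idx]);
    if (mine <= 0.0)
        return NOT_CHEAT;             /* never triggered: not a candidate */
    size_t higher = 0;
    for (size_t j = 0; j < N_TRACES; j++)
        if (j != idx && measured_frequency(&kTraces[j]) > mine)
            higher++;
    return higher < top_n ? CHEAT : NOT_CHEAT;
}

int main(void) {
    for (size_t i = 0; i < N_TRACES; i++)
        printf("tid %u: %.0f attachment events/s -> %s\n", kTraces[i].tid,
               measured_frequency(&kTraces[i]),
               detect(&kTraces[i]) == CHEAT ? "cheat thread" : "not a cheat thread");
    return 0;
}
```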

FIG. 4 schematically shows the structure of an electronic device according to an embodiment of the present invention. The electronic device 400 shown in FIG. 4 may include at least one processor 401, a memory 402, at least one network interface 404 and other user interfaces 403. The components of the electronic device 400 are coupled together by a bus system 405, which provides the connections and communication between them. Besides a data bus, the bus system 405 also includes a power bus, a control bus and a status signal bus; for clarity, all of these buses are labelled bus system 405 in FIG. 4.

In some implementations, the user interface 403 may include a display, a keyboard or a pointing device (for example a mouse, a trackball, a touch pad or a touch screen).

It will be understood that the memory 402 in the embodiment of the present invention may be volatile memory, non-volatile memory, or both. In some implementations, the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DRRAM). The memory 402 described herein is intended to include, without limitation, these and any other suitable types of memory.

In some implementations, the memory 402 stores the following elements, executable units or data structures, or a subset or superset of them: an operating system 4021 and application programs 4022.

In some implementations, the operating system 4021 may include various system programs, such as a framework layer, a core library layer and a driver layer, for implementing basic services and handling hardware-based tasks. The application programs 4022 include various applications, such as a media player and a browser, for implementing application services. A program implementing the method of the embodiment of the present invention may be included in the application programs 4022.

In the embodiment of the present invention, by invoking a program or instructions stored in the memory 402, which may be a program or instructions stored in the application programs 4022, the processor 401 executes the method steps provided by the method embodiments; for example, the steps it may execute include:

determining multiple suspicious threads to undergo cheat detection;

monitoring whether each suspicious thread triggers an attachment event, the attachment event indicating that the suspicious thread has attached to a target program;

when a suspicious thread is found to trigger the attachment event, determining the frequency with which the suspicious thread triggers the attachment event within a preset collision period;

determining, based on the frequency, whether the suspicious thread is a cheat thread.

The method disclosed in the embodiment of the present invention above may be applied in, or implemented by, the processor 401. The processor 401 may be an integrated circuit chip with signal processing capability. During implementation, each step of the method above may be completed by integrated logic circuitry in hardware in the processor 401 or by instructions in software form. The processor 401 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be carried out directly by a hardware decoding processor or by a combination of hardware and software units in a decoding processor. The software unit may reside in a storage medium established in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 402; the processor 401 reads the information in the memory 402 and completes the steps of the method above in combination with its hardware.

It will be understood that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode or a combination thereof. For a hardware implementation, the processing unit may be implemented in one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions described in this application, or a combination thereof.

For a software implementation, the techniques described herein may be implemented by units that perform the functions described herein. The software code may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to it.

The electronic device according to the embodiment of the present invention may be the electronic device shown in FIG. 4; it can perform all the steps of the cheat detection method shown in FIG. 1 and FIG. 2 and thereby achieve the technical effects of that method. For details, refer to the description of FIG. 1 and FIG. 2; they are not repeated here for brevity.

The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the cheat detection apparatus according to the embodiment of the present invention. The present invention may also be implemented as programs/instructions (for example computer programs/instructions and computer program products) of a device or apparatus for performing part or all of the method described herein. Such programs/instructions implementing the present invention may be stored on a computer-readable medium or may exist in the form of one or more signals; such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

According to an embodiment of the present invention, a storage medium, which may be a computer-readable medium, is also provided. One or more programs in the storage medium can be executed by one or more processors to implement the cheat detection method performed on the electronic device side above. The processor executes the cheat detection program stored in the memory to implement the following steps of the cheat detection method performed on the electronic device side:

determining multiple suspicious threads to undergo cheat detection;

monitoring whether each suspicious thread triggers an attachment event, the attachment event indicating that the suspicious thread has attached to a target program;

when a suspicious thread is found to trigger the attachment event, determining the frequency with which the suspicious thread triggers the attachment event within a preset collision period;

determining, based on the frequency, whether the suspicious thread is a cheat thread.

Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media, or other magnetic storage devices or any other non-transmission medium that can be used to store information accessible by a computing device.

FIG. 5 schematically shows a computer device capable of implementing the cheat detection method according to the present invention. The computer device includes a processor 510 and a computer-readable medium in the form of a memory 520. The memory 520 is one example of a computer-readable medium; it has a storage space 530 for storing a computer program 531. When the computer program 531 is executed by the processor 510, the steps of the cheat detection method described above can be carried out.

FIG. 6 schematically shows a block diagram of a computer program product implementing the method according to the present invention. The computer program product includes a computer program 610; when the computer program 610 is executed by a processor such as the processor 510 shown in FIG. 5, the steps of the cheat detection method described above can be carried out.

The foregoing describes specific embodiments of this specification, which, together with other embodiments, fall within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that of the embodiments and still achieve the desired results. Likewise, the processes depicted in the drawings do not necessarily require the particular order shown, or sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or advantageous.

It should also be noted that the terms "comprise", "include" and any variants of them are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus comprising that element.

It should be understood that the embodiments above are intended only to illustrate the present invention and not to limit it. Those skilled in the art may implement the present invention in other ways without departing from its basic spirit and characteristics. The scope of the present invention is defined by the appended claims, and any modification, equivalent replacement or improvement made within the spirit and principles of one or more embodiments of this specification shall fall within it.

Claims (12)

1. A cheat detection method, the method comprising:
determining multiple suspicious threads to undergo cheat detection;
monitoring whether each suspicious thread triggers an attachment event, the attachment event indicating that the suspicious thread has attached to a target program;
when a suspicious thread is found to trigger the attachment event, determining the frequency with which the suspicious thread triggers the attachment event within the preset collision period;
determining, based on the frequency, whether the suspicious thread is a cheat thread.

2. The method according to claim 1, wherein determining multiple suspicious threads to undergo cheat detection comprises:
determining the activity of each live thread in the system;
determining a live thread whose activity satisfies a set condition to be a suspicious thread to undergo cheat detection.

3. The method according to claim 2, wherein determining the activity of each live thread in the system comprises:
for each live thread in the system, performing the following steps:
acquiring the swapcontext value of the live thread once per set period until a set number of swapcontext values has been acquired; and,
from the second period onward, subtracting the swapcontext values acquired in consecutive periods to obtain a swapcontext difference, the swapcontext difference being positively correlated with the activity of the live thread;
and wherein determining a live thread whose activity satisfies the set condition to be a suspicious thread to undergo cheat detection comprises:
for each live thread in the system, sorting the swapcontext differences obtained for the live thread in order of acquisition time to obtain a swapcontext difference sequence for the live thread;
if the swapcontext difference sequence is increasing, determining the live thread to be a suspicious thread to undergo cheat detection.

4. The method according to claim 1, wherein monitoring whether each suspicious thread triggers the attachment event comprises:
for each suspicious thread, performing the following steps in a loop within a set duration:
reading the data at the specified offset in the kernel object of the suspicious thread;
determining whether the data is the kernel object address of the target program;
if so, stopping the loop and determining that the suspicious thread triggers the attachment event;
if not, continuing the loop until the set duration is reached, then determining that the suspicious thread does not trigger the attachment event.

5. The method according to claim 4, wherein monitoring whether each suspicious thread triggers the attachment event comprises:
grouping the multiple suspicious threads by activity, the activities of the suspicious threads in one group falling within the same set activity range and the set activity ranges of different groups not overlapping;
for each group, monitoring in batch whether the suspicious threads in the group trigger the attachment event.

6. The method according to claim 5, further comprising, after monitoring in batch whether the suspicious threads in the group trigger the attachment event:
when any suspicious thread in the group is found to trigger the attachment event, monitoring that suspicious thread again for whether it triggers the attachment event.

7. The method according to claim 1, wherein determining, based on the frequency, whether the suspicious thread is a cheat thread comprises:
comparing the frequency with a set threshold;
if the frequency is greater than the set threshold, determining that the suspicious thread is a cheat thread;
if the frequency is less than the set threshold, determining that the suspicious thread is not a cheat thread.

8. A cheat detection apparatus, the apparatus comprising:
a first determination module, configured to determine multiple suspicious threads to undergo cheat detection;
a second determination module, configured to monitor whether each suspicious thread triggers an attachment event, the attachment event indicating that the suspicious thread has attached to a target program;
a third determination module, configured to determine, when a suspicious thread is found to trigger the attachment event, the frequency with which the suspicious thread triggers the attachment event within the preset collision period;
a fourth determination module, configured to determine, based on the frequency, whether the suspicious thread is a cheat thread.
根据权利要求8所述的装置,其中,所述第二确定模块具体用于:The device according to claim 8, wherein the second determining module is specifically configured to: 针对每一所述可疑线程,在设定时长内循环执行以下步骤:For each suspicious thread, execute the following steps in a loop within a set duration: 获取所述可疑线程内核对象中指定偏移地址处的数据内容;Obtain the data content at the specified offset address in the suspicious thread kernel object; 确定所述数据内容是否为所述目标程序的内核对象地址;determining whether the data content is the kernel object address of the target program; 若是,则停止循环,确定所述可疑线程触发挂靠事件;If so, then stop the loop, and determine that the suspicious thread triggers the hook event; 若否,则继续循环,直至到达所述设定时长时,确定所述可疑线程未触发挂靠事件。If not, the loop continues until the set duration is reached, and it is determined that the suspicious thread does not trigger a hooking event. 一种电子设备,包括存储器、处理器及存储在存储器上的计算机程序,所述处理器执行所述计算机程序时实现根据权利要求1-7中任一项所述的外挂检测方法的步骤。An electronic device, comprising a memory, a processor, and a computer program stored on the memory, when the processor executes the computer program, the steps of the cheat detection method according to any one of claims 1-7 are realized. 一种存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现根据权利要求1-7中任一项所述的外挂检测方法的步骤。A storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the cheat detection method according to any one of claims 1-7 are realized. 一种计算机程序产品,包括计算机程序,所述计算机程序被处理器执行时实现根据权利要求1-9中任一项所述的外挂检测方法的步骤。A computer program product, comprising a computer program, when the computer program is executed by a processor, the steps of the cheat detection method according to any one of claims 1-9 are realized.
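The decision logic of claims 1, 3, 4 and 7, as an added, constructed simulation that is not the patent's or the applicant's own code: the kernel-memory read at the specified offset of the thread object is replaced by a callable (`read_slot`) returning constructed values, "increasing sequence" is read as strictly increasing, the set duration is modelled as a poll budget, and the kernel object addresses are placeholders.

```python
"""Simulation of the claimed detection flow: an added, constructed example,
not the patent's own code. Thread kernel objects are modelled as callables
that return the value at the specified offset, so the logic runs offline."""
from itertools import cycle
from typing import Callable, List, Optional, Sequence

def swapcontext_diffs(samples: Sequence[int]) -> List[int]:
    """Claim 3: difference between consecutive per-period swapcontext samples."""
    return [b - a for a, b in zip(samples, samples[1:])]

def is_suspicious(samples: Sequence[int]) -> bool:
    """Claim 3: suspicious when the diff sequence is increasing
    (assumption: strictly increasing)."""
    d = swapcontext_diffs(samples)
    return len(d) >= 2 and all(x < y for x, y in zip(d, d[1:]))

def first_attach_poll(read_slot: Callable[[], int], target_addr: int,
                      max_polls: int) -> Optional[int]:
    """Claim 4: poll the offset slot of the thread's kernel object until it holds
    the target program's kernel object address or the poll budget runs out."""
    for i in range(max_polls):
        if read_slot() == target_addr:
            return i  # attach event triggered, stop the loop
    return None       # no attach event within the set duration

def attach_frequency(read_slot: Callable[[], int], target_addr: int,
                     polls: int) -> float:
    """Claim 1: share of polls in the preset window at which the thread is
    found attached to the target program."""
    hits = sum(1 for _ in range(polls) if read_slot() == target_addr)
    return hits / polls if polls else 0.0

def is_cheat_thread(freq: float, threshold: float) -> bool:
    """Claim 7: above the set threshold -> cheat; below -> not a cheat.
    Equality is left open by the claim and treated as not a cheat here."""
    return freq > threshold

def make_slot(pattern: Sequence[int]) -> Callable[[], int]:
    it = cycle(pattern)  # simulated kernel read, cycling a constructed pattern
    return lambda: next(it)

# Constructed sample data; the addresses are placeholders, not real values.
TARGET_PROC, OTHER_PROC = 0xFFFF800012345000, 0xFFFF800098765000
SUSPECT_SAMPLES = [0, 1, 3, 6, 10]    # diffs 1, 2, 3, 4 -> increasing
BENIGN_SAMPLES = [0, 5, 10, 15, 20]   # diffs 5, 5, 5, 5 -> not increasing
ATTACH_PATTERN = [TARGET_PROC, OTHER_PROC, TARGET_PROC, TARGET_PROC, OTHER_PROC]

if __name__ == "__main__":
    print(is_suspicious(SUSPECT_SAMPLES), is_suspicious(BENIGN_SAMPLES))
    print(first_attach_poll(make_slot(ATTACH_PATTERN), TARGET_PROC, 10))
    freq = attach_frequency(make_slot(ATTACH_PATTERN), TARGET_PROC, 10)
    print(freq, is_cheat_thread(freq, 0.5))
```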
PCT/CN2021/132566 2021-08-19 2021-11-23 Plug-in detection method and apparatus, electronic device, and storage medium Ceased WO2023019789A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110957616.8A CN113688388B (en) 2021-08-19 2021-08-19 Plug-in detection method and device, electronic equipment and storage medium
CN202110957616.8 2021-08-19

Publications (1)

Publication Number Publication Date
WO2023019789A1 true WO2023019789A1 (en) 2023-02-23

Family

ID=78580853

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/132566 Ceased WO2023019789A1 (en) 2021-08-19 2021-11-23 Plug-in detection method and apparatus, electronic device, and storage medium

Country Status (2)

Country Link
CN (1) CN113688388B (en)
WO (1) WO2023019789A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114282217B (en) * 2021-12-22 2024-12-27 完美世界征奇(上海)多媒体科技有限公司 Game cheat detection method and device, storage medium, and electronic device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040242321A1 (en) * 2003-05-28 2004-12-02 Microsoft Corporation Cheater detection in a multi-player gaming environment
US20100162405A1 (en) * 2008-12-23 2010-06-24 Valve Corporation Protecting against polymorphic cheat codes in a video game
CN107096220A (en) * 2017-05-22 2017-08-29 珠海金山网络游戏科技有限公司 A kind of plug-in detection of client and the system and method sealed and stopped automatically
CN109464805A (en) * 2018-10-11 2019-03-15 北京奇虎科技有限公司 Malware program detection method, device, electronic device and storage medium
CN109464808A (en) * 2018-11-06 2019-03-15 网易(杭州)网络有限公司 Detect game plug-in method, apparatus and terminal

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103116724B (en) * 2013-03-14 2015-08-12 北京奇虎科技有限公司 The method of locator(-ter) sample hazardous act and device
CN110351222B (en) * 2018-04-02 2022-01-28 腾讯科技(深圳)有限公司 Data security processing method, device and system
CN111939556B (en) * 2019-05-15 2023-08-22 腾讯科技(深圳)有限公司 Method, device and system for detecting abnormal operation of game
CN111265883A (en) * 2019-12-24 2020-06-12 武汉勾勾互娱科技有限公司 Anti-plug-in system and method for PC game

Also Published As

Publication number Publication date
CN113688388A (en) 2021-11-23
CN113688388B (en) 2025-08-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21954024

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21954024

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 28.11.2024)