CN114282217A - Game plug-in detection method and device, storage medium and electronic device - Google Patents
Game plug-in detection method and device, storage medium and electronic device Download PDFInfo
- Publication number
- CN114282217A CN114282217A CN202111582878.7A CN202111582878A CN114282217A CN 114282217 A CN114282217 A CN 114282217A CN 202111582878 A CN202111582878 A CN 202111582878A CN 114282217 A CN114282217 A CN 114282217A
- Authority
- CN
- China
- Prior art keywords
- thread
- data structure
- plug
- processor
- current running
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims description 11
- 238000000034 method Methods 0.000 claims abstract description 88
- 230000015654 memory Effects 0.000 claims abstract description 55
- 230000008569 process Effects 0.000 claims description 42
- 238000004590 computer program Methods 0.000 claims description 6
- 238000012545 processing Methods 0.000 claims description 4
- 238000005516 engineering process Methods 0.000 abstract description 13
- 230000006870 function Effects 0.000 description 12
- 230000005540 biological transmission Effects 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 238000011161 development Methods 0.000 description 4
- 238000007726 management method Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 239000010410 layer Substances 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000002411 adverse Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 239000012792 core layer Substances 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000008014 freezing Effects 0.000 description 1
- 238000007710 freezing Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 238000009877 rendering Methods 0.000 description 1
- 238000013468 resource allocation Methods 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The application discloses a method and a device for detecting a plug-in game, a storage medium and an electronic device. Wherein, the method comprises the following steps: acquiring a first data structure of a processor on a terminal, wherein the first data structure records a current running thread on the processor; acquiring thread information of a current running thread; and determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running plug-in codes on the memory, and the plug-in codes are codes which are loaded to the memory when the file is started to run and are used for executing plug-in tasks in the game. The application solves the technical problem that the accuracy of judging the plug-in game in the related technology is low.
Description
Technical Field
The application relates to the field of computer security, in particular to a method and a device for detecting a plug-in game, a storage medium and an electronic device.
Background
With the development of online games, the number of products and the scale of users are greatly improved. However, along with the development of network games, the cheating behaviors are also endless. Some users can earn benefits in games by using cheating programs, so that fairness is seriously damaged, and even the workload of a server for running the games is increased sharply, and adverse effects are brought to operators of online games. Therefore, how to fight the cheating users in the online games is a primary task for promoting the development of the online game industry.
The existing anti-cheating scheme is realized by analyzing the collected game data, and if the game data meet a specific rule, the cheating of the user is determined, so that the determined result of the cheating user in the online game is inaccurate, and the phenomenon of misjudgment is easy to occur, so that how to improve the accuracy of the judgment result of the cheating user is one of the technical problems to be solved urgently.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the application provides a method and a device for detecting a game plug-in, a storage medium and an electronic device, so as to at least solve the technical problem of low accuracy in judging the game plug-in the related art.
According to an aspect of an embodiment of the present application, there is provided a method for detecting a game plug-in, including: acquiring a first data structure of a processor on a terminal, wherein the first data structure records a current running thread on the processor; acquiring thread information of a current running thread; and determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running plug-in codes on the memory, and the plug-in codes are codes which are loaded to the memory when the file is started to run and are used for executing plug-in tasks in the game.
According to another aspect of the embodiments of the present application, there is also provided a device for detecting a game cheating, including: the terminal comprises a first acquisition unit, a second acquisition unit and a control unit, wherein the first acquisition unit is used for acquiring a first data structure of a processor on the terminal, and a current running thread on the processor is recorded in the first data structure; the second acquisition unit is used for acquiring the thread information of the current running thread; the determining unit is used for determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, the plug-in thread is used for running plug-in codes on the memory, and the plug-in codes are codes which are loaded to the memory when the file is started to run and are used for executing plug-in tasks in the game.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program which, when executed, performs the above-described method.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the above method through the computer program.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the steps of any of the embodiments of the method described above.
In the embodiment of the application, a first data structure of a processor on a terminal is obtained, and a current running thread on the processor is recorded in the first data structure; acquiring thread information of a current running thread; determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running plug-in codes on a memory, and the plug-in codes are codes which are loaded to the memory when a file is started to run and are used for executing plug-in tasks in the game, so that plug-in threads which cannot be detected in the related technology can be monitored, and the technical problem that the accuracy of judging game plug-ins in the related technology is low can be solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of a hardware environment of a method for detecting a plug-in game according to an embodiment of the present application;
FIG. 2 is a flow chart of an alternative gaming store detection method according to an embodiment of the present application;
FIG. 3 is a schematic view of an alternative gaming store detection arrangement according to an embodiment of the present application; and the number of the first and second groups,
fig. 4 is a block diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The inventor realizes that after analyzing the game cheating software (hereinafter collectively called game cheating), the development rule is as follows: the method comprises the steps of firstly, turning to application layer plug-ins, then turning to kernel layer plug-ins, and finally turning to plug-ins (commonly called BIOS plug-ins, and fully called Basic Input Output systems) using UEFI technology (UEFI generally refers to a Unified Extensible Firmware Interface (UNIFIED Extensible Firmware Interface), which is a specification of a personal computer System and is used for defining a software Interface between an operating System and System Firmware as a replacement scheme of BIOS). It can be seen that the technology used is increasingly based, with the aim of hiding the store itself as much as possible.
The scheme mainly aims at researching the external hanging into the inner core layer. After the plug-in enters the kernel, the plug-in needs to be operated, and the operated carrier needs to be a thread, that is, the plug-in code needs to be executed based on the thread, so that the technical threshold of detection of the plug-in code can be well improved by hiding the thread.
In order to implement thread hiding, the following two techniques can be adopted, respectively:
1) for PspCidTable (PspCidTable is a handle table that is in the same format as the normal handle table, but is different from the handle table private to each process: the objects stored in the PspCidTable are all process thread objects in the system, and the indexes are PID and TID; the OBJECT bodies EPROCESS and ETHREAD are directly stored in the PspCidTable, and the OBJECT HEADER OBJECT _ HEADER is stored in the handle table private to each process; PspCidTable is a separate handle table, and handle tables private to each process are linked together in a duplex) against the pslookuthreadbythreadid function.
2) The UEFI technology is used for enumerating the threads, the kernel objects of the threads are obtained based on the thread IDs, the system function PsLookupThreadByThreadID is called finally, the function is mainly operated as a PspCidTable table, a chain for recording all threads and processes exists in the PspCidTable, as long as a chain node of the thread to be hidden is found, and then the chain is disconnected, and similarly, the hidden process principle is the same.
Although the threads are hidden, the threads are created in a normal manner, and need to be managed by the windows operating system, and the threads can be enumerated based on a threadListEntry chain of ETHREAD of any kernel thread.
UEFI is externally hung, the boot modes of the existing machine are MBR and UEFI, MBR is an old boot mode, and UEFI is a novel system boot mode.
The normal windows system boot flow is as follows: the computer is powered on, a CPU is initialized, the UEFI running environment is initialized after the CPU is initialized, a loader (winload. efi) of the windows operating system is loaded, then a kernel file (ntoskrnl. exe) is loaded by the loader (winload. efi), and the control right is handed to the windows operating system.
The boot process of the UEFI plug-in windows system is as follows: the BIOS is configured to start the USB flash disk, the computer is electrified to start initializing the CPU, the CPU starts initializing the UEFI running environment after the initialization is finished, a loader (window) of the windows operating system is loaded under an EFI \ BOOT \ bootx64.EFI, and the loader (window) loads a kernel file (ntoskrnl.exe) through the bootx64.EFI under the USB flash disk directory, and the control right is handed to the windows operating system.
Based on the details, it can be found that bootx64.efi needs to be focused on, because the UEFI operating environment is initialized after the CPU is initialized, which is different from the MBR boot method, and the operating environment has quite rich functions, including event service, memory management, drive management, image management, lightweight file system, mouse and keyboard operation, and screen rendering. Just because the UEFI runtime environment supports so many functions and boots earlier than the windows operating system, it has been the focus of some plug-ins attention.
And (3) externally hanging: and starting the bootloader bootx64.efi, loading the sys driver special for the booting to the memory by utilizing a file system and a memory management function supported by UEFI, creating a thread, loading winload.
The operation of ntoskrnl.exe is also more obscure, the external memory loaded by the external store and the thread created by the external store can be known during initialization, but the external thread is not created by the external store, so that the following processing is simply carried out: for example, for the memory loaded and used by the plug-in, ntoskrnl.exe has no detailed record, at least the normal windows function cannot be enumerated and located, and for the thread created by the plug-in, only an ETHREAD structure is allocated to the thread, but the information of the thread is not registered into a PspCidTable and a ThreadListentry chain. In essence, it is also understood that the system does so, after all, these resources exist before it is loaded by itself.
In order to solve the problem that a plug-in is difficult to detect due to the fact that a thread is hidden after the plug-in enters a kernel layer, according to one aspect of the embodiment of the application, a method embodiment of a game plug-in detection method is provided.
Optionally, in this embodiment, the method for detecting a plug-in game may be executed by the terminal 101 running the game or by a game client installed thereon, if the game is a networked game, the hardware environment may further include a game server 103, as shown in fig. 1, the server 103 is connected to the terminal 101 through a network, and may be configured to provide a game service for the terminal or a client installed on the terminal, and may set the database 105 on the server or separately from the server, and is configured to provide a data storage service for the server 103, where the network includes, but is not limited to: the terminal 101 is not limited to a PC, a mobile phone, a tablet computer, and the like.
Fig. 2 is a flowchart of an alternative method for detecting a cheating game store according to an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
in step S21, the terminal obtains a first data structure of the upper processor, where the first data structure records a currently running thread on the processor.
Alternatively, this step may be implemented as follows:
step S211 is to create a kernel thread and obtain the core number N of the processor (N is a positive integer).
In step S212, the kernel threads are mounted to N cores of the processor one by one, for example, using a KeSetSystemGroupAffinityThread function to read a storage address of a second data structure (e.g., a storage address of a KPCR data structure) from a register of each core, so as to obtain N storage addresses of the second data structure, where each second data structure has an associated first data structure.
Step S213, reading the second data structure according to the storage address of the second data structure.
In step S214, an address of the first data structure (e.g., a storage address of the KPRCB data structure) recorded in the second data structure of the processor is obtained.
Step S215 reads the first data structure according to the address of the first data structure recorded in the second data structure.
In step S22, the terminal obtains the thread information (such as thread identifier and process identifier) of the currently running thread.
Each processor has at least one Core, on each Core can run a process, also can super-process, and can run more than 1 process, and each process has its own address space and resources, such as memory and I/O, CPU, which are the basic units for calculating resource allocation on the processor, the basic units for running scheduling and the units for concurrent execution in the system. Each process at least comprises one thread, the threads are in a resource space of a shared process, and the like, when the threads are changed, only the process executed by the CPU is changed, and the resources owned by the process are not changed.
And step S23, the terminal determines whether the current running thread is a plug-in thread according to the thread information of the current running thread, the plug-in thread is used for running plug-in codes on the memory, and the plug-in codes are codes which are loaded to the memory when the file is started to run and are used for executing plug-in tasks in the game.
Alternatively, this step may be implemented as follows:
step S231, obtains the thread identifier of the currently running thread and the process identifier of the process in which the currently running thread is located.
Step S232, determining that the currently running thread is a plug-in thread when the thread identifier of the currently running thread is the preset thread identifier and the process identifier of the process in which the currently running thread is located is the preset process identifier.
Step S233, determining that the currently running thread is not a plug-in thread when the thread identifier of the currently running thread is not the preset thread identifier and/or the process identifier of the process is not the preset process identifier.
Optionally, because the computer often runs several or even tens of threads instead of one thread, these threads are generally run on the processor in a time-sharing multiplexing manner, that is, the above steps S21-S23 are executed only once and cannot guarantee that the plug-in thread can be detected certainly, so the above steps S21-S23 are executed circularly and can be executed for many times in a short time to guarantee that the running plug-in thread can be captured.
Optionally, reporting may be performed when it is determined that the currently running thread is a plug-in thread, for example: reporting thread information of the plug-in thread to a game server; reporting the plug-in code to a game server; and reporting the game account number on the terminal to a game server.
Optionally, after reporting the thread information of the plug-in thread to the game server, the game server may perform the following operations: 1) freezing the game account number to ensure the fairness of the game; 2) issuing an instruction to a game client, and instructing a kernel thread to execute the following operations: the method is characterized by comprising the steps of running on a processor core all the time, monitoring a thread to be hung, stopping hanging the plug-in thread if the plug-in thread is found to be hung, and avoiding unfairness and other potential safety hazards of a game caused by running plug-in codes by the plug-in thread; if the plug-in thread is monitored to be in the running state, monitoring all operations of the plug-in thread, and shielding all operations of the plug-in thread, thereby achieving the purpose of shielding cheating in games.
Through the steps, a first data structure of a processor on the terminal is obtained, and a current running thread on the processor is recorded in the first data structure; acquiring thread information of a current running thread; determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running plug-in codes on a memory, and the plug-in codes are codes which are loaded to the memory when a file is started to run and are used for executing plug-in tasks in the game, so that plug-in threads which cannot be detected in the related technology can be monitored, and the technical problem that the accuracy of judging game plug-ins in the related technology is low can be solved.
As an alternative example, the following detailed description is provided to further describe the technical solution of the present application in conjunction with the following specific embodiments:
although the windows system does not register UEFI (unified extensible firmware interface) external thread information, the thread is definitely required to be executed, namely, the thread is definitely scheduled by the CPU. In the application, a breach is found based on a CPU, each CPU in the system has a data structure KPCR (processor Control region), an extended structure of the structure is called KPRCB, the KPRCB has a member name of currentThread, and the KPRCB records which thread runs on a current CPU core, namely if the CPU is 8 cores, 8 KPCRs and KPRCBs exist, and each KPCR records a thread ETHREAD currently running on the core.
The steps for reading KPCR and CurrentThread and ETHREAD therein are as follows:
step 1: creating a kernel thread of the self, and acquiring the number of CPU cores of the current machine;
step 2: the thread is attached to each CPU core in order (using the KeSetSystemGroupAffinityThread function), and if there are 8 cores, it is attached 8 times.
And step 3: after each attachment, the value of the gs register is obtained, which is the KPCR address of the current CPU core, and if the CPU is an 8-core, 8 KPCR addresses are saved.
And 4, step 4: the KPCR is a structural body that holds CPU runtime and some configuration information.
Because Windows needs to support multiple CPUs, a data structure with a Processor Control Region (KPCR) as a hub is defined in the Windows kernel, so that each CPU has a KPCR. The structure of KPCR has a domain KPRCB (kernel Processor Control Block) structure, which extends KPCR and is used to store the global information related to thread switching.
For example, there is information indicating which thread is running on the CPU, and the structure KPCR is a structure describing the CPU, and in the system, if there are 8 cores of CPUs, there are 8 structures, and in the KPCR, the KPRCB structure can be determined according to an offset value (e.g. 0x180 offset), and it can be seen that KPRCB is next to KPCR.
And 5: the present solution relates to a KPCRB structure, which is an extension of KPCR, and generally exists immediately after KPCR, and thus CurrentThread is based on the KPCR offset of 0x188 (KPRCB offset of 0x 8). And these structures based on CPU information are rarely changed, the fact also proves that the offset from XP to Win11 is constant. KPRCB exists as an extension of KPCR, generally speaking, the offset of 0x8 is CurrentThread, the high-frequency reading of the scheme is the place, each read thread is detected, and if PID is 4 and tid is 0, the read thread is considered as a UEFI external thread.
Because the windows thread scheduling is highly frequent, the value in CurrentThread is also transient, namely, vanishing, and changing, in order to capture the changed values, the scheme can read the values at the 8 positions at intervals within a certain time (0.2 second) (namely, reading in a dense array mode), and then the hidden thread can be captured.
From the analysis of data intercepted to the plug-in, the thread is special, and the process ID recorded in the ETHREAD structure is as follows: 4; the thread ID is: 0. and the memory position of the plug-in code can be obtained from the thread code starting address value recorded by the ETHREAD, when the plug-in thread ETHREAD address is read, the code starting address executed by the thread, namely the plug-in code address can be further obtained, as described above, the plug-in code address is also hidden, and the hidden code address can be obtained based on the mode.
The plug-in data is plug-in using BIOS (UEFI) technology, the execution thread of the plug-in data belongs to a kernel thread, but the plug-in data is different from a common kernel thread, the plug-in thread is characterized in that PID is 4, tid is 0, and the plug-in thread is not registered in windows, so the plug-in thread does not exist in PspCidTable, and the plug-in thread cannot be detected by a conventional method. However, this thread must be executed, and then directly acquiring on the basis of the CPU is the most scientific way, which is the core of the scheme.
The plug-in system has the key points of hiding the plug-in system, including hiding a memory where a code is located and hiding a thread for executing the plug-in code, and the hidden thread can be detected through the scheme. The method can stably detect the hidden thread, and the thread is more different from a normal kernel thread or is more special, so that the characteristic is obvious, the report can be directly carried out based on the characteristic, and the fact is also true, and the reported data has no false report.
By adopting the technical scheme, the beneficial effects are as follows: the method is suitable for all UEFI plug-ins (commonly called BIOS plug-ins). The method is suitable for all windows games; the detection scheme is stable and efficient, and has little influence on the system performance; and false alarm is avoided, and operation and maintenance cost is not required.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
According to another aspect of the embodiment of the application, a game plug-in detection device for implementing the game plug-in detection method is further provided. Fig. 3 is a schematic diagram of an alternative gaming store detection apparatus according to an embodiment of the present application, and as shown in fig. 3, the apparatus may include:
a first obtaining unit 31, configured to obtain a first data structure of a processor on a terminal, where a current running thread on the processor is recorded in the first data structure;
a second obtaining unit 33, configured to obtain thread information of a currently running thread;
the determining unit 35 is configured to determine whether the current running thread is a plug-in thread according to the thread information of the current running thread, where the plug-in thread is used to run a plug-in code on the memory, and the plug-in code is a code loaded to the memory when the file is started to run and used to execute a plug-in task in the game.
It should be noted that the first obtaining unit 31 in this embodiment may be configured to execute step S21 in this embodiment, the second obtaining unit 33 in this embodiment may be configured to execute step S22 in this embodiment, and the determining unit 35 in this embodiment may be configured to execute step S23 in this embodiment.
Acquiring a first data structure of a processor on a terminal through the module, wherein the first data structure records a current running thread on the processor; acquiring thread information of a current running thread; determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running plug-in codes on a memory, and the plug-in codes are codes which are loaded to the memory when a file is started to run and are used for executing plug-in tasks in the game, so that plug-in threads which cannot be detected in the related technology can be monitored, and the technical problem that the accuracy of judging game plug-ins in the related technology is low can be solved.
Optionally, the first obtaining unit is further configured to: before acquiring a first data structure of a processor of the terminal, acquiring a second data structure of the processor, wherein the second data structure records an address of the first data structure; the first data structure is read according to the address of the first data structure recorded in the second data structure.
Optionally, the first obtaining unit is further configured to: reading a storage address of a second data structure from a register of the processor before acquiring the second data structure of the processor; and reading the second data structure according to the storage address of the second data structure.
Optionally, the first obtaining unit is further configured to: before reading a storage address of a second data structure from a register of a processor, creating a kernel thread, and acquiring the core number N of the processor, wherein N is a positive integer; and mounting the kernel threads on N cores of the processor one by one to read a storage address of a second data structure from a register of each core to obtain N storage addresses of the second data structures, wherein each second data structure has an associated first data structure.
Optionally, the first obtaining unit is further configured to: within a preset time length, executing the following steps for multiple times according to a preset frequency: and mounting the kernel threads on N cores of the processor one by one to read a storage address of a second data structure from a register of each core to obtain N storage addresses of the second data structure.
Optionally, in a case that the operating system started on the terminal is a Windows operating system, the second data structure is a KPCR data structure, the first data structure is a KPRCB data structure, and the register is a GS register.
Optionally, the determining unit is further configured to: acquiring a thread identifier of a currently running thread and a process identifier of a process in which the currently running thread is located; determining the current running thread as a plug-in thread under the condition that the thread identification of the current running thread is a preset thread identification and the process identification of the process is a preset process identification; and determining that the current running thread is not a plug-in thread under the condition that the thread identification of the current running thread is not the preset thread identification and/or the process identification of the process is not the preset process identification.
Optionally, the apparatus of the present application may further comprise: the reporting unit is used for executing at least one of the following after the current running thread is determined to be the plug-in thread: reporting thread information of the plug-in thread to a game server; reporting the plug-in code to a game server; and reporting the game account number on the terminal to a game server.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may be operated in a hardware environment as shown in fig. 1, and may be implemented by software, or may be implemented by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiment of the application, a server or a terminal for implementing the method for detecting the game plug-in is also provided.
Fig. 4 is a block diagram of a terminal according to an embodiment of the present application, and as shown in fig. 4, the terminal may include: one or more processors 401 (only one shown in fig. 4), a memory 403, and a transmission device 405. as shown in fig. 4, the terminal may further include an input-output device 407.
The memory 403 may be used to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for detecting a game plug-in the embodiment of the present application, and the processor 401 executes various functional applications and data processing by running the software programs and modules stored in the memory 403, so as to implement the method for detecting a game plug-in. The memory 403 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 403 may further include memory located remotely from processor 401, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmitting device 405 is used for receiving or sending data via a network, and may also be used for data transmission between the processor and the memory. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 405 includes a Network adapter (NIC) that can be connected to a router via a Network cable and other Network devices to communicate with the internet or a local area Network. In one example, the transmission device 405 is a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In particular, the memory 403 is used for storing application programs.
The processor 401 may call the application stored in the memory 403 via the transmission means 405 to perform the following steps:
acquiring a first data structure of a processor on a terminal, wherein a current running thread on the processor is recorded in the first data structure; acquiring the thread information of the current running thread; and determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running a plug-in code on a memory, and the plug-in code is a code which is loaded to the memory when a file is started to run and is used for executing a plug-in task in a game.
The processor 401 is further configured to perform the following steps:
creating a kernel thread and acquiring the core number N of a processor; mounting the kernel threads on N cores of the processor one by one, for example, using a KeSetSystemGroupAffinityThread function to read a storage address of a second data structure (for example, a storage address of a KPCR data structure) from a register of each core to obtain storage addresses of N second data structures, wherein each second data structure has an associated first data structure; reading the second data structure according to the storage address of the second data structure; acquiring an address of a first data structure recorded in a second data structure of a processor; the first data structure is read according to the address of the first data structure recorded in the second data structure.
By adopting the embodiment of the application, a first data structure of a processor on a terminal is obtained, and a current running thread on the processor is recorded in the first data structure; acquiring thread information of a current running thread; determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running plug-in codes on a memory, and the plug-in codes are codes which are loaded to the memory when a file is started to run and are used for executing plug-in tasks in the game, so that plug-in threads which cannot be detected in the related technology can be monitored, and the technical problem that the accuracy of judging game plug-ins in the related technology is low can be solved.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 4 is only an illustration, and the terminal may be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, and a Mobile Internet Device (MID), a PAD, etc. Fig. 4 is a diagram illustrating the structure of the electronic device. For example, the terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 4, or have a different configuration than shown in FIG. 4.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be a program code for executing a method for detecting a plug-in game.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
acquiring a first data structure of a processor on a terminal, wherein a current running thread on the processor is recorded in the first data structure; acquiring the thread information of the current running thread; and determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running a plug-in code on a memory, and the plug-in code is a code which is loaded to the memory when a file is started to run and is used for executing a plug-in task in a game.
Optionally, the storage medium is further arranged to store program code for performing the steps of:
creating a kernel thread and acquiring the core number N of a processor; mounting the kernel threads on N cores of the processor one by one, for example, using a KeSetSystemGroupAffinityThread function to read a storage address of a second data structure (for example, a storage address of a KPCR data structure) from a register of each core to obtain storage addresses of N second data structures, wherein each second data structure has an associated first data structure; reading the second data structure according to the storage address of the second data structure; acquiring an address of a first data structure recorded in a second data structure of a processor; the first data structure is read according to the address of the first data structure recorded in the second data structure.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or a part of or all or part of the technical solution contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including instructions for causing one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the method described in the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.
Claims (11)
1. A method for detecting a store outside a game, comprising:
acquiring a first data structure of a processor on a terminal, wherein a current running thread on the processor is recorded in the first data structure;
acquiring the thread information of the current running thread;
and determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running a plug-in code on a memory, and the plug-in code is a code which is loaded to the memory when a file is started to run and is used for executing a plug-in task in a game.
2. The method of claim 1,
before obtaining the first data structure of the processor of the terminal, the method further comprises: acquiring a second data structure of the processor, wherein the second data structure records the address of the first data structure;
obtaining a first data structure of a processor of a terminal, comprising: and reading the first data structure according to the address of the first data structure recorded in the second data structure.
3. The method of claim 2,
prior to obtaining the second data structure of the processor, the method further comprises: reading a storage address of the second data structure from a register of the processor;
obtaining a second data structure for the processor, comprising: and reading the second data structure according to the storage address of the second data structure.
4. The method of claim 3,
prior to reading the memory address of the second data structure from the register of the processor, the method further comprises: creating a kernel thread and acquiring the core number N of the processor, wherein N is a positive integer;
reading a memory address of the second data structure from a register of the processor, comprising: and mounting the kernel threads to N cores of the processor one by one to read a storage address of the second data structure from a register of each core to obtain N storage addresses of the second data structure, wherein each second data structure has an associated first data structure.
5. The method of claim 4, further comprising: within a preset time length, executing the following steps for multiple times according to a preset frequency:
and mounting the kernel threads to N cores of the processor one by one to read a storage address of the second data structure from a register of each core to obtain N storage addresses of the second data structure.
6. The method according to claim 4, wherein in the case that the operating system started on the terminal is a Windows operating system, the second data structure is a KPCR data structure, the first data structure is a KPRCB data structure, and the register is a GS register.
7. The method according to any one of claims 1 to 6, wherein determining whether the currently running thread is an external thread according to the thread information of the currently running thread comprises:
acquiring a thread identifier of the current running thread and a process identifier of the process in which the current running thread is located;
determining the current running thread to be a plug-in thread under the condition that the thread identification of the current running thread is a preset thread identification and the process identification of the process is a preset process identification;
and determining that the current running thread is not a plug-in thread under the condition that the thread identification of the current running thread is not the preset thread identification and/or the process identification of the process is not the preset process identification.
8. The method of claim 7, wherein after determining that the currently running thread is a plug-in thread, the method further comprises at least one of:
reporting the thread information of the plug-in thread to a game server;
reporting the plug-in code to the game server;
and reporting the game account number on the terminal to the game server.
9. A detection device for gaming cheating, comprising:
the terminal comprises a first acquisition unit, a second acquisition unit and a processing unit, wherein the first acquisition unit is used for acquiring a first data structure of a processor on a terminal, and the current running thread on the processor is recorded in the first data structure;
the second obtaining unit is used for obtaining the thread information of the current running thread;
and the determining unit is used for determining whether the current running thread is a plug-in thread according to the thread information of the current running thread, wherein the plug-in thread is used for running a plug-in code on the memory, and the plug-in code is a code which is loaded to the memory when a file is started to run and is used for executing a plug-in task in a game.
10. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program when executed performs the method of any of the preceding claims 1 to 8.
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the method of any of the preceding claims 1 to 8 by means of the computer program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111582878.7A CN114282217A (en) | 2021-12-22 | 2021-12-22 | Game plug-in detection method and device, storage medium and electronic device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111582878.7A CN114282217A (en) | 2021-12-22 | 2021-12-22 | Game plug-in detection method and device, storage medium and electronic device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114282217A true CN114282217A (en) | 2022-04-05 |
Family
ID=80873950
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111582878.7A Pending CN114282217A (en) | 2021-12-22 | 2021-12-22 | Game plug-in detection method and device, storage medium and electronic device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114282217A (en) |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101206692A (en) * | 2006-12-20 | 2008-06-25 | 联想(北京)有限公司 | Method and equipment for detecting course |
| KR20100085280A (en) * | 2009-01-20 | 2010-07-29 | 한남대학교 산학협력단 | System for detection and prevent of recrudescence of mal-process |
| US9407648B1 (en) * | 2015-06-30 | 2016-08-02 | AO Kaspersky Lab | System and method for detecting malicious code in random access memory |
| US9411953B1 (en) * | 2013-05-24 | 2016-08-09 | Symantec Corporation | Tracking injected threads to remediate malware |
| US20180246723A1 (en) * | 2017-02-24 | 2018-08-30 | International Business Machines Corporation | Bypassing memory access for a load instruction using instruction address mapping |
| CN109663362A (en) * | 2018-11-29 | 2019-04-23 | 福建天晴在线互动科技有限公司 | The plug-in detection method of game, storage medium |
| US20190205123A1 (en) * | 2016-10-28 | 2019-07-04 | Tencent Technology (Shenzhen) Company Limited | Apparatus and method for thread data processing |
| CN110090445A (en) * | 2019-05-10 | 2019-08-06 | 深圳市腾讯网域计算机网络有限公司 | A kind of plug-in detection method, client and server |
| WO2021169225A1 (en) * | 2020-02-26 | 2021-09-02 | 完美世界征奇(上海)多媒体科技有限公司 | Anti-plugin method, apparatus and system |
| CN113377566A (en) * | 2021-06-22 | 2021-09-10 | 新华三技术有限公司合肥分公司 | UEFI (unified extensible firmware interface) -based server starting method and device and storage medium |
| CN113688388A (en) * | 2021-08-19 | 2021-11-23 | 完美世界征奇(上海)多媒体科技有限公司 | Plug-in detection method and device, electronic equipment and storage medium |
-
2021
- 2021-12-22 CN CN202111582878.7A patent/CN114282217A/en active Pending
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101206692A (en) * | 2006-12-20 | 2008-06-25 | 联想(北京)有限公司 | Method and equipment for detecting course |
| KR20100085280A (en) * | 2009-01-20 | 2010-07-29 | 한남대학교 산학협력단 | System for detection and prevent of recrudescence of mal-process |
| US9411953B1 (en) * | 2013-05-24 | 2016-08-09 | Symantec Corporation | Tracking injected threads to remediate malware |
| US9407648B1 (en) * | 2015-06-30 | 2016-08-02 | AO Kaspersky Lab | System and method for detecting malicious code in random access memory |
| US20190205123A1 (en) * | 2016-10-28 | 2019-07-04 | Tencent Technology (Shenzhen) Company Limited | Apparatus and method for thread data processing |
| US20180246723A1 (en) * | 2017-02-24 | 2018-08-30 | International Business Machines Corporation | Bypassing memory access for a load instruction using instruction address mapping |
| CN109663362A (en) * | 2018-11-29 | 2019-04-23 | 福建天晴在线互动科技有限公司 | The plug-in detection method of game, storage medium |
| CN110090445A (en) * | 2019-05-10 | 2019-08-06 | 深圳市腾讯网域计算机网络有限公司 | A kind of plug-in detection method, client and server |
| WO2021169225A1 (en) * | 2020-02-26 | 2021-09-02 | 完美世界征奇(上海)多媒体科技有限公司 | Anti-plugin method, apparatus and system |
| CN113377566A (en) * | 2021-06-22 | 2021-09-10 | 新华三技术有限公司合肥分公司 | UEFI (unified extensible firmware interface) -based server starting method and device and storage medium |
| CN113688388A (en) * | 2021-08-19 | 2021-11-23 | 完美世界征奇(上海)多媒体科技有限公司 | Plug-in detection method and device, electronic equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 李骥;姜守达;邹昕光;: "Windows操作系统多核CPU内核线程管理方法", 自动化技术与应用, no. 01, 25 January 2010 (2010-01-25) * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101976209B (en) | Adapting configuration for incompatible application programs | |
| TWI450103B (en) | Remote management systems and methods for servers, and computer program products thereof | |
| US8392547B2 (en) | Method, system and computer program for hardware inventory in virtualized environments | |
| CN109471697B (en) | Method, device and storage medium for monitoring system call in virtual machine | |
| US9921852B2 (en) | Out-of-band retrieval of network interface controller information | |
| US8560688B2 (en) | Monitoring sensors for systems management | |
| CN109542744A (en) | Detect method, apparatus, storage medium and the terminal of terminal booting abnormal problem | |
| CN103020522A (en) | System and method for correcting antivirus records to minimize false malware detection | |
| CN104798080A (en) | Dynamic selection and loading of anti-malware signatures | |
| US20210026967A1 (en) | Method to transfer firmware level security indicators to os level threat protection tools at runtime | |
| CN104063301A (en) | Monitoring method and device | |
| CN113051503A (en) | Browser page rendering method and device, electronic equipment and storage medium | |
| CN105678160A (en) | System and method for providing access to original routines of boot drivers | |
| US10318731B2 (en) | Detection system and detection method | |
| CN101950339B (en) | Security protection method and system of computer | |
| US8086834B2 (en) | System and method for populating a dedicated system service repository for an information handling system | |
| US11048557B2 (en) | Methods and modules relating to allocation of host machines | |
| US11941127B2 (en) | Firmware password management | |
| CN114282217A (en) | Game plug-in detection method and device, storage medium and electronic device | |
| US20200342109A1 (en) | Baseboard management controller to convey data | |
| CN109936528B (en) | Monitoring method, device, equipment and system | |
| CN113656378A (en) | Server management method, device and medium | |
| US9141419B1 (en) | Capturing and restoring an appliance image | |
| CN110888771A (en) | Method and device for monitoring and analyzing process, electronic equipment and storage medium | |
| CN108664293B (en) | Application control method and device in android system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |