CPC G06F 21/53 (2013.01) [G06F 2221/034 (2013.01)] | 18 Claims |
1. A program code execution behavior monitoring method, comprising:
executing, by a computer device in a virtual execution environment, first code corresponding to first program code, the virtual execution environment is a running environment provided based on a virtualization technology, the first code is an external code, other than internal code, invoked in the first program code, the external code comprises system code provided by an operating system of the computer device, and the internal code is code of a process generated by the first program code;
in a process in which the computer device executes the first code, determining if second code belongs to the internal code;
when the second code belongs to the internal code, before execution of the second code is completed, switching, by the computer device, an execution environment of the first program code to a simulated execution environment, wherein the simulated execution environment is a running environment provided based on a simulator;
executing, by the computer device, the second code m the simulated execution environment; and
determining, by the computer device based on a page exception and a nested page table, that the second code belongs to the internal code, wherein the nested page table records access permissions corresponding to a first memory space, the second code is stored in the first memory space, and the page exception indicates conflict information between an access request for the first memory space and the access permissions corresponding to the first memory space.
|