Abstract: A processing unit determines a first mapping relationship and a second mapping relationship, where the first mapping relationship indicates that an access rule of a first physical address is access forbidden, and the second mapping relationship indicates that an access rule of the first physical address is access allowed. The processing unit determines that a target mapping relationship is the first mapping relationship, sends a first access request to a memory control unit. The processing unit receives first exception information sent by the memory control unit, where the first exception information is sent when the memory control unit determines that the access rule of the first physical address in the target mapping relationship is access forbidden. The processing unit monitors a process based on the first exception information, switches the target mapping relationship; and re-sends the first access request to the memory control unit.

Abstract: This application provides a program code execution behavior monitoring method. A computer device executes, in a virtual execution environment, first code corresponding to first program code, where the first code belongs to external code, the external code is code, other than internal code, invoked in the first program code, the external code includes system code provided by an operating system of the computer device, and the internal code is code of a process generated by the first program code. In a process of executing the first code, if second code belongs to the internal code, before execution of the second code is completed, the computer device switches an execution environment of the first program code to a simulated execution environment, where the second code is to-be-executed code. The computer device executes the second code in the simulated execution environment.

Abstract: A method for monitoring memory access behavior of a sample process is provided. A processing unit of a computer device determines a page table of the sample process based on a page directory base address of the sample process, where each entry of the page table includes first information, the first information indicates whether the entry has been assigned a guest physical address, the entry that has been assigned the guest physical address includes second information that is used to indicate an access permission of the assigned guest physical address; determines a target entry from the page table, the target entry has been assigned a guest physical address, and an access permission is execution allowed; determines a target host physical address corresponding to the target guest physical address that is assigned to the target entry; and monitors behavior of accessing memory space indicated by the target host physical address.

Abstract: An information protection method includes receiving a request message sent by a virtual machine (VM), sending the request message to a VM instance corresponding to the VM or the shared service module, determining whether there is attack information included in the request message, and deleting the VM that sends the request message and the VM instance corresponding to the VM.

Abstract: A method for monitoring memory access behavior of a sample process is provided. A processing unit of a computer device determines a page table of the sample process based on a page directory base address of the sample process, where each entry of the page table includes first information, the first information indicates whether the entry has been assigned a guest physical address, the entry that has been assigned the guest physical address includes second information that is used to indicate an access permission of the assigned guest physical address; determines a target entry from the page table, the target entry has been assigned a guest physical address, and an access permission is execution allowed; determines a target host physical address corresponding to the target guest physical address that is assigned to the target entry; and monitors behavior of accessing memory space indicated by the target host physical address.

Abstract: A processing unit determines a first mapping relationship and a second mapping relationship, where the first mapping relationship indicates that an access rule of a first physical address is access forbidden, and the second mapping relationship indicates that an access rule of the first physical address is access allowed. The processing unit determines that a target mapping relationship is the first mapping relationship, sends a first access request to a memory control unit. The processing unit receives first exception information sent by the memory control unit, where the first exception information is sent when the memory control unit determines that the access rule of the first physical address in the target mapping relationship is access forbidden. The processing unit monitors a process based on the first exception information, switches the target mapping relationship; and re-sends the first access request to the memory control unit.

Abstract: An information protection method includes receiving a request message sent by a virtual machine (VM), sending the request message to a VM instance corresponding to the VM or the shared service module, determining whether there is attack information included in the request message, and deleting the VM that sends the request message and the VM instance corresponding to the VM.