A method and system for efficient foreign code detection is presented. In one aspect of the invention, an authentication module examines pages which are referenced by thread stacks in a process space, where the pages may contain foreign code. The module can walk up the thread stacks to examine return address that reference such pages. In another aspect, the module checks random pages referenced by the stack. In yet another aspect, the module checks any nearby suspicious pages to checked pages referenced by the stack. Additionally, the module checks the instruction pointer referenced page, the pages and calling code described by the page fault history, and any pages with event handling functions, dynamic link library functions, or other functions that are likely to run.