Code injection and code interception in an operating system with multiple subsystem environments
First Claim
1. A method, comprising:
- creating, by a computing device, a virtual process that is an executable, but non-executing image of a target process, wherein the target process is incompatible with a software platform of the computing device and the target process is loaded into a memory using a non-operating system loader, wherein the virtual process is created by determining an executable file format of the target process using a common interface and a class that implements details of an executable file format of the target process and loading a portable executable file of the target process having the determined executable file format into a private data space by analyzing a memory image of a process that an instance of the target process has previously been loaded into and working backwards from the memory image using an inverse of a specification of the executable file format to determine what an original executable file of the target process contained in order to build a private memory image including the virtual process using the determined file format;
- analyzing, by the computing device, the virtual process to find code compatible with the software platform; and
- injecting, by the computing device, a first portion of code compatible with the software platform into the target process to allow the target process to run based at least on an outcome of the analyzing action.
Abstract
Systems, methods, and apparatuses are provided for code injection and code interception in an operating system having multiple subsystem environments. Code injection into a target process can rely on generation of a virtual process that permits analysis of the information loaded in a memory image of the target process, regardless of the host environment in which the target process is executed. Based at least on information collected via that analysis, code can be injected into the target process while preserving the integrity of the target process. Code interception can also exploit the analysis for suitable hooking that preserves the integrity of the target process. Code interception can utilize relocatable tokenized code that is parameterized through token replacement.
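As an added illustration (not code from the patent or its assignee), the "working backwards from the memory image using an inverse of the specification of the executable file format" step for the PE format, in Python: given a constructed in-memory PE32 image, it reads the section table and moves each section from its VirtualAddress back to its PointerToRawData, which is the same reconstruction an analyst performs when examining a mapped image offline. The sample image, its section contents and all constants are constructed here; nothing is injected into any process.

```python
import struct

# IMAGE_SECTION_HEADER fields: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# Constructed sample section contents (not taken from any real binary), 0x200 bytes each.
TEXT = b"\x48\x31\xc0\xc3" * 128
DATA = b"constructed .data sample\0".ljust(0x200, b"\0")


def build_sample_image() -> bytes:
    """Constructed PE32 *memory* image: headers at RVA 0, two sections mapped at their VirtualAddress."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE signature
    opt = bytearray(0xE0)                                        # PE32 optional header, only needed fields set
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)              # SizeOfImage, SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += SECTION_HDR.pack(b".data", 0x40, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    mem = bytearray(0x3000)
    mem[:len(dos)] = dos
    hdr = b"PE\0\0" + coff + bytes(opt) + secs
    mem[0x40:0x40 + len(hdr)] = hdr
    mem[0x1000:0x1200] = TEXT                                    # loader placed these at VirtualAddress,
    mem[0x2000:0x2200] = DATA                                    # not at their file offsets
    return bytes(mem)


def rebuild_file_image(image: bytes) -> bytes:
    """Invert the loader's mapping: headers and each section go back to their file offsets."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE memory image")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE memory image")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)             # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)        # SizeOfOptionalHeader
    size_of_headers, = struct.unpack_from("<I", image, e_lfanew + 24 + 60)  # same offset in PE32 and PE32+
    sec_off = e_lfanew + 24 + opt_size
    sections = [SECTION_HDR.unpack_from(image, sec_off + i * SECTION_HDR.size) for i in range(nsec)]
    out = bytearray(max([size_of_headers] + [s[4] + s[3] for s in sections]))
    out[:size_of_headers] = image[:size_of_headers]
    for _name, _vsize, va, raw_size, raw_ptr, *_ in sections:
        if raw_size:                                                  # .bss-style sections occupy no file bytes
            out[raw_ptr:raw_ptr + raw_size] = image[va:va + raw_size]
    return bytes(out)
```

Running `rebuild_file_image(build_sample_image())` yields a 0x600-byte file layout in which `.text` sits at file offset 0x200 and `.data` at 0x400, exactly where the section table says the original file kept them.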
14 Claims
1. A method, comprising: the creating, analyzing and injecting steps reproduced above under First Claim. Dependent claims 2 through 7 are not reproduced here.
8. An apparatus, comprising:
- a memory having computer-executable instructions encoded thereon; and
- a processor functionally coupled to the memory and configured by the computer-executable instructions to create a virtual process that is an executable, but non-executing image of a target process, wherein the target process is incompatible with a software platform of the computing device and the target process is loaded into a memory using a non-operating system loader, wherein the virtual process is created by determining an executable file format of the target process using a common interface and a class that implements details of an executable file format of the target process and loading a portable executable file of the target process having the determined executable file format into a private data space by analyzing a memory image of a process that an instance of the target process has previously been loaded into and working backwards from the memory image using an inverse of a specification of the executable file format to determine what an original executable file of the target process contained in order to build a private memory image including the virtual process using the determined file format; to analyze, by the computing device, the virtual process to find code compatible with the software platform; and to inject, by the computing device, a first portion of code compatible with the software platform into the target process to allow the target process to run based at least on an outcome of the analyzing action.
Dependent claims 9 through 14 are not reproduced here.