Code injection and code interception in an operating system with multiple subsystem environments

US 10,698,684 B2
Filed: 06/12/2017
Issued: 06/30/2020
Est. Priority Date: 02/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating, by a computing device, a virtual process that is an executable, but non-executing image of a target process, wherein the target process is incompatible with a software platform of the computing device and the target process is loaded into a memory using a non-operating system loader, wherein the virtual process is created by determining an executable file format of the target process using a common interface and a class that implements details of an executable file format of the target process and loading a portable executable file of the target process having the determined executable file format into a private data space by analyzing a memory image of a process that an instance of the target process has previously been loaded into and working backwards from the memory image using an inverse of a specification of the executable file format to determine what an original executable file of the target process contained in order to build a private memory image including the virtual process using the determined file format;

analyzing, by the computing device, the virtual process to find code compatible with the software platform; and

injecting, by the computing device, a first portion of code compatible with the software platform into the target process to allow the target process to run based at least on an outcome of the analyzing action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatuses are provided for code injection and code interception in an operating systems having multiple subsystem environments. Code injection into a target process can rely on generation of a virtual process that can permit analysis of information loaded in a memory image of the target process regardless of the host environment in which the target process is executed. Based at least on information collected via the analysis, code can be injected into the target process while preserving integrity of the target process. Code interception also can exploit the analysis for suitable hooking that preserves integrity of target process. Code interception can utilize relocatable tokenized code that can be parameterized through token replacement.

32 Citations

14 Claims

1. A method, comprising:
- creating, by a computing device, a virtual process that is an executable, but non-executing image of a target process, wherein the target process is incompatible with a software platform of the computing device and the target process is loaded into a memory using a non-operating system loader, wherein the virtual process is created by determining an executable file format of the target process using a common interface and a class that implements details of an executable file format of the target process and loading a portable executable file of the target process having the determined executable file format into a private data space by analyzing a memory image of a process that an instance of the target process has previously been loaded into and working backwards from the memory image using an inverse of a specification of the executable file format to determine what an original executable file of the target process contained in order to build a private memory image including the virtual process using the determined file format;
  
  analyzing, by the computing device, the virtual process to find code compatible with the software platform; and
  
  injecting, by the computing device, a first portion of code compatible with the software platform into the target process to allow the target process to run based at least on an outcome of the analyzing action.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the loader creates the virtual process by:
    - processing a memory image of the target process; and
      
      producing a virtual image of the target process in a local process by copying headers and data structures from the target process to the virtual image.
  - 3. The method of claim 2, wherein the headers and data structures are copied as needed to get current values.
  - 4. The method of claim 2, wherein the building the private memory image comprises:
    - translating from file offsets to memory addresses; and
      
      translating addresses from process memory managed by the operating system to the private memory image of the virtual process.
  - 5. The method of claim 1, wherein the target process is incompatible with the software platform because the target process is one of and x32 or an x64 process and the software platform is the other of an x32 process or an x64 process.
  - 6. The method of claim 5, wherein the virtual process is managed by a dynamic linked library of relocatable and tokenized code buffers adapted to manage the virtual process regardless of executable file format or target platform.
  - 7. The method of claim 1, wherein the target process and the another process utilize different executable file formats.

8. An apparatus, comprising:
- a memory having computer-executable instructions encoded thereon; and
  
  a processor functionally coupled to the memory and configured by the computer-executable instructions,to create a virtual process that is an executable, but non-executing image of a target process, wherein the target process is incompatible with a software platform of in the computing device and the target process is loaded into a memory using a non-operating system loader, wherein the virtual process is created by determining an executable file format of the target process using a common interface and a class that implements details of an executable file format of the target process and loading a portable executable file of the target process having the determined executable file format into a private data space by analyzing a memory image of a process that an instance of the target process has previously been loaded into and working backwards from the memory image using an inverse of a specification of the executable file format to determine what an original executable file of the target process contained in order to build a private memory image including the virtual process using the determined file format;
  
  analyzing, by the computing device, the virtual process to find code compatible with the software platform; and
  
  injecting, by the computing device, a first portion of code compatible with the software platform into the target process to allow the target process to run based at least on an outcome of the analyzing action.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, the processor being further configured to cause the loader to create the virtual process by:
    - processing a memory image of the target process; and
      
      producing a virtual image of the target process in a local process by copying headers and data structures from the target process to the virtual image.
  - 10. The apparatus of claim 9, wherein the headers and data structures are copied as needed to get current values.
  - 11. The apparatus of claim 10, wherein the building the private memory image comprises:
    - translating from file offsets to memory addresses; and
      
      translating addresses from process memory managed by the operating system to the private memory image of the virtual process.
  - 12. The apparatus of claim 8, wherein the target process is incompatible with the software platform because the target process is one of and x32 or an x64 process and the software platform is the other of an x32 process or an x64 process.
  - 13. The apparatus of claim 12, wherein the virtual process is managed by a dynamic linked library of relocatable and tokenized code buffers adapted to manage the virtual process regardless of executable file format or target platform.
  - 14. The apparatus of claim 8, wherein the target process and the another process utilize different executable file formats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pegasystems Incorporated
Original Assignee
Pegasysytems Incorporated
Inventors
Beckett, Stephen M.
Primary Examiner(s)
Aquino, Wynuel S
Assistant Examiner(s)
Gooray, Mark A

Application Number

US15/620,314
Publication Number

US 20170329621A1
Time in Patent Office

1,114 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 8/443   Optimisation

G06F 8/447   Target code generation

G06F 8/53   Decompilation; Disassembly

G06F 8/76   Adapting program code to ru...

G06F 9/45516   Runtime code conversion or ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/547   Remote procedure calls [RPC...

Code injection and code interception in an operating system with multiple subsystem environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Code injection and code interception in an operating system with multiple subsystem environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others