Operating system loader modification

US 20060282827A1
Filed: 06/10/2005
Published: 12/14/2006
Est. Priority Date: 06/10/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

applying a hook to a kernel of an operating system;

monitoring system calls made to the kernel using the hook;

injecting a new entry into a list of files assembled by a loader to create a new process when the hook identifies a create process system call.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for computer security are provided. In one implementation, a computer-implemented method is provided. The method includes applying a hook to a kernel of an operating system, monitoring system calls made to the kernel using the hook, and injecting a new entry into a list of files assembled by a loader to create a new process when the hook identifies a create process system call. In another implementation, the method can further include initializing the injected new entry where the injected new entry is operable to examine process files prior to loading, examining the process files, and acting on the process according to a result of the examination

31 Citations

View as Search Results

25 Claims

1. A computer-implemented method, comprising:
- applying a hook to a kernel of an operating system;
  
  monitoring system calls made to the kernel using the hook;
  
  injecting a new entry into a list of files assembled by a loader to create a new process when the hook identifies a create process system call.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15)
- - 2. The method of claim 1, further comprising:
    - initializing the injected new entry, the injected new entry operable to examine process files prior to loading;
      
      examining the process files; and
      
      acting on the process according to a result of the examination.
  - 3. The method of claim 2, the examining of the process files further comprising:
    - analyzing the process files for security threats.
  - 4. The method of claim 2, further comprising:
    - terminating the process based on the examination of the process files.
  - 5. The method of claim 2, the acting on the process including generating an alert.
  - 6. The method of claim 2, the acting on the process including removing one or more files from the list of process files.
  - 7. The method of claim 2, the acting on the process further comprising:
    - inserting one or more API hooks to monitor calls made by process files.
  - 8. The method of claim 2, the examining of the process files further comprising:
    - determining which process files are loaded statically.
  - 9. The method of claim 2, the inserting the new entry further comprising:
    - copying a file into the list of process files.
  - 10. The method of claim 9, the file being a dynamic link library.
  - 11. The method of claim 10, further comprising:
    - copying the dynamic link library to a position on the list of process files such that the dynamic link library is initialized prior to any process specific code.
  - 12. The method of claim 1, where the inserted file is perceived by the loader as statically tied to the process.
  - 14. The apparatus of claim 12, the kernel hook monitoring the kernel for a create process system call.
  - 15. The apparatus of claim 12, the hook module being configured to inject code into the loader in response to a detected create process system call.

13. An apparatus for inserting code into a process, comprising:
- an operating system, including;
  
  a loader operable to create one or more processes;
  
  a kernel operable to receive a system call to create a new process; and
  
  a hook module operable to create a kernel hook operable to monitor the kernel for incoming system calls.

16. A computer program product, tangibly stored on a computer-readable medium, comprising instructions operable to cause a programmable processor to:
- apply a hook to a kernel of an operating system;
  
  monitor system calls made to the kernel using the hook;
  
  inject a new entry into a list of files assembled by a loader to create a new process when the hook identifies a create process system call.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The computer program product of claim 16, further comprising instructions to:
    - initialize the injected new entry, the injected new entry operable to examine process files prior to loading;
      
      examine the process files; and
      
      act on the process according to a result of the examination.
  - 18. The computer program product of claim 17, where the instructions to examine the process further comprise instructions to:
    - analyze the process files for security threats.
  - 19. The computer program product of claim 17, further comprising instructions to:
    - terminate the process based on the examination of the process files.
  - 20. The computer program product of claim 17, where the instructions to act on the process include instructions to generate an alert.
  - 21. The computer program product of claim 17, where the instructions to act on the process include instructions to remove one or more files from the list of process files.
  - 22. The computer program product of claim 17, where the instructions to act on the process further comprise instructions to:
    - insert one or more API hooks to monitor calls made by process files.
  - 23. The computer program product of claim 17, where the instructions to examine the process files further comprise instructions to:
    - determine which process files are loaded statically.
  - 24. The computer program product of claim 17, where the instructions to insert the new entry further comprise instructions to:
    - copy a file into the list of process files.

25. The computer program product of 24, further comprising instructions to:
- copy a dynamic link library to a position on the list of process files such that the dynamic link library is initialized prior to any process specific code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Yeap, Yuen-Pin, Lawrence, Paul Daniel

Granted Patent

US 7,707,558 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/130
CPC Class Codes

G06F 21/53 by executing in a restricte...

Operating system loader modification

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Operating system loader modification

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links