Changing code execution path using kernel mode redirection

US 20070011686A1
Filed: 07/08/2005
Published: 01/11/2007
Est. Priority Date: 07/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method of redirecting a code execution path in a running process, comprising:

injecting an instruction into said code execution path;

passing control to a kernel handler;

executing a replacement function called by said kernel handler; and

returning to said code execution path.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.

21 Citations

View as Search Results

20 Claims

1. A method of redirecting a code execution path in a running process, comprising:
- injecting an instruction into said code execution path;
  
  passing control to a kernel handler;
  
  executing a replacement function called by said kernel handler; and
  
  returning to said code execution path.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said instruction is an interrupt.
  - 3. The method of claim 2, wherein said interrupt is an INT 3 interrupt instruction and wherein said interrupt instruction is one-byte in length.
  - 4. The method of claim 2, wherein said kernel handler includes a mechanism to cause a return from said interrupt instruction to continue into said replacement function.
  - 5. The method of claim 1, further comprising inserting said instruction such that no more than one byte of the original code in said code path is overwritten.
  - 6. The method of claim 1, further comprising loading said replacement function into a memory space accessible by said kernel function.
  - 7. The method of claim 1, further comprising performing said method without requiring a reboot of a computing device on which said running process is executing.

8. A method of changing a code execution path by using an interrupt to replace an existing function, comprising:
- injecting said interrupt into said existing function;
  
  passing control to a kernel handler;
  
  executing a replacement function called by said kernel handler; and
  
  returning to said code execution path.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein said interrupt is an INT 3 interrupt instruction and wherein said interrupt instruction is one-byte in length.
  - 10. The method of claim 9, wherein said kernel handler includes a mechanism to cause a return from said interrupt instruction to continue into said replacement function.
  - 11. The method of claim 8, further comprising inserting said interrupt such that no more than one byte in the original code in said code path is overwritten.
  - 12. The method of claim 8, further comprising loading said replacement function into a memory space accessible by said kernel function.
  - 13. The method of claim 8, further comprising performing said method without requiring a reboot of a computing device on which a process executing said existing function said is running.

14. A computer readable medium having computer executable instructions thereon for redirecting a code execution path in a running process, said computer executable instructions performing a method, comprising:
- injecting an instruction into said code execution path passing control to a kernel handler;
  
  executing a replacement function called by said kernel handler; and
  
  returning to said code path.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer readable medium of claim 14, wherein said instruction is an interrupt.
  - 16. The computer readable medium of claim 15, wherein said interrupt is an INT 3 interrupt instruction and wherein said interrupt instruction is one-byte in length.
  - 17. The computer readable medium of claim 15, wherein said kernel handler includes a mechanism to cause a return from said interrupt instruction to continue into said replacement function.
  - 18. The computer readable medium of claim 14, further comprising instructions for inserting said instruction such that no more than one byte in the original code in said code path is overwritten.
  - 19. The computer readable medium of claim 14, further comprising instructions for loading said replacement function into a memory space accessible by said kernel function.
  - 20. The computer readable medium of claim 14, further comprising instructions for performing said method without requiring a reboot of a computing device on which said running process is executing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ben-Zvi, Nir

Granted Patent

US 7,500,245 B2
Time in Patent Office

Days
Field of Search
US Class Current

719/310
CPC Class Codes

G06F 8/656 while running

Changing code execution path using kernel mode redirection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Changing code execution path using kernel mode redirection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links