Internal Function Debugger

US 20100095281A1
Filed: 10/14/2008
Published: 04/15/2010
Est. Priority Date: 10/14/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

logically preserving an uninstrumented target function as a subroutine callable through a trampoline;

intercepting the target function; and

receiving an instruction from a user input device to add a breakpoint to a program containing a call to the target function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A stealthy internal function (IF) debugger that leverages control flow detours can escape detection by traditional anti-debugging methods. Software that attempts to impede reverse engineering via dynamic analysis, by using anti-debugging or packing measures can be thwarted by using a stealthy IF debugger. Data mining through an IF utility can aid reverse engineering by constructing a data and code flow analysis after an execution of a program.

43 Citations

View as Search Results

17 Claims

1. A method comprising:
- logically preserving an uninstrumented target function as a subroutine callable through a trampoline;
  
  intercepting the target function; and
  
  receiving an instruction from a user input device to add a breakpoint to a program containing a call to the target function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - attaching an interception library to the program; and
      
      executing the program at least up through the function call.
  - 3. The method of claim 2 wherein attaching an interception library to a program comprises attaching Detours to a program.
  - 4. The method of claim 2 further comprising:
    - loading a hook function into memory.
  - 5. The method of claim 4 wherein loading a hook function into memory comprises loading a DLL into a process space of the program.
  - 6. The method of claim 1 further comprising:
    - compiling a hook function comprising instructions for receiving the instruction from a user input device.
  - 7. The method of claim 6 further comprising:
    - declaring the hook function as naked;
      
      writing a prolog for the hook function; and
      
      writing an epilog for the hook function.
  - 8. The method of claim 1 further comprising:
    - after intercepting the target function and receiving an instruction from a user input device, executing the target function.
  - 9. The method of claim 1 wherein receiving an instruction from a user input device to add a breakpoint comprises receiving an instruction from a user input device to add an emulated breakpoint.
  - 10. The method of claim 1 further comprising:
    - performing at least one operation selected from the list consisting of;
      
      modifying contents of a register used by the program,reporting contents of memory accessed by the program,resuming execution of the program, andperforming instruction tracing of the program'"'"'s executed instructions.
  - 11. The method of claim 10 wherein modifying contents of a register comprises writing a value on a stack and copying the value from the stack to the register.
  - 12. The method of claim 10 wherein reporting memory contents comprises reporting register contents.

13. A method comprising:
- logically preserving an uninstrumented target function as a subroutine callable through a trampoline;
  
  executing a program at least up through a call to the target function;
  
  intercepting the target function; and
  
  receiving an instruction from a user input device to perform at least one operation selected from the list consisting of;
  
  adding a breakpoint to the program,modifying contents of a register used by the program,reporting contents of memory accessed by the program,resuming execution of the program, andperforming instruction tracing of the program'"'"'s executed instructions.

14. A computer program embodied on a computer readable medium and configured to be executed by a processor, the program comprising:
- code for copying instructions from a target function to a trampoline;
  
  code for replacing the copied instructions with a jump to a hook function;
  
  code for performing at least one debugging operation within the hook function; and
  
  code for inserting a jump to the target function within the trampoline.
- View Dependent Claims (15, 16, 17)
- - 15. The computer program of claim 14 wherein the code for performing at least one debugging operation comprises code for inserting a breakpoint into a program.
  - 16. The computer program of claim 15 wherein the code for inserting a breakpoint into a program comprises code for inserting an emulated breakpoint into a program.
  - 17. The computer program of claim 14 wherein the code for copying instructions from a target function to a trampoline, the code for replacing the copied instructions with a jump to a hook function, and the code for inserting a jump to the target function within the trampoline together comprises a library for intercepting binary functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverside Research Institute
Original Assignee
Riverside Research Institute
Inventors
Raber, Jason Neal

Application Number

US12/250,538
Publication Number

US 20100095281A1
Time in Patent Office

Days
Field of Search
US Class Current

717/129
CPC Class Codes

G06F 11/362   Software debugging

G06F 2209/542   Intercept

G06F 9/4484   Executing subprograms

Internal Function Debugger

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Internal Function Debugger

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links