Subclassing system for computer that operates with portable-executable (PE) modules
Abstract
The export record of an operating system kernel employing dynamically-linked loading modules (e.g., portable-executable modules) is thunked so as to globally and forcibly redirect service requests from afterwards loaded modules to subclassing routines instead of to original servicing routines of the kernel. The base location of the kernel is determined from an Image_Base entry of its disk-image. An offset storing position in the export record is overwritten with a value equal to the value of the address of the subclassing routine minus the kernel's base address. Use of the thunked export record is forced even for ‘bound’ external references by altering the time stamp in the kernel's export record to a nonmatching value.
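From a defender's side, the two changes the abstract describes (a rewritten offset in the export record and an altered time stamp) can be found by comparing the loaded module's export directory against a trusted copy. The following is an added example, not code from the patent; it assumes both copies are laid out so that file offset equals RVA, that `export_rva` and `size_of_image` were read from the optional header, and it uses constructed sample buffers with hypothetical export names.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def read_exports(image, export_rva):
    """Return (TimeDateStamp, {name: function RVA}) from a mapped image (offset == RVA)."""
    (_, stamp, _, _, _, _, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(image, export_rva)
    exports = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names_rva + 4 * i)
        (index,) = struct.unpack_from("<H", image, ords_rva + 2 * i)
        if index >= n_funcs:
            continue  # malformed ordinal entry, skip it
        end = image.index(b"\0", name_rva)
        (func_rva,) = struct.unpack_from("<I", image, funcs_rva + 4 * index)
        exports[image[name_rva:end].decode("ascii")] = func_rva
    return stamp, exports

def audit_exports(reference, live, export_rva, size_of_image):
    """Compare a trusted copy with the loaded copy and list export-record changes."""
    ref_stamp, ref = read_exports(reference, export_rva)
    live_stamp, cur = read_exports(live, export_rva)
    findings = []
    if ref_stamp != live_stamp:
        findings.append(("timestamp", ref_stamp, live_stamp))
    for name, rva in sorted(cur.items()):
        if ref.get(name) != rva:
            findings.append(("redirected", name, rva))
        if rva >= size_of_image:  # target minus base lands outside the module
            findings.append(("outside-image", name, rva))
    return findings

def build_sample(stamp, func_rvas):
    """Constructed sample: export directory at RVA 0 with two hypothetical exports."""
    names = [b"LaunchFile\0", b"QueryTime\0"]
    funcs_rva, names_rva, ords_rva, str_rva = 0x28, 0x30, 0x38, 0x40
    img = bytearray(0x100)
    EXPORT_DIR.pack_into(img, 0, 0, stamp, 0, 0, 0, 1, 2, 2, funcs_rva, names_rva, ords_rva)
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs_rva + 4 * i, func_rvas[i])
        struct.pack_into("<I", img, names_rva + 4 * i, str_rva)
        struct.pack_into("<H", img, ords_rva + 2 * i, i)
        img[str_rva:str_rva + len(name)] = name
        str_rva += len(name)
    return bytes(img)

REFERENCE = build_sample(0x30000000, [0x1000, 0x2000])
LIVE = build_sample(0x30000001, [0x7F001000, 0x2000])  # constructed: one offset and the stamp differ
```

Forwarded exports, whose function RVA points at a string inside the export directory, are not resolved here and would need separate handling in a full audit.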
10 Claims
1. A method for globally subclassing one or more services of a dynamically-loadable module where said to-be subclassed module has a base address, a relatively-located import section and a relatively-located export section, said method comprising the steps of:
(a) detecting completion of loading into system memory of the to-be subclassed module;
(b) determining the base address of the to-be subclassed module;
(c) using the determined base address to locate within system memory, the export record of the to-be subclassed module;
(d) locating within said export record, a vector position storing an original vectoring value corresponding to one of the to-be subclassed services; and
(e) overwriting the located vector position with a substitute vectoring value.
2. A method for globally subclassing one or more services of a dynamically-loadable operating system kernel where said to-be subclassed kernel has a base address, a relatively-located import section and a relatively-located export section, said method comprising the steps of:
(a) detecting completion of loading of the operating system kernel into system memory;
(b) in response to said detected completion, locating within system memory, an export data section of the operating system kernel;
(c) locating within said export data section, an offset position storing an original offset value corresponding to one of said to-be subclassed services; and
(d) overwriting the located offset position with a substitute offset value corresponding to a subclassing function.
3. A machine-implemented virus-inhibiting method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, said virus-inhibiting method comprising the steps of:
(a) globally redirecting by subclassing of one or more of the dynamically-linked-to services of said OS kernel, file launching requests made to the OS kernel for files that may be infected with a virus, said global redirecting being to a virus detecting routine that executes before the requested file launchings potentially execute; and
(b) inhibiting servicing of said file launching requests if a signature of a potential virus is detected by the virus detecting routine;
(a.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, at least one new vector value at a corresponding vector-storing location used for exporting a servicing of file launching requests made to the OS kernel.
5. A machine-implemented snooping method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, said snooping method comprising the step of:
(a) globally redirecting by subclassing of a specific one of the dynamically-linked-to services of said OS kernel, requests made to the OS kernel for said specific one service by one or more service-using application programs, said redirecting being to a global snooping routine that records and thereby collects a history of the service-using application programs that call upon said specific one service;
(a.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, a new vector value at a vector-storing location used for exporting said specific one service.
(b) using the history information collected by said global snooping routine to tune one or more of the service-using application programs based on the service-using history of the one or more service-using application programs.
7. A machine-implemented license-policy enforcing method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, said license-policy enforcing method comprising the step of:
(a) globally redirecting by subclassing of a corresponding one or more dynamically-linked-to services of said OS kernel, application program launching requests made to the OS kernel for launching application programs, said redirecting being to a license policy enforcing program that determines whether or not a predefined license policy will be violated if the launch request is serviced;
(a.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, a new vector value at a vector-storing location used for exporting a servicing of file launching requests made to the OS kernel.
(b) automatically blocking the servicing of a launch requested by a user if the predefined license policy will be violated by such servicing of the requested launch; and
(c) if the requested launch is automatically blocked, sending a message indicative of the denied servicing to the user.
9. A machine-implemented dispatching method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, where the OS kernel has an original dispatcher, said dispatching method comprising the steps of:
(a) providing a substitute general dispatcher that can be used in place of the kernel's original dispatcher; and
(b) globally redirecting by subclassing of a corresponding one or more dynamically-linked-to services of said OS kernel, service requests made to the OS kernel for dispatcher services, said global redirecting being to the substitute general dispatcher;
(b.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, a new vector value at a vector-storing location that is originally used for exporting an original dispatcher service of the OS kernel.
10. A method for replacing an original service of a dynamically-loadable module with an alternate service, where said module whose original service is to-be replaced has a base address, a relatively-located import section, a relatively-located export section, and a date stamp, said method comprising the steps of:
(a) determining the base address of the module whose original service is to-be replaced;
(b) using the determined base address to locate within system memory, the export record of the module whose original service is to-be replaced;
(c) locating within said export record, a vector position storing an original vectoring value corresponding to the original service that is to-be replaced;
(d) overwriting the located vector position with a substitute vectoring value that corresponds to the alternate service; and
(e) altering the date stamp of the module whose original service is to-be replaced.
Specification