Subclassing system for computer that operates with portable-executable (PE) modules

US 6,253,258 B1
Filed: 04/27/1998
Issued: 06/26/2001
Est. Priority Date: 08/23/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method for globally subclassing one or more services of a dynamically-loadable module where said to-be subclassed module has a base address, a relatively-located import section and a relatively-located export section, said method comprising the steps of:

(a) detecting completion of loading into system memory of the to-be subclassed module;

(b) determining the base address of the to-be subclassed module;

(c) using the determined base address to locate within system memory, the export record of the to-be subclassed module;

(d) locating within said export record, a vector position storing an original vectoring value corresponding to one of the to-be subclassed services; and

(e) overwriting the located vector position with a substitute vectoring value.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The export record of an operating system kernel employing dynamically-linked loading modules (e.g., portable-executable modules) is thunked so as to globally and forcibly redirect service requests from afterwards loaded modules to subclassing routines instead of to original servicing routines of the kernel. The base location of the kernel is determined from an Image_Base entry of its disk-image. An offset storing position in the export record is overwritten with a value equal to the value of the address of the subclassing routine minus the kernel'"'"'s base address. Use of the thunked export record is forced even for ‘bound’ external references by altering the time stamp in the kernel'"'"'s export record to a nonmatching value.

Citations

10 Claims

1. A method for globally subclassing one or more services of a dynamically-loadable module where said to-be subclassed module has a base address, a relatively-located import section and a relatively-located export section, said method comprising the steps of:
- (a) detecting completion of loading into system memory of the to-be subclassed module;
  
  (b) determining the base address of the to-be subclassed module;
  
  (c) using the determined base address to locate within system memory, the export record of the to-be subclassed module;
  
  (d) locating within said export record, a vector position storing an original vectoring value corresponding to one of the to-be subclassed services; and
  
  (e) overwriting the located vector position with a substitute vectoring value.

2. A method for globally subclassing one or more services of a dynamically-loadable operating system kernel where said to-be subclassed kernel has a base address, a relatively-located import section and a relatively-located export section, said method comprising the steps of:
- (a) detecting completion of loading of the operating system kernel into system memory;
  
  (b) in response to said detected completion, locating within system memory, an export data section of the operating system kernel;
  
  (c) locating within said export data section, an offset position storing an original offset value corresponding to one of said to-be subclassed services; and
  
  (d) overwriting the located offset position with a substitute offset value corresponding to a subclassing function.

3. A machine-implemented virus-inhibiting method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, said virus-inhibiting method comprising the steps of:
- (a) globally redirecting by subclassing of one or more of the dynamically-linked-to services of said OS kernel, file launching requests made to the OS kernel for files that may be infected with a virus, said global redirecting being to a virus detecting routine that executes before the requested file launchings potentially execute; and
  
  (b) inhibiting servicing of said file launching requests if a signature of a potential virus is detected by the virus detecting routine;
  
  (a.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, at least one new vector value at a corresponding vector-storing location used for exporting a servicing of file launching requests made to the OS kernel.
- View Dependent Claims (4)
- - 4. A machine-implemented virus-inhibiting method according to claim 3 wherein said step (a.1) of writing into the export data section occurs in response to a system-wide broadcast indication that the OS kernel has been loaded into system memory.

5. A machine-implemented snooping method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, said snooping method comprising the step of:
- (a) globally redirecting by subclassing of a specific one of the dynamically-linked-to services of said OS kernel, requests made to the OS kernel for said specific one service by one or more service-using application programs, said redirecting being to a global snooping routine that records and thereby collects a history of the service-using application programs that call upon said specific one service;
  
  (a.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, a new vector value at a vector-storing location used for exporting said specific one service.
- View Dependent Claims (6)
- - 6. A machine-implemented snooping method according to claim 5 further comprising the step of:

7. A machine-implemented license-policy enforcing method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, said license-policy enforcing method comprising the step of:
- (a) globally redirecting by subclassing of a corresponding one or more dynamically-linked-to services of said OS kernel, application program launching requests made to the OS kernel for launching application programs, said redirecting being to a license policy enforcing program that determines whether or not a predefined license policy will be violated if the launch request is serviced;
  
  (a.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, a new vector value at a vector-storing location used for exporting a servicing of file launching requests made to the OS kernel.
- View Dependent Claims (8)
- - 8. A machine-implemented license-policy enforcing method according to claim 7 further comprising the step of:

9. A machine-implemented dispatching method for use with an operating system (OS) kernel that provides for dynamic-linking-to of kernel services from dynamically-linked loadable modules, where the OS kernel has an original dispatcher, said dispatching method comprising the steps of:
- (a) providing a substitute general dispatcher that can be used in place of the kernel'"'"'s original dispatcher; and
  
  (b) globally redirecting by subclassing of a corresponding one or more dynamically-linked-to services of said OS kernel, service requests made to the OS kernel for dispatcher services, said global redirecting being to the substitute general dispatcher;
  
  (b.1) wherein said step of globally redirecting by subclassing includes writing into an export data section of the OS kernel, a new vector value at a vector-storing location that is originally used for exporting an original dispatcher service of the OS kernel.

10. A method for replacing an original service of a dynamically-loadable module with an alternate service, where said module whose original service is to-be replaced has a base address, a relatively-located import section, a relatively-located export section, and a date stamp, said method comprising the steps of:
- (a) determining the base address of the module whose original service is to-be replaced;
  
  (b) using the determined base address to locate within system memory, the export record of the module whose original service is to-be replaced;
  
  (c) locating within said export record, a vector position storing an original vectoring value corresponding to the original service that is to-be replaced;
  
  (d) overwriting the located vector position with a substitute vectoring value that corresponds to the alternate service; and
  
  (e) altering the date stamp of the module whose original service is to-be replaced.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Cohen, Leo
Primary Examiner(s)
Courtenay, III, St. John

Application Number

US09/067,325
Time in Patent Office

1,156 Days
Field of Search

709/310-332
US Class Current

719/331
CPC Class Codes

G06F 8/54 Link editing before load time

Subclassing system for computer that operates with portable-executable (PE) modules

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Subclassing system for computer that operates with portable-executable (PE) modules

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links