Application program interface interception system and method

US 7,213,153 B2
Filed: 06/22/2004
Issued: 05/01/2007
Est. Priority Date: 11/14/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system running an operating system platform, a method comprising:

hooking at least one application program interface (API) routine; and

replacing hooked API routine code with different code;

wherein the replacing the hooked API routine code with different code, further comprises;

storing an API routine address associated with a re-direction of flow of execution;

wherein enhanced privileges relating to memory space associated with the API routine are enabled;

wherein the method is adapted for preventing intrusions.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of intercepting application program interface, including dynamic installation of associated software, within the user portion of an operating system. An API interception control server in conjunction with a system call interception module loads into all active process spaces an API interception module. An initializer module within the API interception module hooks and patches all API modules in the active process address space. When called by the application programs, the API routines'"'"' flow of execution, by virtue of their patched code, is re-directed into a user-supplied code in a pre-entry routine of the API interception module. The API routine might be completely by-passed or its input parameters might be filtered and changed by the user code. During the operation, the API routine is double-patched by the API interception module to ensure that all simultaneous calls to the API routine will re-direct its flow of control into the API interception module. A user-supplied code in a post-entry module of the API interception module might filter or change the return values of the API.

Citations

18 Claims

1. In a computer system running an operating system platform, a method comprising:
- hooking at least one application program interface (API) routine; and
  
  replacing hooked API routine code with different code;
  
  wherein the replacing the hooked API routine code with different code, further comprises;
  
  storing an API routine address associated with a re-direction of flow of execution;
  
  wherein enhanced privileges relating to memory space associated with the API routine are enabled;
  
  wherein the method is adapted for preventing intrusions.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, and further comprising initializing an API controlling routine.
  - 3. The method of claim 2, and wherein the API controlling routine manages operation of the API controlling routine and collecting and storing information corresponding to the API routine.
  - 4. The method of claim 1, wherein the hooking at least one API routine comprises identifying the API routine.
  - 5. The method of claim 4, wherein the hooking at least one API routine further comprises obtaining the API routine address.
  - 6. The method of claim 5, wherein the hooking at least one API routine further comprises determining an address of at least one different code module associated with the re-direction of flow of execution.

7. A computer program product embodied on a computer readable medium, comprising:
- computer code for hooking at least one application program interface (API) routine; and
  
  computer code for replacing hooked API routine code with different code;
  
  wherein the replacing the hooked API routine code with different code, further comprises;
  
  storing an API routine address associated with a re-direction of flow of execution;
  
  wherein enhanced privileges relating to memory space associated with the API routine are enabled;
  
  wherein the method is adapted for preventing intrusions.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, and further comprising computer code for initializing an API controlling routine.
  - 9. The computer program product of claim 8, wherein the API controlling routine manages operation of the API controlling routine and collecting and storing information corresponding to the API routine.
  - 10. The computer program product of claim 7, wherein the hooking at least one API routine comprises identifying the API routine.
  - 11. The computer program product of claim 10, wherein the hooking at least one API routine further comprises obtaining the API routine address.
  - 12. The computer program product of claim 11, wherein the hooking at least one API routine further comprises determining an address of at least one different code module associated with the re-direction of flow of execution.

13. A system, comprising:
- logic for hooking at least one application program interface (API) routine; and
  
  logic for replacing hooked API routine code with different code;
  
  wherein the replacing the hooked API routine code with different code, further comprises;
  
  storing an API routine address associated with a re-direction of flow of execution;
  
  wherein enhanced privileges relating to memory space associated with the API routine are enabled;
  
  wherein the method is adapted for preventing intrusions.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, and further comprising logic for initializing an API controlling routine.
  - 15. The system of claim 14, wherein the API controlling routine manages operation of the API controlling routine and collecting and storing information corresponding to the API routine.
  - 16. The system of claim 13, wherein the hooking at least one API routine comprises identifying the API routine.
  - 17. The system of claim 16, wherein the hooking at least one API routine further comprises obtaining the API routine address.
  - 18. The system of claim 17, wherein the hooking at least one API routine further comprises determining an address of at least one different code module associated with the re-direction of flow of execution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Horovitz, Oded, Rachman, Ophir, Hollander, Yona
Primary Examiner(s)
Arani; Taghi T.

Application Number

US10/874,433
Publication Number

US 20040237071A1
Time in Patent Office

1,043 Days
Field of Search

726/22, 713187-189, 710/1, 710/100, 710/200, 710/220, 710/240, 710/260
US Class Current

713/187
CPC Class Codes

G06F 12/1441   for a range

G06F 21/53   by executing in a restricte...

G06F 2209/542   Intercept

G06F 9/4484   Executing subprograms

Application program interface interception system and method

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Application program interface interception system and method

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links