Changing code execution path using kernel mode redirection

US 7,500,245 B2
Filed: 07/08/2005
Issued: 03/03/2009
Est. Priority Date: 07/08/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of redirecting a code execution path in a running process, the code execution path including a plurality of instructions, the method comprising:

modifying a kernel handler to upon being called by a first function, returning to an instruction in a replacement function that is separate from the first function;

overwriting a single one byte instruction in said code execution path with a one byte interrupt instruction while simultaneously leaving a remainder of instructions in the code execution path unaltered, whereupon execution of the one byte interrupt instruction in the running process causes the kernel handler to be called;

executing the replacement function called by said kernel handler; and

returning to said code execution path,wherein said method is performed without requiring a reboot of a computing device on which said running process is executing.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.

20 Citations

View as Search Results

12 Claims

1. A computer-implemented method of redirecting a code execution path in a running process, the code execution path including a plurality of instructions, the method comprising:
- modifying a kernel handler to upon being called by a first function, returning to an instruction in a replacement function that is separate from the first function;
  
  overwriting a single one byte instruction in said code execution path with a one byte interrupt instruction while simultaneously leaving a remainder of instructions in the code execution path unaltered, whereupon execution of the one byte interrupt instruction in the running process causes the kernel handler to be called;
  
  executing the replacement function called by said kernel handler; and
  
  returning to said code execution path,wherein said method is performed without requiring a reboot of a computing device on which said running process is executing.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said one byte interrupt instruction is used as a trap to a debugger.
  - 3. The method of claim 2, wherein said one byte interrupt instruction is an INT 3 interrupt instruction.
  - 4. The method of claim 2, wherein modifying said kernel handler includes comprises providing a mechanism to cause a return from said one byte interrupt instruction to continue into said replacement function.
  - 5. The method of claim 2, wherein the trap to the debugger breaks out of execution in order for other code to be called.
  - 6. The method of claim 1, further comprising loading said replacement function into a memory space accessible by said kernel function.
  - 7. The method of claim 1, further comprising performing said method without requiring a reboot of a computing device on which said running process is executing.

8. A computer readable storage medium having computer executable instructions thereon for redirecting a code execution path in a running process, said computer executable instructions performing a method, comprising:
- modifying a kernel handler to upon being called by a first function, returning to an instruction in a replacement function that is separate from the first function;
  
  overwriting a single one byte instruction in said code execution path with a one byte interrupt instruction while simultaneously leaving a remainder of instructions in the code execution path unaltered, whereupon execution of the one byte interrupt instruction in the running process causes the kernel handler to be called;
  
  executing the replacement function called by said kernel handler; and
  
  returning to said code execution path,wherein said method is performed without requiring a reboot of a computing device on which said running process is executing.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer readable storage medium of claim 8, wherein said one byte interrupt instruction is an INT 3 interrupt instruction.
  - 10. The computer readable storage medium of claim 8, wherein said kernel handler includes a mechanism to cause a return from said one byte interrupt instruction to continue into said replacement function.
  - 11. The computer readable storage medium of claim 8, further comprising instructions for inserting said instruction such that no more than one byte in the original code in said code path is overwritten.
  - 12. The computer readable medium storage of claim 8, further comprising instructions for loading said replacement function into a memory space accessible by said kernel function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ben-Zvi, Nir
Primary Examiner(s)
Nguyen; Van H

Application Number

US11/177,079
Publication Number

US 20070011686A1
Time in Patent Office

1,334 Days
Field of Search

710/260, 710/269, 718/100, 717/130, 717/158, 717/106, 717/120, 717/121, 717/127, 712/240, 712/220, 712/226, 712/233, 712/244, 711/154, 719/310
US Class Current

719/310
CPC Class Codes

G06F 8/656 while running

Changing code execution path using kernel mode redirection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Changing code execution path using kernel mode redirection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links