Apparatus, method, and computer readable medium thereof for generating and utilizing a feature code to monitor a program
Abstract
Apparatus, method, and computer readable medium for generating and utilizing a feature code to monitor a program are provided. The program is run in a secure environment at the beginning. The program calls a function through an application program interface. A return address of the application program interface is used to generate the feature code. When the application runs again at another time, the feature code is utilized to monitor the program. According to the aforementioned arrangement and steps, the application program interface can be monitored dynamically. Consequently, any program can be monitored by this approach, which results in a more secure environment. Further, fewer application program interfaces are required to be monitored, so the required computer resource is less.
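An added illustration, not taken from the patent: the generation and monitoring steps the claims describe (shift the second return address, XOR it with the first, compare on a later run). The 8-bit left shift, the rebasing of addresses to module offsets, and the sample addresses are assumptions; the claims specify only "a predetermined length".

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the claims only say "a predetermined length". */
#define SHIFT_BITS 8u

/* Return addresses recorded during one run of the monitored program. */
struct api_trace {
    uint64_t module_base; /* image load address (assumed to be known) */
    uint64_t first_ret;   /* recorded for the first API call  */
    uint64_t second_ret;  /* recorded for the second API call */
};

/* Shift the second return address, then XOR it with the first.
 * Rebasing to module offsets is an added assumption so that a code
 * learned in one run stays comparable when ASLR moves the image. */
static uint64_t derive_code(const struct api_trace *t)
{
    uint64_t first  = t->first_ret  - t->module_base;
    uint64_t second = t->second_ret - t->module_base;
    return (second << SHIFT_BITS) ^ first;
}

/* Monitoring run: 1 if the monitor code equals the stored feature
 * code, otherwise 0 plus a message that the program was attacked. */
static int monitor_run(uint64_t feature_code, const struct api_trace *run)
{
    uint64_t monitor_code = derive_code(run);
    if (monitor_code == feature_code)
        return 1;
    fprintf(stderr, "program attacked: monitor code %#llx, expected %#llx\n",
            (unsigned long long)monitor_code, (unsigned long long)feature_code);
    return 0;
}

/* Constructed sample traces, not captured from a real process. */
static const struct api_trace learned  = { 0x400000, 0x401a2c, 0x401b90 };
static const struct api_trace rebased  = { 0x7f3c10000000, 0x7f3c10001a2c, 0x7f3c10001b90 };
static const struct api_trace diverted = { 0x400000, 0x401a2c, 0x7ffd5000 };

int main(void)
{
    uint64_t feature_code = derive_code(&learned); /* first, trusted run */
    printf("feature code: %#llx\n", (unsigned long long)feature_code);
    printf("relocated image: %s\n", monitor_run(feature_code, &rebased) ? "ok" : "alert");
    printf("changed return address: %s\n", monitor_run(feature_code, &diverted) ? "ok" : "alert");
    return 0;
}
```

Shift-and-XOR is a compact checksum rather than a cryptographic hash, so distinct pairs of return addresses can map to the same code.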
27 Claims
1. An apparatus, including a processor, for generating a feature code to monitor a program, comprising:
a call device for making the program call a function through a first application program interface (API) and a second API;
a record device being electrically connected to the call device and configured for recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
a generation device being electrically connected to the record device and configured for generating the feature code by using the first return address and the second return address, the generation device including a shift device being electrically connected to the record device and configured for shifting a plurality of bits of the second return address for a predetermined length; and
an operation device being electrically connected to the shift device and configured for applying an XOR operation to the shifting result and the first return address to derive the feature code;
wherein the feature code is used to be compared with a monitor code when the program is executed at another time to decide whether the program is attacked.
Dependent claims: 2, 3, 4, 5

6. An apparatus, including a processor, for monitoring a program by a feature code, comprising:
a call device for making the program call a function through a first application program interface (API) and a second API;
a record device being electrically connected to the call device and configured for recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
a generation device being electrically connected to the record device and configured for generating a monitor code by using the first return address and the second return address, the generation device including a shift device being electrically connected to the record device and configured for shifting a plurality of bits of the second return address for a predetermined length and an operation device being electrically connected to the shift device and the determination device for applying an XOR operation to the shifting result and the first return address to derive the monitor code; and
a determination device being electrically connected to the generation device and configured for determining whether the monitor code is equivalent to the feature code;
wherein the feature code is generated at another time the program is executed and the generation device further generates a message showing the program being attacked when the monitor code is not equivalent to the feature code.
Dependent claims: 7, 8, 9

10. A method for generating a feature code to monitor a program using a processor, the processor configured to execute instructions to perform the steps of:
making the program call a function through a first application program interface (API) and a second API;
recording a first return address after the first API calls the function and recording a second return address after the second API calls the function; and
generating the feature code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the feature code;
wherein the feature code is used to be compared with a monitor code when the program is executed at another time to decide whether the program is attacked.
Dependent claims: 11, 12, 13, 14

15. A method for monitoring a program by a feature code using a processor, the processor configured to execute instructions to perform the steps of:
making the program call a function through a first application program interface (API) and a second API;
recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
generating a monitor code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the monitor code;
determining whether the monitor code is equivalent to the feature code; and
generating a message showing the program being attacked when the monitor code is not equivalent to the feature code;
wherein the feature code is generated at another time the program is executed.
Dependent claims: 16, 17, 18

19. A computer-readable storage medium storing a computer program to execute, using a processor, a method for generating a feature code to monitor a program, the method comprising the steps of:
making the program call a function through a first application program interface (API) and a second API;
recording a first return address after the first API calls the function and recording a second return address after the second API calls the function; and
generating the feature code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the feature code;
wherein the feature code is used to be compared with a monitor code when the program is executed at another time to decide whether the program is attacked.
Dependent claims: 20, 21, 22, 23

24. A computer-readable storage medium storing a computer program to execute, using a processor, a method for monitoring a program by a feature code, the method comprising the steps of:
making the program call a function through a first application program interface (API) and a second API;
recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
generating a monitor code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the monitor code;
determining whether the monitor code is equivalent to the feature code; and
generating a message showing the program being attacked when the monitor code is not equivalent to the feature code;
wherein the feature code is generated at another time the program is executed.
Dependent claims: 25, 26, 27