Apparatus, method, and computer readable medium thereof for generating and utilizing a feature code to monitor a program

US 8,127,276 B2
Filed: 04/03/2007
Issued: 02/28/2012
Est. Priority Date: 12/13/2006
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus, including a processor, for generating a feature code to monitor a program, comprising:

a call device for making the program call a function through a first application program interface (API) and a second API;

a record device being electrically connected to the call device and configured for recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;

a generation device being electrically connected to the record device and configured for generating the feature code by using the first return address and the second return address, the generation device including a shift device being electrically connected to the record device and configured for shifting a plurality of bits of the second return address for a predetermined length; and

an operation device being electrically connected to the shift device and configured for applying an XOR operation to the shifting result and the first return address to derive the feature code;

wherein the feature code is used to be compared with a monitor code when the program is executed at another time to decide whether the program is attacked.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, method, and computer readable medium for generating and utilizing a feature code to monitor a program are provided. The program is run in a secure environment at the beginning. The program calls a function through an application program interface. A return address of the application program interface is used to generate the feature code. When the application runs again at another time, the feature code is utilized to monitor the program. According to the aforementioned arrangement and steps, the application program interface can be monitored dynamically. Consequently, any program can be monitored by this approach, which results in a more secure environment. Further, fewer application program interfaces are required to be monitored, so the required computer resource is less.

25 Citations

View as Search Results

27 Claims

1. An apparatus, including a processor, for generating a feature code to monitor a program, comprising:
- a call device for making the program call a function through a first application program interface (API) and a second API;
  
  a record device being electrically connected to the call device and configured for recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
  
  a generation device being electrically connected to the record device and configured for generating the feature code by using the first return address and the second return address, the generation device including a shift device being electrically connected to the record device and configured for shifting a plurality of bits of the second return address for a predetermined length; and
  
  an operation device being electrically connected to the shift device and configured for applying an XOR operation to the shifting result and the first return address to derive the feature code;
  
  wherein the feature code is used to be compared with a monitor code when the program is executed at another time to decide whether the program is attacked.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein the record device comprises:
    - a finite state machine being electrically connected to the call device and the generation device and configured for recording the first return address and the second return address.
  - 3. The apparatus of claim 1, further comprising:
    - a storage device being electrically connected to the generation device and configured for storing the feature code.
  - 4. The apparatus of claim 1, wherein the call device makes the program call the function through the first API directly and makes the program call a library storing the function through the second API.
  - 5. The apparatus of claim 1, wherein the apparatus is adapted to a Microsoft Windows system, the first API is LoadLibraryA( ) and the second API is GetProcAddress( ).

6. An apparatus, including a processor, for monitoring a program by a feature code, comprising:
- a call device for making the program call a function through a first application program interface (API) and a second API;
  
  a record device being electrically connected to the call device and configured for recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
  
  a generation device being electrically connected to the record device and configured for generating a monitor code by using the first return address and the second return address, the generation device including a shift device being electrically connected to the record device and configured for shifting a plurality of bits of the second return address for a predetermined length and an operation device being electrically connected to the shift device and the determination device for applying an XOR operation to the shifting result and the first return address to derive the monitor code; and
  
  a determination device being electrically connected to the generation device and configured for determining whether the monitor code is equivalent to the feature code;
  
  wherein the feature code is generated at another time the program is executed and the generation device further generates a message showing the program being attacked when the monitor code is not equivalent to the feature code.
- View Dependent Claims (7, 8, 9)
- - 7. The apparatus of claim 6, wherein the record device comprises:
    - a finite state machine being electrically connected to the call device and the generation device for recording the first return address and the second return address.
  - 8. The apparatus of claim 6, wherein the call device makes the program call the function through the first API directly and makes the program call a library storing the function through the second API.
  - 9. The apparatus of claim 6, wherein the apparatus is adapted to a Microsoft Windows system, the first API is LoadLibraryA( ) and the second API is GetProcAddress( ).

10. A method for generating a feature code to monitor a program using a processor, the processor configured to execute instructions to perform the steps of:
- making the program call a function through a first application program interface (API) and a second API;
  
  recording a first return address after the first API calls the function and recording a second return address after the second API calls the function; and
  
  generating the feature code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the feature code;
  
  wherein the feature code is used to be compared with a monitor code when the program is executed at another time to decide whether the program is attacked.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the recording steps record the first return address and the second return address by a finite state machine.
  - 12. The method of claim 10, further comprising the step of storing the feature code.
  - 13. The method of claim 10, wherein the step of making the program call the function through the first API calls the function directly and the step of making the program call the function through the second API calls a library storing the function.
  - 14. The method of claim 10, wherein the method is adapted to a Microsoft windows system, the first API is LoadLibraryA( ) and the second API is GetProcAddress( ).

15. A method for monitoring a program by a feature code using a processor, the processor configured to execute instructions to perform the steps of:
- making the program call a function through a first application program interface (API) and a second API;
  
  recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
  
  generating a monitor code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the monitor code;
  
  determining whether the monitor code is equivalent to the feature code; and
  
  generating a message showing the program being attacked when the monitor code is not equivalent to the feature code;
  
  wherein the feature code is generated at another time the program is executed.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein the recording steps record the first return address and the second return address by a finite state machine.
  - 17. The method of claim 15, wherein the step of making the program call the function through the first API calls the function directly and the step of making the program call the function through the second API calls a library storing the function.
  - 18. The method of claim 15, wherein the method is adapted to a Microsoft Windows system, the first API is LoadLibraryA( ) and the second API is GetProcAddress( ).

19. A computer-readable storage medium storing a computer program to execute, using a processor, a method for generating a feature code to monitor a program, the method comprising the steps of:
- making the program call a function through a first application program interface (API) and a second API;
  
  recording a first return address after the first API calls the function and recording a second return address after the second API calls the function; and
  
  generating the feature code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the feature code;
  
  wherein the feature code is used to be compared with a monitor code when the program is executed at another time to decide whether the program is attacked.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer-readable storage medium of claim 19, wherein the recording steps record the first return address and the second return address by a finite state machine.
  - 21. The computer-readable storage medium of claim 19, wherein the method further comprises the step of storing the feature code.
  - 22. The computer-readable storage medium of claim 19, wherein the step of making the program call the function through the first API calls the function directly and the step of making the program call the function through the second API calls a library storing the function.
  - 23. The computer-readable storage medium of claim 19, wherein the method is adapted to a Microsoft windows system, the first API is LoadLibraryA( ) and the second API is GetProcAddress( ).

24. A computer-readable storage medium storing a computer program to execute, using a processor, a method for monitoring a program by a feature code, the method comprising the steps of:
- making the program call a function through a first application program interface (API) and a second API;
  
  recording a first return address after the first API calls the function and recording a second return address after the second API calls the function;
  
  generating a monitor code by using the first return address and the second return address, including shifting a plurality of bits of the second return address for a predetermined length, and applying an XOR operation to the shifting result and the first return address to derive the monitor code;
  
  determining whether the monitor code is equivalent to the feature code; and
  
  generating a message showing the program being attacked when the monitor code is not equivalent to the feature code;
  
  wherein the feature code is generated at another time the program is executed.
- View Dependent Claims (25, 26, 27)
- - 25. The computer-readable storage medium of claim 24, wherein the recording steps record the first return address and the second return address by a finite state machine.
  - 26. The computer-readable storage medium of claim 24, wherein the step of making the program call the function through the first API calls the function directly and the step of making the program call the function through the second API calls a library storing the function.
  - 27. The computer-readable storage medium of claim 24, wherein the method is adapted to a Microsoft Windows system, the first API is LoadLibraryA( ) and the second API is GetProcAddress( ).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Institute For Information Industry
Original Assignee
Institute For Information Industry
Inventors
Lin, Kang-Chiao, Chen, Cheng-Kai, Sun, Hung Min, Chang, Shih-Ying, Chen, Shuai-Min
Primary Examiner(s)
Das, Chameli

Application Number

US11/695,959
Publication Number

US 20080148226A1
Time in Patent Office

1,792 Days
Field of Search

None
US Class Current

717/127
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 9/4486 Formation of subprogram jum...

Apparatus, method, and computer readable medium thereof for generating and utilizing a feature code to monitor a program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, method, and computer readable medium thereof for generating and utilizing a feature code to monitor a program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links