Systems and methods for active operating system kernel protection
First Claim
1. A machine-implemented method for intercepting computing device system calls, the computing device including a kernel including a system call table, the method comprising:
- executing a hypervisor on the computing device, the hypervisor configured to control at least one computing device processor register, the at least one computing device processor register configured to be used by the kernel;
- creating at least one modified kernel structure, the modified kernel structure including a modified system call table;
- determining a memory address of an original system call handler, the original system call handler configured to receive and execute kernel operation commands;
- determining a size of a loaded image of the original system call handler;
- creating a copy of the original system call handler as a second system call handler; and
- intercepting, by the second system call handler as directed by the hypervisor, a computing device system call.
3 Assignments
0 Petitions
Abstract
Systems and methods for intercepting computing device system calls for a computing device including a kernel having a system call table. A hypervisor is executed on the computing device, the hypervisor configured to control at least one of the computing device processor registers. At least one modified kernel structure is created, the modified kernel structure including a modified system call table. A memory address of an original system call handler is determined, the original system call handler configured to receive kernel operation commands. A size of a loaded image of the original system call handler is determined. A copy of the original system call handler as a second system call handler is created, and the second system call handler intercepts a computing device system call.
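The interception chain the abstract describes, reduced to a user-space C model so the moving parts can be seen together. This is an added example, not code from the patent or its assignee. The syscall numbers, the three handlers, the protected object id and the access policy are all constructed; the processor register the hypervisor controls is modelled as a function pointer the hypervisor owns; and the "copy of the original system call handler" is represented by an explicitly written second handler rather than by locating and copying the loaded image, since there is no machine code to copy in a simulation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model parameters: constructed for this simulation, not taken from the patent. */
#define NR_SYSCALLS 3
enum { NR_READ = 0, NR_WRITE = 1, NR_OPEN = 2 };
#define PROTECTED_OBJECT 42   /* object id the policy refuses to open (constructed) */
#define ERR_ACCESS (-13)
#define ERR_NOSYS  (-38)

typedef long (*syscall_fn)(long a0, long a1);
typedef long (*handler_fn)(long nr, long a0, long a1);

/* --- the guest kernel's original objects ------------------------------- */
static long sys_read(long a0, long a1)  { (void)a0; return a1; }  /* bytes "read"    */
static long sys_write(long a0, long a1) { (void)a0; return a1; }  /* bytes "written" */
static long sys_open(long a0, long a1)  { (void)a1; return a0; }  /* returns handle  */

/* The kernel's system call table: an array of handlers indexed by number. */
static syscall_fn original_table[NR_SYSCALLS] = { sys_read, sys_write, sys_open };

/* Original system call handler: receives a call and dispatches via the table. */
static long original_handler(long nr, long a0, long a1) {
    if (nr < 0 || nr >= NR_SYSCALLS) return ERR_NOSYS;
    return original_table[nr](a0, a1);
}

/* --- hypervisor state --------------------------------------------------- */
/* The processor register that names the system call entry point is modelled
   as a pointer the hypervisor, not the kernel, controls. */
static struct {
    handler_fn    entry_register;
    unsigned long intercepted;      /* audit counter for calls seen by the second handler */
} hv = { original_handler, 0 };

/* --- modified table and second handler --------------------------------- */
static syscall_fn modified_table[NR_SYSCALLS];

/* Replacement entry for open: applies the policy, then forwards to the original. */
static long guarded_open(long a0, long a1) {
    if (a0 == PROTECTED_OBJECT) return ERR_ACCESS;   /* policy decision */
    return original_table[NR_OPEN](a0, a1);          /* original behaviour otherwise */
}

/* Second system call handler: a copy of the original plus the interception point. */
static long second_handler(long nr, long a0, long a1) {
    hv.intercepted++;                                 /* every call is now observed */
    if (nr < 0 || nr >= NR_SYSCALLS) return ERR_NOSYS;
    return modified_table[nr](a0, a1);                /* dispatch via the modified table */
}

/* The claimed steps in model form: copy the table, modify it, redirect the register. */
void hv_install_interception(void) {
    memcpy(modified_table, original_table, sizeof original_table);
    modified_table[NR_OPEN] = guarded_open;
    hv.entry_register = second_handler;
}

void hv_remove_interception(void) { hv.entry_register = original_handler; }

unsigned long hv_intercepted_count(void) { return hv.intercepted; }

/* The guest issues a system call; the "hardware" follows the entry register. */
long guest_syscall(long nr, long a0, long a1) { return hv.entry_register(nr, a0, a1); }

int main(void) {
    printf("before install: open(%d) -> %ld\n", PROTECTED_OBJECT,
           guest_syscall(NR_OPEN, PROTECTED_OBJECT, 0));
    hv_install_interception();
    long denied  = guest_syscall(NR_OPEN, PROTECTED_OBJECT, 0);
    long allowed = guest_syscall(NR_OPEN, 7, 0);
    printf("after install:  open(%d) -> %ld, open(7) -> %ld, intercepted=%lu\n",
           PROTECTED_OBJECT, denied, allowed, hv_intercepted_count());
    return 0;
}
```

The point of the layout is that the original table and handler are never written to: the kernel's own structures stay intact, and the change the guest observes comes only from the hypervisor-held entry register now pointing at the second handler. Removing the interception is therefore a single pointer restore, and the audit counter shows that every call, not just open, passes the interception point once the register is redirected.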
34 Citations
20 Claims
1. A machine-implemented method for intercepting computing device system calls, the computing device including a kernel including a system call table, the method comprising:
- executing a hypervisor on the computing device, the hypervisor configured to control at least one computing device processor register, the at least one computing device processor register configured to be used by the kernel;
- creating at least one modified kernel structure, the modified kernel structure including a modified system call table;
- determining a memory address of an original system call handler, the original system call handler configured to receive and execute kernel operation commands;
- determining a size of a loaded image of the original system call handler;
- creating a copy of the original system call handler as a second system call handler; and
- intercepting, by the second system call handler as directed by the hypervisor, a computing device system call.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A system for intercepting computing device system calls, the system comprising:
- a computing platform including computing hardware of at least one processor, data storage, and input/output facilities, an operating system implemented on the computing hardware, a kernel including a system call table, and a system call handler configured to receive and execute kernel operation commands, a plurality of computing platform processor registers; and
- instructions that, when executed on the computing platform, cause the computing platform to implement: a hypervisor configured to control at least one of the computing platform processor registers, the at least one computing platform processor register configured to be used by the kernel, and an intercept engine configured to: create a copy of the system call table as a second system call table, create a copy of the system call handler as a second system call handler, and intercept, by the second system call handler as directed by the hypervisor, a computing platform system call.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19.

20. A system for intercepting computing device system calls, the computing device including a kernel including a system call table, the system comprising:
- means for executing a hypervisor configured to control at least one computing device processor register, the at least one computing device processor register configured to be used by the kernel;
- means for creating a modified system call table;
- means for determining a memory address of an original system call handler, the original system call handler configured to receive and execute kernel operation commands;
- means for determining a size of a loaded image of the original system call handler;
- means for creating a copy of the original system call handler as a second system call handler; and
- means for intercepting, by the second system call handler as directed by the hypervisor, a computing device system call.

Specification