Systems and methods for active operating system kernel protection

US 9,189,630 B1
Filed: 01/21/2015
Issued: 11/17/2015
Est. Priority Date: 01/21/2015
Status: Active Grant

First Claim

Patent Images

1. A machine-implemented method for intercepting computing device system calls, the computing device including a kernel including a system call table, the method comprising:

executing a hypervisor on the computing device, the hypervisor configured to control at least one computing device processor register, the at least one computing device processor register configured to be used by the kernel;

creating at least one modified kernel structure, the modified kernel structure including a modified system call table;

determining a memory address of an original system call handler, the original system call handler configured to receive and execute kernel operation commands;

determining a size of a loaded image of the original system call handler;

creating a copy of the original system call handler as a second system call handler; and

intercepting, by the second system call handler as directed by the hypervisor, a computing device system call.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for intercepting computing device system calls for a computing device including a kernel having a system call table. A hypervisor is executed on the computing device, the hypervisor configured to control at least one of the computing device processor registers. At least one modified kernel structure is created, the modified kernel structure including a modified system call table. A memory address of an original system call handler is determined, the original system call handler configured to receive kernel operation commands. A size of a loaded image of the original system call handler is determined. A copy of the original system call handler as a second system call handler is created, and the second system call handler intercepts a computing device system call.

34 Citations

View as Search Results

20 Claims

1. A machine-implemented method for intercepting computing device system calls, the computing device including a kernel including a system call table, the method comprising:
- executing a hypervisor on the computing device, the hypervisor configured to control at least one computing device processor register, the at least one computing device processor register configured to be used by the kernel;
  
  creating at least one modified kernel structure, the modified kernel structure including a modified system call table;
  
  determining a memory address of an original system call handler, the original system call handler configured to receive and execute kernel operation commands;
  
  determining a size of a loaded image of the original system call handler;
  
  creating a copy of the original system call handler as a second system call handler; and
  
  intercepting, by the second system call handler as directed by the hypervisor, a computing device system call.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising evaluating the intercepted computing device system call for malicious behavior.
  - 3. The method of claim 1, further comprising initializing one or more exceptions tables, the one or more exception tables related to the execution of the code of second system call handler.
  - 4. The method of claim 3, wherein at least one of creating at least one modified kernel structure, determining a memory address of an original system call handler, determining a size of a loaded image of the original system call handler, creating a copy of the original system call handler as a second system call handler, or initializing one or more exceptions tables is performed with a disassembler.
  - 5. The method of claim 1, wherein the system call table comprises a System Service Dispatch Table (SSDT).
  - 6. The method of claim 1, wherein at least one of the computing device processor registers comprises a Machine Specific Register (MSR).
  - 7. The method of claim 1, wherein a Kernel Patch Protection (KPP) engine is unaware of the second system call handler.
  - 8. The method of claim 1, wherein the computing device further includes an operating system, and the hypervisor is executed during operation of the operating system.
  - 9. The method of claim 1, wherein creating a copy of the original system call handler as a second system call handler comprises at least one of address substitution, direct modification of the original system call handler, or modification of the computing device system call.

10. A system for intercepting computing device system calls, the system comprising:
- a computing platform including computing hardware of at least one processor, data storage, and input/output facilities, an operating system implemented on the computing hardware, a kernel including a system call table, and a system call handler configured to receive and execute kernel operation commands, a plurality of computing platform processor registers; and
  
  instructions that, when executed on the computing platform, cause the computing platform to implement;
  
  a hypervisor configured to control at least one of the computing platform processor registers, the at least one computing platform processor register configured to be used by the kernel, andan intercept engine configured to;
  
  create a copy of the system call table as a second system call table,create a copy of the system call handler as a second system call handler, andintercept, by the second system call handler as directed by the hypervisor, a computing platform system call.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10, wherein the intercept engine is further configured to evaluate the intercepted computing platform system call for malicious behavior.
  - 12. The system of claim 10, wherein the intercept engine is further configured to determine a memory address of the system call handler, and determine a size of a loaded image of the system call handler.
  - 13. The system of claim 12, further comprising a loading engine configured to initialize one or more exceptions tables, the one or more exception tables related to the execution of the code of second system call handler.
  - 14. The system of claim 13, wherein at least one of determining a memory address of an system call handler, determining a size of a loaded image of the system call handler, creating a copy of the system call handler as a second system call handler, or initializing one or more exceptions tables is performed with a disassembler.
  - 15. The system of claim 10, wherein the system call table comprises a System Service Dispatch Table (SSDT).
  - 16. The system of claim 10, wherein at least one of the computing platform processor registers comprises a Machine Specific Register (MSR).
  - 17. The system of claim 10, wherein a Kernel Patch Protection (KPP) engine is unaware of the second system call handler.
  - 18. The system of claim 10, wherein the hypervisor is executed during operation of the operating system.
  - 19. The system of claim 10, wherein creating a copy of the system call handler as a second system call handler comprises at least one of address substitution, direct modification of the system call handler, or modification of the computing platform system call.

20. A system for intercepting computing device system calls, the computing device including a kernel including a system call table, the system comprising:
- means for executing a hypervisor configured to control at least one computing device processor register, the at least one computing device processor register configured to be used by the kernel;
  
  means for creating a modified system call table;
  
  means for determining a memory address of an original system call handler, the original system call handler configured to receive and execute kernel operation commands;
  
  means for determining a size of a loaded image of the original system call handler;
  
  means for creating a copy of the original system call handler as a second system call handler; and
  
  means for intercepting, by the second system call handler as directed by the hypervisor, a computing device system call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Kumagin, Igor Y., Levchenko, Vyacheslav I., Tarasenko, Alexander S., Yudin, Maxim V.
Primary Examiner(s)
Smithers, Matthew

Application Number

US14/601,331
Time in Patent Office

300 Days
Field of Search

713/164, 726/22, 726/24
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

Systems and methods for active operating system kernel protection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for active operating system kernel protection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links