System and method for virtual partition monitoring
Abstract
A method is provided in one example embodiment that includes rebasing a module in a virtual partition to load at a fixed address and storing a hash of a page of memory associated with the fixed address. An external handler may receive a notification associated with an event affecting the page. An internal agent within the virtual partition can execute a task and return results based on the task to the external handler, and a policy action may be taken based on the results returned by the internal agent. In some embodiments, a code portion and a data portion of the page can be identified and only a hash of the code portion is stored.
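The abstract's scheme in miniature, as an added example that is not taken from the patent: a constructed one-page toy module with a list of relocation offsets stands in for a real executable, and the names `load`, `rebase`, `code_hash`, `check_page` and the "allow"/"alert" policy results are assumptions. It shows why rebasing to a fixed address makes one stored page hash reusable across loads, and why hashing only the code portion tolerates writes to the data portion.

```python
import hashlib
import struct

PAGE = 4096

def load(image, relocs, preferred, base):
    """Map a toy module at `base`, fixing up each absolute 64-bit pointer."""
    mem = bytearray(image)
    for off in relocs:
        (ptr,) = struct.unpack_from("<Q", mem, off)
        struct.pack_into("<Q", mem, off, ptr - preferred + base)
    return mem

def rebase(image, relocs, preferred, fixed):
    """Bake the fixed address into the image and drop its relocation data."""
    return load(image, relocs, preferred, fixed), [], fixed

def code_hash(mem, page_no, code_len):
    """Hash only the code portion (first code_len bytes) of one page."""
    start = page_no * PAGE
    return hashlib.sha256(bytes(mem[start:start + code_len])).hexdigest()

def check_page(stored, mem, base, page_no, code_len):
    """External-handler side: compare the page against the stored hash."""
    expected = stored.get(base + page_no * PAGE)
    return "allow" if expected == code_hash(mem, page_no, code_len) else "alert"

def demo():
    preferred, fixed, code_len = 0x10000000, 0x7F000000, 0x800
    image = bytearray(PAGE)                      # constructed one-page module
    image[0:4] = b"\x55\x48\x89\xe5"             # a few code bytes
    struct.pack_into("<Q", image, 0x10, preferred + 0x900)  # pointer in code
    relocs = [0x10]
    # Not rebased: the fixup differs per load address, so the hash does too.
    h_a = code_hash(load(image, relocs, preferred, 0x20000000), 0, code_len)
    h_b = code_hash(load(image, relocs, preferred, 0x30000000), 0, code_len)
    # Rebased: one hash, keyed by the fixed page address, stays valid.
    rebased, no_relocs, base = rebase(image, relocs, preferred, fixed)
    stored = {base: code_hash(rebased, 0, code_len)}
    mem = load(rebased, no_relocs, base, base)   # every later load is identical
    mem[0x900] = 0xFF                            # write to the data portion
    after_data_write = check_page(stored, mem, base, 0, code_len)
    mem[0x20] = 0xCC                             # write to the code portion
    after_code_write = check_page(stored, mem, base, 0, code_len)
    return h_a != h_b, after_data_write, after_code_write

if __name__ == "__main__":
    print(demo())
```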
19 Claims
1. A method, comprising:
identifying a module to be loaded;
determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
rebasing the module in a virtual partition to load at the fixed address, including:
    determining file information for the module;
    removing relocation data from the module; and
    modifying a header in the module to specify the fixed address;
storing a hash of a page of memory associated with the fixed address after modifying the header;
receiving in an external handler a notification associated with an event affecting the page;
instructing an internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 18
11. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
identifying a module to be loaded;
determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
rebasing the module in a virtual partition to load at the fixed address, including:
    determining file information for the module;
    removing relocation data from the module; and
    modifying a header in the module to specify the fixed address;
storing a hash of a page of memory associated with the fixed address after modifying the header;
receiving in an external handler a notification associated with an event affecting the page;
instructing an internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.
Dependent claims: 12, 13, 17
14. An apparatus, comprising:
a virtual partition;
an internal agent within the virtual partition;
an external handler; and
one or more processors operable to execute instructions associated with the virtual partition, the internal agent, and the external handler such that the apparatus is configured for:
    identifying a module to be loaded;
    determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
    rebasing the module in a virtual partition to load at the fixed address, including:
        determining file information for the module;
        removing relocation data from the module; and
        modifying a header in the module to specify the fixed address;
    storing a hash of a page of memory associated with the fixed address after modifying the header;
    receiving in the external handler a notification associated with an event affecting the page;
    instructing the internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
    taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.
Dependent claims: 15, 16
19. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
identifying a module to be loaded;
determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
rebasing the module in a virtual partition to load at the fixed address, including:
    patching a loader in an operating system to load the module at the fixed address; and
    upon launching the module, causing the loader to select the fixed address to load the module;
storing a hash of a page of memory associated with the fixed address after patching the loader;
receiving in an external handler a notification associated with an event affecting the page;
instructing an internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.
Specification