Code injection and code interception in an operating system with multiple subsystem environments

US 9,678,747 B2
Filed: 02/08/2012
Issued: 06/13/2017
Est. Priority Date: 02/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating, by a computing device, a virtual process that is a non-executing image of a target process, the non-executing virtual process image comprising computer program instructions and data, the non-executing virtual process image comprising a snapshot of the target process, including data of the target process, at least a portion of software modules of the target process, and a state of the target process, wherein the state of the target process is such that at least one data structure is not initialized;

analyzing, by the computing device, the non-executing virtual process image to determine a corresponding location in the associated target process that includes computer program instructions that will be executed before initialization of the target process is completed, to determine validity of the location, and to determine a collision likelihood at the location, using at least one of a disassembler, memory reading, writing, and allocation analysis, and Process Environment Block analysis, wherein the analyzing comprises determining compatibility of a first portion of code with the target process, the compatibility including at least one of determining that the first portion of code loads modules targeting incompatible platforms and determining that the first portion of code loads modules utilizing differing executable file formats;

injecting, by the computing device, the first portion of code into the target process, at the determined location in the target process if the determined location is valid and collision is not likely, the first portion of code adapted based at least on an outcome of the analyzing action, wherein the first portion of code comprises at least one hook to a code loader; and

loading by the code loader, the at least one module compatible with the target process even though the target process targets an incompatible platform.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatuses are provided for code injection and code interception in an operating systems having multiple subsystem environments. Code injection into a target process can rely on generation of a virtual process that can permit analysis of information loaded in a memory image of the target process regardless of the host environment in which the target process is executed. Based at least on information collected via the analysis, code can be injected into the target process while preserving integrity of the target process. Code interception also can exploit the analysis for suitable hooking that preserves integrity of target process. Code interception can utilize relocatable tokenized code that can be parameterized through token replacement.

40 Citations

View as Search Results

44 Claims

1. A method, comprising:
- creating, by a computing device, a virtual process that is a non-executing image of a target process, the non-executing virtual process image comprising computer program instructions and data, the non-executing virtual process image comprising a snapshot of the target process, including data of the target process, at least a portion of software modules of the target process, and a state of the target process, wherein the state of the target process is such that at least one data structure is not initialized;
  
  analyzing, by the computing device, the non-executing virtual process image to determine a corresponding location in the associated target process that includes computer program instructions that will be executed before initialization of the target process is completed, to determine validity of the location, and to determine a collision likelihood at the location, using at least one of a disassembler, memory reading, writing, and allocation analysis, and Process Environment Block analysis, wherein the analyzing comprises determining compatibility of a first portion of code with the target process, the compatibility including at least one of determining that the first portion of code loads modules targeting incompatible platforms and determining that the first portion of code loads modules utilizing differing executable file formats;
  
  injecting, by the computing device, the first portion of code into the target process, at the determined location in the target process if the determined location is valid and collision is not likely, the first portion of code adapted based at least on an outcome of the analyzing action, wherein the first portion of code comprises at least one hook to a code loader; and
  
  loading by the code loader, the at least one module compatible with the target process even though the target process targets an incompatible platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 43)
- - 2. The method of claim 1, further comprising intercepting, by the computing device, a second portion of code based at least on an outcome of the analyzing action.
  - 3. The method of claim 1, further comprising providing, by the computing device, an application programming interface (API) configured to interact with the non-executing virtual process image, the API comprising at least one instruction object.
  - 4. The method of claim 1, wherein the creating action comprises creating the non-executing virtual process image associated with the target process during initialization of the target process.
  - 5. The method of claim 1, further comprising loading a dynamic link library of relocatable parameterized code.
  - 6. The method of claim 1, wherein the creating action comprises loading a module into a memory space from a memory image of the target process.
  - 7. The method of claim 1, wherein the creating action comprises generating a memory map of at least one base allocation of the target process.
  - 8. The method of claim 1, wherein the creating action comprises loading a plurality of modules, at least two modules of the plurality of modules having disparate executable file formats.
  - 9. The method of claim 6, wherein the analyzing action comprises querying a module of the plurality of modules via an application programming interface (API) comprising at least one instruction object.
  - 10. The method of claim 1, wherein the analyzing action comprises identifying, by applying a disassembly function call to a first function call, a second functional call nested in the first function call.
  - 11. The method of claim 2, wherein the analyzing action comprises determining validity of a memory address intended for intercepting the second portion of code.
  - 12. The method of claim 1, wherein the analyzing action comprises:
    - identifying a base address for a module in the non-executing virtual process image; and
      
      determining if a code interception associated with the module and the base address is present.
  - 13. The method of claim 12, wherein the analyzing action further comprises loading a version of the module without the code interception in response to the determining action indicating that the code interception is present.
  - 14. The method of claim 13, wherein the analyzing further comprises identifying an inner function call of the module in the non-executing virtual process image and a relative virtual address (RVA) of the inner function call by applying at least one disassembly function call to the clean version of the module without the code interception, the at least one disassembly function call having a queryable function.
  - 15. The method of claim 1, wherein the injecting action comprises injecting code after a kernel library is loaded and before a module associated with the target process is loaded.
  - 16. The method of claim 2, wherein the analyzing action comprises probing validity of a memory address intended for intercepting the second portion of code.
  - 17. The method of claim 2, wherein the analyzing action comprises determining a collision likelihood for the second portion of code with a disparate portion of code.
  - 18. The method of claim 2, wherein the analyzing action comprises determining compatibility of the second portion of code with the target process.
  - 19. The method of claim 2, wherein the intercepting action comprises replacing a token.
  - 20. The method of claim 19, wherein the replacing the token comprises:
    - allocating memory, in the target process, for at least one or more of a code buffer associated with a first portion of the code or data associated with a second portion of the code;
      
      calculating data values via an allocated base address of the allocated memory; and
      
      replacing an operand associated with the token via a tokenizing API, the operand being further associated with a function address or a data address.
  - 21. The method of claim 20, wherein replacing the operand associated with the token comprises:
    - iterating through a portion of code by instruction;
      
      for an instruction having the operand, determining if the instruction matches the token; and
      
      replacing the operand with a predetermined value in response to the determining action indicating the instruction matches the token.
  - 43. The method of claim 1, wherein the first portion of code is adapted based at least on an outcome of the analyzing action by patching at least one module to be compatible with the target process.

22. An apparatus, comprising:
- a memory having computer-executable instructions encoded thereon; and
  
  a processor functionally coupled to the memory and configured by the computer-executable instructions,to create a virtual process that is a non-executing image of a target process, the non-executing virtual process image comprising computer program instructions and data, the non-executing virtual process image comprising a snapshot of the target process, including data of the target process, at least a portion of software modules of the target process, and a state of the target process, wherein the state of the target process is such that at least one data structure is not initialized;
  
  to analyze the non-executing virtual process image to determine a corresponding location in the associated target process that includes computer program instructions that will be executed before initialization of the target process is completed, to determine validity of the location, and to determine a collision likelihood at the location, using at least one of a disassembler, memory reading, writing, and allocation analysis, and Process Environment Block analysis, the processor being further configured to determine compatibility of a first portion of code with the target process, the compatibility including at least one of determining that the first portion of code loads modules targeting incompatible platforms and determining that the first portion of code loads modules utilizing differing executable file formats;
  
  to inject the first portion of code into the target process at the determined location in the target process if the determined location is valid and collision is not likely, the first portion of code adapted based at least on an outcome of the analyzing action, wherein the first portion of code comprises at least one hook to a code loader; and
  
  loading by the code loader, at least one module compatible with the target process even though the target process targets an incompatible platform.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 44)
- - 23. The apparatus of claim 22, the processor being further configured to intercept a second portion of code based at least on an outcome of the analyzing action.
  - 24. The apparatus of claim 22, the processor further being further configured to provide an application programming interface (API) configured to interact with the non-executing virtual process image, the API comprising at least one instruction object.
  - 25. The apparatus of claim 22, the processor being further configured to create the non-executing virtual process image associated with the target process during initialization of the target process.
  - 26. The apparatus of claim 25, the processor being further configured to load a dynamic link library of relocatable parameterized code.
  - 27. The apparatus of claim 22, the processor being further configured to load a module into a memory space from a memory image of the target process.
  - 28. The apparatus of claim 22, the processor being further configured to generate a memory map of at least one base allocation of the target process.
  - 29. The apparatus of claim 22, the processor being further configured to load a plurality of modules, at least two modules of the plurality of modules having disparate executable file formats.
  - 30. The apparatus of claim 27, the processor being further configured to query a module of the plurality of modules via an application programming interface (API) comprising at least one instruction object.
  - 31. The apparatus of claim 22, the processor being configured to identify, via application of a disassembly function call to a first function call, a second functional call nested in the first function call.
  - 32. The apparatus of claim 23, the processor being further configured to determine validity of a memory address intended for intercepting the second portion of code.
  - 33. The apparatus of claim 22, the processor being further configured to:
    - identify a base address for a module in the non-executing virtual process image; and
      
      determine if a code interception associated with the module and the base address is present.
  - 34. The apparatus of claim 33, the processor being further configured to load a version of the module without the code interception in response to the determining action indicating that the code interception is present.
  - 35. The apparatus of claim 34, the processor being further configured to identify an inner function call of the module in the non-executing virtual process image and a relative virtual address (RVA) of the inner function call through application of at least one disassembly function call to the version of the module without the code interception, the at least one disassembly function call having a queryable function.
  - 36. The apparatus of claim 22, the processor being further configured to inject code after a kernel library is loaded and before a module associated with the target process is loaded.
  - 37. The apparatus of claim 23, the processor being further configured to probe validity of a memory address intended for intercepting the second portion of code.
  - 38. The apparatus of claim 23, the processor being configured to determine a collision likelihood for the second portion of code with a disparate portion of code.
  - 39. The apparatus of claim 23, the processor being further configured to determine compatibility of the second portion of code with the target process.
  - 40. The apparatus of claim 22, the processor being further configured to replace a token.
  - 41. The apparatus of claim 40, the processor being further configured to:
    - allocate memory, in the target process, for at least one or more of a code buffer associated with a first portion of the code or data associated with a second portion of the code;
      
      calculate data values via an allocated base address of the allocated memory; and
      
      replace an operand associated with the token via a tokenizing API, the operand being further associated with a function address or a data address.
  - 42. The apparatus of claim 41, the processor being further configured to:
    - iterate through a portion of code by instruction;
      
      determine, for an instruction having the operand, if the instruction matches the token; and
      
      replace the operand with a predetermined value in response to the determining action indicating the instruction matches the token.
  - 44. The apparatus of claim 22, wherein the first portion of code is adapted based at least on an outcome of the analyzing action by patching at least one module to be compatible with the target process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pegasystems Incorporated
Original Assignee
OpenSpan, Inc. (Pegasystems Incorporated)
Inventors
Beckett, Stephen M.
Primary Examiner(s)
Bullock, Jr., Lewis A
Assistant Examiner(s)
Gooray, Mark

Application Number

US13/369,283
Publication Number

US 20120233612A1
Time in Patent Office

1,952 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 8/443   Optimisation

G06F 8/447   Target code generation

G06F 8/53   Decompilation; Disassembly

G06F 8/76   Adapting program code to ru...

G06F 9/45516   Runtime code conversion or ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/547   Remote procedure calls [RPC...

Code injection and code interception in an operating system with multiple subsystem environments

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

44 Claims

Specification

Use Cases

Quick Links

Others

Code injection and code interception in an operating system with multiple subsystem environments

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

44 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others