Method and system for kernel routine callbacks
Abstract
Systems and methods are provided for kernel routine callbacks. Such methods may include hooking a pre-callback handler and a post-callback handler to a pre-existing operating system of a computing device. According to the pre-callback handler, a kernel routine request for a kernel routine to be performed in a kernel mode of the operating system is obtained, whether to allow the kernel routine to be performed is determined, and the kernel routine is caused to be performed in the kernel mode to generate kernel routine results. According to the post-callback handler, whether to allow the kernel routine results of the kernel routine to be returned is determined, and the kernel routine results of the kernel routine are caused to be returned to an application that is executed in a non-kernel mode of the operating system.
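The flow the abstract describes, together with the output-filtering step recited in the independent claims, as a user-space C model. This is an added example, not code from the patent; every name, the per-record "level" tag, and the threshold value are assumptions made for illustration.

```c
#include <stddef.h>

/* Hypothetical model: all identifiers and values here are constructed. */
enum status { ST_OK = 0, ST_PRE_DENIED = 1, ST_POST_FILTERED = 2 };

#define MAX_RECORDS 8
#define MAX_IN_LEN  4            /* constructed threshold for the input check */

struct request {                 /* stands in for the "kernel routine request" */
    size_t in_len;               /* input parameter: records requested */
    int    caller_level;         /* highest record level the caller may see */
    int    out_levels[MAX_RECORDS]; /* results: level tag of each record */
    size_t out_count;            /* output parameter: records returned */
};

/* Pre-callback: allow only if the input parameter stays within the threshold. */
static int pre_callback(const struct request *r) {
    return r->in_len <= MAX_IN_LEN;
}

/* Stand-in for the kernel routine: produces records tagged 0..in_len-1. */
static void kernel_routine(struct request *r) {
    r->out_count = r->in_len;
    for (size_t i = 0; i < r->out_count; i++) r->out_levels[i] = (int)i;
}

/* Post-callback: drop records whose level exceeds the caller's level.
 * Returns 1 if anything was filtered out, 0 if results pass unchanged. */
static int post_callback(struct request *r) {
    size_t kept = 0;
    for (size_t i = 0; i < r->out_count; i++)
        if (r->out_levels[i] <= r->caller_level)
            r->out_levels[kept++] = r->out_levels[i];
    int filtered = (kept != r->out_count);
    r->out_count = kept;
    return filtered;
}

/* Dispatcher: pre-check, routine, post-check, in that order. */
enum status dispatch(struct request *r) {
    if (!pre_callback(r)) { r->out_count = 0; return ST_PRE_DENIED; }
    kernel_routine(r);           /* never reached for a denied request */
    return post_callback(r) ? ST_POST_FILTERED : ST_OK;
}

/* Helpers that run one request and report the status or the record count. */
int demo_status(size_t in_len, int level) {
    struct request r = { .in_len = in_len, .caller_level = level };
    return (int)dispatch(&r);
}
size_t demo_count(size_t in_len, int level) {
    struct request r = { .in_len = in_len, .caller_level = level };
    dispatch(&r);
    return r.out_count;
}
```

Because the pre-callback rejects oversized requests before the routine runs, the routine's fixed-size result buffer is never written past its end; the post-callback returns the reduced result set along with a distinct status so the caller can tell that part of the output was withheld.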
20 Claims
1. A method comprising:
- hooking a pre-callback handler and a post-callback handler to an operating system of a computing device;
- obtaining, by the pre-callback handler, a kernel routine request for a kernel routine to be performed in a kernel mode of the operating system;
- determining, by the pre-callback handler, whether to allow the kernel routine to be performed based on one or more input parameters of the kernel routine request, wherein the determination by the pre-callback handler is based on whether a value of at least one of the input parameters exceeds a threshold and/or matches a standard input value;
- upon determining that the kernel routine is allowed to be performed, causing the kernel routine to be performed in the kernel mode to generate kernel routine results;
- determining, by the post-callback handler, whether to allow the kernel routine results of the kernel routine to be returned based on one or more output parameters of the kernel routine request, wherein the determination by the post-callback handler is based on whether a value of at least one of the output parameters exceeds a threshold and/or matches a standard output value;
- upon determining that the kernel routine results of the kernel routine are allowed to be returned, causing the kernel routine results of the kernel routine to be returned to an application that is executed in a non-kernel mode of the operating system; and
- upon determining that the kernel routine results are not allowed to be returned, modifying the kernel routine results, wherein the modifying the kernel routine results comprises filtering out a portion from the kernel routine results that is not accessible by a function call corresponding to the kernel routine, and causing the modified kernel routine results and a first post-operation error indicating the portion of the kernel routine results has not been accessed to be returned to the application.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A computing system comprising:
- one or more processors; and
- a memory storing instructions that, when executed by the one or more processors, cause the computing system to:
- obtain, by a pre-callback handler hooked to an operating system of the computing system, a kernel routine request for a kernel routine to be performed in a kernel mode of an operating system of the computing system;
- determine, by the pre-callback handler, whether to allow the kernel routine to be performed based on one or more input parameters of the kernel routine request, wherein the determination is based on whether a value of at least one of the input parameters exceeds a threshold and/or matches a standard input value;
- upon determining that the kernel routine is allowed to be performed, cause the kernel routine to be performed in the kernel mode to generate kernel routine results;
- determine, by a post-callback handler that is also hooked to the operating system of the computing system, whether to allow the kernel routine results of the kernel routine to be returned based on one or more output parameters of the kernel routine request, wherein the determination is based on whether a value of at least one of the output parameters exceeds a threshold and/or matches a standard output value;
- upon determining that the kernel routine results of the kernel routine are allowed to be returned, cause the kernel routine results of the kernel routine to be returned to an application that is executed in a non-kernel mode of the operating system; and
- upon determining that the kernel routine results are not allowed to be returned, modify the kernel routine results, wherein the modifying the kernel routine results comprises filtering out a portion from the kernel routine results that is not accessible by a function call corresponding to the kernel routine, and cause the modified kernel routine results and a first post-operation error indicating the portion of the kernel routine results has not been accessed to be returned to the application.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18

19. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause the one or more processors to perform a method comprising:
- hooking a pre-callback handler and a post-callback handler to an operating system of a computing device;
- obtaining, by the pre-callback handler, a kernel routine request for a kernel routine to be performed in a kernel mode of the operating system;
- determining, by the pre-callback handler, whether to allow the kernel routine to be performed based on one or more input parameters of the kernel routine request, wherein the determination by the pre-callback handler is based on whether a value of at least one of the input parameters exceeds a threshold and/or matches a standard input value;
- upon determining that the kernel routine is allowed to be performed, causing the kernel routine to be performed in the kernel mode to generate kernel routine results;
- determining, by the post-callback handler, whether to allow the kernel routine results of the kernel routine to be returned based on one or more output parameters of the kernel routine request, wherein the determination by the post-callback handler is based on whether a value of at least one of the output parameters exceeds a threshold and/or matches a standard output value;
- upon determining that the kernel routine results of the kernel routine are allowed to be returned, causing the kernel routine results of the kernel routine to be returned to an application that is executed in a non-kernel mode of the operating system; and
- upon determining that the kernel routine results are not allowed to be returned, modifying the kernel routine results, wherein the modifying the kernel routine results comprises filtering out a portion from the kernel routine results that is not accessible by a function call corresponding to the kernel routine, and causing the modified kernel routine results and a first post-operation error indicating the portion of the kernel routine results has not been accessed to be returned to the application.

Dependent claims: 20

Specification