USH2202H (expired utility patent)
Method and apparatus to dynamically hook runtime processes without interrupting the flow of execution
Est. expiry Apr 28, 2024 (expired); nominal 20-year term from priority
Classification: G06F 9/461
PatentIndex Score: 74 · Cited by: 9 · References: 1 · Claims: 18
Abstract
A method of dynamically hooking runtime processes without interrupting the flow of execution includes: suspending a thread; hooking a function comprising modifying code of the function; and determining whether the thread was executing the modified code when the thread was suspended. If the thread was not executing the modified code, the thread is resumed. If the thread was executing the modified code, the context of the thread is changed to redirect the thread to a saved copy of the original prologue. In this manner, unpredictable behavior of the thread is avoided.
Claims
(exact text as granted, not AI-modified)
1. A method comprising:
suspending a thread;
hooking a function comprising modifying code of said function; and
determining whether said thread was executing said modified code when said thread was suspended.
2. The method of claim 1 further comprising getting a context of said thread.
3. The method of claim 2 wherein said context comprises a ThreadEIP of said thread.
4. The method of claim 3 wherein said determining comprises determining whether said ThreadEIP is greater than or equal to a PrologueStart and less than a PrologueEnd.
5. The method of claim 4 further comprising resuming said thread if said ThreadEIP is less than said PrologueStart or greater than or equal to said PrologueEnd.
6. The method of claim 4 further comprising changing a context of said thread if said ThreadEIP is greater than or equal to said PrologueStart and less than said PrologueEnd.
7. The method of claim 6 wherein said changing a context of said thread comprises:
OffsetFromPrologueStart=ThreadContext->EIP−Node->HookedPrologueStart
ThreadContext->EIP=Node->SavedPrologueStart+OffsetFromPrologueStart.
8. The method of claim 1 wherein said hooking comprises overwriting a prologue with a jump or call instruction to a hooking code.
9. A method comprising:
suspending threads of a target process;
saving a copy of a prologue of said target process;
hooking said target process comprising overwriting said prologue; and
determining whether any of said threads was executing said prologue during said suspending.
10. The method of claim 9 wherein for any threads that were executing said prologue during said suspending, said method further comprising:
changing a context of said threads; and
resuming said threads.
11. The method of claim 10 wherein said changing a context of said threads comprises:
calculating an offset of the thread's instruction pointer into said prologue; and
redirecting the thread to said saved copy of said prologue.
12. The method of claim 9 wherein for any threads that were not executing said prologue during said suspending, said method further comprising resuming said threads.
13. The method of claim 9 wherein said prologue is overwritten with a jump or call instruction to hooking code during said hooking.
14. The method of claim 9 further comprising determining context of said threads using GetThreadContext.
15. The method of claim 9 wherein said determining whether any of said threads was executing said prologue during said suspending comprises determining whether EIP lies within the prologue.
16. The method of claim 9 wherein functions are hooked during said hooking, said method further comprising arranging said hooked functions into a binary search tree.
17. The method of claim 16 wherein each function that is hooked is arranged in said binary search tree with the following information:
HOOKED_FUNCTION
DWORD HookedPrologueStart
DWORD HookedPrologueEnd
DWORD SavedPrologueStart.
18. A method comprising:
(a) enumerating through a list of suspended threads in a process;
(b) getting an EIP field of the thread's context;
(c) search through a binary search tree for a node that has a PrologueStart<=ThreadEIP<PrologueEnd;
(d) if no matching nodes are found, resume the thread and repeat operation (a);
(e) if a matching node is found, change the thread's context structure as follows:
OffsetFromPrologueStart=ThreadContext->EIP−Node->HookedPrologueStart
ThreadContext->EIP=Node->SavedPrologueStart+OffsetFromPrologueStart; and
(f) Resume the thread and repeat at operation (a).
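The per-thread fix-up of claim 18, as an added example in C that is not part of the patent text: a binary search tree of HOOKED_FUNCTION nodes with the fields of claim 17, the range lookup of step (c), and the EIP rewrite of step (e), run against constructed addresses rather than a suspended live process. The struct layout, the helper names and the sample addresses are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* One hooked function, carrying the three fields named in claim 17.
 * Addresses are plain integers in a constructed scenario; no thread is
 * suspended and no code is patched. */
typedef struct HookedFunction {
    uintptr_t HookedPrologueStart;  /* first byte overwritten by the jump/call */
    uintptr_t HookedPrologueEnd;    /* one past the last overwritten byte */
    uintptr_t SavedPrologueStart;   /* copy of the original prologue bytes */
    struct HookedFunction *left, *right;
} HookedFunction;

/* Binary search tree keyed on HookedPrologueStart (claim 16).
 * Hooked prologues never overlap, so the key alone orders the nodes. */
static HookedFunction *hf_insert(HookedFunction *root, HookedFunction *n) {
    if (root == NULL) return n;
    if (n->HookedPrologueStart < root->HookedPrologueStart)
        root->left = hf_insert(root->left, n);
    else
        root->right = hf_insert(root->right, n);
    return root;
}

/* Step (c): the node with PrologueStart <= eip < PrologueEnd, or NULL. */
static const HookedFunction *hf_find(const HookedFunction *root, uintptr_t eip) {
    while (root != NULL) {
        if (eip < root->HookedPrologueStart)      root = root->left;
        else if (eip >= root->HookedPrologueEnd)  root = root->right;
        else return root;
    }
    return NULL;
}

/* Steps (d)/(e): a thread caught inside an overwritten prologue is moved to
 * the same offset inside the saved copy, so it never executes a half-written
 * instruction. Returns 1 if EIP was rewritten, 0 if it can resume unchanged. */
int fixup_thread_eip(const HookedFunction *root, uintptr_t *eip) {
    const HookedFunction *node = hf_find(root, *eip);
    if (node == NULL) return 0;
    uintptr_t offset = *eip - node->HookedPrologueStart;
    *eip = node->SavedPrologueStart + offset;
    return 1;
}

/* Constructed scenario: two hooked functions with 5- and 7-byte prologues. */
uintptr_t demo_fixup(uintptr_t eip) {
    HookedFunction a = { 0x401000, 0x401005, 0x600000, NULL, NULL };
    HookedFunction b = { 0x402000, 0x402007, 0x600100, NULL, NULL };
    HookedFunction *root = hf_insert(hf_insert(NULL, &a), &b);
    fixup_thread_eip(root, &eip);
    return eip;
}
```

Note that PrologueEnd is exclusive: a thread whose EIP is exactly PrologueEnd has already left the overwritten bytes and is resumed as-is, matching claim 5.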
Cited by (0): no later patents cite this yet.
References (0): no backward citations on record.