USH2202H · Expired · Utility · PatentIndex 74

Method and apparatus to dynamically hook runtime processes without interrupting the flow of execution

Assignee: SYMANTEC CORP · Priority: Apr 28, 2004 · Filed: Apr 28, 2004 · Granted: Sep 4, 2007
Est. expiry: Apr 28, 2024 (expired) · nominal 20-yr term from priority
Inventors: CONOVER MATTHEW; SATISH SOURABH
G06F 9/461
PatentIndex Score: 74 · Cited by: 9 · References: 1 · Claims: 18

Abstract

A method of dynamically hooking runtime processes without interrupting the flow of execution includes: suspending a thread; hooking a function comprising modifying code of the function; and determining whether the thread was executing the modified code when the thread was suspended. If the thread was not executing the modified code, the thread is resumed. If the thread was executing the modified code, the context of the thread is changed to redirect the thread to a saved copy of the original prologue. In this manner, unpredictable behavior of the thread is avoided.

Claims

exact text as granted — not AI-modified
1. A method comprising:
   suspending a thread;
   hooking a function comprising modifying code of said function; and
   determining whether said thread was executing said modified code when said thread was suspended.

2. The method of claim 1 further comprising getting a context of said thread.

3. The method of claim 2 wherein said context comprises a ThreadEIP of said thread.

4. The method of claim 3 wherein said determining comprises determining whether said ThreadEIP is greater than or equal to a PrologueStart and less than a PrologueEnd.

5. The method of claim 4 further comprising resuming said thread if said ThreadEIP is less than said PrologueStart or greater than or equal to said PrologueEnd.

6. The method of claim 4 further comprising changing a context of said thread if said ThreadEIP is greater than or equal to said PrologueStart and less than said PrologueEnd.

7. The method of claim 6 wherein said changing a context of said thread comprises:
   OffsetFromPrologueStart=ThreadContext->EIP−Node->HookedPrologueStart
   ThreadContext->EIP=Node->SavedPrologueStart+OffsetFromPrologueStart.

8. The method of claim 1 wherein said hooking comprises overwriting a prologue with a jump or call instruction to a hooking code.

9. A method comprising:
   suspending threads of a target process;
   saving a copy of a prologue of said target process;
   hooking said target process comprising overwriting said prologue; and
   determining whether any of said threads was executing said prologue during said suspending.

10. The method of claim 9 wherein for any threads that were executing said prologue during said suspending, said method further comprising:
   changing a context of said threads; and
   resuming said threads.

11. The method of claim 10 wherein said changing a context of said threads comprising:
   calculating an offset of the thread's instruction pointer into said prologue; and
   redirecting the thread to said saved copy of said prologue.

12. The method of claim 9 wherein for any threads that were not executing said prologue during said suspending, said method further comprising resuming said threads.

13. The method of claim 9 wherein said prologue is overwritten with a jump or call instruction to hooking code during said hooking.

14. The method of claim 9 further comprising determining context of said threads using GetThreadContext.

15. The method of claim 9 wherein said determining whether any of said threads was executing said prologue during said suspending comprises determining whether EIP lies within the prologue.

16. The method of claim 9 wherein functions are hooked during said hooking, said method further comprising arranging said hooked functions into a binary search tree.

17. The method of claim 16 wherein each function that is hooked is arranged in said binary search tree with the following information:
   HOOKED_FUNCTION
   DWORD HookedPrologueStart
   DWORD HookedPrologueEnd
   DWORD SavedPrologueStart.

18. A method comprising:
   (a) enumerating through a list of suspended threads in a process;
   (b) getting an EIP field of the thread's context;
   (c) search through a binary search tree for a node that has a PrologueStart<=ThreadEIP<PrologueEnd;
   (d) if no matching nodes are found, resume the thread and repeat operation (a);
   (e) if a matching node is found, change the thread's context structure as follows:
       OffsetFromPrologueStart=ThreadContext->EIP−Node->HookedPrologueStart
       ThreadContext->EIP=Node->SavedPrologueStart+OffsetFromPrologueStart; and
   (f) Resume the thread and repeat at operation (a).
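The race that claims 7, 17 and 18 guard against is a thread that was suspended part-way through a prologue which the hook has since overwritten: resuming it as-is would execute a torn mix of original and jump bytes. The following is an added example, not Symantec's code and not taken from the patent text, that simulates the check in plain C: the HOOKED_FUNCTION record of claim 17 (DWORD modelled as uint32_t), the range search over a binary search tree of claim 18 step (c), and the EIP fix-up of claim 7. Thread contexts are represented as bare EIP values and no Windows API is called; the addresses in build_demo_tree and main are constructed for illustration and the helper names (hf_find, resume_eip, fixup_suspended_threads) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-function record from claim 17; DWORD modelled as uint32_t (simulation only). */
typedef struct HOOKED_FUNCTION {
    uint32_t HookedPrologueStart;   /* first byte overwritten by the hook jump/call */
    uint32_t HookedPrologueEnd;     /* one past the last overwritten byte */
    uint32_t SavedPrologueStart;    /* where the original prologue bytes were copied */
    struct HOOKED_FUNCTION *left;   /* BST links, keyed on HookedPrologueStart */
    struct HOOKED_FUNCTION *right;
} HOOKED_FUNCTION;

/* Insert ordered by HookedPrologueStart. Prologue ranges are assumed not to
 * overlap; the range search below relies on that. */
static HOOKED_FUNCTION *hf_insert(HOOKED_FUNCTION *root, HOOKED_FUNCTION *node)
{
    if (root == NULL)
        return node;
    if (node->HookedPrologueStart < root->HookedPrologueStart)
        root->left = hf_insert(root->left, node);
    else
        root->right = hf_insert(root->right, node);
    return root;
}

/* Claim 18 step (c): node with PrologueStart <= eip < PrologueEnd, or NULL. */
const HOOKED_FUNCTION *hf_find(const HOOKED_FUNCTION *root, uint32_t eip)
{
    while (root != NULL) {
        if (eip < root->HookedPrologueStart)
            root = root->left;        /* this node and everything right of it start above eip */
        else if (eip >= root->HookedPrologueEnd)
            root = root->right;       /* everything left of it ends at or below eip */
        else
            return root;
    }
    return NULL;
}

/* Claims 4 and 15: was the suspended thread inside a hooked prologue? */
int eip_in_hooked_prologue(const HOOKED_FUNCTION *root, uint32_t eip)
{
    return hf_find(root, eip) != NULL;
}

/* Claims 7 and 18(e): the EIP the thread must be resumed at. Returned unchanged
 * when the thread was outside every hooked prologue (claims 5 and 12). */
uint32_t resume_eip(const HOOKED_FUNCTION *root, uint32_t eip)
{
    const HOOKED_FUNCTION *node = hf_find(root, eip);
    if (node == NULL)
        return eip;
    uint32_t OffsetFromPrologueStart = eip - node->HookedPrologueStart;
    return node->SavedPrologueStart + OffsetFromPrologueStart;
}

/* Constructed sample: three hooked functions with 5- to 7-byte prologues.
 * Addresses are illustrative and not taken from any real binary. */
static HOOKED_FUNCTION demo_nodes[3] = {
    { 0x00402000u, 0x00402007u, 0x00500010u, NULL, NULL },
    { 0x00401000u, 0x00401005u, 0x00500000u, NULL, NULL },
    { 0x00403010u, 0x00403015u, 0x00500020u, NULL, NULL },
};

HOOKED_FUNCTION *build_demo_tree(void)
{
    HOOKED_FUNCTION *root = NULL;
    for (size_t i = 0; i < 3; i++) {
        demo_nodes[i].left = demo_nodes[i].right = NULL;   /* safe to rebuild */
        root = hf_insert(root, &demo_nodes[i]);
    }
    return root;
}

/* Claim 18 steps (a)-(f) over a list of suspended-thread EIPs: each entry is
 * rewritten to its resume address; returns how many threads were redirected. */
size_t fixup_suspended_threads(const HOOKED_FUNCTION *root, uint32_t *eips, size_t n)
{
    size_t redirected = 0;
    for (size_t i = 0; i < n; i++) {
        if (eip_in_hooked_prologue(root, eips[i])) {
            eips[i] = resume_eip(root, eips[i]);
            redirected++;
        }
        /* a real implementation would ResumeThread() here in both cases */
    }
    return redirected;
}

int main(void)
{
    HOOKED_FUNCTION *root = build_demo_tree();
    /* Constructed EIPs: two threads caught mid-prologue, one exactly at an
     * exclusive PrologueEnd, one unrelated address. */
    uint32_t eips[] = { 0x00401002u, 0x00402007u, 0x00403014u, 0x7c801000u };
    size_t n = sizeof eips / sizeof eips[0];
    size_t redirected = fixup_suspended_threads(root, eips, n);
    for (size_t i = 0; i < n; i++)
        printf("thread %zu resumes at 0x%08x\n", i, eips[i]);
    printf("%zu of %zu threads redirected to saved prologues\n", redirected, n);
    return 0;
}
```

The tree is keyed on HookedPrologueStart only, which is enough for the range search because hooked prologues never overlap: once a node is found whose range lies entirely below the EIP, nothing in its left subtree can contain it either, and likewise to the right. Note the half-open comparison: a thread whose EIP equals HookedPrologueEnd has already left the overwritten bytes and is resumed untouched, exactly as claims 4 and 5 specify.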

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.