Data processing: software development – installation – and managem – Software program development tool – Linking
Reexamination Certificate
1999-04-08
2002-10-08
Morse, Gregory (Department: 2124)
Data processing: software development, installation, and managem
Software program development tool
Linking
C717S168000, C717S125000
Reexamination Certificate
active
06463583
ABSTRACT:
FIELD OF INVENTION
This invention relates to computer operating systems. More specifically, it relates to a method and system for dynamic injection of execution logic into a shared memory space of a windowed operating system.
BACKGROUND OF THE INVENTION
Software applications, such as 32-bit applications (e.g., Win32) for windowed operating systems, such as Windows 95/98/NT, by Microsoft Corporation of Redmond, Wash., execute as separate processes that execute within their own address space (WINDOWS and WIN32 are trademarks of Microsoft Corporation of Redmond, Wash.). The Windows 95/98/NT operation systems limit code that can execute within an address space to the code associated with a main executable module (e.g., “.EXE”) and Dynamic Link Library (“DLL”) modules loaded by a process associated with the main executable module. As is known in the art, a Dynamic Link Library provides a mechanism for linking applications to libraries of functions at run-time.
However, there are many situations where additional functionality needs to be added to a process by injecting execution logic into an address space. In particular, there are situations where it is desirable to inject execution logic into new address spaces that will execute before any application-related code executes. For example, applications to monitor or alter the execution of other applications need such additional functionality.
There are a number of techniques known in the art to inject execution logic into an existing windowed operating system's process. However, these techniques have a number of associated problems. Three of these injection techniques include Dynamic Link Library injection, code patching, and remote threads. The Dynamic Link Library injection technique involves loading a Windows 95/98/NT Dynamic Link Library into an address space and placing injection code within a “DllMain” function. A Dynamic Link Library's DllMain function is called by the Windows 95/98/NT operating system when a process loads or unloads a Dynamic Link Library as well as when a new operating system thread is started or stopped within a process. Thus, loading a Dynamic Link Library into an address space will result in the injected code's execution within an address space. However, the injected code will only be executed after the process begins executing.
As is known in the art, there are two ways to inject a Dynamic Link Library into a Windows address space including using an operating system registry key “Applnit_DLLs” or calling a “SetWindowsHookEx” API function. As is known in the art, an operating system registry stores hardware, software and user configuration settings for particular a computer.
The AppInit_DLLs registry key can be used with Windows NT but is not implemented by Windows 95/98. A data value for the AppInit DLLs registry key can contain a list of Dynamic Link Library module file names. When a User Dynamic Link Library (e.g., USER32.DLL) is loaded into an address space on the Windows NT operating system the user Dynamic Link Library will attempt to load the modules listed in this registry key into a process address space. Use of the AppInit_DLLs registry key will only inject a Dynamic Link Library in a process that executes code within a user's Dynamic Link Library (e.g., USER32.DLL).
Both Windows 95/98 and Windows NT implement a SetWindowsHookEx Application Programmer's Interface (“API”) function. This function is used to hook events within a primary operating system thread or for other operating system threads. When SetWindowsHookEx events occur, a callback function within a Dynamic Link Library is called by the Windows 95/98/NT operating system. If the hooked thread belongs to a different process than the calling thread, Windows 95/98/NT loads the required Dynamic Link Library into the hooked operating system thread's address space. This Dynamic Link Library injection will only be invoked after an application associated with a process has started executing.
Code patching techniques for Windows 95/98/NT known in the art require an injecting process to have access to a target process. First the injected code is copied to a memory area in the target process address space. Next the target process is altered so that the injected logic will be executed. Finally, code within an existing execution thread is altered to execute the injected code. This is typically accomplished by calling injected code within an existing process thread. Code patching is designed to work only on specific processes modified by a user and typically requires a high level of programming expertise.
The remote thread technique for Windows 95/98/NT also requires an injecting process having access to a target thread. The injected code is copied to a memory area in the target thread address space. Then a new thread is started for the target process. This new thread executes the injected code. The remote thread technique also works only on specific processes modified by a user.
These injection techniques do not provide the ability for injected code to be the first non-operating system code to execute in new address space for a new process created by a windowed operating system. In addition these injection techniques are designed to work on specific processes modified by a user and do not allow injection techniques that are generally applicable to any process created by a windowed operating system.
Thus, it is desirable to inject execution logic into new address spaces for new processes created by a windowed operating system that will execute before any application-related associated with the process executes. The injected execution logic should be generally applicable to any process created by a windowed operating system and not require a user's to modify specific processes.
SUMMARY OF THE INVENTION
In accordance with preferred embodiments of the present invention, some of the problems associated with injecting execution logic that executes prior to any application logic are overcome. Methods and system for dynamically injecting execution logic into a shared memory space of a windowed operating system is provided.
One aspect of the present invention includes a method for dynamically injecting execution logic into a shared memory space of a windowed operating system. This method includes starting an injection application with a kernel application used by a windowed operating system. An injection virtual device driver is loaded from the injection application into a first pre-determined memory location in an area of shared memory in the windowed operating system. The virtual injection device driver is used to alter protected areas of memory within the windowed operating system. An injection dynamic link library is loaded from the injection application into a second pre-determined memory location within an area of shared memory for the windowed operating system. A main dynamic link library function within an original kernel dynamic link library including kernel functions for the windowed operating system is located from the injection dynamic link library. A jump command is inserted from the injection dynamic link library within the main dynamic link library function in the kernel dynamic link library to create a modified kernel dynamic link library in memory. The jump command jumps to an injection hook function within the injection dynamic link library whenever a new windowed operating system process is created. The injection hook function within the injection dynamic link library includes multiple injection functions that are executed by the windowed operating system prior to executing any application related logic in a new process address space created by the windowed operating system. The original kernel dynamic link library is replaced in memory with the modified kernel dynamic link library on the windowed operating system. The modified kernel dynamic link library on the windowed operating system is used for kernel services anytime a new process is requested on the windowed operating system.
Another aspect of the
Ingberg Todd
Morrison & Foerster / LLP
Morse Gregory
Novadigm, Inc.
LandOfFree
Dynamic injection of execution logic into main dynamic link... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Dynamic injection of execution logic into main dynamic link..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Dynamic injection of execution logic into main dynamic link... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2996240