CN115617496B - Method, device, electronic equipment and medium for communication between user mode and kernel mode - Google Patents


Info

Publication number
CN115617496B
CN115617496B
Authority
CN
China
Prior art keywords
interrupt
target
interrupt vector
driver
vector
Prior art date
Legal status
Active
Application number
CN202211553428.XA
Other languages
Chinese (zh)
Other versions
CN115617496A
Inventor
Name not disclosed at the inventor's request
Current Assignee
Moore Threads Technology Co Ltd
Original Assignee
Moore Threads Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Moore Threads Technology Co Ltd
Priority to CN202211553428.XA
Publication of CN115617496A
Application granted
Publication of CN115617496B
Legal status: Active
Anticipated expiration

Classifications

    • G06F9/4812 Task transfer initiation or dispatching by interrupt, e.g. masked (under G06F9/48 Program initiating; program switching, e.g. by interrupt; G06F9/46 Multiprogramming arrangements; G06F9/00 Arrangements for program control)
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F9/54 Interprogram communication (under G06F9/46 Multiprogramming arrangements; G06F9/00 Arrangements for program control)

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Stored Programmes (AREA)

Abstract

The disclosure relates to a method, an apparatus, an electronic device, and a computer-readable medium for user mode and kernel mode communication. The method comprises the following steps: loading a driver including an interrupt handling function, wherein the driver is used for registering a target interrupt vector corresponding to the interrupt handling function; when a target process is established, injecting the target interrupt vector into the target process; and in response to receiving an interrupt including the target interrupt vector, executing the interrupt handling function. By the method, the problem that the communication between the existing user mode application and the kernel mode application is easy to intercept or utilize maliciously can be solved.

Description

Method, device, electronic equipment and medium for communication between user mode and kernel mode
Technical Field
The disclosure relates to a method, an apparatus, an electronic device, and a computer-readable medium for user mode and kernel mode communication.
Background
Conventional means of communication between user mode and kernel mode include standard system calls, DeviceIoControl, driver escape calls, and the like. These conventional methods pass control codes directly to a designated device driver so that the corresponding device performs the requested operation. In the related art, it is highly desirable to improve the security of communication between user mode and kernel mode.
Disclosure of Invention
According to an aspect of the present disclosure, there is provided a method of user mode and kernel mode communication, comprising: loading a driver including an interrupt handling function, wherein the driver is used for registering a target interrupt vector corresponding to the interrupt handling function; when a target process is created, injecting the target interrupt vector into the target process; and in response to receiving an interrupt including the target interrupt vector, executing the interrupt handling function.
According to some example embodiments of the method, the interrupt handling function is a custom interrupt handling function.
According to some exemplary embodiments of the method, the driver registering a target interrupt vector corresponding to the interrupt handling function comprises: scanning the Interrupt Descriptor Table (IDT) and determining an interrupt vector which is neither reserved by the system nor occupied as the target interrupt vector; and decomposing the address of the interrupt handling function into the format of an IDT table entry and filling it into the IDT table entry corresponding to the target interrupt vector.
According to some exemplary embodiments of the method, scanning the IDT and determining a non-system-reserved and unoccupied interrupt vector as the target interrupt vector comprises: obtaining and analyzing the IDT table entry corresponding to each interrupt vector, the CPU-reserved and operating-system-reserved interrupt vectors being skipped; and, when the IDT table entry is invalid, determining that interrupt vector as the target interrupt vector.
According to some exemplary embodiments of the method, the method further comprises: checking whether the driver exists before the target process communicates.
According to some exemplary embodiments of the method, the presence of the driver is checked by detecting whether the driver creates a device object.
According to some exemplary embodiments of the method, a communication environment is prepared before the target process communicates.
According to some exemplary embodiments of the method said preparing the communication environment comprises negotiating a communication protocol and performing data protection.
According to some exemplary embodiments of the method, the communication environment comprises parameters and a means of delivery.
According to another aspect of the present disclosure, there is provided an apparatus for user mode and kernel mode communication, comprising: a loading module, configured to load a driver including an interrupt handling function, where the driver is configured to register a target interrupt vector corresponding to the interrupt handling function; the injection module is used for injecting the target interrupt vector into the target process when the target process is created; and an execution module to execute the interrupt handling function in response to receiving an interrupt including the target interrupt vector.
According to some example embodiments of the apparatus, the interrupt handling function is a custom interrupt handling function.
According to some exemplary embodiments of the apparatus, the loading module comprises: the scanning module is used for scanning the IDT and determining an unoccupied interrupt vector which is not reserved by a system as the target interrupt vector; and the decomposition module is used for decomposing the address of the interrupt processing function into the format of the IDT table entry and filling the IDT table entry corresponding to the target interrupt vector.
According to some exemplary embodiments of the apparatus, the scanning module comprises: an analysis module configured to obtain and analyze the IDT table entry corresponding to each interrupt vector, the CPU-reserved and operating-system-reserved interrupt vectors being skipped, and to determine the interrupt vector as the target interrupt vector when the IDT table entry is invalid.
According to some exemplary embodiments of the device, the device further comprises: a checking module for checking whether the driver exists before the target process communicates.
According to some exemplary embodiments of the apparatus, whether the driver exists is checked by detecting whether the driver creates a device object.
According to some exemplary embodiments of the device, the device further comprises: a preparation module to prepare a communication environment before the target process communicates.
According to some exemplary embodiments of the apparatus, the preparing the communication environment comprises negotiating a communication protocol and performing data protection.
According to some example embodiments of the apparatus, the communication environment comprises parameters and a means of delivery.
According to another aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to invoke the instructions stored in the memory to perform the above-described method.
According to another aspect of the present disclosure, there is provided a computer-readable medium having instructions stored thereon, which when executed cause a computing device to perform the method according to any of the above embodiments.
By the method and the apparatus, the problems that communication between existing user-mode and kernel-mode applications is easy to intercept and easy for third-party software to exploit maliciously can be overcome. Since the whole process of the present disclosure runs only code implemented by the driver and its target process, the system-provided communication code is bypassed, so that a third-party program cannot intercept or call it. The core of the present disclosure is to provide a new way for user-mode applications to communicate with kernel-mode applications, which improves the security of that communication.
The method is independent of the operating system framework and can be applied on operating systems such as Windows, Linux, Android and iOS, so that it is not constrained by the communication interfaces those frameworks provide.
Drawings
Specific exemplary embodiments of the present disclosure will now be described with reference to the accompanying drawings. This disclosure may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. The terminology used in the detailed description of the particular exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the disclosure. In the drawings, like numbers refer to like parts.
FIG. 1 shows a flow diagram of a method for user mode and kernel mode communication according to one embodiment of the present disclosure.
FIG. 2 shows a block diagram of an apparatus for user mode and kernel mode communication according to one embodiment of the present disclosure.
FIG. 3 illustrates a block diagram of a computing device, according to one embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the present disclosure more clearly understood, the technical solutions of the present disclosure are further described below by referring to the accompanying drawings and examples. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, and/or groups thereof.
Because the conventional communication modes use interrupt vectors reserved by the CPU or the operating system, they are easy to intercept, have low security, and are easy for third-party software to exploit maliciously. For example, if a firmware-upgrade interface is exposed through such a channel without further protection, the firmware can be maliciously upgraded and become a backdoor for a third party; similar concerns arise in anti-debugging, anti-cheat and other scenarios.
Therefore, an improved way for user mode to communicate with kernel mode is needed to address the above deficiencies.
FIG. 1 is a flow chart illustrating a method 100 for user mode and kernel mode communication according to an embodiment of the present disclosure.
As shown in FIG. 1, at step 102, a driver including an interrupt handling function is loaded, where the driver is to register a target interrupt vector corresponding to the interrupt handling function. On the Windows operating system, loading an NT-style driver and loading a WDM driver are distinguished. An NT-style driver is loaded either 1. with the DriverMonitor tool, or 2. by filling in the corresponding fields in the registry; Windows loads NT-style drivers as services, in the same way that a Windows service program is loaded. Dynamic loading of a device driver is performed mainly through the Service Control Manager (SCM) system component, which provides services such as start, stop and control to components running on Windows (a service is similar to a daemon on Linux), so a loader program for such a driver is written mainly to operate the SCM. Unlike an NT-style driver, a WDM driver cannot be loaded as a service and therefore cannot be loaded merely by modifying the registry; its loading process is described by a text file with the INF suffix. Compared with the NT driver model, WDM adds plug-and-play support, so an INF file is needed at installation time to supply the necessary information. The system first locates the INF file and, following its instructions, copies the driver files (the .sys file) to the corresponding system directory and modifies the corresponding registry entries. At the same time the PnP manager is notified, the I/O manager creates a new device and executes the driver's entry function DriverEntry; the INF file provides all information required by the WDM driver, including the registry entries to be created or modified and the files to be copied.
On the Linux operating system, drivers are loaded in two ways: 1. dynamic loading, where the .ko kernel object file is loaded with insmod, device nodes can be created with the mknod command once loading succeeds, and the module can be unloaded with rmmod when no longer needed; 2. static loading, where the driver is compiled directly into the kernel and can be called directly once the system has started, without any load or unload command.
Usually, when an interrupt arrives, the processor locates the corresponding interrupt handling function (interrupt service routine, ISR) according to the interrupt vector and uses it to process the signal. In one example, the driver is implemented by the user and the interrupt handling function is a user-defined interrupt service routine, so a free interrupt vector is found in the interrupt descriptor table (IDT) and assigned to that routine, so that the processor executes the user-defined routine whenever that interrupt vector is raised.
After the driver has been loaded, it first scans the Interrupt Descriptor Table (IDT). For example, an x86 CPU describes interrupts and exceptions with an array of 256 entries whose index is the interrupt vector; each entry is a gate descriptor (a task, interrupt or trap gate) describing the interface to an interrupt/exception handler. This array is the IDT: when the CPU receives an interrupt request, it uses the interrupt vector to obtain the description of the corresponding handler interface and executes the handler.
The interrupt vector is an integer. On an x86 CPU, for example, it uniformly numbers interrupts (raised by external devices) and exceptions (raised by the CPU while executing a program); within one CPU core each interrupt/exception corresponds to exactly one vector, but the same vector may correspond to different device interrupts on different cores (under Linux, at least, exceptions use the same vector on every core). For example, the vector range is [0,255]; [0,31] is reserved for use by the system (mostly for exceptions) and the remainder is available for peripheral interrupts, although system components such as the local APIC also occupy part of the range [32,255].
In one example, the CPU-reserved and operating-system-reserved interrupt vectors are skipped when scanning the IDT. The IDT table entry corresponding to the next interrupt vector is then fetched and analyzed. If the entry is found to be valid, the interrupt vector is already occupied by another interrupt service routine and is skipped. If the entry is found to be invalid, the interrupt vector is not occupied by any other routine and is determined to be an unoccupied, non-system-reserved interrupt vector, which is used as the target interrupt vector.
Then, the address of the interrupt handling function provided by the driver is decomposed into the format of an IDT table entry and filled into the IDT table entry corresponding to the target interrupt vector. In this way the driver registers the interrupt handling function: when an interrupt with that vector arrives, the processor finds the corresponding interrupt handling function through the IDT entry and executes it.
At step 104, the target interrupt vector is injected into the target process when the target process is created. For example, a user creates a process when operating a computing device such as a computer or smartphone. Creating a process means allocating an independent memory space, storing the complete code in it, and then executing the process's task. In one example, a user logs in and a user command requests the creation of a process; more specifically, on Windows the user double-clicks an icon, and on Android or iOS the user taps an app, to create a process. Alternatively or additionally, the system may itself create one or more processes at runtime. In one example, process creation is monitored until the target process is created, at which point the target interrupt vector is injected into it; illustratively, a process-creation notification may be registered and awaited for the target process.
At step 106, in response to receiving an interrupt including the target interrupt vector, the interrupt handling function is executed. After the target process has completed initialization and is running, when it triggers the interrupt, the processor executes the interrupt handling function corresponding to the target interrupt vector, because that vector was injected into the target process. Illustratively, the processor may determine the address of the interrupt handling function from the target interrupt vector and the IDT table entry, and execute the function at that address. In some optional embodiments, it may first be checked whether the target interrupt vector is valid; if so, the corresponding interrupt handling function is executed, and if not, the conventional path for communication between user-mode and kernel-mode applications may be used instead.
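The following C program is an added example written for this page; it is not code from the patent or from Moore Threads. It models the IDT scan and registration of step 102 and the validity check of step 106 in user space, on a constructed in-memory copy of the IDT rather than on the real one (writing the real IDT needs kernel privileges, and on 64-bit Windows the IDT is covered by Kernel Patch Protection, so a driver that rewrites it as described is bugchecked unless that protection is not in effect). It decomposes a handler address into the 16-byte x86-64 gate format, skips the CPU-reserved vectors 0..31 and an OS-reserved bitmap, and accepts only a vector whose entry is not present on any CPU's IDT, because Windows keeps one IDT per processor and the entry must be filled on all of them. The gate is installed with DPL = 3: without that, `int <vector>` issued by the ring-3 target process raises #GP instead of reaching the handler. The handler address, the code selector 0x10, the two-core layout, the vectors marked present and the reserved range 0xF0..0xFF are assumptions for the sample, not values from the patent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IDT_ENTRIES        256
#define CPU_RESERVED_LAST  31      /* vectors 0..31 belong to the CPU (exceptions) */
#define NCPU               2       /* constructed sample: two cores, one IDT each */
#define GATE_PRESENT       0x80u   /* type_attr byte: P | DPL(2 bits) | 0 | type(4 bits) */
#define GATE_DPL_SHIFT     5
#define GATE_TYPE_INTR     0x0Eu   /* 64-bit interrupt gate */
#define GATE(idts, c, v)   ((idts)[(c) * IDT_ENTRIES + (v)])

/* 16-byte IDT entry used by x86-64 long mode. */
typedef struct {
    uint16_t offset_low;    /* handler address bits 0..15 */
    uint16_t selector;      /* kernel code segment selector */
    uint8_t  ist;           /* bits 0..2: IST index, 0 = none */
    uint8_t  type_attr;     /* present bit, DPL, gate type */
    uint16_t offset_mid;    /* handler address bits 16..31 */
    uint32_t offset_high;   /* handler address bits 32..63 */
    uint32_t reserved;
} idt_gate64;
_Static_assert(sizeof(idt_gate64) == 16, "x86-64 IDT entries are 16 bytes");

/* Decompose a handler address into the gate format (the filling step of step 102). */
void idt_encode_gate(idt_gate64 *g, uint64_t handler, uint16_t cs, unsigned dpl, unsigned type)
{
    memset(g, 0, sizeof *g);
    g->offset_low  = (uint16_t)(handler & 0xFFFFu);
    g->offset_mid  = (uint16_t)((handler >> 16) & 0xFFFFu);
    g->offset_high = (uint32_t)(handler >> 32);
    g->selector    = cs;
    g->type_attr   = (uint8_t)(GATE_PRESENT | ((dpl & 3u) << GATE_DPL_SHIFT) | (type & 0x0Fu));
}
uint64_t idt_gate_offset(const idt_gate64 *g)
{
    return (uint64_t)g->offset_low | ((uint64_t)g->offset_mid << 16) | ((uint64_t)g->offset_high << 32);
}
bool     idt_gate_present(const idt_gate64 *g) { return (g->type_attr & GATE_PRESENT) != 0; }
unsigned idt_gate_dpl(const idt_gate64 *g)     { return (g->type_attr >> GATE_DPL_SHIFT) & 3u; }

/* Scan (step 102): skip CPU-reserved vectors and those in the OS-reserved bitmap, and
 * return the first vector whose entry is not present on any CPU's IDT, or -1 if none. */
int idt_find_free_vector(const idt_gate64 *idts, int ncpu, const uint8_t os_reserved[IDT_ENTRIES / 8])
{
    for (int v = CPU_RESERVED_LAST + 1; v < IDT_ENTRIES; v++) {
        if (os_reserved[v / 8] & (1u << (v % 8)))
            continue;                                    /* reserved by the OS */
        bool free_on_all = true;
        for (int c = 0; c < ncpu && free_on_all; c++)
            if (idt_gate_present(&GATE(idts, c, v)))
                free_on_all = false;                     /* occupied by another ISR */
        if (free_on_all)
            return v;
    }
    return -1;
}

/* Register the handler on every CPU. DPL = 3 so that `int <vector>` executed in ring 3
 * may enter the gate; with DPL = 0 the CPU raises #GP instead. */
int idt_register_handler(idt_gate64 *idts, int ncpu, const uint8_t os_reserved[IDT_ENTRIES / 8],
                         uint64_t handler, uint16_t kernel_cs)
{
    int v = idt_find_free_vector(idts, ncpu, os_reserved);
    if (v < 0)
        return -1;
    for (int c = 0; c < ncpu; c++)
        idt_encode_gate(&GATE(idts, c, v), handler, kernel_cs, 3, GATE_TYPE_INTR);
    return v;
}

/* Validity check before use (step 106): not CPU-reserved, present, callable from ring 3,
 * and still pointing at our handler on every CPU (i.e. the entry has not been replaced). */
bool idt_vector_usable(const idt_gate64 *idts, int ncpu, int v, uint64_t expected_handler)
{
    if (v <= CPU_RESERVED_LAST || v >= IDT_ENTRIES)
        return false;
    for (int c = 0; c < ncpu; c++) {
        const idt_gate64 *g = &GATE(idts, c, v);
        if (!idt_gate_present(g) || idt_gate_dpl(g) != 3 || idt_gate_offset(g) != expected_handler)
            return false;
    }
    return true;
}

/* Constructed sample state, not a real IDT: vectors 0..47 present on both cores,
 * vector 48 present on core 1 only, and an assumed OS-reserved block 0xF0..0xFF. */
idt_gate64 g_idts[NCPU * IDT_ENTRIES];
uint8_t    g_os_reserved[IDT_ENTRIES / 8];
void build_sample_idts(void)
{
    memset(g_idts, 0, sizeof g_idts);
    memset(g_os_reserved, 0, sizeof g_os_reserved);
    for (int c = 0; c < NCPU; c++)
        for (int v = 0; v <= 47; v++)
            idt_encode_gate(&GATE(g_idts, c, v), 0xFFFFF80000100000ull + 16u * v, 0x10, 0, GATE_TYPE_INTR);
    idt_encode_gate(&GATE(g_idts, 1, 48), 0xFFFFF80000200000ull, 0x10, 0, GATE_TYPE_INTR);
    for (int v = 0xF0; v < IDT_ENTRIES; v++)
        g_os_reserved[v / 8] |= (uint8_t)(1u << (v % 8));
}

int main(void)
{
    const uint64_t handler = 0xFFFFF80012345678ull;   /* assumed address of the driver's ISR */
    build_sample_idts();
    int v = idt_register_handler(g_idts, NCPU, g_os_reserved, handler, 0x10);
    printf("target vector %d, usable from user mode: %s\n", v,
           idt_vector_usable(g_idts, NCPU, v, handler) ? "yes" : "no");
    return v < 0;
}
```

On the sample the scan returns vector 49: 32..47 are present on both cores and 48 is present on core 1, which is exactly why a per-CPU scan matters. Two checks that the patent text only implies are made explicit: the vector is compared against the expected handler address on every core, so a later hook of the entry is noticed before the process uses it, and the DPL is verified, since a gate that is present but not callable from ring 3 is useless for a user-mode caller.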
In some optional embodiments, the processor may execute the user-defined driver to register the target interrupt vector corresponding to the interrupt handling function, inject the target interrupt vector into the target process when it is created, and execute the interrupt handling function in response to receiving an interrupt including the target interrupt vector. In this way the registration of the target interrupt vector, its injection and the execution of the interrupt handling function are all performed by the custom driver, so that the system's own programs and checks are not involved and interception or calling by a third-party program is effectively prevented.
Additionally or alternatively, whether the driver exists is checked before the target process communicates. The driver is a user-defined driver comprising a user-defined interrupt handling function. Specifically, whether the target driver (the custom driver) exists is checked by detecting whether the driver has created a device object. In one example, the device object is identified by a characteristic string: if the string is detected, the target driver already exists; otherwise it does not. If the target driver exists, the target process proceeds to communicate; otherwise it keeps waiting until the target driver exists, or uses the conventional communication mode.
Additionally or alternatively, a communication environment is prepared before the target process communicates. For example, preparing the communication environment includes negotiating a communication protocol and performing data protection, which prevents the problem of invalid memory caused by process switching during use. In one example, the communication environment includes parameters and a means of communication.
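As an added example that is not part of the patent, the following C code shows one possible shape of the communication environment described in this paragraph: a fixed request header the target process fills in before raising the target interrupt, a version negotiation, and a validation routine the handler runs on its own copy of the request. Two points the patent leaves open are handled explicitly. First, the handler validates a kernel-side copy and is given the number of bytes actually copied, so a payload length the caller lied about cannot make it read past the copy; copying first also removes any dependence on the user mapping still being valid when the handler runs. Second, the integrity check is a CRC-32, which detects corruption but not deliberate tampering, and since any ring-3 code can execute `int <vector>` once the gate is callable from user mode, the handler must also verify which process raised the interrupt rather than rely on the vector having been injected only into the target process; neither a keyed MAC nor that caller check is shown here. The names chan_build, chan_validate and chan_negotiate_version, the magic value, the version range, the opcode and the sample payload are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHAN_MAGIC        0x4B4D5543u   /* assumed protocol tag */
#define CHAN_VERSION_MIN  1u            /* versions the handler implements (assumed) */
#define CHAN_VERSION_MAX  2u
#define CHAN_MAX_PAYLOAD  4096u

/* Request header the target process places in its buffer before raising the
 * target interrupt; the payload follows immediately. 16 bytes, no padding. */
typedef struct {
    uint32_t magic;
    uint16_t version;
    uint16_t opcode;
    uint32_t payload_len;
    uint32_t crc32;        /* CRC-32 over this header (with crc32 = 0) plus the payload */
} chan_hdr;

typedef enum { CHAN_OK = 0, CHAN_ERR_SHORT, CHAN_ERR_MAGIC, CHAN_ERR_VERSION,
               CHAN_ERR_LEN, CHAN_ERR_CRC } chan_status;

/* Standard CRC-32 (reflected, polynomial 0xEDB88320); pass the previous result to chain. */
uint32_t crc32_ieee(uint32_t crc, const uint8_t *p, size_t n)
{
    crc = ~crc;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t chan_crc(const chan_hdr *h, const uint8_t *payload, size_t len)
{
    chan_hdr tmp = *h;
    tmp.crc32 = 0;
    return crc32_ieee(crc32_ieee(0, (const uint8_t *)&tmp, sizeof tmp), payload, len);
}

/* Protocol negotiation: the highest version both sides implement, or -1 if none. */
int chan_negotiate_version(unsigned user_min, unsigned user_max)
{
    unsigned lo = user_min > CHAN_VERSION_MIN ? user_min : CHAN_VERSION_MIN;
    unsigned hi = user_max < CHAN_VERSION_MAX ? user_max : CHAN_VERSION_MAX;
    return lo <= hi ? (int)hi : -1;
}

/* User side: frame a request. Returns the total length, or 0 if it does not fit. */
size_t chan_build(uint8_t *out, size_t cap, uint16_t version, uint16_t opcode,
                  const uint8_t *payload, size_t len)
{
    if (len > CHAN_MAX_PAYLOAD || cap < sizeof(chan_hdr) + len)
        return 0;
    chan_hdr h = { CHAN_MAGIC, version, opcode, (uint32_t)len, 0 };
    h.crc32 = chan_crc(&h, payload, len);
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, payload, len);
    return sizeof h + len;
}

/* Handler side: validate a request already copied into kernel memory. `avail` is the
 * number of bytes actually copied, so a bogus payload_len can never read past the copy. */
chan_status chan_validate(const uint8_t *buf, size_t avail)
{
    chan_hdr h;
    if (avail < sizeof h)
        return CHAN_ERR_SHORT;
    memcpy(&h, buf, sizeof h);                       /* safe for unaligned buffers */
    if (h.magic != CHAN_MAGIC)
        return CHAN_ERR_MAGIC;
    if (h.version < CHAN_VERSION_MIN || h.version > CHAN_VERSION_MAX)
        return CHAN_ERR_VERSION;
    if (h.payload_len > CHAN_MAX_PAYLOAD || h.payload_len > avail - sizeof h)
        return CHAN_ERR_LEN;                         /* length is checked before the CRC uses it */
    if (chan_crc(&h, buf + sizeof h, h.payload_len) != h.crc32)
        return CHAN_ERR_CRC;
    return CHAN_OK;
}

/* Constructed sample request (not real traffic): opcode 0x0101, 14-byte payload
 * (the string below including its terminator). */
size_t build_sample_request(uint8_t *out, size_t cap)
{
    static const uint8_t payload[] = "hello, kernel";
    return chan_build(out, cap, 2, 0x0101, payload, sizeof payload);
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample_request(buf, sizeof buf);
    printf("%zu-byte request, status %d\n", n, (int)chan_validate(buf, n));
    buf[sizeof(chan_hdr)] ^= 0x01;                   /* one flipped payload bit */
    printf("after corruption, status %d (CHAN_ERR_CRC = %d)\n",
           (int)chan_validate(buf, n), (int)CHAN_ERR_CRC);
    return 0;
}
```

The order of the checks is deliberate: magic and version are cheap and reject foreign traffic early, the length is bounded by both the protocol maximum and the bytes actually copied before the CRC is computed over it, and the CRC runs last because it is the only step whose cost depends on attacker-controlled data.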
It should be noted that the loading of the driver starts together with the system. While the system is running and the driver has been loaded successfully and still exists, communication can be performed by the method of the embodiments of the present disclosure; if the driver was not loaded successfully, or no longer exists after having been loaded, the conventional communication between user-mode and kernel-mode applications can be performed instead.
It is understood that the above-mentioned embodiments of the method of the present disclosure can be combined with each other to form a combined embodiment without departing from the principle logic, which is limited by the space, and the detailed description of the present disclosure is omitted.
Those skilled in the art will appreciate that in the above methods of the specific embodiments, the specific order of execution of the steps should be determined by their function and possibly their inherent logic.
In addition, the present disclosure also provides a device for communication between a user mode and a kernel mode, an electronic device, a computer-readable storage medium, and a computer program product, which can all be used to implement any one of the user mode and kernel mode communication methods provided by the present disclosure, and corresponding technical solutions and technical effects can be referred to in the corresponding descriptions of the method sections, and are not described again.
FIG. 2 shows a block diagram of an apparatus for user mode and kernel mode communication according to one embodiment of the present disclosure.
As shown in FIG. 2, the apparatus 200 may include a loading module 202, an injection module 206 and an execution module 212. In particular, the loading module 202 may be configured to load a driver including an interrupt handling function, where the driver is to register a target interrupt vector corresponding to the interrupt handling function. In one example, the driver is a target driver implemented by the user and the interrupt handling function is a user-defined interrupt service routine. For the driver to register the target interrupt vector, it scans the IDT, determines a non-system-reserved and unoccupied interrupt vector as the target interrupt vector, decomposes the address of the interrupt handling function into the format of an IDT table entry and fills it into the entry corresponding to that vector. In one example, the loading module 202 may include a scanning module 2022 and a decomposition module 2024: the scanning module 2022 may be configured to scan the IDT and determine a non-system-reserved and unoccupied interrupt vector as the target interrupt vector, and the decomposition module 2024 may be configured to decompose the address of the interrupt handling function into the format of an IDT entry and fill it into the entry corresponding to that vector. For example, the scanning module 2022 skips the CPU-reserved and operating-system-reserved interrupt vectors when scanning the IDT. In one example, the scanning module 2022 includes a parsing module 20222, which may be configured to obtain and parse the IDT entry corresponding to an interrupt vector, determine that vector as the target interrupt vector when the entry is invalid, and skip it when the entry is valid.
In some embodiments, the apparatus may also include a monitoring module 204 configured to monitor creation of the target process. For example, a user creates a process when operating a computing device such as a computer or smartphone. In one example, a user logs in and a user command requests the creation of a process; more specifically, on Windows the user double-clicks an icon, and on Android or iOS the user taps an app, to create a process. Alternatively or additionally, the system may itself create one or more processes at runtime. In one example, the monitoring module 204 monitors process creation until the target process is created, and the injection module 206 then injects the target interrupt vector into the target process. After the target process triggers the interrupt, the execution module 212, in response to receiving the interrupt including the target interrupt vector, executes the interrupt handling function corresponding to that vector, which is possible because the previously determined vector was injected into the target process.
Additionally or alternatively, the apparatus 200 may further comprise a checking module 208 configured to check whether the target driver exists before the target process communicates. The target driver is a user-defined driver comprising a user-defined interrupt handling function. Specifically, whether the target driver exists is checked by detecting whether it has created a device object. In one example, the device object is identified by a characteristic string: if the string is detected, the target driver already exists; otherwise it does not. If the target driver exists, the target process proceeds to communicate; otherwise it keeps waiting until the target driver exists, or uses the conventional communication mode.
Additionally or alternatively, the apparatus 200 may further include a preparation module 210 configured to prepare the communication environment before the target process communicates. For example, preparing the communication environment includes negotiating a communication protocol and performing data protection. In one example, the communication environment includes parameters and a means of communication.
In various embodiments, device 200 may be used to perform the steps of any method as described above. Thus, any feature according to the method is applicable to the apparatus 200 and vice versa.
In some embodiments, functions or modules included in the apparatus provided in the embodiments of the present disclosure may be used to execute the method described in the above method embodiments, and specific implementations and technical effects thereof may refer to the description of the above method embodiments, which are not described herein again for brevity.
Embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the above-described method. The computer-readable storage medium may be a non-volatile computer-readable storage medium, or may be a volatile computer-readable storage medium.
Embodiments of the present disclosure also provide a computer program, which includes computer readable code, and when the computer readable code runs in an electronic device, a processor in the electronic device executes the above method.
The disclosed embodiments also provide a computer program product comprising computer readable code or a non-volatile computer readable storage medium carrying computer readable code, which when run in an electronic device, a processor in the electronic device performs the above method.
An embodiment of the present disclosure further provides an electronic device, including: one or more processors; a memory for storing executable instructions; wherein the one or more processors are configured to invoke the memory-stored executable instructions to perform the above-described method.
The electronic device may be provided as a terminal, server, or other form of device.
Additionally or alternatively, the above-described methods, universal docking modules, service platforms, or third party platforms of the present application may be implemented on one or more computers or servers or similar devices using computer processors, memory units, storage devices, computer software and other components. A high-level block diagram of such a computer or server is shown in fig. 3. Herein, a computer, server, or other device that includes a processor is collectively referred to as a computing device. The computing device 302 contains a processor 304, and the processor 304 controls the operation of the computer 302 by executing computer program instructions that define the overall operation. The computer program instructions may be stored in a storage device 312 (e.g., a magnetic disk) and loaded into memory 310 when execution of the computer program instructions is required. Thus, the steps of the method with reference to fig. 1 may be defined by computer program instructions stored in the memory 310 and/or storage 312 and controlled by the processor 304 executing the computer program instructions. The computing device 302 also includes one or more network interfaces 306 for communicating with other devices via a network. Computing device 302 also includes other input/output devices 308 (e.g., display, keyboard, mouse, speakers, buttons, etc.) that enable a user to interact with computer 302. Those skilled in the art will recognize that embodiments of an actual computer may contain other components as well, and that FIG. 3 is a high-level representation of some of the components of such a computer for illustrative purposes.
Storage device 312 and memory 310 each include tangible, non-transitory computer-readable storage media. Storage 312 and memory 310 may each include high speed random access memory, such as Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Double Data Rate synchronous dynamic random access memory (DDR RAM), or other random access solid state memory devices, and may include non-volatile memory, such as one or more magnetic disk storage devices (such as an internal hard disk and a removable magnetic disk), magneto-optical disk storage, flash memory devices, semiconductor memory devices (such as Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM)), compact disk read only memory (CD-ROM), digital versatile disk read only memory (DVD-ROM) disks, or other non-volatile solid state memory devices.
In another embodiment, the method, the universal docking module, the service platform, or the third party platform described above may be implemented in a network-based cloud computing system. In such a network-based cloud computing system, a server communicates with one or more client computers via a network. The client computer may communicate with the server, for example, via a web browser application that resides on and runs on the client computer. A client computer may store data on a server and access the data via a network. The client computer may transmit a data request or an online service request to the server via the network. The server may implement the requested service and provide the data to the client computer(s). The server may also transmit data adapted to cause the client computer to perform specified functions (e.g., perform calculations, display specified data on a screen, etc.). Some of the steps of the above-described method may be performed by a server or by other computers/processors in a network-based cloud computing system. Certain steps of the above-described method may be implemented locally by a client computer in a network-based cloud computing system. The steps of the above-described method may be implemented by one or more devices in a network-based cloud computing system or by a local client computer in any combination.
It is appreciated that certain features of the application, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the application which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the application. Certain features described in the context of various embodiments should not be considered essential features of those embodiments unless the embodiment is ineffective without those elements.
While the present application has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications, and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.
All publications, patents, and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent, or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present application. Where section headers are used, they should not be construed as necessarily limiting.

Claims (16)

1. A method of user mode and kernel mode communication, the method comprising:
loading a driver including an interrupt handling function, wherein the driver is used for registering a target interrupt vector corresponding to the interrupt handling function;
when the creation of a target process is monitored, injecting the target interrupt vector into the target process; and
in response to receiving an interrupt including the target interrupt vector, executing the interrupt handling function;
wherein the driver registering a target interrupt vector corresponding to the interrupt handling function comprises:
scanning an Interrupt Descriptor Table (IDT) and determining a non-system-reserved and unoccupied interrupt vector as the target interrupt vector, and
decomposing the address of the interrupt handling function into the IDT table entry format and filling it into the IDT table entry corresponding to the target interrupt vector;
wherein scanning the IDT and determining a non-system-reserved and unoccupied interrupt vector as the target interrupt vector comprises:
obtaining and analyzing the IDT table entry corresponding to an interrupt vector, wherein the interrupt vector is one that skips over the interrupt vectors reserved by the CPU and the interrupt vectors reserved by the operating system, and
when the IDT table entry is invalid, determining the interrupt vector as the target interrupt vector.
2. The method of claim 1, wherein the interrupt handling function is a custom interrupt handling function.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
checking whether the driver exists before the target process communicates.
4. The method according to claim 3, characterized in that whether the driver exists is checked by detecting whether the driver has created a device object.
5. The method according to claim 1 or 2, wherein a communication environment is prepared before the target process communicates.
6. The method of claim 5, wherein preparing the communication environment comprises negotiating a communication protocol and performing data protection.
7. The method of claim 6, wherein the communication environment comprises parameters and a means of communication.
8. An apparatus for user mode and kernel mode communication, the apparatus comprising:
a loading module, configured to load a driver including an interrupt handling function, where the driver is configured to register a target interrupt vector corresponding to the interrupt handling function;
the injection module is used for injecting the target interrupt vector into the target process when the target process is created; and
an execution module to execute the interrupt handling function in response to receiving an interrupt including the target interrupt vector;
wherein the loading module comprises:
a scanning module for scanning the Interrupt Descriptor Table (IDT) and determining a non-system-reserved and unoccupied interrupt vector as the target interrupt vector, and
a decomposition module for decomposing the address of the interrupt handling function into the IDT table entry format and filling it into the IDT table entry corresponding to the target interrupt vector;
wherein the scanning module comprises:
an analysis module, configured to obtain and analyze the IDT table entry corresponding to an interrupt vector, where the interrupt vector is one that skips over the interrupt vectors reserved by the CPU and the interrupt vectors reserved by the operating system, and
when the IDT table entry is invalid, determining the interrupt vector as the target interrupt vector.
9. The apparatus of claim 8, wherein the interrupt handling function is a custom interrupt handling function.
10. The apparatus of claim 8 or 9, further comprising:
a checking module for checking whether the driver exists before the target process communicates.
11. The apparatus of claim 10, wherein whether the driver exists is checked by detecting whether the driver has created a device object.
12. The apparatus of claim 8 or 9, further comprising:
a preparation module to prepare a communication environment before the target process communicates.
13. The apparatus of claim 12, wherein preparing the communication environment comprises negotiating a communication protocol and performing data protection.
14. The apparatus of claim 12, wherein the communication environment comprises parameters and a means of communication.
15. An electronic device, comprising: a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to invoke the memory-stored instructions to perform the method of any one of claims 1 to 7.
16. A computer-readable medium having instructions stored thereon that, when executed, cause a computing device to perform the method of any of claims 1-7.
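Claim 1's registration procedure (scan the IDT for a vector above the CPU- and OS-reserved ranges whose entry is not present, then decompose the handler address into the 64-bit gate format and fill the entry) together with a defender-side integrity check over the same table, as an added example that is not the patent's own code: the gate layout follows the Intel SDM, while the kernel text range, code selector 0x10 and handler addresses are constructed assumptions for a captured IDT image.

```c
#include <stdint.h>
#include <string.h>
/* x86-64 IDT gate descriptor, 16 bytes (Intel SDM Vol. 3, 6.14.1). */
struct idt_gate {
    uint16_t offset_low, selector;  /* handler bits 0..15; code segment    */
    uint8_t  ist, type_attr;        /* IST index; P | DPL(2) | 0 | type(4) */
    uint16_t offset_mid;            /* handler bits 16..31                 */
    uint32_t offset_high, zero;     /* handler bits 32..63; reserved       */
};
#define IDT_ENTRIES      256
#define CPU_RESERVED_MAX 31   /* vectors 0..31 are architecturally reserved */
#define GATE_PRESENT     0x80
#define GATE_INT64       0x0e /* 64-bit interrupt gate type */

/* Reassemble the 64-bit handler address from the three offset fields. */
uint64_t gate_handler(const struct idt_gate *g) {
    return (uint64_t)g->offset_low | ((uint64_t)g->offset_mid << 16) |
           ((uint64_t)g->offset_high << 32);
}

/* Claim 1's "decompose the address into IDT table entry format" and fill it. */
void gate_encode(struct idt_gate *g, uint64_t handler, uint16_t cs, uint8_t dpl) {
    memset(g, 0, sizeof *g);
    g->offset_low  = (uint16_t)handler;
    g->offset_mid  = (uint16_t)(handler >> 16);
    g->offset_high = (uint32_t)(handler >> 32);
    g->selector    = cs;
    g->type_attr   = GATE_PRESENT | (uint8_t)((dpl & 3) << 5) | GATE_INT64;
}

/* Claim 1's scan: first vector above both reserved ranges whose entry is not
 * present (the claim's "invalid" entry); -1 when every vector is taken. */
int find_free_vector(const struct idt_gate *idt, int os_reserved_max) {
    int v = (os_reserved_max > CPU_RESERVED_MAX ? os_reserved_max : CPU_RESERVED_MAX) + 1;
    for (; v < IDT_ENTRIES; v++)
        if (!(idt[v].type_attr & GATE_PRESENT)) return v;
    return -1;
}

/* Defender-side check over a captured IDT image: report present gates whose
 * handler lies outside the expected code range [lo, hi), e.g. the kernel text.
 * Returns the total count; at most `max` vector numbers are written to `out`. */
int audit_idt(const struct idt_gate *idt, uint64_t lo, uint64_t hi, int *out, int max) {
    int n = 0;
    for (int v = 0; v < IDT_ENTRIES; v++) {
        uint64_t h = gate_handler(&idt[v]);
        if (!(idt[v].type_attr & GATE_PRESENT) || (h >= lo && h < hi)) continue;
        if (n < max) out[n] = v;
        n++;
    }
    return n;
}
```

Mainstream x86-64 kernels typically route every IDT gate through stubs in their own image and dispatch driver handlers indirectly, so a present gate whose handler lies outside the kernel text range is the footprint that an entry filled as in claim 1 leaves in the table.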
CN202211553428.XA 2022-12-06 2022-12-06 Method, device, electronic equipment and medium for communication between user mode and kernel mode Active CN115617496B (en)

Publications (2)

Publication Number Publication Date
CN115617496A CN115617496A (en) 2023-01-17
CN115617496B true CN115617496B (en) 2023-04-07

Family

ID=84880992

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant