RU2014139202A - The way to call system functions in the conditions of use of the kernel system protection - Google Patents


Info

Publication number
RU2014139202A
Authority
RU
Russia
Prior art keywords
call
address
function
handler
functions
Prior art date
Application number
RU2014139202A
Other languages
Russian (ru)
Other versions
RU2585978C2 (en)
Inventor
Максим Витальевич Юдин
Александр Сергеевич Тарасенко
Вячеслав Иванович Левченко
Игорь Юрьевич Кумагин
Original Assignee
Закрытое акционерное общество "Лаборатория Касперского"
Priority date
Filing date
Publication date
Application filed by Закрытое акционерное общество "Лаборатория Касперского"
Priority to RU2014139202/08A
Publication of RU2014139202A
Application granted
Publication of RU2585978C2

Landscapes

  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

A method of calling system functions, during which the following steps are performed:
- a hypervisor is loaded to intercept the system call handler;
- the operating system kernel structures associated with calls to system functions are modified, where the said kernel structures include at least:
  a) the system call handler;
  b) the system call table, in which the call address of at least one system function is replaced with the call address of another function, while the original call address of the system function is preserved;
- the call of the system call handler is intercepted using the hypervisor;
- the other function is called at the replaced address in the system call table;
- the system function is called at the preserved original address.

Claims (1)

A method of calling system functions, during which the following steps are performed:
- a hypervisor is loaded to intercept the system call handler;
- the operating system kernel structures associated with calls to system functions are modified, where the said kernel structures include at least:
  a) the system call handler;
  b) the system call table, in which the call address of at least one system function is replaced with the call address of another function, while the original call address of the system function is preserved;
- the call of the system call handler is intercepted using the hypervisor;
- the other function is called at the replaced address in the system call table;
- the system function is called at the stored original address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
RU2014139202/08A RU2585978C2 (en) 2014-09-30 2014-09-30 Method of invoking system functions in conditions of use of agents for protecting operating system kernel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
RU2014139202/08A RU2585978C2 (en) 2014-09-30 2014-09-30 Method of invoking system functions in conditions of use of agents for protecting operating system kernel

Publications (2)

Publication Number Publication Date
RU2014139202A true RU2014139202A (en) 2016-04-20
RU2585978C2 RU2585978C2 (en) 2016-06-10

Family

ID=55789216

Family Applications (1)

Application Number Title Priority Date Filing Date
RU2014139202/08A RU2585978C2 (en) 2014-09-30 2014-09-30 Method of invoking system functions in conditions of use of agents for protecting operating system kernel

Country Status (1)

Country Link
RU (1) RU2585978C2 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2634176C1 (en) * 2016-07-29 2017-10-24 Акционерное общество "Лаборатория Касперского" System and method for detecting malware by intercepting access to information displayed to user
RU2634168C1 (en) * 2016-07-29 2017-10-24 Акционерное общество "Лаборатория Касперского" System and method for blocking access to protected applications

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7703081B1 (en) * 2005-09-22 2010-04-20 Symantec Corporation Fast system call hooking on x86-64 bit windows XP platforms
US8484734B1 (en) * 2006-08-22 2013-07-09 Trend Micro Incorporated Application programming interface for antivirus applications
US7996836B1 (en) * 2006-12-29 2011-08-09 Symantec Corporation Using a hypervisor to provide computer security
US8380987B2 (en) * 2007-01-25 2013-02-19 Microsoft Corporation Protection agents and privilege modes
US7765374B2 (en) * 2007-01-25 2010-07-27 Microsoft Corporation Protecting operating-system resources

Also Published As

Publication number Publication date
RU2585978C2 (en) 2016-06-10
