RU2623883C1 - Method of implementating instructions in systemic memory - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: method for transmitting execution of instructions from one memory area to another, in which, at least, one storage area of interest is determined in the original memory area consisting of memory areas; a memory area is created by duplicating the memory area of the original memory area of interest; all memory locations are marked in the original memory area; the execution of instructions written in the original memory area is run in any of the available memory locations in the original memory area, except for the memory area of interest; the execution of instructions is performed in the memory areas of the original memory area of the processor before creating a notification. The notification is generated, when the control of the instruction is transferred from the memory area marked with a single label to the interesting location marked with a different label; the execution of instructions is transferred from the memory area of the original memory area to the memory location of interest, but in the duplicate memory area after the notification is generated.

EFFECT: organizing the execution of instructions loaded in the system memory by alternately transferring the execution of instructions from one memory area to another, the execution of instructions in which created the notification.

11 cl, 8 dwg

Description

Technical field

The invention relates to methods for controlling the execution of machine instructions, and in particular to methods for transferring control between memory areas.

State of the art

Currently, modern technologies designed to generate an API function call log during program execution require intervention in the contents of the process address space or files on the disk, for example, changing the code in the operating system system libraries in memory and on disk. The changes are in the "implementation of the code", which is responsible for the mechanism of logging calls to API functions. The main steps of this mechanism can be the following steps:

- interception of library management (for example, by intercepting API functions by changing the code of the target function);

- transition when calling the API to the memory region containing the code of the handler responsible for processing the API function and writing to the call log;

- execution of the code for the logging system handler;

- return to library management.

To intercept control of the journaling system, methods can also be used consisting in changing the addresses of calling API functions from libraries in the import table of the executable file and / or placing the “intermediate” library, which will be accessed before switching to the original called API function from the original libraries.

Another drawback of existing journaling systems is that well-known journaling systems, as a rule, have difficulties in their implementation on various operating systems and their versions. So updating the operating system can lead to the fact that the logging system stops working, as it will require revision (adaptation) for the changed version.

Another drawback of modern systems is that their presence can be detected by malware, regardless of their privileges, since almost any “intrusion” into the address space of a process can be detected.

Based on the analysis of the current level of technology, it becomes clear that it is necessary to create such a system that does not make changes to the analyzed program and, accordingly, cannot be detected.

Disclosure of invention

The present invention is intended to track the execution of program code by a processor in physical memory. An application of the present invention is the generation of a log of calls to API functions that are called during program execution.

The technical result of the present invention is to organize the execution of instructions loaded in the system memory by alternately transferring the execution of instructions from one memory area to another, different from the execution of the instructions in which it generated a notification.

A method for transmitting the execution of instructions from one memory area to another, in which: at least one memory area of interest is determined in the original memory area, consisting of memory sections; create a memory region by duplicating the memory region of interest of the original memory region; mark all the memory areas in the original memory area, while the labels for the memory area of interest in the original memory area are different from the marks of the remaining memory areas of the original memory area; start executing instructions recorded in the original memory area in any of the available memory areas in the original memory area, except for the memory area of interest; carry out the execution of instructions in the memory areas of the original memory area by the processor until a notification is generated, and a notification is generated when control is transferred from the memory area marked with one label to the memory area of interest marked with an excellent label; transmit execution of instructions from the memory area of the original memory area to the memory area of interest, but in the duplicated memory area, after creating the notification; carry out the execution of instructions in the memory area of interest of the duplicated memory area by the processor until a notification is generated, the notification being generated during any transfer of control from the area of interest of the duplicated memory area; return execution to the original memory location in the corresponding memory location.

In a particular case, a notification is an exception (exception) that is created by the processor and a Page Fault Exception is thrown when control is transferred from the memory section of interest.

In another particular case, duplication is carried out by copying tables and directories. A duplicated memory region may consist of one region of memory of interest, and in the particular case, the region of interest is equal to at least one page.

In a particular case, the execution of instructions of a memory area other than the execution of instructions in which a notification is transmitted is transmitted by rewriting the address of the page directory.

In another particular case, the memory areas in the memory area are marked by setting the attributes in the page table for pages on which the area is displayed and, for example, the pages of the area of interest have the attribute “non-executable”, and duplicate pages of the region of interest have the attribute “executable”.

Brief Description of the Drawings

The accompanying drawings are included to provide a further understanding of the invention and form part of this description, show embodiments of the invention, and together with the description serve to explain the principles of the invention.

The claimed invention is illustrated by the following drawings, in which:

FIG. 1 shows an example of a general purpose computer system;

FIG. 2 shows a method for describing virtual memory;

FIG. 3 shows the principle of duplication of memory;

FIG. 4 shows a method of duplicating virtual memory;

FIG. 5 shows an algorithm for preparing and transferring control mechanism for executing instructions from one virtual memory region to another;

FIG. Figure 6 shows an example of the memory of a process that the OS creates and examples of virtual address space;

FIG. 7 shows the basic steps for preparing the logging system for work;

FIG. Figure 8 shows the operation steps of the logging system.

Although the invention may have various modifications and alternative forms, the characteristic features shown by way of example in the drawings will be described in detail. It should be understood, however, that the purpose of the description is not to limit the invention to its specific embodiment. On the contrary, the purpose of the description is to cover all changes, modifications that are included in the scope of this invention, as defined by the attached formula.

Description of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The above description is intended to help a person skilled in the art for a comprehensive understanding of the invention, which is defined only in the scope of the attached claims.

FIG. 1 represents an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any prior art bus structure comprising, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26, contains basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating ROM systems 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer can be equipped with other peripheral output devices (not displayed), for example, speakers, a printer, etc. .

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 1. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes, may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, that is, in reality there are other ways to establish a connection using the technical means of communication of one computer with another.

Random access memory 25, part of the system memory 22, which in the framework of this application will be referred to as physical memory, all physical memory is divided into physical pages 100, an example of separation is shown in FIG. 2. A set of addresses for addressing physical memory form a physical address space. Since the size of physical memory is limited, virtual memory is created for program execution, a set of addresses for addressing virtual memory forms a virtual address space. Virtual memory in the framework of this application is understood as a set of logical pages in conjunction with the structures that these pages describe (pointer to a page directory, page directory, page table). These structures will be described below. In the framework of this application, the concepts of virtual address space and virtual memory are identical.

The virtual address space is divided into logical pages 100a. The logical page has its own virtual address, and can be mapped to any physical address, as shown in FIG. 2. Thus, logical pages correspond to physical pages or in other words, logical pages are displayed on physical pages. Logical pages, in a particular case, are mapped onto physical pages in random order, as shown in FIG. 2. In another particular case, logical pages are identically mapped onto physical pages. Multiple logical pages can be displayed on one physical page.

Logical pages 100a are virtual objects (that is, they do not really exist, unlike physical pages 100), and each such page in a particular case has two addresses:

- linear - the one along which it is located in the address space;

- physical - the one on which it is displayed in the physical memory of computer 25, in some cases it may not be.

Virtual memory is some way of using system memory 22 on a local computer, and in a particular case on a local computer and a remote computer. Thanks to the page organization of memory, it is possible to implement a virtual memory mechanism with control at the processor level. The logical page of memory can be unloaded, for example, to hard disk 24, while removing its contents from physical memory 25, the size of the actually used virtual memory increases significantly and is already limited by the size of available hard disks, while it is not necessary that the hard disks onto which the pages are unloaded must be located on the local computer.

The mechanism for describing virtual memory in conventional 32-bit paging is shown in FIG. 2. To describe the page, a data structure consisting of the physical address to which the page is mapped and flags (attributes) defining the properties of this page can be used. Information about the 32-bit address of the beginning of the page is in the upper 20 digits - they are stored in the page description. Page descriptions are grouped into page tables 101. Page descriptors are 4-byte entries. These elements are called Page Table Entries (PTEs) and are pointers to pages, in format, the data structures described in the Intel® 64 and IA-32 Architectures Software Developer's Manual (pp. 4-12 - 4-16) . Page tables are grouped into a page directory 102. A page directory 102 is a 4Kb array of 4-byte PDEs (Page Directory Entries). Each element points to a page table 101 and is almost the same as PTE in format. The PDE element determines the position of the page table, indicating the address of the physical memory page, as well as the attributes of the page table. The PDE format is described in Intel® 64 and IA-32 Architectures Software Developer's Manual (pp. 4-12 - 4-16). In order for the processor to be able to use page conversion, it needs to specify the address of the beginning of the page directory 103 (the English Page Directory Base - PDB). This address is stored in register CR3.

So, for addressing in a 32-bit address space, in order to indicate the page number in the page table, you need a 10-bit value (since 1024 page descriptions are stored in the table). To specify which table in the page directory will be used, a 10-bit value is also required. To indicate the offset within the page, a 12-bit value is required. If we add together the sizes of these values, it turns out that to access the memory you need to set a 32-bit data structure: 10 bits is the table number, another 10 is the page number in the table and 12 is the offset inside the page itself.

When the PAE (Physical Address Extension) mode is used, an additional hierarchy level is added - the page directory table 104, which contains the PDPTE (Page-Directory-Pointer-Table Entry) elements. In this case, the CR3 register contains the physical address 105 of the aligned page directory table 104. For more details on the specified mode and format of PDE, PTE, PDPTE elements for this mode, see the Intel® 64 and IA-32 Architectures Software Developer's Manual _ (page 4-17 - 4-25).

In the case where mode 1A-32e is used, an additional hierarchy level is added to the page table, page directory and directory table — the page addressing levels table 107, which contains PML4E (Page Map Level Entry) elements. In this case, CR3 register 106 contains a structure in which the physical address 108 of the aligned page address level table 107 is indicated. The specified mode and format of PDE, PTE, PDPTE, PML4E elements for this mode are described in more detail in Intel® 64 and IA-32 Architectures Software Developer's Manual ”(pp. 4-26 - 4-39).

When the program starts, the operating system creates a process in which its threads will be executed. The program file is loaded into some area of the computer's physical memory. In the case of using virtual memory, the file is loaded into some area of virtual memory onto which the system maps a pool of physical addresses. Then the program starts to run, that is, the processor executes the machine instructions in the order in which they are written in the program file. The process created by the operating system is, in fact, a container of resources needed to execute the program code. In the particular case of a multitasking operating system, each process has its own virtual address space. It follows from the description of the virtual address space addressing mechanism that access to the virtual address space of a process requires access to the CR3 106 control register. By controlling the structures and their elements that are accessed based on the information contained in the CR3 106 control register, the virtual address process space. In the particular case of implementation, with 32-bit addressing, each process has its own page directory, and, accordingly, when switching between processes, the CR3 register 106 is overwritten, which stores the physical address of the aligned page directory. The program does not have to define all the pages, tables and catalog items, it is enough to determine only those that will actually be used and dynamically add or remove new descriptions in the process.

In FIG. 3 shows part of the system memory 22 in a certain area 301 of which instructions for execution are recorded. The memory area in one particular case refers to the area of physical memory, in another particular case, the memory area refers to the area of system memory onto which logical pages are displayed, that is, the area of virtual memory. To carry out controlled execution of the program in the original memory area 301 determine the area of interest. The region of memory region of interest is any region of the memory region, when transferring control to the instructions of which it is necessary to create a notification. In a private interpretation, a site of interest is a site in a certain memory area that is distinguished from others on the basis of some features that determine the site’s content, location, and purpose. In the particular case, the sections of interest are the sections of the memory area containing program instructions, when transferring control to which it is necessary to check the status of the registers in order to evaluate the sequence of execution of program instructions. Also, the area of interest can combine a set of instructions designed to perform some action (accessing the hard drive, transferring information over the network, etc.).

Next, duplicate sections of the original memory region are carried out, where at least the region of interest 303 is duplicated. The memory is duplicated in different ways. In one particular case, direct copying of instructions and section data to another memory area 301a is carried out, as shown in FIG. 3. Thus, areas with identical contents appear in the physical memory. In another particular case, data is not copied; new directories 102 and page tables 101 are created that point to the same areas of physical memory (Fig. 4).

Next, the memory sections are marked in the original memory area 301, while the marks for the regions of interest 303 are different from the marks of the remaining sections 304 of the original region. As labels, a modification of the bytes of instructions in the memory section can be used. In another particular case, the instructions themselves and the data do not change at all, but the attributes in the structures describing these sections change. For example, the pages of the site of interest are set to the non-executable attribute, and the pages of the remaining sections are set to the executable attribute. You can also use read / write attributes and others. In the next step, the areas in the duplicated memory area 301a are marked, and the labels for the area of interest are different from the marks of the remaining parts of the duplicated memory area 301a. In one particular case, for the duplicated section 303a, the same marks apply as for the original 303, in another particular case other marks apply. For example, in the original memory area, the pages of the region 303 of interest are set to the attribute “non-executable”, and the pages of other sections 304 of the original region are set to the “executable” attribute, the sections which had the “non-executable” attribute will retain this attribute. For the duplicated area 301a, an inversion of attributes is performed, where the pages of the area of interest are set to the attribute “executable”, and the pages of the remaining sections are set to the attribute “not executable”. Next, a memory area is selected to execute the instructions that it contains by the processor.

After the above-described manipulations, instructions are executed in the selected memory area by the processor, until a notification appears, where a notification is created when control is transferred from the section marked with one mark to the section of the mark marked with an excellent mark. Such notifications may include at least exceptions and interruptions. Interrupts and exceptions are events that mean that somewhere in the system (equipment) or inside the currently running program or task, a condition has occurred that requires immediate attention from the processor. Interruptions and exceptions lead to a forced transfer of control from the current program or task to a special program procedure or task called an interrupt handler or exception handler. Action in response to an interrupt or exception - handling the interrupt or exception.

Exceptions occur when the processor determines the occurrence of an error during the execution of an instruction. Possible interruptions and exceptions are described in the Intel® 64 and IA-32 Architectures Software Developer's Manual (p. 6-1 - 6-68).

In the particular case, the processing of the received notification is the transfer of execution of instructions of the memory area different from the one in which the notification was created. For example, if execution was performed in the original memory region 301, execution was transferred to the duplicated memory region 301a, and if execution was performed in the duplicated memory region 301a, execution was transferred to the original memory region 301 or other duplicated memory region. The transfer of execution is carried out in different ways, depending on the method by which duplicate sections of the original memory area were carried out. In one particular case, the address of the next execution instruction is changed, and in another particular case, all addresses remain unchanged, only the value of control register CR3 106 changes, as shown in FIG. four.

In FIG. 5 shows an algorithm for transferring control of execution of instructions from one virtual memory area to another. At step 500, a region of memory of interest, which consists of at least one logical page, is determined in the original virtual memory region. In the next step 501, at least one more virtual memory region is created, which in a particular case is displayed on the same physical pages as the original virtual memory region. To do this, create a directory of pages and at least one page table. To create a virtual memory area, in the particular case, the PTE and PDE of the original virtual area are copied.

Next, at step 502, areas in the original virtual memory area are marked, while the labels for the area of interest are different from the labels of the remaining areas of the original area, in this particular case, the NX bit in the PTE structure is used: in the particular case, for pages of the area of interest, the bit can be set, for pages of other sections, this bit is reset, in another particular case, for pages of the section of interest, the bit is reset, for pages of other sections, this bit is set. After setting the marks in the original region, in step 503, the regions in at least one of the created duplicated memory regions are marked, and the marks for the region of interest are different from the marks of the remaining sections of the duplicated memory region. In the particular case, at this step, the same NX bit setting mechanism is used as for the original section. In the particular case, inversion is applied, that is, if in the original NX memory region the bit for the pages of the region of interest is cleared, then in the duplicate of the original region for the pages of the region of interest this bit is set. In other special cases, other bits of the PDE and PTE structures, for example, the R / W bit, are used for page page labels. In another particular case, the bits are combined, for example, for the original virtual area use the NX bit, for duplicates of the virtual area R / W bit.

At step 504, a memory region is selected to execute the instructions recorded therein. Depending on the purposes for which switching between areas is used (logging, debugging, anti-exploitation of vulnerabilities, etc.), the original memory area or one of the duplicated memory areas is selected.

At step 505, instructions are executed in the selected memory area by the processor until a notification appears, where a notification is generated when control is transferred from the area marked with one label to the area marked with another label. In a particular case, when using an NX bit as a label, such a notification will be a page violation exception (#PF - Page-Fault Exception). This notification is generated when control is transferred from the instructions of the section of the memory area for the pages of which the NX bit is cleared, the instructions of the section of the memory area for the pages of which the NX bit is set.

At the final step 506, execution of instructions of a memory area other than the execution of instructions in which a notification is generated is transmitted. In the particular case, the transfer of control is carried out by overwriting the contents of CR3, the type of rewritable content is determined by the addressing mode (paging mode).

The above-described execution transfer algorithm in a particular case is used in journaling systems designed to generate a log of calls to API functions that are called during program execution. The process has a virtual address space (VAP) into which the necessary sections of the program files are loaded, as well as the dynamic DLLs associated with it. During the execution of the program code, API function calls from various DLLs take place, which should be entered into the API function call log.

In FIG. 6a shows an example of the memory of a process that is created by the OS. For illustrative purposes, sections in the process memory are separately selected that contain program instructions for modules and libraries, for example, the ΕΧΕ module containing program instructions for the executable file, when the process was launched, various dynamic libraries (Unknown.dll, other known.dll, kernel32.dll and Ntdll.dll). There are also “other memory” and “process heap” sections, these sections can contain any auxiliary data.

It is worth noting that, since there are a huge number of libraries (Fig. 6a does not reflect the whole variety of libraries), for a journaling system all libraries are divided into only two groups of interest and uninteresting. Libraries of interest in the memory area form the memory regions of interest 303 and 303a, the uninteresting libraries, together with other modules, comprise all other memory regions 304 and 304a. Examples of libraries of interest are the kemel32.dll and Ntdll.dll libraries. Examples of uninteresting libraries are the Unknown.dll and Other known.dll libraries. A list of dynamic libraries of interest can be generated, which will contain the libraries necessary for journaling. As a rule, the list of the most popular and often used by all processes libraries can cover the work of everyone else. Accordingly, all other libraries will be uninteresting.

In FIG. 6b and FIG. 6c shows examples of VAPs, one VAP is original (Fig. 6b), the second is a duplicate of the original VAP (Fig. 6c). In a particular embodiment, to create a list of calls to API functions, the logging system creates two new VAPs instead of the original VAP during the launch of the executable file. In another special case of implementation, two new VAPs are created, but at the same time the original VAP is used in conjunction with them, which will be subsequently provided to the OS if it is accessed by the VAP.

Thus, the process memory is divided into two parts. In the first original VAP 301, sections of interest 303 are marked as unfulfilled, in the manner described above, calls to exported library functions whose program instructions are contained in the pages of the section of interest will be logged. In the remaining sections 304, for example, the EXE module or uninteresting DLLs are marked as executable. In the duplicate of the VAP 301a, an inversion is performed, the sections of interest 303a are marked as executable, the remaining sections 304a are marked as non-executable.

It is worth noting that, regardless of the VAP, the contents of the process memory always remain the same (that is, the integrity of the address space is not violated). Only the attributes of the corresponding tables / pages are changed. This statement is true only for the User Mode, in which the physical separation of memory occurs. The separation consists in the fact that for each copy of the VAP their own page directories and page tables will be created, and in a particular case, directory tables and page level table tables with their own CR3 control register value. The same physical page is displayed in two directories, but with different attributes for libraries whose calls must be logged. Thus, switching between the VAPs is done by overwriting (changing the contents) of the CR3 control register.

In order for the journaling system to be able to control the VAL (switch work between VAPs), the flags are set (NX-bit) in the attributes section of each page for the corresponding pages in each VAP. The NX-bit is a special flag, according to which the ability to execute program code located on this memory page, or an exception (Page Fault, hereinafter #PF) in case of attempt to execute the code, is determined. By “#PF” is meant the exception that occurs when trying to execute program code from a memory page for which such execution is prohibited. By setting these NX bits, it is possible to switch the created VAPs at the time of calling the API function. It is worth noting that calls will be logged when switching from the original VAP 301 to a duplicate of the VAP 301a, as well as when switching to the opposite direction, the return value and some output parameters of the functions will be logged. This principle allows only dynamic libraries of interest to be executed in a duplicate of VAP 301a, and the rest of the executable code in the original VAP 301.

Consider the program execution mechanism and the operation of the logging system. The journaling system contains a list of libraries of interest, and also forms a kind of “library map”, which contains information, at least, about the addresses of the library entry points.

In FIG. 7 shows the basic steps for preparing the logging system for operation. At the beginning of the launch of the executable file at step 700, the journaling system takes control at step 701 and generates two VAPs, the original VAP 301 and a duplicate VAP 301a. at step 702. Next, at step 703, the libraries of interest and their pages are determined. During the formation of two VAPs in each of them, in the attributes of the pages belonging to the libraries of interest and the pages belonging to the rest of the code, the NX bits are arranged, step 704. Next, the OS control returns, step 705.

In FIG. Figure 8 shows the steps of the logging system during the generation of the API function call log. Suppose that during the execution of an executable file some API function is called from the library of interest. For example, this is a call to the "CreateFile" function, which is located in the "kernel32.dll" dynamic library. Accordingly, during the transfer of control (transition) to the specified access address for the further execution of the function, a PageFault (#PF) exception occurs in accordance with the pre-set NX bits. This situation is related to the fact that execution takes place in the original VAP 301, and as described above, NX bits were set in the page attributes for the libraries of interest, which indicate that the code cannot be executed in these pages of the original VAP. Next, using the exception handler, the #PF exception context is analyzed to determine the cause of this exception and determine the address of the API function that was called. Thus, the analysis consists in searching for an API function that corresponds to the memory address where the call was addressed by the table of API functions (which was created in advance). After determining the API function, information about it is recorded in the API function call log, and switching from the original VAP 301 to a duplicate VAP 301a is performed, where the code of the library of interest is further executed, or rather, the execution of a specific API function.

After the API function has completed its task, it exits from it, that is, the transition back to the program code of the executable file (if you look at Fig. 6, then the transition from the "Logging.dll" module to the "Exe" module). But due to the fact that in the duplicate of VAP 301a this memory region is not executable, an exception #PF arises. This #PF is also analyzed to determine the cause. During the analysis, it is determined that there is a return from the API function, for example, using information about the transition address. In this case, the VAP switches from the duplicate 301a to the original 301, in which the further execution of the program code occurs. After the call to the API function is again detected, all steps to change the VAP are repeated. And so on until the program code is executed.

It is worth noting that one of the features of the technology is that the system does not change the contents of the memory, but intervenes only in the OS mechanisms for working with memory.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims. One skilled in the art will recognize that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (19)

1. The method of transferring the execution of instructions from one memory area to another, in which: a) determine in the original region of memory, consisting of sections of memory, at least one region of memory of interest; b) create a memory region by duplicating a region of memory of interest in the original memory region defined in step a); c) mark all the memory areas in the original memory area, while the labels for the memory area of interest in the original memory area are different from the marks of the remaining memory areas of the original memory area; d) start the execution of instructions recorded in the original memory area, in any of the available memory areas in the original memory area, except for the memory area of interest; e) carry out the execution of instructions in the memory areas of the original memory area by the processor until a notification is generated, and a notification is generated when control is transferred from the memory area marked with one label to the memory area of interest marked with an excellent label; f) transmit the execution of instructions from the memory area of the original memory area to the memory area of interest, but in the duplicated memory area, after creating a notification in step e); g) carry out the execution of instructions in the memory area of interest of the duplicated memory area by the processor until a notification is generated, and a notification is generated during any transfer of control from the area of interest of the duplicated memory area; h) return execution to the original memory area in the corresponding memory area. 2. The method of claim 1, wherein the notification is an exception. 3. The method according to claim 2, in which when transferring control from a region of memory of interest, a Page Fault Exception is thrown. 4. The method according to p. 3, in which duplication is carried out by copying tables and directories. 5. The method of claim 1, wherein the duplicated memory region consists of one region of memory of interest. 6. The method according to claim 1, in which the execution of instructions of a memory area other than that of the execution of instructions in which a notification is transmitted is transmitted by overwriting the address of the page directory. 7. The method according to p. 1, in which the area of interest is equal to at least one page. 8. The method according to claim 1, in which the memory areas in the memory area are marked by setting the attributes in the page table for the pages on which the area is displayed. 9. The method according to claim 8, in which the pages of the site of interest have the attribute "non-executable". 10. The method according to claim 9, in which duplicate pages of the site of interest have the attribute "executable". 11. The method of claim 10, wherein the exception is thrown by the processor.

Images