WO2000062159A2 - Method and system for dynamic injection of dynamic link libraries into a windowed operating system - Google Patents

Method and system for dynamic injection of dynamic link libraries into a windowed operating system Download PDF

Info

Publication number
WO2000062159A2
WO2000062159A2 PCT/US2000/002926 US0002926W WO0062159A2 WO 2000062159 A2 WO2000062159 A2 WO 2000062159A2 US 0002926 W US0002926 W US 0002926W WO 0062159 A2 WO0062159 A2 WO 0062159A2
Authority
WO
WIPO (PCT)
Prior art keywords
injection
dynamic link
operating system
windowed operating
link library
Prior art date
Application number
PCT/US2000/002926
Other languages
French (fr)
Other versions
WO2000062159A3 (en
Inventor
Richard P. Hammond
Original Assignee
Chicago-Soft, Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chicago-Soft, Ltd. filed Critical Chicago-Soft, Ltd.
Priority to AU29813/00A priority Critical patent/AU2981300A/en
Publication of WO2000062159A2 publication Critical patent/WO2000062159A2/en
Publication of WO2000062159A3 publication Critical patent/WO2000062159A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating
    • G06F9/44521Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Definitions

  • This invention relates to computer operating systems. More specifically, it relates to a method and system for dynamic injection of dynamic link libraries into processes in a windowed operating system.
  • a Dynamic Link Library provides a mechanism for linking applications to libraries of functions at run-time.
  • the Dynamic Link Library injection technique involves loading a Windows 95/98/NT Dynamic Link Library into an address space and placing injection code within a "DlIMain" function.
  • a Dynamic Link Library's DlIMain function is called by the Windows 95/98/NT operating system when a process loads or unloads a Dynamic Link Library as well as when a new operating system thread is started or stopped within a process.
  • loading a Dynamic Link Library into an address space will result in the injected code's execution within an address space.
  • the injected code will only be executed after the process begins executing.
  • the AppInit_DLLs registry value can be used with Windows NT but is not implemented by Windows 95/98.
  • a data value for the AppInit_DLLs registry value can contain a list of Dynamic Link Library module file names.
  • User Dynamic Link Library e.g., USER32.DLL
  • the user Dynamic Link Library will attempt to load the modules listed in this registry setting into a process address space.
  • Use of the AppInit_DLLs registry value will only inject a Dynamic Link Library in a process that executes code within a user's Dynamic Link Library (e.g., USER32.DLL).
  • both Windows 95/98 and Windows NT implement a
  • SetWindowsHookEx Application Programmer's Interface This function is used to hook events within a primary operating system thread or for other operating system threads.
  • API Application Programmer's Interface
  • This Dynamic Link Library is called by the Windows 95/98/NT operating system. If the hooked thread belongs to a different process than the calling thread, Windows 95/98/NT loads the required Dynamic Link Library into the hooked operating system thread's address space. This Dynamic Link Library injection will only be invoked after an application associated with a process has started executing.
  • Code patching techniques known in the art require an injecting process having access to a target process. First the injected code is copied to a memory area in the target process address space. Next the target process is altered so that the injected logic will be executed. Finally, code within an existing execution thread is altered to execute the injected code. This is typically accomplished by calling injected code within an existing process execution path. Code patching is designed to work only on specific processes modified by a user.
  • the remote thread technique also requires an injecting process having access to a target thread.
  • the injected code is copied to a memory area in the target thread address space. Then a new thread is started for the target process. This new thread executes the injected code.
  • the remote thread technique also works only on specific processes modified by a user.
  • injection techniques do not provide the ability for injected code to be the first non-operating system code to execute in new address space for a new process created by a windowed operating system.
  • these injection techniques are designed to work on specific processes modified by a user and do not allow injection techniques that are generally applicable to any process created by a windowed operating system.
  • One aspect of the present invention includes a method for dynamically injecting dynamic link libraries into a process on a windowed operating system.
  • the method includes executing injection logic from a process on the windowed operating system.
  • the injection logic was injected into the process with an injection dynamic link library.
  • An injection driver loaded by the injection application is queried from the injection logic.
  • a test is conducted to determine from the injection driver whether any dynamic link libraries should be injected into a memory space created by the windowed operating system for the process. If any dynamic link libraries should be injected into the memory space for the process, an injection dynamic link library is loaded to inject the dynamic link libraries into the memory space for the process on the windowed operating system.
  • Another aspect of the present invention includes a method for determining which dynamic link libraries should be injected into a process on a windowed operating system. Another aspect of the invention includes a method for dynamically selecting dynamic link libraries. Another aspect of the invention includes a dynamic link library injection system comprising an injection driver and an injection dynamic link library.
  • the methods and system of preferred embodiments of the present invention may allow specific dynamic link libraries to be loaded into specific address spaces for processes created in windowed operating systems.
  • the dynamic link libraries are loaded prior to the execution of any application related code in a process address space created by a windowed operating system.
  • FIG. 1 is a block diagram illustrating an exemplary computing system
  • FIG. 2 is a flow diagram illustrating a method for dynamically injecting injection logic into a windowed operating system
  • FIG. 3 is a flow diagram illustrating a method for dynamically injecting dynamic link libraries into a process on a windowed operating system
  • FIG. 4 is a flow diagram illustrating a method for determining which dynamic link libraries should be injected into a process on a windowed operating system
  • FIG. 5 is a flow diagram illustrating a method for dynamically selecting dynamic link libraries using injection criteria
  • FIG. 6 is a block diagram illustrating a system for dynamically injecting dynamic link libraries.
  • FIG. 1 is a block diagram illustrating an exemplary computing system 10 for a preferred embodiment of the present invention.
  • the computing system 10 includes a computer 12 with a generic windowed operating system 14.
  • the generic windowed operating system 14 generally includes a hardware layer 16, a device driver layer 18, a file system layer 20, a graphics system layer 22, a system services layer 24 and a user applications layer 26.
  • the hardware layer 16, device driver layer 18, file system layer 20, graphics system layer 22, and system services layer 24 comprise an operating system kernel 28.
  • the generic windowed operating system 14 provides a Graphical User Interface ("GUI") 30 with multiple windows.
  • GUI Graphical User Interface
  • more or fewer windowed operating system components could also be used and the present invention is not limited to the generic windowed operating system components illustrated in FIG. 1.
  • the hardware layer 16 is the actual hardware on the computer 12 such as monitor, keyboard, disk drive, etc.
  • the device driver layers 18 is used to interact with actual hardware in the hardware layer 16.
  • the file system layer 20 is used to create, save, retrieve and delete files.
  • the graphic system layer 22 is used to create the GUI 30 with the multiple windows.
  • the system services layer 24 is used to provide windowed operating system services.
  • the user application layer 26 is used to provide user applications that interact with the windowed operating system kernel 28.
  • An operating environment for the computing system 10 for preferred embodiments of the present invention include a processing system with at least one high speed Central Processing Unit (“CPU”) and a memory.
  • CPU Central Processing Unit
  • acts and symbolically represented operations or instructions include the manipulation of electrical signals by the CPU.
  • An electrical system represents data bits which cause a resulting transformation or reduction of the electrical signals, and the maintenance of data bits at memory locations in a memory system to thereby reconfigure or otherwise alter the CPU's operation, as well as other processing of signals.
  • the memory locations where data bits are maintained are physical locations that have particular electrical, magnetic, optical, or organic properties corresponding to the data bits.
  • the data bits may also be maintained on a computer readable medium including magnetic disks, optical disks, organic memory, and any other volatile (e.g., Random Access Memory (“RAM”)) or non-volatile (e.g., Read-Only Memory (“ROM”)) mass storage system readable by the CPU.
  • RAM Random Access Memory
  • ROM Read-Only Memory
  • the computer readable medium includes cooperating or interconnected computer readable medium, which exist exclusively on the processing system or be distributed among multiple interconnected processing systems that may be local or remote to the processing system. Injecting injection logic for using dynamic link libraries into a windowed operating system
  • a Dynamic Link Library provides a mechanism for linking applications to libraries of functions at run time. These libraries are “dynamically linked” because they are linked to an application when it is loaded and executed rather than when it is linked.
  • DLL Dynamic Link Library
  • the operating system loads the DLL into memory, resolves references to functions in the DLL so that they can be called by the application, and unloads the DLL when it is no longer needed. Loading a DLL into an address space results in execution of code within a DLL.
  • Dynamic linking can be performed explicitly by applications or implicitly by the operating system.
  • DLLs are designed to provide resources to applications. DLLs most often appear as files with a ".DLL” filename extension; however, they may also have an executable (".EXE') or other filename extension.
  • FIG. 2 is a flow diagram illustrating a Method 32 for dynamically injecting injection logic into a windowed operating system.
  • an injection application is loaded on a windowed operating system.
  • the injection application is used to inject injection logic into processes that run on a windowed operating system.
  • the injection logic is executed prior to any application related logic in a process address space created by the windowed operating system.
  • an injection driver is loaded from the injection application.
  • the injection driver includes logic to determine if any dynamic link libraries should be loaded for application related logic associated with a process on the windowed operating system.
  • injection logic is injected into new processes created on the windowed operating system.
  • the injection logic queries the injection driver to determine if any dynamic link libraries should be injected into the new process.
  • the windowed operating system is any of Windows 95, Windows 98, or Windows NT by Microsoft Corporation of Redmond, Washington.
  • the present invention is not limited to windowed operating systems by Microsoft, and other windowed operating systems could also be used.
  • the injection application is an application used on a windowed operating system that uses shared memory for processes (e.g., Windows 95/98).
  • the injection application at step 34 is an injection service used on a windowed operating system that does not use shared memory for processes (e.g., Windows NT).
  • injection logic is injected into new processes created on the windowed operating system.
  • injection logic is injected into new processes in a windowed operating system that uses shared memory for processes (e.g., Windows 95/98). Techniques for injecting injection logic for such an embodiment are disclosed in co- pending Application No. , incorporated herein by reference.
  • injection logic is injected into existing and new processes in a windowed operating system that does not use shared memory for processes (e.g., Windows NT). Techniques for injecting injection logic for such an embodiment are disclosed in co-pending Application No. , incorporated herein by reference.
  • FIG. 3 is a flow diagram illustrating a Method 40 for dynamically injecting dynamic link libraries into a process on a windowed operating system.
  • injection logic from a process on the windowed operating system is executed.
  • the injection logic was injected into the process with an injection application (e.g., at step 38 of Method 32).
  • an injection driver loaded by the injection application is queried from the injection logic.
  • a test is conducted to determine from the injection driver whether any dynamic link libraries should be injected into a memory space created by the windowed operating system for the process. If any dynamic link libraries should be injected into the memory space for the process, then at Step 48 an injection dynamic link library is loaded to inject the dynamic link libraries into the memory space for the process on the windowed operating system.
  • the injection dynamic link library includes multiple injection functions for executing injection logic for modifying a main kernel dynamic link library function (e.g., DlIMain or RtllmageDirectoryEntryToData) in an original kernel dynamic link library (e.g., KERNEL32.DLL or NTDLL.DLL) to jump to an injection hook function within the injection dynamic link library.
  • the injection functions from the injection dynamic link library are used to execute injection logic prior to executing any other applications related logic in a new process address space created by a windowed operating system.
  • the injection dynamic link library is also used for querying an injection driver from for a list of dynamic link libraries that should be injected into a process on a windowed operating system.
  • injection logic from a process on Windows 95/98/NT is executed.
  • the injection logic was injected into the process with Method 32 (FIG. 2).
  • an injection driver loaded by the injection application is queried from the injection logic.
  • the injection driver determines which DLLs to load for a process based on a process's executable module (".EXE") file name, version, Cyclic Redundancy Code (“CRC”) or other qualifiers.
  • the injection driver can be statically configured using data files and an operating system registry.
  • an operating system registry is a hierarchical database that stores hardware, software and user configuration settings for a computer.
  • the injection driver can also be dynamically configured by calling configuration functions within the injection driver.
  • Step 46 a test is conducted to determine from the injection driver whether any DLL should be injected into the memory space for the process on Windows 95/98/NT. If any DLLs should be injected into the memory space for the process, then at Step 48 an injection dynamic link library called INJECT.DLL is loaded by the injection driver to inject the DLLs into the memory space for the process on Windows 95/98/NT.
  • INJECT.DLL injection dynamic link library
  • FIG. 4 is a flow diagram illustrating a Method 50 for determining which dynamic link libraries should be injected into a process on a windowed operating system.
  • an injection driver is queried from an injection dynamic link library for a list of dynamic link libraries that should be injected into a process on a windowed operating system.
  • a loop is entered to repeat steps 56, 58, 60 and 62 from the injection dynamic link library using the list of dynamic link libraries obtained from the injection driver.
  • a test is conducted to determine if a dynamic link library from the list is appropriate to load into the memory space for the process created by the windowed operating system.
  • Step 58 the dynamic link library is loaded into the memory space for the process.
  • Step 60 a log entry is created in an injection log for the dynamic link library. If the dynamic link library is not appropriate to load into a memory space for the process, at Step 62, a log entry is created in the injection log indicating the dynamic link library was not appropriate to inject into the memory space for the process.
  • an injection driver is queried from the INJECT.DLL for a list of DLLs that should be injected into a process on Windows 95/98/NT.
  • a loop is entered using the list of DLLs obtained from the injection driver.
  • a test is conducted to determine if a DLL from the list is appropriate to load into a memory space for the process created by Windows 95/98/NT.
  • the INJECT.DLL examines a DLL's location, internal functions, size, and other characteristics to determine if the DLL is appropriate to load into a memory space for the process.
  • Step 58 the DLL is loaded into a memory space for the process.
  • the INJECT.DLL issues a
  • the LoadLibrary function call is used to load a DLL from the Windows operating system.
  • a log entry is created in an injection log for the DLL that was loaded into memory space for the process.
  • the log entry includes a name of a DLL loaded, a location, a timestamp, and other information about the DLL. If the DLL is not appropriate to load into a memory space for the process, at Step 62, a log entry is created in the injection log indicating the DLL was not appropriate to inject into the memory space for the process. This log entry includes a name of a DLL loaded, a location, a timestamp and a reason for not using the DLL. Dynamically injecting dynamic link libraries using injection criteria
  • Functions in the injection driver can be called to send injection criteria associated with an injecting a dynamic link library.
  • FIG. 5 is a flow diagram illustrating a Method 64 for dynamically selecting dynamic link libraries using injection criteria.
  • a set of injection criteria is selected for dynamic link libraries from an injection dynamic link library that will be injected into a process on a windowed operating system.
  • an injection driver is queried from the injection dynamic link library for a list of dynamic link libraries that meet the set of injection criteria.
  • dynamic link libraries from the list if any, are loaded into a memory space for the process by the injection dynamic link library.
  • a set of injection criteria is selected for DLLs from the INJECT.DLL that will be injected into a process on Windows 95/98/NT.
  • an injection driver is queried from the INJECT.DLL for a list of DLLs that meet the set of injection criteria.
  • DLLs from the list if any, are loaded into a memory space for the Windows 95/98/NT process by the INJECT.DLL.
  • the injection criteria can includes "cascade loading.”
  • cascade loading injecting the same dynamic link libraries into every new process as were injected into a process that creates a new process is called “cascade loading.”
  • FIG. 6 is a block diagram illustrating a system 72 for dynamically injecting dynamic link libraries.
  • the system 72 includes an injection driver 74 and an injection dynamic link library 76.
  • the injection driver 74 is used to determine if any dynamic link libraries 78 should be loaded for application related logic associated with a process on the windowed operating system, and to select dynamic link libraries 78 based on injection criteria.
  • the injection dynamic link library 76 includes multiple injection functions for executing injection logic for modifying a main kernel dynamic link library function in an original kernel dynamic link library to jump to an injection hook function within an injection dynamic link library.
  • the injection functions from the injection dynamic link library are used to execute injection logic prior to executing any other applications related logic in a new process address space created by a windowed operating system.
  • the injection dynamic link library 76 is also used for querying an injection driver from for a list of dynamic link libraries that should be injected into a process on a windowed operating system using injection criteria.
  • Exemplary embodiments of the present invention were described using any of Windows 95, Windows 98, or Windows NT by Microsoft Corporation of Redmond, Washington.
  • the present invention is not limited to windowed operating systems by Microsoft, and other windowed operating systems could also be used.

Abstract

Methods and system for dynamically injecting dynamic link libraries into a process in a windowed operating system. The methods includes determinig which dynamic link libraries should be injected into a process on a windowed operating system. The methods and system may allow specific dynamic link libraries to be loaded into specific address spaces for every process created in a windowed operating system such a Microsoft Windows 95/98/NT. The dynamic likn libraries are loaded prior to the execution of any application related code in a process address space created by a windowed operating system. The methods and system solve many of the problems associated with injecting dynamic link libraries into an address space created for a process by a windowed operating system.

Description

METHOD AND SYSTEM FOR DYNAMIC INJECTION OF DYNAMIC LINK LIBRARIES INTO A WINDOWED OPERATING SYSTEM
FIELD OF INVENTION
This invention relates to computer operating systems. More specifically, it relates to a method and system for dynamic injection of dynamic link libraries into processes in a windowed operating system.
BACKGROUND OF THE INVENTION
Software applications, such as 32-bit applications (e.g., Win32) for windowed operating systems, such as Windows 95/98, by Microsoft Corporation of Redmond, Washington, execute as separate processes that execute within their own address space. The Windows 95/98/NT operation systems limit code that can execute within an address space to the code associated with a main executable module (e.g., ".EXE") and Dynamic Link Library ("DLL") modules loaded by a process associated with the main executable module. As is known in the art, a Dynamic Link Library provides a mechanism for linking applications to libraries of functions at run-time.
However, there are many situations where additional functionality needs to be added to a process by injecting execution logic into an address space. In particular, there are situations where it is desirable to inject execution logic into new address spaces that will execute before any application-related code executes. For example, applications to monitor or alter the execution of other applications need such additional functionality.
There are a number of techniques known in the art to inject execution logic into an existing windowed operating system's process. However, these techniques have a number of associated problems. Three of these injection techniques include Dynamic Link Library injection, code patching, and remote threads. The Dynamic Link Library injection technique involves loading a Windows 95/98/NT Dynamic Link Library into an address space and placing injection code within a "DlIMain" function. A Dynamic Link Library's DlIMain function is called by the Windows 95/98/NT operating system when a process loads or unloads a Dynamic Link Library as well as when a new operating system thread is started or stopped within a process. Thus, loading a Dynamic Link Library into an address space will result in the injected code's execution within an address space. However, the injected code will only be executed after the process begins executing.
As is known in the art, there are two ways to inject a Dynamic Link Library into a Windows 95/98 address space including using an operating system registry key "AppInit_DLLs" or calling a "SetWindowsHookEx" API function. As is known in the art, an operating system registry stores hardware, software and user configuration settings for particular a computer.
The AppInit_DLLs registry value can be used with Windows NT but is not implemented by Windows 95/98. A data value for the AppInit_DLLs registry value can contain a list of Dynamic Link Library module file names. When the Windows NT operating system module User Dynamic Link Library (e.g., USER32.DLL) is loaded into an address space, the user Dynamic Link Library will attempt to load the modules listed in this registry setting into a process address space. Use of the AppInit_DLLs registry value will only inject a Dynamic Link Library in a process that executes code within a user's Dynamic Link Library (e.g., USER32.DLL). However, both Windows 95/98 and Windows NT implement a
SetWindowsHookEx Application Programmer's Interface ("API") function. This function is used to hook events within a primary operating system thread or for other operating system threads. When SetWindowsHookEx events occur, a callback function within a Dynamic Link Library is called by the Windows 95/98/NT operating system. If the hooked thread belongs to a different process than the calling thread, Windows 95/98/NT loads the required Dynamic Link Library into the hooked operating system thread's address space. This Dynamic Link Library injection will only be invoked after an application associated with a process has started executing.
Code patching techniques known in the art require an injecting process having access to a target process. First the injected code is copied to a memory area in the target process address space. Next the target process is altered so that the injected logic will be executed. Finally, code within an existing execution thread is altered to execute the injected code. This is typically accomplished by calling injected code within an existing process execution path. Code patching is designed to work only on specific processes modified by a user.
The remote thread technique also requires an injecting process having access to a target thread. The injected code is copied to a memory area in the target thread address space. Then a new thread is started for the target process. This new thread executes the injected code. The remote thread technique also works only on specific processes modified by a user.
These injection techniques do not provide the ability for injected code to be the first non-operating system code to execute in new address space for a new process created by a windowed operating system. In addition these injection techniques are designed to work on specific processes modified by a user and do not allow injection techniques that are generally applicable to any process created by a windowed operating system.
In addition, while the injection techniques described above will inject a dynamic link library into an address space there are still a number of problems associated with the injection techniques. One problem is that these techniques do not work under Windows 95/98 and Windows NT. Another problem is that these techniques do not work without debugging functions. A process can only be "debugged" by one other process. Using the debugging functions to inject a module prevents a debugging application from being able to work properly.
Another problem is that these techniques do not work with minimal overhead. Injection logic should not force unnecessary overhead such as processing unneeded hook or debugging events. Another problem is that these techniques are not the first non- operating system code to execute within an address space. These techniques allow some application specific code to execute before logic within the injected dynamic link library is invoked. Another problem is that these techniques cannot be used to load injection logic into every new address space created for a process or to load different dynamic link libraries into different address spaces.
Another problem is that these techniques do not have the ability not to load a dynamic link library into an address space if is not needed or prevent loading undesirable dynamic link libraries.
Another problem is that these techniques do not have the ability to log dynamic link libraries that were injected into an address space or to inject the same dynamic link libraries into every new process as were injected into a process that creates a new process. This is called "cascade loading."
SUMMARY OF THE INVENTION In accordance with preferred embodiments of the present invention, some of the problems associated with injecting dynamic link libraries in a windowed operating system are overcome. Methods and system for dynamically injecting dynamic link libraries into a process in a windowed operating system is provided.
One aspect of the present invention includes a method for dynamically injecting dynamic link libraries into a process on a windowed operating system. The method includes executing injection logic from a process on the windowed operating system. The injection logic was injected into the process with an injection dynamic link library. An injection driver loaded by the injection application is queried from the injection logic. A test is conducted to determine from the injection driver whether any dynamic link libraries should be injected into a memory space created by the windowed operating system for the process. If any dynamic link libraries should be injected into the memory space for the process, an injection dynamic link library is loaded to inject the dynamic link libraries into the memory space for the process on the windowed operating system.
Another aspect of the present invention includes a method for determining which dynamic link libraries should be injected into a process on a windowed operating system. Another aspect of the invention includes a method for dynamically selecting dynamic link libraries. Another aspect of the invention includes a dynamic link library injection system comprising an injection driver and an injection dynamic link library.
The methods and system of preferred embodiments of the present invention may allow specific dynamic link libraries to be loaded into specific address spaces for processes created in windowed operating systems. The dynamic link libraries are loaded prior to the execution of any application related code in a process address space created by a windowed operating system.
The foregoing and other features and advantages of an illustrative embodiment of the present invention will be more readily apparent from the following detailed description, which proceeds with references to the accompanying drawings. BRIEF DESCRIPTION OF THE DRAWINGS Preferred embodiments of the present invention are described with reference to the following drawings, wherein:
FIG. 1 is a block diagram illustrating an exemplary computing system; FIG. 2 is a flow diagram illustrating a method for dynamically injecting injection logic into a windowed operating system;
FIG. 3 is a flow diagram illustrating a method for dynamically injecting dynamic link libraries into a process on a windowed operating system;
FIG. 4 is a flow diagram illustrating a method for determining which dynamic link libraries should be injected into a process on a windowed operating system;
FIG. 5 is a flow diagram illustrating a method for dynamically selecting dynamic link libraries using injection criteria;
FIG. 6 is a block diagram illustrating a system for dynamically injecting dynamic link libraries.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS Exemplary computing system
FIG. 1 is a block diagram illustrating an exemplary computing system 10 for a preferred embodiment of the present invention. The computing system 10 includes a computer 12 with a generic windowed operating system 14. The generic windowed operating system 14 generally includes a hardware layer 16, a device driver layer 18, a file system layer 20, a graphics system layer 22, a system services layer 24 and a user applications layer 26. The hardware layer 16, device driver layer 18, file system layer 20, graphics system layer 22, and system services layer 24 comprise an operating system kernel 28. The generic windowed operating system 14 provides a Graphical User Interface ("GUI") 30 with multiple windows. However, more or fewer windowed operating system components could also be used and the present invention is not limited to the generic windowed operating system components illustrated in FIG. 1. The hardware layer 16 is the actual hardware on the computer 12 such as monitor, keyboard, disk drive, etc. The device driver layers 18 is used to interact with actual hardware in the hardware layer 16. The file system layer 20 is used to create, save, retrieve and delete files. The graphic system layer 22 is used to create the GUI 30 with the multiple windows. The system services layer 24 is used to provide windowed operating system services. The user application layer 26 is used to provide user applications that interact with the windowed operating system kernel 28.
An operating environment for the computing system 10 for preferred embodiments of the present invention include a processing system with at least one high speed Central Processing Unit ("CPU") and a memory. In accordance with the practices of persons skilled in the art of computer programming, the present invention is described below with reference to acts and symbolic representations of operations or instructions that are performed by the processing system, unless indicated otherwise. Such acts and operations or instructions are referred to as being "computer-executed" or "CPU executed."
It will be appreciated that acts and symbolically represented operations or instructions include the manipulation of electrical signals by the CPU. An electrical system represents data bits which cause a resulting transformation or reduction of the electrical signals, and the maintenance of data bits at memory locations in a memory system to thereby reconfigure or otherwise alter the CPU's operation, as well as other processing of signals. The memory locations where data bits are maintained are physical locations that have particular electrical, magnetic, optical, or organic properties corresponding to the data bits.
The data bits may also be maintained on a computer readable medium including magnetic disks, optical disks, organic memory, and any other volatile (e.g., Random Access Memory ("RAM")) or non-volatile (e.g., Read-Only Memory ("ROM")) mass storage system readable by the CPU. The computer readable medium includes cooperating or interconnected computer readable medium, which exist exclusively on the processing system or be distributed among multiple interconnected processing systems that may be local or remote to the processing system. Injecting injection logic for using dynamic link libraries into a windowed operating system
As is known in the art, a Dynamic Link Library ("DLL") provides a mechanism for linking applications to libraries of functions at run time. These libraries are "dynamically linked" because they are linked to an application when it is loaded and executed rather than when it is linked. When an application uses a DLL, the operating system loads the DLL into memory, resolves references to functions in the DLL so that they can be called by the application, and unloads the DLL when it is no longer needed. Loading a DLL into an address space results in execution of code within a DLL.
Dynamic linking can be performed explicitly by applications or implicitly by the operating system. DLLs are designed to provide resources to applications. DLLs most often appear as files with a ".DLL" filename extension; however, they may also have an executable (".EXE') or other filename extension.
FIG. 2 is a flow diagram illustrating a Method 32 for dynamically injecting injection logic into a windowed operating system. At Step 34, an injection application is loaded on a windowed operating system. The injection application is used to inject injection logic into processes that run on a windowed operating system. The injection logic is executed prior to any application related logic in a process address space created by the windowed operating system. At Step 36, an injection driver is loaded from the injection application. The injection driver includes logic to determine if any dynamic link libraries should be loaded for application related logic associated with a process on the windowed operating system. At Step 38, injection logic is injected into new processes created on the windowed operating system. The injection logic queries the injection driver to determine if any dynamic link libraries should be injected into the new process. In exemplary preferred embodiments of the present invention, the windowed operating system is any of Windows 95, Windows 98, or Windows NT by Microsoft Corporation of Redmond, Washington. However, the present invention is not limited to windowed operating systems by Microsoft, and other windowed operating systems could also be used.
In one exemplary preferred embodiment of the present invention, at step 34 the injection application is an application used on a windowed operating system that uses shared memory for processes (e.g., Windows 95/98). In another exemplary preferred embodiment of the present invention, the injection application at step 34 is an injection service used on a windowed operating system that does not use shared memory for processes (e.g., Windows NT).
In preferred embodiments of the present invention at Step 38, injection logic is injected into new processes created on the windowed operating system. In one preferred embodiment of the present invention, injection logic is injected into new processes in a windowed operating system that uses shared memory for processes (e.g., Windows 95/98). Techniques for injecting injection logic for such an embodiment are disclosed in co- pending Application No. , incorporated herein by reference. In another preferred embodiment of the present invention, injection logic is injected into existing and new processes in a windowed operating system that does not use shared memory for processes (e.g., Windows NT). Techniques for injecting injection logic for such an embodiment are disclosed in co-pending Application No. , incorporated herein by reference. However, other injection techniques could also be used, and the present invention is not limited to the injection techniques described in the co-pending applications. In addition, the present invention is not limited to windowed operating systems from Microsoft. Dynamically injecting dynamic link libraries into a windowed operating system FIG. 3 is a flow diagram illustrating a Method 40 for dynamically injecting dynamic link libraries into a process on a windowed operating system. At Step 42, injection logic from a process on the windowed operating system is executed. The injection logic was injected into the process with an injection application (e.g., at step 38 of Method 32). At Step 44, an injection driver loaded by the injection application is queried from the injection logic. At Step 46, a test is conducted to determine from the injection driver whether any dynamic link libraries should be injected into a memory space created by the windowed operating system for the process. If any dynamic link libraries should be injected into the memory space for the process, then at Step 48 an injection dynamic link library is loaded to inject the dynamic link libraries into the memory space for the process on the windowed operating system.
The injection dynamic link library includes multiple injection functions for executing injection logic for modifying a main kernel dynamic link library function (e.g., DlIMain or RtllmageDirectoryEntryToData) in an original kernel dynamic link library (e.g., KERNEL32.DLL or NTDLL.DLL) to jump to an injection hook function within the injection dynamic link library. The injection functions from the injection dynamic link library are used to execute injection logic prior to executing any other applications related logic in a new process address space created by a windowed operating system. The injection dynamic link library is also used for querying an injection driver from for a list of dynamic link libraries that should be injected into a process on a windowed operating system.
In one exemplary preferred embodiment of the present invention, at Step 42, injection logic from a process on Windows 95/98/NT is executed. The injection logic was injected into the process with Method 32 (FIG. 2). At Step 44, an injection driver loaded by the injection application is queried from the injection logic. The injection driver determines which DLLs to load for a process based on a process's executable module (".EXE") file name, version, Cyclic Redundancy Code ("CRC") or other qualifiers. The injection driver can be statically configured using data files and an operating system registry. As is known in the art, an operating system registry is a hierarchical database that stores hardware, software and user configuration settings for a computer. The injection driver can also be dynamically configured by calling configuration functions within the injection driver.
At Step 46, a test is conducted to determine from the injection driver whether any DLL should be injected into the memory space for the process on Windows 95/98/NT. If any DLLs should be injected into the memory space for the process, then at Step 48 an injection dynamic link library called INJECT.DLL is loaded by the injection driver to inject the DLLs into the memory space for the process on Windows 95/98/NT.
FIG. 4 is a flow diagram illustrating a Method 50 for determining which dynamic link libraries should be injected into a process on a windowed operating system. At Step 52, an injection driver is queried from an injection dynamic link library for a list of dynamic link libraries that should be injected into a process on a windowed operating system. At Step 54, a loop is entered to repeat steps 56, 58, 60 and 62 from the injection dynamic link library using the list of dynamic link libraries obtained from the injection driver. At Step 56, a test is conducted to determine if a dynamic link library from the list is appropriate to load into the memory space for the process created by the windowed operating system. If the dynamic link library is appropriate to load into the memory space for the process, at Step 58 the dynamic link library is loaded into the memory space for the process. At Step 60, a log entry is created in an injection log for the dynamic link library. If the dynamic link library is not appropriate to load into a memory space for the process, at Step 62, a log entry is created in the injection log indicating the dynamic link library was not appropriate to inject into the memory space for the process.
In one exemplary preferred embodiment of the present invention, at Step 52, an injection driver is queried from the INJECT.DLL for a list of DLLs that should be injected into a process on Windows 95/98/NT. At Step 54, a loop is entered using the list of DLLs obtained from the injection driver. At Step 56, a test is conducted to determine if a DLL from the list is appropriate to load into a memory space for the process created by Windows 95/98/NT. The INJECT.DLL examines a DLL's location, internal functions, size, and other characteristics to determine if the DLL is appropriate to load into a memory space for the process.
If the DLL is appropriate to load into a memory space for the process, at Step 58 the DLL is loaded into a memory space for the process. The INJECT.DLL issues a
Windows LoadLibrary function call. As is known in the art, the LoadLibrary function call is used to load a DLL from the Windows operating system.
At Step 60, a log entry is created in an injection log for the DLL that was loaded into memory space for the process. The log entry includes a name of a DLL loaded, a location, a timestamp, and other information about the DLL. If the DLL is not appropriate to load into a memory space for the process, at Step 62, a log entry is created in the injection log indicating the DLL was not appropriate to inject into the memory space for the process. This log entry includes a name of a DLL loaded, a location, a timestamp and a reason for not using the DLL. Dynamically injecting dynamic link libraries using injection criteria
Functions in the injection driver can be called to send injection criteria associated with an injecting a dynamic link library.
FIG. 5 is a flow diagram illustrating a Method 64 for dynamically selecting dynamic link libraries using injection criteria. At Step 66, a set of injection criteria is selected for dynamic link libraries from an injection dynamic link library that will be injected into a process on a windowed operating system. At Step 68, an injection driver is queried from the injection dynamic link library for a list of dynamic link libraries that meet the set of injection criteria. At Step 70, dynamic link libraries from the list, if any, are loaded into a memory space for the process by the injection dynamic link library. In one exemplary preferred embodiment of the present invention, at Step 66, a set of injection criteria is selected for DLLs from the INJECT.DLL that will be injected into a process on Windows 95/98/NT. At Step 68, an injection driver is queried from the INJECT.DLL for a list of DLLs that meet the set of injection criteria. At Step 70, DLLs from the list, if any, are loaded into a memory space for the Windows 95/98/NT process by the INJECT.DLL.
In one exemplary preferred embodiment of the present invention, the injection criteria can includes "cascade loading." As is known in the art, injecting the same dynamic link libraries into every new process as were injected into a process that creates a new process is called "cascade loading."
Exemplary system for dynamically injecting dynamic link libraries
FIG. 6 is a block diagram illustrating a system 72 for dynamically injecting dynamic link libraries. The system 72 includes an injection driver 74 and an injection dynamic link library 76. The injection driver 74 is used to determine if any dynamic link libraries 78 should be loaded for application related logic associated with a process on the windowed operating system, and to select dynamic link libraries 78 based on injection criteria.
The injection dynamic link library 76 includes multiple injection functions for executing injection logic for modifying a main kernel dynamic link library function in an original kernel dynamic link library to jump to an injection hook function within an injection dynamic link library. The injection functions from the injection dynamic link library are used to execute injection logic prior to executing any other applications related logic in a new process address space created by a windowed operating system. The injection dynamic link library 76 is also used for querying an injection driver from for a list of dynamic link libraries that should be injected into a process on a windowed operating system using injection criteria.
Exemplary embodiments of the present invention were described using any of Windows 95, Windows 98, or Windows NT by Microsoft Corporation of Redmond, Washington. However, the present invention is not limited to windowed operating systems by Microsoft, and other windowed operating systems could also be used.
The methods and system described herein result in specific dynamic link libraries being loaded into specific address spaces for specific processes in windowed operating systems. The dynamic link libraries are loaded prior to the execution of any application related code in a process address space created by a windowed operating system. It should be understood that the programs, processes, methods and systems described herein are not related or limited to any particular type of computer or network system (hardware or software), unless indicated otherwise. Various types of general purpose or specialized computer systems may be used with or perform operations in accordance with the teachings described herein.
In view of the wide variety of embodiments to which the principles of the present invention can be applied, it should be understood that the illustrated embodiments are exemplary only, and should not be taken as limiting the scope of the present invention. For example, the steps of the flow diagrams may be taken in sequences other than those described, and more or fewer elements may be used in the block diagrams. While various elements of the preferred embodiments have been described as being implemented in software, in other embodiments hardware or firmware implementations may alternatively be used, and vice- versa. The claims should not be read as limited to the described order or elements unless stated to that effect. Therefore, all embodiments that come within the scope and spirit of the following claims and equivalents thereto are claimed as the invention.

Claims

I CLAIM:
1. In a computer with a windowed operating system with a plurality of processes, a method for dynamically injecting injection logic into the windowed operating system, comprising the steps of: loading an injection application on a windowed operating system, wherein the injection application is used to inject injection logic into processes that run on a windowed operating system, and wherein the injection logic is executed prior to any application software associated with the processes; loading an injection driver from the injection application, wherein the injection driver includes logic to determine if any dynamic link libraries should be loaded for applications that run on the windowed operating system; injecting injection logic into new processes created on the windowed operating system, wherein the injection logic queries the injection driver to determine if any dynamic link libraries should be injected into the new process.
2. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of Claim 1.
3. The method of Claim 1 wherein the windowed operating system is any of Windows 95, Windows 98 or Windows NT.
4. The method of Claim 1 wherein the dynamic link libraries are any of Windows 95, Windows 98, or Windows NT dynamic link libraries.
5. In a computer with a windowed operating system with a plurality of processes, a method for dynamically injecting dynamic link libraries into the windowed operating system, comprising the steps of: executing injection logic from a process on the windowed operating system, wherein the injection logic was injected into the process with an injection application; querying an injection driver loaded by the injection application from the injection logic; determining from the injection driver whether any dynamic link libraries should be injected into a memory space for the process, and if so, loading an injection dynamic link library from the injection driver to inject the dynamic link libraries into the memory space for the process on the windowed operating system.
6. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of Claim 5.
7. The method of Claim 1 wherein the windowed operating system is any of Windows 95, Windows 98 or Windows NT.
8. In a computer with a windowed operating system with a plurality of processes, a method for dynamically injecting dynamic link libraries into the windowed operating system, comprising the steps of: querying an injection driver from an injection dynamic link library for a list of dynamic link libraries that should be injected into a process on a windowed operating system; repeating the following steps from the injection dynamic link library using the list of dynamic link libraries obtained from the injection driver: determining whether a dynamic link library from the list is appropriate to load into a memory space for the process, and if so, loading the dynamic link library into a memory space for the process; and creating a log entry in an injection log for the dynamic link library.
9. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of Claim 8.
10. The method of Claim 8 wherein the windowed operating system is any of Windows 95, Windows 98 or Windows NT.
11. The method of Claim 8 wherein the log entry includes any of includes a name of a dynamic link library loaded, a location for the dynamic link library, timestamp and a result returned from loading the dynamic link library.
12. The method of Claim 8 further comprising: determining whether a dynamic link library from the list is appropriate to load into a memory space for the process, and if not, creating a log entry in an injection log for the dynamic link library indicating the dynamic link library was not loaded into the memory space for the process.
13. The method of Claim 8 wherein the log entry includes a name of a dynamic link library loaded, a location, a timestamp and a reason for not using the dynamic link library.
14. The method of Claim 8 wherein the step of loading the dynamic link library into a memory space for the process includes using a dynamic link library loading function called LoadLibrary from an injection dynamic link library called INJECT.DLL on the windowed operating system.
15. In a computer with a windowed operating system with a plurality of processes, a method for dynamically injecting dynamic link libraries into the windowed operating system, comprising the steps of: selecting a set of injection criteria for one or more dynamic link libraries from an injection dynamic link library that will be injected into a process on a windowed operating system; querying an injection driver from the injection dynamic link library for a list of dynamic link libraries that meet the set of injection criteria; and loading dynamic link libraries from the list, if any, into a memory space for the process on the windowed operating system.
16. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of Claim 15.
17. The method of Claim 15 wherein the windowed operating system is any of Windows 95, Windows 98 or Windows NT.
18. A system for dynamically injecting dynamic link libraries into processes on a windowed operating system, comprising in combination: an injection driver for determining if any dynamic link libraries should be loaded for application related logic associated with a process on the windowed operating system, and for dynamically selecting dynamic link libraries using injection criteria; and an injection dynamic link library with a plurality of injection functions for executing injection logic and modifying main kernel dynamic link library function in an original kernel dynamic link library to jump to an injection hook function within an injection dynamic link library, wherein the injection functions from the injection dynamic link library are used to execute injection logic prior to executing any other applications related logic in a new process address space created by a windowed operating system, and for querying an injection driver from for a list of dynamic link libraries that should be injected into a process on a windowed operating system using injection criteria.
19. The system of Claim 18 wherein the windowed operating system is any of Windows 95, Windows 98, or Windows NT.
20. The system of Claim 18 wherein the injection dynamic link library is an injection dynamic link library called INJECT.DLL the windowed operating system.
PCT/US2000/002926 1999-04-08 2000-02-03 Method and system for dynamic injection of dynamic link libraries into a windowed operating system WO2000062159A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU29813/00A AU2981300A (en) 1999-04-08 2000-02-03 Method and system for dynamic injection of dynamic link libraries into a windowed operating system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/289,149 1999-04-08
US09/289,149 US6550060B1 (en) 1999-04-08 1999-04-08 Method and system for dynamic injection of dynamic link libraries into a windowed operating system

Publications (2)

Publication Number Publication Date
WO2000062159A2 true WO2000062159A2 (en) 2000-10-19
WO2000062159A3 WO2000062159A3 (en) 2001-01-04

Family

ID=23110259

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/002926 WO2000062159A2 (en) 1999-04-08 2000-02-03 Method and system for dynamic injection of dynamic link libraries into a windowed operating system

Country Status (3)

Country Link
US (2) US6550060B1 (en)
AU (1) AU2981300A (en)
WO (1) WO2000062159A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7320075B2 (en) 2001-11-20 2008-01-15 Safenet, Inc. Software protection method utilizing hidden application code in a protection dynamic link library object
CN111368299A (en) * 2020-03-02 2020-07-03 西安四叶草信息技术有限公司 Dynamic link library file hijacking detection method, device and storage medium
CN113296654A (en) * 2021-05-27 2021-08-24 深信服科技股份有限公司 Data processing method and device, electronic equipment and storage medium

Families Citing this family (91)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7409694B2 (en) * 1998-09-09 2008-08-05 Microsoft Corporation Highly componentized system architecture with loadable virtual memory manager
US8434099B2 (en) * 1998-09-09 2013-04-30 Microsoft Corporation Efficient linking and loading for late binding and platform retargeting
US6658658B1 (en) * 2000-02-17 2003-12-02 International Business Machines Corporation Implicit forwarding and resolving of a reference made by an importing module to an exporting module for a specified export
US20020069271A1 (en) * 2000-12-06 2002-06-06 Glen Tindal Event manager for network operating system
US6978301B2 (en) 2000-12-06 2005-12-20 Intelliden System and method for configuring a network device
US8219662B2 (en) * 2000-12-06 2012-07-10 International Business Machines Corporation Redirecting data generated by network devices
US7054946B2 (en) * 2000-12-06 2006-05-30 Intelliden Dynamic configuration of network devices to enable data transfers
US7249170B2 (en) * 2000-12-06 2007-07-24 Intelliden System and method for configuration, management and monitoring of network resources
US20020069367A1 (en) * 2000-12-06 2002-06-06 Glen Tindal Network operating system data directory
US7150037B2 (en) * 2001-03-21 2006-12-12 Intelliden, Inc. Network configuration manager
US7530076B2 (en) * 2001-03-23 2009-05-05 S2 Technologies, Inc. Dynamic interception of calls by a target device
JP2002373077A (en) * 2001-06-14 2002-12-26 Nec Corp Method and device for retrieving execution time library, dynamic linker and program
US7313824B1 (en) * 2001-07-13 2007-12-25 Liquid Machines, Inc. Method for protecting digital content from unauthorized use by automatically and dynamically integrating a content-protection agent
US7200548B2 (en) * 2001-08-29 2007-04-03 Intelliden System and method for modeling a network device's configuration
US8296400B2 (en) * 2001-08-29 2012-10-23 International Business Machines Corporation System and method for generating a configuration schema
US6910158B2 (en) * 2001-10-01 2005-06-21 International Business Machines Corporation Test tool and methods for facilitating testing of duplexed computer functions
US20030079053A1 (en) * 2001-10-23 2003-04-24 Kevin Burns System and method for evaluating effectiveness of network configuration management tools
US7065562B2 (en) * 2001-11-26 2006-06-20 Intelliden, Inc. System and method for generating a representation of a configuration schema
US6978466B2 (en) * 2002-01-02 2005-12-20 Intel Corporation Method and system to reduce thrashing in a multi-threaded programming environment
US6901539B2 (en) * 2002-04-10 2005-05-31 Microsoft Corporation ACPI name space validation
US20040194085A1 (en) * 2002-05-09 2004-09-30 Globespanvirata Incorporated Method and system for providing capability management and prioritization in a computer system
US6959329B2 (en) * 2002-05-15 2005-10-25 Intelliden System and method for transforming configuration commands
US20040003067A1 (en) * 2002-06-27 2004-01-01 Daniel Ferrin System and method for enabling a user interface with GUI meta data
US7464145B2 (en) * 2002-07-11 2008-12-09 Intelliden, Inc. Repository-independent system and method for asset management and reconciliation
US20040028069A1 (en) * 2002-08-07 2004-02-12 Tindal Glen D. Event bus with passive queuing and active routing
US7366893B2 (en) * 2002-08-07 2008-04-29 Intelliden, Inc. Method and apparatus for protecting a network from attack
US20040030771A1 (en) * 2002-08-07 2004-02-12 John Strassner System and method for enabling directory-enabled networking
US7558847B2 (en) * 2002-09-13 2009-07-07 Intelliden, Inc. System and method for mapping between and controlling different device abstractions
US7353521B1 (en) 2002-10-19 2008-04-01 Borland Software Corporation Object oriented distributed software system with methodology for piggybacked reflective callbacks
US20040088676A1 (en) * 2002-10-30 2004-05-06 Gazdik Charles J. Document production
US20040088719A1 (en) * 2002-10-30 2004-05-06 Gazdik Charles J. Intercepting calls to document production functions
US7111279B2 (en) * 2002-10-30 2006-09-19 Hewlett-Packard Development Company, L.P. Intercepting calls to common dialog functions
US7353507B2 (en) * 2002-10-30 2008-04-01 Hewlett-Packard Development, L.P. Intercepting function cells
US20040117437A1 (en) * 2002-12-16 2004-06-17 Exanet, Co. Method for efficient storing of sparse files in a distributed cache
US20040123308A1 (en) * 2002-12-20 2004-06-24 Siemens Information And Communication Networks, Inc. Hybird of implicit and explicit linkage of windows dynamic link labraries
CA2465151A1 (en) 2003-04-16 2004-10-16 Novadigm, Inc. Method and system for patch management
JP2005149164A (en) * 2003-11-17 2005-06-09 Hitachi Ltd Method for calling external disclosure function stored in shared library
US7627898B2 (en) * 2004-07-23 2009-12-01 Microsoft Corporation Method and system for detecting infection of an operating system
US20060026584A1 (en) * 2004-07-27 2006-02-02 Muratori Richard D Explicit linking of dynamic link libraries
US8060856B2 (en) * 2004-11-18 2011-11-15 Aol Inc. Native objects accessible by platform neutral API
US7409691B2 (en) * 2004-12-03 2008-08-05 Microsoft Corporation Extending operating system subsystems
US7587722B2 (en) * 2004-12-03 2009-09-08 Microsoft Corporation Extending operating system subsystems
US7454762B2 (en) * 2004-12-07 2008-11-18 International Business Machines Corporation Method and computer program product for handling application references to undefined operating system services
US7415702B1 (en) * 2005-01-20 2008-08-19 Unisys Corporation Method for zero overhead switching of alternate algorithms in a computer program
WO2007005087A2 (en) * 2005-07-01 2007-01-11 Sudhir Pendse User customized portable desktop
US7874001B2 (en) * 2005-07-15 2011-01-18 Microsoft Corporation Detecting user-mode rootkits
US8281184B1 (en) * 2010-08-06 2012-10-02 Open Invention Network Llc System and method for reliable non-blocking messaging for multi-process application replication
EP3709539A1 (en) * 2005-09-26 2020-09-16 Nielsen Media Research, Inc. Methods and apparatus for metering computer-based media presentation
US7725882B1 (en) 2005-09-30 2010-05-25 Symantec Operating Corporation System and method for profiling processes in a computing system
US7805717B1 (en) 2005-10-17 2010-09-28 Symantec Operating Corporation Pre-computed dynamic instrumentation
US8176480B1 (en) 2006-02-27 2012-05-08 Symantec Operating Corporation Adaptive instrumentation through dynamic recompilation
WO2007130740A2 (en) * 2006-03-09 2007-11-15 The Force, Inc. Parts marking system and method
US7886285B2 (en) * 2006-03-14 2011-02-08 International Business Machines Corporation Combining software executable libraries
US8171482B1 (en) 2006-05-09 2012-05-01 Vmware, Inc. Application environment specifications for provisioning application specific runtime environments using subsets of resources required for execution
US9639696B1 (en) * 2006-09-29 2017-05-02 Symantec Operating Corporation Method and apparatus for analyzing end user license agreements
GB2442495B (en) * 2006-10-02 2009-04-01 Transitive Ltd Method and apparatus for handling dynamically linked function cells with respect to program code conversion
US8060858B2 (en) * 2006-12-29 2011-11-15 Sap Ag Injection library
US8347263B1 (en) 2007-05-09 2013-01-01 Vmware, Inc. Repository including installation metadata for executable applications
US11262996B2 (en) 2007-05-09 2022-03-01 Vmware, Inc. Repository including exclusion list
US7971047B1 (en) 2007-09-10 2011-06-28 Vmware, Inc. Operating system environment and installation
US9015180B1 (en) 2007-05-09 2015-04-21 Vmware, Inc. Repository including file identification
US8577937B1 (en) 2007-05-09 2013-11-05 Vmware, Inc. Repository including exclusion list
US8001083B1 (en) 2007-05-09 2011-08-16 Vmware, Inc. Repository including version management
US8219987B1 (en) 2007-08-24 2012-07-10 Vmware, Inc. Optimized virtual machine specification for provisioning application specific runtime environment
US8196140B2 (en) * 2008-01-11 2012-06-05 Microsoft Corporation Service function redirection for avoiding function evaluation blockages
US8578393B1 (en) * 2008-06-18 2013-11-05 Alert Logic, Inc. Log message collection employing on-demand loading of message translation libraries
US8171141B1 (en) 2009-04-02 2012-05-01 Vmware, Inc. Provisioning system including stack manager
US20100321382A1 (en) 2009-06-18 2010-12-23 Scalable Display Technologies, Inc. System and method for injection of mapping functions
KR101671795B1 (en) * 2010-01-18 2016-11-03 삼성전자주식회사 Computer system and method for preventing dynamic link library injection attack
US8954929B2 (en) * 2010-03-29 2015-02-10 Microsoft Corporation Automatically redirecting method calls for unit testing
US8514234B2 (en) * 2010-07-14 2013-08-20 Seiko Epson Corporation Method of displaying an operating system's graphical user interface on a large multi-projector display
US8695022B2 (en) 2011-10-13 2014-04-08 Microsoft Corporation Context for replacement functions
US9141356B2 (en) 2011-12-14 2015-09-22 Microsoft Technology Licensing, Llc Process for generating dynamic type
EP2817723B1 (en) * 2012-02-21 2017-06-07 ZIH Corp. Electrically configurable option board interface
US9952840B2 (en) 2012-05-15 2018-04-24 International Business Machines Corporation Conditional sequential selection of external reference resolutions
US9009693B2 (en) * 2013-05-08 2015-04-14 Microsoft Corporation Out-of-band framework libraries within applications
EP3049886A4 (en) * 2013-09-27 2017-05-17 Intel Corporation Techniques for tracing wakelock usage
US9348625B2 (en) 2014-05-23 2016-05-24 Google Inc. Application access to native and bundled libraries
US9483283B1 (en) * 2014-11-20 2016-11-01 Apptimize, Inc. Enhanced code callback
US10048960B2 (en) * 2014-12-17 2018-08-14 Semmle Limited Identifying source code used to build executable files
CN106406857B (en) * 2016-08-30 2021-04-13 惠州学院 Memory multiplexing method and device for dynamic link library
US10235161B2 (en) * 2017-02-06 2019-03-19 American Megatrends, Inc. Techniques of adding security patches to embedded systems
US10698666B2 (en) 2017-12-29 2020-06-30 Microsoft Technology Licensing, Llc Automatically building software projects
CN109271414B (en) * 2018-12-05 2021-08-13 北京安华金和科技有限公司 IPC-based database local communication auditing method
US10915426B2 (en) * 2019-06-06 2021-02-09 International Business Machines Corporation Intercepting and recording calls to a module in real-time
US11074069B2 (en) * 2019-06-06 2021-07-27 International Business Machines Corporation Replaying interactions with transactional and database environments with re-arrangement
US11016762B2 (en) 2019-06-06 2021-05-25 International Business Machines Corporation Determining caller of a module in real-time
US10929126B2 (en) 2019-06-06 2021-02-23 International Business Machines Corporation Intercepting and replaying interactions with transactional and database environments
US11036619B2 (en) 2019-06-06 2021-06-15 International Business Machines Corporation Bypassing execution of a module in real-time
CN113254101B (en) * 2021-05-27 2023-02-03 深信服科技股份有限公司 Data processing method and device, electronic equipment and storage medium
CN115859274B (en) * 2022-12-12 2023-11-21 安芯网盾(北京)科技有限公司 Method and system for monitoring event log behavior of Windows process emptying system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0752647A1 (en) * 1995-07-06 1997-01-08 Sun Microsystems, Inc. Method and apparatus for providing versioning information in software projects
US5673315A (en) * 1994-02-15 1997-09-30 International Business Machines Corporation Method and system for software asset usage detection and management

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5583761A (en) * 1993-10-13 1996-12-10 Kt International, Inc. Method for automatic displaying program presentations in different languages
US5812848A (en) 1995-08-23 1998-09-22 Symantec Corporation Subclassing system for computer that operates with portable-executable (PE) modules
US6141698A (en) * 1997-01-29 2000-10-31 Network Commerce Inc. Method and system for injecting new code into existing application code
US5958010A (en) 1997-03-20 1999-09-28 Firstsense Software, Inc. Systems and methods for monitoring distributed applications including an interface running in an operating system kernel
US6202199B1 (en) * 1997-07-31 2001-03-13 Mutek Solutions, Ltd. System and method for remotely analyzing the execution of computer programs
US6463583B1 (en) * 1999-04-08 2002-10-08 Novadigm, Inc. Dynamic injection of execution logic into main dynamic link library function of the original kernel of a windowed operating system
US6698016B1 (en) * 2000-08-29 2004-02-24 Microsoft Corporation Method for injecting code into another process

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5673315A (en) * 1994-02-15 1997-09-30 International Business Machines Corporation Method and system for software asset usage detection and management
EP0752647A1 (en) * 1995-07-06 1997-01-08 Sun Microsystems, Inc. Method and apparatus for providing versioning information in software projects

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"METHOD FOR DYNAMICALLY LOADING MICROPROCESSOR SPECIFIC LIBRARY FUNCTIONS" IBM TECHNICAL DISCLOSURE BULLETIN,US,IBM CORP. NEW YORK, vol. 40, no. 6, 1 June 1997 (1997-06-01), pages 77-79, XP000728342 ISSN: 0018-8689 *
CHICAGO-SOFT, HANOVER, NEW HAMPSHIRE, US: "DLLAGATOR VERSION 2.0 GENERAL AVAILABILITY" , [Online] 6 April 1998 (1998-04-06), pages 1-3, XP002146207 Retrieved from the Internet: <URL:http://www.chicagosoft.com/htm/in_the _lab_DLLagator_availability.html> [retrieved on 2000-08-23] *
HUNT G., BRUBACHER D.: "DETOURS: BINARY INTERCEPTION OF WIN32 FUNCTIONS" TECHNICAL REPORT MSR-TR-98-33, MICROSOFT RESEARCH, MICROSOFT CORPORATION, ONE MICROSOFT WAY, REDMOND, WA 98052, US, [Online] pages 1-9, XP002146206 Retrieved from the Internet: <URL:http://ftp.research.microsoft.com/pub /tr/tr-98-33.pdf> [retrieved on 2000-08-28] *
KASPERESKY E. V.: "WIN95.K32" CENTRAL COMMAND INC., [Online] 1998, page 1 XP002146208 Retrieved from the Internet: <URL:http://www.avpve.com/viruses/win95/k3 2.html> [retrieved on 2000-08-29] *
LIVINGSTON, B.: "WINDOW MANAGER. APPLICATIONS CAN HELP GET YOU OUT OF LIFE IN DLL HELL" INFOWORLD, INFOWORLD MEDIA GROUP INC., [Online] vol. 20, no. 7, 16 February 1998 (1998-02-16), pages 1-3, XP002146209 Retrieved from the Internet: <URL:http://archive.infoworld.com/cgi-bin/ displayArchive.pl?/98/07/o02-07.38.htm> [retrieved on 2000-08-23] *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7320075B2 (en) 2001-11-20 2008-01-15 Safenet, Inc. Software protection method utilizing hidden application code in a protection dynamic link library object
CN111368299A (en) * 2020-03-02 2020-07-03 西安四叶草信息技术有限公司 Dynamic link library file hijacking detection method, device and storage medium
CN113296654A (en) * 2021-05-27 2021-08-24 深信服科技股份有限公司 Data processing method and device, electronic equipment and storage medium
CN113296654B (en) * 2021-05-27 2023-12-29 深信服科技股份有限公司 Data processing method, device, electronic equipment and storage medium

Also Published As

Publication number Publication date
US6779187B1 (en) 2004-08-17
AU2981300A (en) 2000-11-14
US6550060B1 (en) 2003-04-15
WO2000062159A3 (en) 2001-01-04

Similar Documents

Publication Publication Date Title
US6550060B1 (en) Method and system for dynamic injection of dynamic link libraries into a windowed operating system
US6463583B1 (en) Dynamic injection of execution logic into main dynamic link library function of the original kernel of a windowed operating system
US5815702A (en) Method and software products for continued application execution after generation of fatal exceptions
Balzer et al. Mediating connectors
US7451451B2 (en) Operating system abstraction and protection layer
US6738965B1 (en) Trace information in a virtual machine
US7031989B2 (en) Dynamic seamless reconfiguration of executing parallel software
US6823509B2 (en) Virtual machine with reinitialization
US7784043B2 (en) Method and system for automated code-source indexing in Java Virtual Machine environment
US6698016B1 (en) Method for injecting code into another process
AU2002309834A1 (en) Operating system abstraction and protection layer
US20080163185A1 (en) Delay-load optimizer
US20070240136A1 (en) Apparatus and method for capabilities verification and restriction of managed applications in an execution environment
US20110145924A1 (en) Method for detection and prevention of loading executable files from the current working directory
US6223335B1 (en) Platform independent double compare and swap operation
US20020147903A1 (en) Initialising modules
US7134123B1 (en) Virtual machine with reset operation
US20140149996A1 (en) Runtime emulating static thread local storage of portable executable software code
JP2001043100A (en) Cashing untrusted module for module-by-module verification
US6085034A (en) Constructor based object initialization with overrides
Balzer et al. Mediating connectors: A non-bypassable process wrapping technology
EP0784264B1 (en) A computer-implemented process for determining a minimum code set for an executable application in a data processing system
US5335332A (en) Method and system for stack memory alignment utilizing recursion
CN117150487A (en) Dynamic link library file injection detection method and device
US20020174257A1 (en) Application assisted executable exports

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase