One method of monitoring the operation of a computer program (i.e., a computer process) is to monitor the branches or jumps from the program to one or more system calls. A system call is a routine that accomplishes a system-level (i.e., operating system) function on behalf of a computer process (e.g., memory allocation, accessing input or output devices). A system call is performed by the program being executed in order to execute a system-level routine. System calls are made by using a system call table in the computer's operating system. The routine that is called is responsible for returning control to the calling program after it has finished processing.
There are many different types of system calls. For example, the Windows NT/2000 operating system has system calls for System Information and Control (e.g., ZwQuerySystemInformation), Objects (e.g., ZwQueryObject), Virtual Memory (e.g., ZwAllocateVirtualMemory), Sections (e.g., ZwCreateSection), Threads (e.g., ZwSuspendThread), Processes (e.g., ZwTerminateProcess), Jobs (e.g., ZwAssignProcessToJobObject), Tokens (e.g., ZwDuplicateToken), Synchronization (e.g., ZwSetEvent), Time (e.g., ZwQueryPerformanceCounter), Execution Profile (e.g., ZwStartProfile), Ports (e.g., ZwConnectPort), Files (e.g., ZwReadFile), Registry Keys (e.g., ZwLoadKey), Security and Auditing (e.g., ZwAccessCheck), Power Management (e.g., ZwGetDevicePowerState), and Miscellany (e.g., ZwLoadDriver). Each system call has a routine associated with it that could require certain input data and produce certain output data.
The prior art method of monitoring system calls is to modify a system call table in a computer operating system so that each pointer in the table that would otherwise cause a program making a system call to jump to the corresponding system call routine instead causes the program to jump to another, unique routine. Each unique routine would call its corresponding system call routine. The system call routine would execute as requested and return information to the unique routine that called it. The unique routine could then record whatever information about the system call is available. The unique routine would then return the output of the system call routine to the program so that the program could continue. To the program, it looks as if it called a system call routine and received the result; in reality, the unique routine monitored the system call. A different custom routine is required for each system call, because each system call may require different parameters as input and produce different outputs. Skilled computer scientists are needed to write such routines, and every time a routine is added to a program, the program must be recompiled. Such tasks are prone to error and are expensive.
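The table-patching scheme just described, as an added illustration in C that is not part of the patent: a simulated two-entry call table in user space, where each entry is repointed at its own wrapper that records the call, forwards to the saved original pointer, and hands the result back unchanged. The routine stand-ins, handle and pid values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
/* Simulated system call table. Entries are typed individually because each
 * call takes different parameters; this is why the table-patching approach
 * needs a separate hand-written wrapper for every monitored call. */
typedef size_t (*read_fn)(int handle, char *buf, size_t len);
typedef int (*terminate_fn)(int pid, int status);
struct syscall_table { read_fn read_file; terminate_fn terminate_process; };

/* Constructed stand-ins for the routines behind calls such as ZwReadFile / ZwTerminateProcess */
static size_t sys_read_file(int handle, char *buf, size_t len) {
    const char *data = "hello";                 /* constructed file content */
    size_t n = strlen(data) < len ? strlen(data) : len;
    (void)handle; memcpy(buf, data, n);
    return n;
}
static int sys_terminate_process(int pid, int status) { (void)pid; return status == 0 ? 0 : -1; }

/* Live table the program dispatches through, plus a copy of the original pointers */
static struct syscall_table table = { sys_read_file, sys_terminate_process };
static struct syscall_table original;
static char last_log[128];   /* monitor's record of the most recent call */
static int call_count;

/* One wrapper per call: forward to the original, record what can be seen,
 * and return the original's result unchanged so the caller notices nothing. */
static size_t hook_read_file(int handle, char *buf, size_t len) {
    size_t r = original.read_file(handle, buf, len);
    call_count++;
    snprintf(last_log, sizeof last_log, "ReadFile(handle=%d, len=%zu) -> %zu", handle, len, r);
    return r;
}
static int hook_terminate_process(int pid, int status) {
    int r = original.terminate_process(pid, status);
    call_count++;
    snprintf(last_log, sizeof last_log, "TerminateProcess(pid=%d, status=%d) -> %d", pid, status, r);
    return r;
}

/* Install monitoring: save the originals, then repoint every table entry at its wrapper */
void install_monitor(void) {
    original = table;
    table.read_file = hook_read_file;
    table.terminate_process = hook_terminate_process;
}
const char *last_entry(void) { return last_log; }
int calls_seen(void) { return call_count; }

/* The monitored program only ever calls through the table and is unaware of the hooks */
size_t program_read(int handle, char *buf, size_t len) { return table.read_file(handle, buf, len); }
int program_terminate(int pid, int status) { return table.terminate_process(pid, status); }
```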
U.S. Pat. No. 6,735,774, entitled “METHOD AND APPARATUS FOR SYSTEM CALL MANAGEMENT,” discloses a device for and a method of managing system calls that is in accordance with the prior art method described above. The present invention does not manage system calls as does U.S. Pat. No. 6,735,774, and U.S. Pat. No. 6,735,774 does not disclose the method of the present invention. U.S. Pat. No. 6,735,774 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20050066322 A1, filed on Sep. 18, 2003, now U.S. Pat. No. 7,412,694, entitled “METHOD FOR DETECTING PROGRAM PHASES WITH PERIODIC CALL-STACK SAMPLING,” discloses a method of monitoring system calls by counting the number of stack frames that are created in response to system calls. The present invention does not monitor system calls by counting stack frames created in response to system calls as does U.S. Pat. Appl. No. 20050066322 A1. U.S. Pat. Appl. No. 20050066322 A1, now U.S. Pat. No. 7,412,694, is hereby incorporated by reference into the specification of the present invention.
There is a need for a method of monitoring system calls that does not require a unique routine for each system call to be monitored, specialized computer science skills, or recompiling with every addition or deletion of a system call to be monitored. The present method satisfies this need.