1. Field of the Invention
The present invention relates to an apparatus, a method, and a computer readable medium for monitoring a program; specifically to an apparatus, a method, and a computer readable medium for monitoring a program by the application program interface hooking (API hooking) technique.
2. Description of the Related Art
Due to the popularization of the Internet, the viruses that attack computers nowadays, such as worms and Trojans, mainly come from the Internet. On a computer running a Microsoft Windows system, worms and Trojans usually take control of execution to attack the computer when a buffer overflow occurs during the execution of a program or when the computer's system calls application program interfaces (APIs).
FIG. 1A illustrates the prior-art concept of a program 111 calling a target API 112. The directions of the arrows 113, 114 in the figure indicate the directions of the call and the return, respectively. As the arrows 113, 114 show, the program 111 calls the target API 112 directly, and the target API 112 likewise returns directly to the program 111 after execution.
Currently, most anti-virus software looks for and records a feature of a worm/Trojan after a computer has been attacked for the first time. The feature of the worm/Trojan is then added to a virus code for future comparison. Current anti-virus software adopts a technique called decompilation to achieve this: the executable file of a program is decompiled to obtain the return addresses of all APIs, and these are compared against the addresses observed when the executable file is executed another time. The technique has two main disadvantages. First, not all executable files can be decompiled, for example plug-ins and dynamically loaded programs. Second, all APIs have to be monitored, which consumes huge resources.
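As an added illustration that is not part of the patent text, the following C sketch places a monitor on the call/return path of FIG. 1A by redirecting the program's import slot to a hook, and compares each call's return address with a set recorded on a learning run (this example's stand-in for the recorded API return addresses; the patent's own comparison source is decompilation). The target API, the one-slot import table and the learning phase are constructed for the example, and the caller's return address is read with the GCC/Clang builtin `__builtin_return_address`.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for a system API (the "target API 112" of figure 1A). */
static int target_api(int x) { return x * 2; }

/* One-slot stand-in for the monitored program's import table: the program reaches
 * its API through this pointer, so redirecting the slot hooks the call. */
typedef int (*api_fn)(int);
static api_fn import_slot = target_api;
static api_fn original_api;

/* Return addresses recorded during a learning run, then treated as the set of
 * legitimate call sites (constructed stand-in for the recorded addresses). */
#define MAX_SITES 8
static uintptr_t known_sites[MAX_SITES];
static size_t n_known;
static int learning = 1;
static int alert_count;

static int site_known(uintptr_t ret) {
    for (size_t i = 0; i < n_known; i++)
        if (known_sites[i] == ret) return 1;
    return 0;
}

/* The hook now sits on the path of arrows 113/114. It reads the caller's
 * return address, records it while learning, otherwise counts an alert when a
 * call arrives from a return address never seen before (as after a hijacked
 * stack frame), and in every case forwards to the real API. */
static int __attribute__((noinline)) hooked_api(int x) {
    uintptr_t ret = (uintptr_t)__builtin_return_address(0);
    if (learning) {
        if (!site_known(ret) && n_known < MAX_SITES) known_sites[n_known++] = ret;
    } else if (!site_known(ret)) {
        alert_count++;
    }
    return original_api(x);
}

void install_hook(void)    { original_api = import_slot; import_slot = hooked_api; }
void finish_learning(void) { learning = 0; }
int  alerts(void)          { return alert_count; }

/* Two distinct call sites inside the "program 111". noinline keeps each site's
 * return address stable; the volatile sink stops the compiler from turning the
 * call into a tail jump, which would hide the real return address. */
static volatile int sink;
__attribute__((noinline)) int call_from_site_a(int x) { int r = import_slot(x); sink = r; return r; }
__attribute__((noinline)) int call_from_site_b(int x) { int r = import_slot(x); sink = r + 1; return r; }
```

Before `install_hook` the program calls the API directly as in FIG. 1A; afterwards a call from a return address that was never recorded is counted as an alert while the API still executes normally.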
Consequently, providing an efficient API monitoring technique, so that even compiled programs and plug-ins can be monitored during execution, remains a critical issue in this field.