This invention relates to computer operating systems. More specifically, it relates to a method and system for dynamic injection of execution logic into a shared memory space of a windowed operating system.
Software applications, such as 32-bit applications (e.g., Win32) for windowed operating systems, such as Windows 95/98/NT, by Microsoft Corporation of Redmond, Wash., execute as separate processes that execute within their own address space (WINDOWS and WIN32 are trademarks of Microsoft Corporation of Redmond, Wash.). The Windows 95/98/NT operation systems limit code that can execute within an address space to the code associated with a main executable module (e.g., xe2x80x9c.EXExe2x80x9d) and Dynamic Link Library (xe2x80x9cDLLxe2x80x9d) modules loaded by a process associated with the main executable module. As is known in the art, a Dynamic Link Library provides a mechanism for linking applications to libraries of functions at run-time.
However, there are many situations where additional functionality needs to be added to a process by injecting execution logic into an address space. In particular, there are situations where it is desirable to inject execution logic into new address spaces that will execute before any application-related code executes. For example, applications to monitor or alter the execution of other applications need such additional functionality.
There are a number of techniques known in the art to inject execution logic into an existing windowed operating system""s process. However, these techniques have a number of associated problems. Three of these injection techniques include Dynamic Link Library injection, code patching, and remote threads. The Dynamic Link Library injection technique involves loading a Windows 95/98/NT Dynamic Link Library into an address space and placing injection code within a xe2x80x9cDllMainxe2x80x9d function. A Dynamic Link Library""s DllMain function is called by the Windows 95/98/NT operating system when a process loads or unloads a Dynamic Link Library as well as when a new operating system thread is started or stopped within a process. Thus, loading a Dynamic Link Library into an address space will result in the injected code""s execution within an address space. However, the injected code will only be executed after the process begins executing.
As is known in the art, there are two ways to inject a Dynamic Link Library into a Windows address space including using an operating system registry key xe2x80x9cApplnit_DLLsxe2x80x9d or calling a xe2x80x9cSetWindowsHookExxe2x80x9d API function. As is known in the art, an operating system registry stores hardware, software and user configuration settings for particular a computer.
The AppInit_DLLs registry key can be used with Windows NT but is not implemented by Windows 95/98. A data value for the AppInit DLLs registry key can contain a list of Dynamic Link Library module file names. When a User Dynamic Link Library (e.g., USER32.DLL) is loaded into an address space on the Windows NT operating system the user Dynamic Link Library will attempt to load the modules listed in this registry key into a process address space. Use of the AppInit_DLLs registry key will only inject a Dynamic Link Library in a process that executes code within a user""s Dynamic Link Library (e.g., USER32.DLL).
Both Windows 95/98 and Windows NT implement a SetWindowsHookEx Application Programmer""s Interface (xe2x80x9cAPIxe2x80x9d) function. This function is used to hook events within a primary operating system thread or for other operating system threads. When SetWindowsHookEx events occur, a callback function within a Dynamic Link Library is called by the Windows 95/98/NT operating system. If the hooked thread belongs to a different process than the calling thread, Windows 95/98/NT loads the required Dynamic Link Library into the hooked operating system thread""s address space. This Dynamic Link Library injection will only be invoked after an application associated with a process has started executing.
Code patching techniques for Windows 95/98/NT known in the art require an injecting process to have access to a target process. First the injected code is copied to a memory area in the target process address space. Next the target process is altered so that the injected logic will be executed. Finally, code within an existing execution thread is altered to execute the injected code. This is typically accomplished by calling injected code within an existing process thread. Code patching is designed to work only on specific processes modified by a user and typically requires a high level of programming expertise.
The remote thread technique for Windows 95/98/NT also requires an injecting process having access to a target thread. The injected code is copied to a memory area in the target thread address space. Then a new thread is started for the target process. This new thread executes the injected code. The remote thread technique also works only on specific processes modified by a user.
These injection techniques do not provide the ability for injected code to be the first non-operating system code to execute in new address space for a new process created by a windowed operating system. In addition these injection techniques are designed to work on specific processes modified by a user and do not allow injection techniques that are generally applicable to any process created by a windowed operating system.
Thus, it is desirable to inject execution logic into new address spaces for new processes created by a windowed operating system that will execute before any application-related associated with the process executes. The injected execution logic should be generally applicable to any process created by a windowed operating system and not require a user""s to modify specific processes.
In accordance with preferred embodiments of the present invention, some of the problems associated with injecting execution logic that executes prior to any application logic are overcome. Methods and system for dynamically injecting execution logic into a shared memory space of a windowed operating system is provided.
One aspect of the present invention includes a method for dynamically injecting execution logic into a shared memory space of a windowed operating system. This method includes starting an injection application with a kernel application used by a windowed operating system. An injection virtual device driver is loaded from the injection application into a first pre-determined memory location in an area of shared memory in the windowed operating system. The virtual injection device driver is used to alter protected areas of memory within the windowed operating system. An injection dynamic link library is loaded from the injection application into a second pre-determined memory location within an area of shared memory for the windowed operating system. A main dynamic link library function within an original kernel dynamic link library including kernel functions for the windowed operating system is located from the injection dynamic link library. A jump command is inserted from the injection dynamic link library within the main dynamic link library function in the kernel dynamic link library to create a modified kernel dynamic link library in memory. The jump command jumps to an injection hook function within the injection dynamic link library whenever a new windowed operating system process is created. The injection hook function within the injection dynamic link library includes multiple injection functions that are executed by the windowed operating system prior to executing any application related logic in a new process address space created by the windowed operating system. The original kernel dynamic link library is replaced in memory with the modified kernel dynamic link library on the windowed operating system. The modified kernel dynamic link library on the windowed operating system is used for kernel services anytime a new process is requested on the windowed operating system.
Another aspect of the invention is method for using dynamically injected execution logic in a windowed operating system. This method includes receiving a request to create a new process is on a windowed operating system. A modified kernel dynamic link library including a modified main dynamic link library function with jump command to jump to an injection hook function within an injection dynamic link library is loaded into shared memory within the windowed operating system. The modified kernel dynamic link library was modified by an injection application. The jump command in the main kernel dynamic link library function allows injection logic to be executed prior to executing any application related logic in a new process address space created by the windowed operating system. The modified main dynamic link library function in the kernel dynamic link library is executed to jump to the injection hook function within the injection dynamic link library to execute injection logic prior to executing any application related logic in a new process address space created by the windowed operating system.
Another aspect of the invention includes a system for dynamically injecting execution logic into a shared memory space of a windowed operating system. The injection system includes an injection application, an injection dynamic link library, an injection hook function, and an injection virtual device driver into a shared memory space of a windowed operating system. The injection application is used for loading an injection virtual device driver and an injection dynamic link library into a shared memory space of a windowed operating system. The injection dynamic link library includes multiple injection functions for executing injection logic and for modifying a main kernel dynamic link library function in an original kernel dynamic link library with jump command to jump to an injection hook function within an injection dynamic link library. The injection functions from the injection dynamic link library are used to execute injection logic prior to executing any application related logic in a new process address space created by a windowed operating system. The injection hook function is used for calling injection functions from an injection dynamic link library. The injection hook function is called with a jump command inserted into a main dynamic link library function in an original kernel dynamic link library loaded when a windowed operating system creates a new process. The injection virtual device driver is used for altering protected memory areas within a windowed operating system.
The methods and system of the present invention allow execution logic to be injected into new processes created by windowed operating systems. The execution logic is executed prior to any application related logic in a new process address space created by windowed operating systems. The methods and system of the present invention may be used for debugging aids, hooking other processes, tracing the execution of an application, and for other purposes.
The foregoing and other features and advantages of an illustrative embodiment of the present invention will be more readily apparent from the following detailed description, which proceeds with references to the accompanying drawings.