Computer system administrators may collect various data related to the use of system resources to help characterize the use of the system resources, particularly with intent to prevent unauthorized access, identify malicious software, or to improve the allocation of the system resources, among other reasons.
Collection of this data may traditionally be accomplished by attaching an observer to a kernel and/or system call interface of an Operating System (OS). Accordingly, when a user-mode process requests system resources using the observed kernel system call, the observer may collect data and analyze the data as appropriate.
Further, Operating Systems have functionality to support interfaces to system resources other than kernel system calls. For example, an OS may provide functionality via a Remote Procedure Call (RPC) interface. In some instances, the RPC interface may be implemented as a Local Procedure Call (LPC) interface configured to use RPC-style transport, serialization, and runtime-binding to perform LPC system calls without actually sending a call to a remote system.
Some LPC interfaces exist entirely in user-mode, preventing any meaningful, traditional form of observation by intercepting kernel system calls. Other LPC interfaces also reside in user-mode and can make one or more chained kernel system calls on behalf of the client, thereby masking the identity of the client process because the system call may appear to originate from the LPC interface.
In general, the source/originator of an operation performed by an LPC interface on behalf of the requestor may not lend itself to direct observation by a kernel system call as described above. Thus, despite the use of various kernel observers, any calls made to the LPC interface may remain uncollected and unanalyzed. Accordingly, the computer system administrators may capture an incomplete picture of the use of system resources.
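As an added illustration (not part of the original text), the following Python model shows the attribution gap described above: a kernel system call observer records only the pid of the LPC server that issues the chained calls, while an observer placed at the LPC boundary can recover the requesting client. The process ids, the `NtOpenFile`/`NtReadFile` call chain and the file paths are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class KernelObserver:
    """Observer attached to the kernel system call interface: it sees only the
    pid of the process that issued each call."""
    events: list = field(default_factory=list)

    def syscall(self, caller_pid, name, arg):
        self.events.append((caller_pid, name, arg))


class LpcServer:
    """Hypothetical user-mode LPC interface (running as pid `pid`) that performs
    chained kernel calls on behalf of its clients."""

    def __init__(self, pid, kernel, interface_log):
        self.pid, self.kernel, self.interface_log = pid, kernel, interface_log

    def handle(self, client_pid, arg):
        # An observer at the LPC boundary can record the true requester here.
        self.interface_log.append((client_pid, self.pid, arg))
        # The chained calls are issued by the server process, so the kernel
        # observer attributes them to self.pid rather than to client_pid.
        self.kernel.syscall(self.pid, "NtOpenFile", arg)
        self.kernel.syscall(self.pid, "NtReadFile", arg)


def attribute(kernel_events, interface_log):
    """Re-attribute kernel events issued by an LPC server to the client that
    requested them, matching on (server_pid, arg); direct calls are unchanged."""
    origin = {(srv, arg): client for client, srv, arg in interface_log}
    return [(origin.get((pid, arg), pid), name, arg)
            for pid, name, arg in kernel_events]


def run_scenario():
    """Constructed scenario: pid 1234 reads a file through the LPC server
    (pid 400), while pid 5678 calls the kernel directly."""
    kernel, iface = KernelObserver(), []
    server = LpcServer(pid=400, kernel=kernel, interface_log=iface)
    server.handle(client_pid=1234, arg=r"C:\secrets.txt")
    kernel.syscall(5678, "NtCreateFile", r"C:\tmp.txt")
    return kernel.events, attribute(kernel.events, iface)


if __name__ == "__main__":
    kernel_view, attributed = run_scenario()
    print("kernel observer alone:", kernel_view)  # chained calls show pid 400
    print("with LPC observer:   ", attributed)    # chained calls show pid 1234
```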