The present invention relates to a method and system for intercepting an application program interface within a computer system, in general and to a method and system of diverting control from an application program interface to user supplied functions within a computer system, in particular. The present invention further includes dynamic installation of associated software, within the user portion of an operating system and within the kernel portion of the operating system for the implementation thereof.
The present invention provides a method of implementing better security within a computer system and enhances security capabilities for systems such as Windows and NT. The present invention further provides a method of better control over function call routines also known as application program interface routines (API) in a manner transparent to the user.
Numerous security systems have previously been proposed and implemented in various systems such as UNIX and the like. None of the previous solutions provide an efficient, time saving and cost effective manner for controlling APIs. On the contrary, previous systems, relating to security in general, have resulted in high costs to users to implement, maintain and upgrade said systems.
Previously known systems, such as the Windows and NT operating systems, fail to secure computer systems making use of APIs from misuse of APIs. There is thus a need for a method for intercepting an application program interface within a computer system.
Therefore it is the object of the present invention to provide a method and system whereby API functions called by user applications are not allowed to execute unless the calling process has the requisite authority and privilege.
One application of such a system could be a security application whereby certain API functions called by user applications are not allowed to execute unless the calling process has the requisite authority and privilege.
Another application might include a system profiler whereby any or all API function calls issued by an application are tracked and used to generate statistics about the behavior of the user application.
Yet another application might include intensive parameter checking in conjunction with parameter filtering or parameter correction, whereby any or all API function input parameters sent by the calling application program and the return values from the API routine itself are handled according to prescribed rules.
Constructive in the abstraction of providing API function interception in a computerized environment is that the user-supplied code can be inserted and installed within the operating system where it can be accessed.
API routines are a primary target of intruders and executing API routines is a major objective of intruders in the acts of illegal access attempts from outside the operating system platform.
In Operating Systems (O/S) having many APIs as the interface between the program applications and the O/S, intruders are required to execute API functions if they want to gain access to higher privileges or obtain O/S services. Thus, intruders are able to obtain critical resources of the computing environment.
It is therefore the object of the present invention to provide a method and system whereby API functions called by user applications are not allowed to execute unless the calling process has the requisite authority and privilege.
It is also the object of the present invention to provide a method and system whereby parameters associated with the API functions to be examined and processed according to the authority and privilege of the calling process.
It is also the object of the present invention to provide a method and system whereby resulting values associated with the API functions to be examined and processed according to the authority and privilege of the calling process.
It is an object of the present invention to initialize API controlling routine and to hook at least one API routine in memory space associated with user application.
It is also the object of the present invention to replace the hooked API routine code with user supplied code, the user supplied code to be executed upon calling the API by the user application program.
It is also the object of the present invention to receive a call from a previously hooked API and generating a predefined series of operations to control said API operation.
It is also an object of the present invention to manage operation of API controlling routine, to collect and store information corresponding to the API routine.
It is also the object of the present invention to identify the API routine, to obtain the API routine address and to determine the address of at least one user supplied module associated with re-direction of flow of execution of the API routine.
It is further the object of the present invention to enable enhanced privileges relating to memory space associated with the API routine, to store API routine code associated with first re-direction of flow of execution to be later replaced, to store API routine code address associated with second re-direction of flow of execution, to store API routine code associated with second redirection of flow of execution and replacing the API routine code stored with user supplied code associated with first re-direction of flow of the API routine.
It is also the object of the present invention to restore API routine code previously stored associated with first re-direction of flow of execution to be later replaced, to replace API routine code with user supplied code associated with second re-direction of flow of execution of the API routine and to call the API routine based upon response generated corresponding whether API routine is to be executed in association with user predefined rules.
It is further the object of the present invention to replace the API routine code stored with user supplied code associated with first re-direction of flow of execution of the API routine and to restore previously stored API routine code associated with second re-direction of flow of execution.
It is also the object of the present invention to limit execution of the user application to the specific API routine corresponding to execution time of API routine based on response generated corresponding to whether API routine is to be executed in association with user predefined rules.
It is also the object of the present invention to cancel the limit on execution of the user application to the specific API routine corresponding to execution time of API routine.
It is a further object of the present invention to execute user supplied code for determining return values of the API routine and to manipulate process level flow control structure to enable return of control to user application.
There is also provided in the present invention a method of inserting user supplied code into memory space of user application by injecting loader code into active process memory space associated with the user application and executing loader code to further load user supplied code into memory space, the user supplied code operative to further control API execution.
Also provided in the present invention are an apparatus controlling the method of providing user control of the API, which includes an initalizer for obtaining list of active processes within the computer system, an injector for injecting API interception module into said active processes, means for monitoring predetermined system calls operative to further injection of API interception routine into new created process and means for updating the list of active processes.
There is also provided in the present invention an apparatus to provide system call interception, which includes means to obtain a list of active processes within the computer system, means to open processes within a computer system and means to issue notification massages associated with the system calls.