1. Field of the Invention
The present invention relates generally to data processing, and more particularly but not exclusively to application programming interfaces.
2. Description of the Background Art
Generally speaking, a computer operating system is a program that manages computer resources and other programs, which are referred to as “application programs.” A kernel is the core of the operating system and provides basic services for all other components of the operating system and for application programs. Application programs and the kernel employ different and distinct regions of computer memory. Application programs are user-level programs and accordingly run in user mode, in the user mode space of the memory. The kernel, on the other hand, runs in kernel mode, in the kernel mode space of the memory, which is generally restricted to kernel operations. Kernel mode is a privileged mode of processor execution in that it typically grants access to all system memory and to all of the processor's instructions.
Operating systems typically provide an interface that allows an application program in user mode to invoke kernel routines that perform low-level operations typically reserved for the kernel. Examples of these kernel routines include those for file manipulations, such as creating, reading, or modifying files. An antivirus employs kernel routines to detect and remove computer viruses. For example, an antivirus may request the service of a kernel routine to open a file in order to scan that file for computer viruses.
FIG. 1 shows a flow diagram schematically illustrating how an antivirus 10 may request the service of a kernel routine 13 by way of an OS kernel routine interface 11. The OS kernel routine interface 11, the OS kernel routines 13, and other components preceded by “OS” or “operating system” come standard with the operating system, and accordingly are from the vendor of the operating system. In the example of FIG. 1, the antivirus 10 in user mode invokes the operating system (OS) kernel routine interface 11, which may be part of the OS application programming interface (API). In response, the kernel routine interface 11 invokes the kernel routine 13 of interest in kernel mode, which performs the operation requested by the antivirus 10.
A rootkit comprises computer-readable program code designed to conceal running processes, files, or system data. Rootkits may be used to surreptitiously modify parts of the operating system or install themselves as drivers or kernel modules. Increasingly, rootkits are being used by virus coders as malicious code or part of malicious code. FIG. 2 shows a flow diagram schematically illustrating how a rootkit may intercept service requests to kernel routines. The example of FIG. 2 is the same as that of FIG. 1 except that a rootkit 12 intercepts calls to the OS kernel routines 13. The rootkit 12 compromises the call path from the antivirus 10 to the OS kernel routines 13. For example, the rootkit 12 may not perform the requested call to the OS kernel routines 13, thereby rendering the antivirus 10 ineffective.
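The call path of FIG. 1 and its compromise in FIG. 2 can be modelled as a dispatch table that the user-mode caller goes through to reach the kernel routine. The Python below is an added illustration, not part of the patent and not real operating-system code; the names Kernel, KernelRoutineInterface, install_rootkit, scan and tampered_entries are assumptions for the model. It shows the interception rendering the scan ineffective, and a baseline comparison of the table entries that reveals the modified call path.

```python
"""Constructed model of FIG. 1 / FIG. 2: antivirus -> kernel routine
interface (dispatch table) -> kernel routine, with a rootkit replacing
the table entry. Pure simulation; no real OS interfaces are used."""
from typing import Callable, Dict, List


class Kernel:
    """Stands in for the OS kernel routines (13 in the figures)."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = files
        self.opened: List[str] = []  # record of requests that reached the kernel

    def open_file(self, path: str) -> bytes:
        self.opened.append(path)
        return self.files[path]


class KernelRoutineInterface:
    """Stands in for the OS kernel routine interface (11): name -> routine."""

    def __init__(self, kernel: Kernel) -> None:
        self.table: Dict[str, Callable[..., bytes]] = {"open_file": kernel.open_file}

    def invoke(self, name: str, *args: str) -> bytes:
        return self.table[name](*args)


def install_rootkit(iface: KernelRoutineInterface) -> None:
    """Models rootkit 12: the entry is replaced, the real routine is never
    called, and the caller is handed an empty buffer instead of the file."""
    iface.table["open_file"] = lambda path: b""


def scan(iface: KernelRoutineInterface, path: str, signature: bytes = b"SAMPLE-SIG") -> bool:
    """Models antivirus 10: open the file through the interface, then scan it."""
    return signature in iface.invoke("open_file", path)


def snapshot(iface: KernelRoutineInterface) -> Dict[str, Callable[..., bytes]]:
    """Record, at a trusted moment, which routine each interface entry points to."""
    return dict(iface.table)


def tampered_entries(baseline: Dict[str, Callable[..., bytes]],
                     iface: KernelRoutineInterface) -> List[str]:
    """Entries whose target no longer matches the trusted baseline."""
    return sorted(n for n, fn in iface.table.items() if baseline.get(n) is not fn)


def run_demo() -> tuple:
    kernel = Kernel({"/tmp/sample.bin": b"header SAMPLE-SIG trailer"})  # constructed file
    iface = KernelRoutineInterface(kernel)
    baseline = snapshot(iface)
    clean = scan(iface, "/tmp/sample.bin")            # True: signature found
    install_rootkit(iface)
    hooked = scan(iface, "/tmp/sample.bin")           # False: scanner sees nothing
    return clean, hooked, kernel.opened, tampered_entries(baseline, iface)
```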