In the area of anti-virus software, it is known in the art to modify the operating system of a computer to assist with anti-virus techniques. For example, it is known to modify the kernel of an operating system to assist with the scanning of files to help detect a computer virus that might be present in a file.
FIG. 1 is an example of a prior art operating system 10 that uses a kernel hook module 30 to assist with anti-virus efforts. Operating system 10 includes user space 20 that makes system calls available for processes and kernel space 22 that includes the low-level system software. For example, user space 20 includes the commands “open,” “close,” “execve” and “exit” that can be used by a process running on a computer to open a file, close a file, execute a file or exit a process. Of course, other commands are available. Normally, use of a command 24 results in a system call 26 into the kernel space that directs the call to the system call table 28. Absent any modification to the kernel space 22, system call table 28 would direct an open command via pointer 32 to the actual procedure “open” 33 that would then open a file in the normal course.
In some circumstances, though, a kernel hook module (KHM) 30 is added to an operating system to intercept certain system calls. In this example, the procedures “openhook,” “closehook” and “exechook” have been added via the kernel hook module to intercept and replace the normal system calls “open,” “close” and “exec.” In other words, the pointers in the system call table 28 are modified to redirect the system calls to the new procedures added in the kernel hook module. For example, when an “open” system call is made, pointer 32′ now redirects the flow to procedure “openhook” 34 in the kernel hook module instead of to the original procedure “open” 33. The advantage is that the procedure “openhook” 34 can now provide additional functionality in addition to simply opening a file. In the anti-virus context, a KHM is added into an operating system to replace important file system calls such as open, close and exec. By doing so, the additional code in the KHM procedures can perform real-time scanning of files before the files are actually opened or closed. If a file is found to be infected with a computer virus, the additional code of the KHM can return with an error code, thus denying the user process access to that file. Thus a KHM can be used in anti-virus efforts.
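The pointer swap described above, reduced to a user-space simulation as an added example (not code from the patent or from any product it describes): the "system call table" is an array of function pointers, loading the KHM saves the original "open" pointer and replaces it with "openhook", and the hook denies access with an error code when its scan matches a constructed signature. The file names, contents and signature string are all constructed for the example.

```c
#include <string.h>
#include <errno.h>

/* Simulated system call table: function pointers indexed by call number. */
enum { SYS_OPEN = 0, SYS_CLOSE = 1, NSYSCALLS };
typedef int (*syscall_fn)(const char *arg);

/* Constructed in-memory "files" standing in for the file system. */
struct fake_file { const char *name; const char *contents; };
static const struct fake_file files[] = {
    { "/tmp/notes.txt", "meeting at noon" },
    { "/tmp/bad.bin",   "xx CONSTRUCTED-TEST-SIGNATURE xx" }, /* marker only, not malware */
};
#define NFILES (sizeof files / sizeof files[0])

/* Original procedure "open" (33): returns a descriptor (index) or -ENOENT. */
static int real_open(const char *path) {
    for (size_t i = 0; i < NFILES; i++)
        if (strcmp(files[i].name, path) == 0) return (int)i;
    return -ENOENT;
}
static int real_close(const char *unused) { (void)unused; return 0; }

/* The table (28) as it stands before any kernel hook module is loaded. */
static syscall_fn sys_call_table[NSYSCALLS] = { real_open, real_close };

/* Scanner used by the hook: a trivial substring match on a constructed signature. */
static const char *signature = "CONSTRUCTED-TEST-SIGNATURE";
static int looks_infected(const char *path) {
    for (size_t i = 0; i < NFILES; i++)
        if (strcmp(files[i].name, path) == 0 && strstr(files[i].contents, signature))
            return 1;
    return 0;
}

/* KHM procedure "openhook" (34): scan first; deny with an error code if infected,
 * otherwise chain to the saved original "open" so normal opens still work. */
static syscall_fn original_open;  /* saved pointer 32 */
static int openhook(const char *path) {
    if (looks_infected(path)) return -EACCES;  /* user process is denied access */
    return original_open(path);
}

/* Loading the KHM is the pointer swap (32 -> 32'); unloading restores it. */
void load_khm(void)   { original_open = sys_call_table[SYS_OPEN]; sys_call_table[SYS_OPEN] = openhook; }
void unload_khm(void) { sys_call_table[SYS_OPEN] = original_open; }

/* What a user-space command (24) reaches after the system call (26) indexes the table. */
int do_syscall(int nr, const char *arg) { return sys_call_table[nr](arg); }
```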
Because of the interaction with kernel source code, a KHM for a specific version of a kernel must be built with that version's kernel source code in order to function properly. Unfortunately, for certain operating systems such as Linux, there are a large number of kernel versions and more are being added constantly. FIG. 2 illustrates an example of the countless number of Linux kernels in existence for a few of the better-known operating systems. Because there are so many different kernels for Linux, it is a daunting and time-consuming task to create a KHM for each kernel and to constantly create a new KHM for each new kernel version released.
The process of building a KHM for each new kernel version is tedious and time-consuming as an engineer performs this task manually. It can take upwards of one hour for an engineer to build a new KHM for a new Linux kernel. Furthermore, if even a small mistake is made during the KHM build process, the resulting KHM can cause the entire operating system to crash. Because a newly-built KHM is often delivered to numerous customers to assist with anti-virus efforts, an engineer building a KHM must be extraordinarily careful when performing the build process.
One company, Network Associates, Inc., has a Linux anti-virus software product that relies upon a KHM. The approach used by Network Associates is to provide the customer all related source code and let the customer build the KHM by themselves. This approach has a couple of drawbacks. First, the company cannot guarantee the quality of the built KHM because the end user may make a mistake during the build process. Secondly, the company cannot merge in the latest fix for the KHM unless the end user desires to update the source code by themselves. In short, there is no formal testing or quality assurance if the end user is allowed to build the KHM by themselves manually.
In view of the above, an improved technique for providing kernel hook modules to end users is desired.