
Method for Executing Dynamic Instrumentation Code in Kernel and User Mode

IP.com Disclosure Number: IPCOM000199350D
Publication Date: 2010-Aug-31
Document File: 4 page(s) / 111K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method for dynamic instrumentation of applications is disclosed. More specifically, a method for executing dynamic instrumentation code of an application in kernel-mode as well as in user-mode is disclosed. The method enables secured and efficient execution of dynamic instrumentation code.

This is the abbreviated version, containing approximately 52% of the total text.


Disclosed is a method for executing dynamic instrumentation code of an application in kernel-mode as well as in user-mode. The method involves implementing dynamic instrumentation by using a process address space for storing the dynamic instrumentation code. This is achieved by defining an appropriate trampoline for the dynamic instrumentation code.

A flowchart illustrating a method for defining a trampoline is shown in Fig. 1. The method involves gathering information about the text address of the process to be instrumented. From the dynamic instrumentation code, information about the instrumentation code/handler to be executed in kernel-mode is gathered. Similarly, information about the instrumentation code/handler to be executed in user-mode is gathered. The required information may be gathered by taking input from a user.

The method then checks the validity of the text address of the process. If the text address is not valid, the method terminates; otherwise, the text address is enhanced by including a memory map function (for example, memory mapping ()) for a page. The memory map function enables allocation of memory as part of the text address when a request to instrument the process is invoked.

Thereafter, a trampoline is copied to the text address. The trampoline is defined to include instructions to save the register-state and thread stack of the process. An instruction to call the instrumentation code/handler to be executed in the user-mode is also included. Other instructions defined in the trampoline include restoring the register-state, copying the original instructions of the process, and moving to the instruction after the breakpoint in the process. The instructions in the trampoline may be included through the following functions:

Tramp_dyninst:
    Save_registers()
    Call_userspace_handler()
    Restore_registers()
    Original_insn_copy()
    Jump next_instruction()

The trampoline is copied in the text address before the original instruction is replaced by a breakpoint instruction.

The instrumentation code/handler to be executed in the user-mode and the trampoline are copied by the kernel in the memory allocated to the text address. Additionally, callback routines for the instrumentation code/handler corresponding to the user-mode and the instrumentation code/handler corresponding to the kernel-mode are registered to be called when the breakpoint is hit. Thereafter, the breakpoint is inserted in the process to be instrumented.

Figure 1
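
The trampoline procedure described above, as an added example that is not part of the original disclosure: a user-space C simulation over a constructed one-byte toy instruction set, showing that a user-mode handler which clobbers the registers does not change the instrumented program's result. All names (proc_t, regs_t, instrument, run, the two handlers) and the toy instruction encoding are assumptions made for illustration.

```c
#include <stdint.h>
/* Toy model (constructed): each instruction is one byte added to the
 * accumulator, 0x00 halts, 0xCC is reserved as the breakpoint opcode. */
#define BRK 0xCC
#define TEXT_LEN 8
typedef struct { int acc, pc; } regs_t;
typedef void (*handler_t)(regs_t *);
typedef struct {
    uint8_t text[TEXT_LEN];        /* text of the process to instrument */
    uint8_t tramp_insn;            /* original instruction, kept in the trampoline */
    int probe_pc;                  /* breakpoint location, -1 when none */
    handler_t kernel_cb, user_cb;  /* callbacks run when the breakpoint is hit */
} proc_t;
int kernel_hits, user_hits;
void kernel_handler(regs_t *r) { (void)r; kernel_hits++; }
void user_handler(regs_t *r) { user_hits++; r->acc = -999; r->pc = 0; } /* clobbers regs */

/* Returns 0 on success, -1 when the text address is not valid. */
int instrument(proc_t *p, int addr, handler_t kcb, handler_t ucb) {
    if (addr < 0 || addr >= TEXT_LEN || p->probe_pc >= 0) return -1;
    p->tramp_insn = p->text[addr];         /* trampoline is filled in first */
    p->kernel_cb = kcb; p->user_cb = ucb;  /* callbacks are registered */
    p->probe_pc = addr;
    p->text[addr] = BRK;                   /* breakpoint replaces the original last */
    return 0;
}

static void trampoline(proc_t *p, regs_t *r) {
    regs_t saved = *r;              /* save the register-state */
    p->user_cb(r);                  /* call the user-mode handler */
    *r = saved;                     /* restore the register-state */
    r->acc += p->tramp_insn;        /* run the copy of the original instruction */
    r->pc = p->probe_pc + 1;        /* move to the instruction after the breakpoint */
}

int run(proc_t *p) {
    regs_t r = {0, 0};
    while (r.pc < TEXT_LEN && p->text[r.pc] != 0) {
        if (p->text[r.pc] != BRK) { r.acc += p->text[r.pc++]; continue; }
        p->kernel_cb(&r);           /* kernel-mode callback on breakpoint hit */
        trampoline(p, &r);          /* user-mode handler via the trampoline */
    }
    return r.acc;
}

int main(void) {  /* exit status 0: the result is unchanged once the probe is armed */
    proc_t p = { .text = {1, 2, 3, 4, 0}, .probe_pc = -1 };
    return run(&p) != 10 || instrument(&p, 2, kernel_handler, user_handler) || run(&p) != 10;
}
```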

A flow chart illustrating a method for executing dynamic instrumentation of an application in the kernel-mode as well as in the user-mode is shown in Fig. 2.

F...