36 results about "Loadable kernel module" patented technology

Incremental single and multiprocess checkpointing and restoration is described, which is transparent in that the application program need not be modified, re-compiled, or re-linked to gain the benefits of the invention. The processes subject to checkpointing can be either single or multi-threaded. The method includes incremental page-boundary checkpointing, as well as storage checkpointing of data files associated with applications to ensure correct restoration without the need to restore files for other application programs. Incremental and full checkpoints are asynchronously merged to ensure proper operation while reducing checkpointing delay. By way of example a user-level programming library is described for loading into the address space of the application in conjunction with a loadable kernel module (LKM) or device driver used to capture and restore process state on behalf of the application. These techniques are particularly well suited for use with high-availability (HA) protection programming.

A system, computerized method and computer-readable medium are provided for the detection of an operating system exploitation, such as a rootkit install. The operating system is monitored to ascertain an occurrence of anomalous activity resulting from operating system behavior which deviates from any one of a set of pre-determined operating system parameters. Each parameter corresponds to a dynamic characteristic associated with an unexploited operating system. Output can then be generated to indicate any anomalous activity that is ascertained. The computer-readable medium may comprise a loadable kernel module for detecting hidden patches, processes, files or other kernel modules.

A technique that supports improved debugging of kernel loadable modules (KLMs) that involves allocating a first portion of a memory and detecting a first kernel loadable module (KLM) requesting an allocation of at least a portion of the memory. The first KLM is then loaded into the first portion of the memory and a first identifier is associated with the first KLM and the first portion. The access of a second portion of the memory by the first KLM, the second portion being distinct from the first portion is detected and an indication that the first KLM has accessed the second portion is generated.

An indication is received. The indication is of an address in a first page in virtual memory used by an application with a static memory corruption. A loadable kernel module will monitor the address. Access to the first page in virtual memory is changed from read / write access to read only access. A second page in virtual memory is created with read / write access. Whether a page fault occurs on the first page in virtual memory during the execution of the application with the static memory corruption is determined.

Embodiment of the invention provides compiling method and device for a loadable kernel module (LKM). The method comprises the steps of reading one or plurality of LKM die plates corresponding to an assembly when the assembly of an application program is triggered; detecting whether the one or the plurality of LKM die plates support the system kernel of a processor of the current device and / or the current operation system; if so, adapting the LKM die plate to the system kernel of the current operation system; compiling the LKM through the adapted LKM die plate. With the adoption of the method and device, the workload can be greatly reduced, the cost is decreased, the application program can gradually support different system structures and kernel range, and therefore, the application program capable of supporting a plurality of processor system frames and system kernels in a large range can be created.

The invention relates to the computer field, and discloses a kernel update method and device, and computer equipment. The computer device executes the kernel update method to update the loadable kernel module in the kernel; firstly, the first interface mapping table is set to invalid, and the invalid first interface mapping table makes the interface module stop sending service requests of business applications to the first The driving logic of the driving logic module, so that the first driving logic module suspends providing driving services for business applications; then replace the first driving logic module in the loadable kernel module with the second driving logic module, and add it in the second interface mapping table Each interface in the interface module and the driving logic in the second driving logic module corresponding to the interface are recorded in . After the loadable kernel module is updated, the second driver logic module executes the driver logic on the new service request forwarded by the interface module according to the second interface mapping table, so as to resume providing driver services for business applications.

The invention provides a kernel mode Rootkit detection method based on system virtualization technology. A Rootkit principle, system calling and an LKM (Loadable Kernel Module) are analyzed deeply to obtain the behavior characteristic of hiding of own module information of kernel mode Rootkit. Specific to the characteristic, the Rootkit detection method based on cross view validation is designed. A Xen kernel is changed to intercept system calling, so that a credible view is constructed. An infected view is constructed by using a user mode tool of a target client. Hidden modules are found by comparing the credible view with the infected view.