The kernel mediates several types of control transfers that a runtime code manipulation system needs to follow in order to intercept all code. The most common type is message delivery, shown here. This takes the form of a signal on Linux, or a callback, asynchronous procedure call, or exception on Windows. The operation of message delivery is similar in all cases. While in the kernel, whether due to a system call or a scheduling preemption, the kernel checks whether there are any pending messages for the application. If there are, the kernel suspends the current user context and invokes the handler that the application has registered for that message type. Since this is a direct transfer of control by the kernel, if we don't intercept it the entire handler runs natively, outside the system's control. Windows GUI programs spend the majority of their time in handlers, so if we do not intercept these kernel-mediated transfers we will miss much of the executed code.
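As an added illustration of the Linux case (example code written for this page, not DynamoRIO's own implementation), the runtime can make itself the only handler the kernel ever invokes: it records the application's handler in a table and installs a single master handler in its place, so a delivered signal always enters the runtime first. It assumes Linux/glibc; the names rt_sigaction, master_handler and the table size RT_NSIG are hypothetical.

```c
/* Added illustration, not DynamoRIO's code: one master handler owns every
 * signal; application handlers are recorded, never installed. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define RT_NSIG 65                          /* covers Linux signals 1..64 */
typedef void (*app_handler_t)(int);
static app_handler_t app_handlers[RT_NSIG]; /* hypothetical bookkeeping */
static volatile sig_atomic_t intercepted;   /* deliveries the runtime saw */
static volatile sig_atomic_t app_ran;       /* deliveries forwarded to app */

/* The only handler the kernel ever invokes. A real system would queue the
 * signal and deliver it later through its code cache; forwarding at once
 * keeps the example short. */
static void master_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)info; (void)ctx;
    intercepted++;
    if (sig > 0 && sig < RT_NSIG && app_handlers[sig] != NULL)
        app_handlers[sig](sig);
}

/* Replacement for sigaction(): records the app handler and installs the
 * master handler, so the kernel cannot reach application code directly. */
int rt_sigaction(int sig, app_handler_t handler)
{
    struct sigaction sa;
    if (sig <= 0 || sig >= RT_NSIG) return -1;
    app_handlers[sig] = handler;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = master_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL);
}

static void app_usr1_handler(int sig) { (void)sig; app_ran++; }

/* Register an app handler, deliver SIGUSR1 synchronously, and return 1 if
 * the runtime saw exactly one delivery and forwarded it to the app. */
int run_demo(void)
{
    intercepted = 0; app_ran = 0;
    if (rt_sigaction(SIGUSR1, app_usr1_handler) != 0) return -1;
    raise(SIGUSR1);             /* kernel invokes master_handler, not the app */
    return (intercepted == 1 && app_ran == 1) ? 1 : 0;
}
int main(void) { printf("run_demo() = %d\n", run_demo()); return 0; }
```

The same interposition is what lets the runtime defer delivery until the application handler can be run from the code cache rather than natively.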
Copyright © 2004 Derek Bruening