Function call event emulation. Function call event emulation What does call emulation mean?

About six months ago, I was asked something like this: “I use a large framework that launches a certain function on a user action. I want, without changing the code of this function, to execute my own code on the event of this function call.”. The practice is far from the best, the function call event does not exist, I just twisted my finger at my temple and said that this is a terrible shit code, you should not do this, and this, simply, is impossible.

A couple of days ago, heading home on a relatively warm winter evening, not typical for Odessa, I had an atypical thought: “What if we try to do what Bogdan asked six months ago?” Arriving home, I turned on the computer, and, within a couple of minutes, I did what I planned. First of all, I was interested in how the built-in methods would behave if they were overridden, and whether it was possible to somehow call their previous state, which was before the override, after that. I knew that if the object is redefined, then the references to it will not be destroyed, keeping the same look. As for the built-in functions, there were doubts. It turns out you can.

Most likely, I will never even need to use such a tool, but, purely hypothetically, perhaps someone will have the task of tracing a call to a particular function, receiving a report on each call, consisting of:

1. Execution result
2. Arguments passed
3. Call context (what is this when called)
4. Number of function calls after handler creation

(This list is fully consistent with the arguments passed to the handler)

addCallListener = function(func, callback)( var callNumber = 0; return function()( var args = .slice.call(arguments); var result; try ( result = func.apply(this, arguments); callNumber++; ) catch (e) ( callback(e, args, this, callNumber); throw e; ) callback(result, args, this, callNumber); return result; ) )

Very simple and short, right?

Then, we redefine some function as follows:

SomeFunct = addCallListener(someFunct, function(result, args, self, callNumber)( //Do Something )); // or Constructor.prototype.method = addCallListener(Constructor.prototype.method, function(result, args, self, callNumber)( //Do Something ));

Obviously, it should be "visible" in the part of the code where it happens.

A few examples

To run the examples, you must have an open console (in chrome it is called by Ctrl+Shift+i).

Thanks to the comrades from the javascript.ru forum for criticism and additions.

UPD
Slightly expanded the function: now instead of one callback, an object is passed as the second argument

1. before (called before the function starts)
2. success (called if the function succeeded)
3. error (if an error occurred)
4. after (called anyway, regardless of success)

Each handler is passed an object

1. self (context)
2. name (function name)
3. status("error" or "success")
4. successNumber (number of successful calls)
5. errorNumber (number of calls with an error)
6. result (result, if any)
7. error (error, if any)

In addition, the addCallListener function is now part of the Function constructor object to avoid hitting window or process.

You can fork and test here.

About six months ago, I was asked something like this: “I use a large framework that launches a certain function on a user action. I want, without changing the code of this function, to execute my own code on the event of this function call.”. The practice is far from the best, the function call event does not exist, I just twisted my finger at my temple and said that this is a terrible shit code, you should not do this, and this, simply, is impossible.

A couple of days ago, heading home on a relatively warm winter evening, not typical for Odessa, I had an atypical thought: “What if we try to do what Bogdan asked six months ago?” Arriving home, I turned on the computer, and, within a couple of minutes, I did what I planned. First of all, I was interested in how the built-in methods would behave if they were overridden, and whether it was possible to somehow call their previous state, which was before the override, after that. I knew that if the object is redefined, then the references to it will not be destroyed, keeping the same look. As for the built-in functions, there were doubts. It turns out you can.

Most likely, I will never even need to use such a tool, but, purely hypothetically, perhaps someone will have the task of tracing a call to a particular function, receiving a report on each call, consisting of:

1. Execution result
2. Arguments passed
3. Call context (what is this when called)
4. Number of function calls after handler creation

(This list is fully consistent with the arguments passed to the handler)

addCallListener = function(func, callback)( var callNumber = 0; return function()( var args = .slice.call(arguments); var result; try ( result = func.apply(this, arguments); callNumber++; ) catch (e) ( callback(e, args, this, callNumber); throw e; ) callback(result, args, this, callNumber); return result; ) )

Very simple and short, right?

Then, we redefine some function as follows:

SomeFunct = addCallListener(someFunct, function(result, args, self, callNumber)( //Do Something )); // or Constructor.prototype.method = addCallListener(Constructor.prototype.method, function(result, args, self, callNumber)( //Do Something ));

Obviously, it should be "visible" in the part of the code where it happens.

A few examples

To run the examples, you must have an open console (in chrome it is called by Ctrl+Shift+i).

Thanks to the comrades from the javascript.ru forum for criticism and additions.

UPD
Slightly expanded the function: now instead of one callback, an object is passed as the second argument

1. before (called before the function starts)
2. success (called if the function succeeded)
3. error (if an error occurred)
4. after (called anyway, regardless of success)

Each handler is passed an object

1. self (context)
2. name (function name)
3. status("error" or "success")
4. successNumber (number of successful calls)
5. errorNumber (number of calls with an error)
6. result (result, if any)
7. error (error, if any)

In addition, the addCallListener function is now part of the Function constructor object to avoid hitting window or process.

You can fork and test here.

All my life I used simple phones, and gave preference only to the Nokia brand. But life does not stand still, once I wanted a phone with a camera and Internet access - it's so convenient! In the mobile phone store, the model range of Nokia push-buttons was not large, but the 301 Dual variant was immediately looked at. I like it to be simple, but tasteful, without unnecessary annoying details. This phone in terms of appearance satisfied me 100%. I asked to see it closer - I liked everything. The purchase cost me four thousand. I also purchased a leather case.

I have two impressions about the phone. The first time I got used to it, everything seemed chic. Not so long ago, I changed my old Oka to Renault Logan - and so, the comparison was similar. I really liked the fact that everything in the phone is thought out to the smallest detail. Stylish and comfortable. What you need. But over time, of course, the cons also came to light, but first things first.

Externally, I like the phone. Stylish, neat, thin. Very good plastic. The size of the phone is relatively large, but fits in a pocket. The screen of the phone is large, the color does not irritate, the shades are soft and pleasing to the eye. The buttons are comfortable, plus they won’t wear off over time, but there is a chance that they will swell (I already had a phone with a similar “solid” keyboard, and it was always swollen from regular use, I hope this will not happen with this phone). The polyphony of the phone is clear, but relatively quiet. On the street and sometimes even at home, I can’t hear him and always miss calls. This applies to both "native" signals and downloaded music. Infuriates. But for listening to music, for example, the speaker is ideal. Sometimes at home I listen to the radio on speakerphone - it sounds like a good tape recorder. I really like the menu in the phone, it is convenient, there are various applications available. The phone book is great! Here you have a graph under the name, and under the surname. You can add a bunch of numbers to the contact, options - the sea. But there is no main thing, what I think should be in every phone - a black list. The trouble is aggravated by the fact that my mobile operator does not provide a service for blocking numbers. I tried, at the prompt of a knowledgeable person, to find the appropriate application - but in vain. So I had to change the number and be careful in terms of the circle of people who know him.

Internet .... This is a separate conversation. Pretty primitive. If you are looking for a phone that will allow you to comfortably communicate on social networks, forgetting about the computer - pass by. From this phone, only view updates. While the pages are loading, you will bite your nails. And I'm already used to constant glitches: actions very often go nowhere. This also applies to sending messages, comments, and loading pages (from the first time, as a rule, everything turns out "for nothing"). Messages, before sending, I always copy: if the action does not work, the entire text is down the drain. It happens, and a hundred times the same thing is sent. As for likes, it's a different story. Here you are, when you look through the tape, put likes on what you liked and scroll further, right? Everything is complicated here. The first like, as a rule, is put, and the second sends your news feed to the very beginning. And so regularly! Recently, I have been thinking more and more often about buying a new android-based touch phone, since all these imperfections have become rather annoying to me: it takes a lot of time and nerves.

And the phone is often buggy, which, to be honest, I did not expect from Nokia. For no reason, the screen turns white and the whole system reboots again. I don't like the fact that you can't see letters in the sun when you're typing, you don't like the camera... Obviously not 3.2! A maximum of 2 megapixels pulls. Yes, and the phone works as it is slightly slowed down, although at the same time my memory is almost empty (only one song is loaded per call). In terms of options, the phone seems to be smart, but inside there are a lot of names that I don’t understand. For example, "Call emulation" - what is it?

In general, I'm disappointed. I expected better. I like the design, everything else is so-so. I will buy another in due course. I rate the phone at an average of three points, but I recommend buying it: the price-quality ratio is quite adequate.

I'm updating my review six months after purchase. Today is January 3, 2015. With the phone and go, although at first there was a wild desire to change it. Over time, I got used to it, now I like it and don’t want another. To work on the Internet, I installed the Opera browser for myself, and now everything works fine. And the camera was not so bad. I would say that the quality of the photos will probably be better than other models of phones in this price category, and even some of those that are more expensive. They can be printed and not ashamed to post on social networks. The only caveat is that for some reason it takes better pictures indoors than on the street. The buttons did not swell over time, I was worried in vain. And the phone itself has not lost its "commodity" appearance. Periodically, as before, he catches glitches, but not often. A couple of times it happened that the phone turned off by itself and I could not turn it on for a long time. With what it was connected - I do not know. My memory is not full at all (I do not store photos and music on it, only SMS and contacts). I change the "three" to "four" points. Not such a bad phone.

The owners of the patent RU 2514141:

Technical field

The invention relates to anti-virus solutions, and more specifically to methods for emulating system function calls to bypass emulation countermeasures.

State of the art

The code of modern programs, including malicious programs, is a complex set of instructions: jumps, calls, loops, and so on. It should be noted that the complexity of executable files is constantly increasing, which is associated with the growing popularity of high-level programming languages, as well as the complication of computer equipment and operating systems. This applies to both trusted applications and malicious ones. Malicious applications can perform a number of typical actions, such as stealing passwords and other confidential user data, including a computer in a botnet for conducting DDoS attacks or sending spam, blocking the correct functioning of the system for the purpose of extortion, and other negative and undesirable actions from the user's point of view .

One method for investigating potential malware is to use an emulator, which is used by an antivirus application to analyze the application's behavior. There are various emulation methods. One of them is software simulation of the processor, memory, and other devices by creating virtual copies of the processor registers, memory, and the processor's instruction set. Thus, program instructions are executed not on a real processor, but on its virtual copy, and calls to system API functions emulate and send back the emulated result of the function.

To counter emulation of program code, malware creators use various tricks, which may be based on limitations associated with the emulation process and the implementation of the emulator in antivirus solutions. One of these approaches is to add a large number of instructions to the program code that do not carry a malicious component, but take time to emulate. Given the fact that the time allotted for emulating the program code is limited so as not to cause user dissatisfaction (as a rule, this time can be several seconds), the emulation process can stop before the execution of truly malicious code begins. One method of combating this anti-emulation approach is described in US7603713, which operates by executing a number of instructions on a real processor, which significantly speeds up the process of emulating unknown applications in order to get to the most malicious code. Another approach, disclosed in the application US20110225655, considers the option of defining an application as suspicious if it counteracts emulation. This approach is based on the fact that a safe (legitimate) application, as a rule, shows a warning about the impossibility of execution in the emulator, while a malicious one calmly terminates the execution or abruptly changes the execution vector (logic).

Another way to counter emulation is based on determining the fact that the application is currently running on the emulator, and not on the real operating system. It should be noted that the emulator creates a virtual copy of the processor, computer components and operating system (OS) only to a limited extent with truncated capabilities, since a complete recreation of all the capabilities of the same processor or system API functions is impossible for a number of reasons: , the presence of undocumented functions, a large drop in performance when running such an emulator. Thus, malware creators can use the following tricks to detect the fact of execution in an emulated environment:

Calling an undocumented or rarely used API function.

Execute a set of CPU instructions and then check, for example, a set of flags. With insufficiently accurate emulation of processor commands, a number of flags may have different values ​​from those that would be set when executed on the processor.

Checking the correctness of the execution of the API function. The check can be very complicated and include the analysis of error codes returned by an incorrect call or checking the installed processor registers.

Search memory for specific bytes. For example, a byte-by-byte search for the MZ header in memory after loading kernel32.dll at process start. In Vista 64, kernel32.dll uses 64Kb alignment, and the area between the header and the first section will not be mapped to the process address space, and an exception will be thrown if you try to access it. If no exception has been logged, then the standard OS exception handler will be called and terminate the process.

The latter approach is used everywhere, since it allows you to constantly bypass existing emulators, it is impossible to implement the correct emulation of each API function for the reasons described above.

An analysis of the prior art and the possibilities that appear when combining them in one system allows us to obtain a new result, and improve the quality of detection of malicious applications using the method of emulating system function calls to bypass emulation countermeasures.

The essence of the invention

The technical result of the present invention is to enable the emulation of calls to system functions.

According to one of the implementation options, a method is provided for emulating system function calls to bypass emulation countermeasures, in which: an executable file is received as input to the emulator; checking a requirement condition for emulating system function calls; if at least one of the above conditions is met, system call emulation is used; emulate the execution of an executable file according to the sequential execution of instructions; when a system function call is detected, switching the emulation process to system call emulation; produce an emulation of a system function call in the form of a chain of low-level calls.

According to one of the particular implementation options, the condition for the requirement to emulate calls to system functions is the rapid completion of the emulation of the executable file.

According to another particular implementation variant, the condition for requiring emulation of system function calls is that there is no limit on the emulation time.

According to another of the particular implementation options, the condition for the requirement to emulate system function calls is the absence of information on an unknown file from the anti-virus application.

According to one of the particular implementation options, sequential execution of instructions is at least the execution of all transitions, both conditional and unconditional, as well as calling various functions within the executable file.

According to another particular implementation, the low-level call is an assembly language instruction.

According to another of the private implementation options, a low-level call is a sequential call of all related system functions.

According to one of the private implementation options, the emulation of a system function call is terminated when switching to kernel mode.

Brief description of the drawings

Additional objects, features and advantages of the present invention will become apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

Figure 1 illustrates an example of a classic emulator when processing an API function call.

2 shows an example of executing an API function in a Windows operating environment.

3 illustrates a method for emulating API function calls within the framework of the present invention.

4 shows a system within which the present invention may be implemented.

Fig. 5 illustrates a method for implementing the present invention.

6 is an example of a general purpose computer system on which the present invention may be implemented.

Description of embodiments of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The gist of the description is nothing but specific details provided to assist the person skilled in the art in a thorough understanding of the invention, and the present invention is defined only within the scope of the appended claims.

Figure 1 illustrates an example of a classic emulator when processing an API function call. When an API call is made to an application in a real OS, the OS performs a large number of actions, which is due to the complex internal architecture of the OS. Schematically, calling an API function results in the execution of a large number of instructions on the processor, after which the result of the work of the called API function is returned to the application. When the emulator is running, calling an API function does not lead to the same execution of a series of instructions as in a real OS, but instead, the application returns a simulated result of the API function. For example, when trying to create a file, the emulator will return a pointer to a virtual file. However, despite the general result of work (for example, returning a pointer to a file), the result of the work of the called API function may differ in the OS and the emulator, which is due to the fact that when calling the API function, for example, some of the processor registers can be changed, which will not be reflected when the emulator is running. This discrepancy can be used to counteract emulation and, first of all, by malware.

2 shows an example of executing an API function on a Windows operating system. WriteFile was chosen as an example of an API function. At block 210, the Windows application (eg, Microsoft Word or Notepad) attempts to write data to the file by calling the appropriate Win32 API function WriteFile in Kernel32.dll. Then, at step 220, NtWriteFile is called in Ntdll.dll (i.e., all related system functions are called in sequence), which in turn leads to a trap at step 230 and a search for the appropriate handler (which is done by the KiSystemService function in Ntoskrnl.dll ) when calling NtWriteFile. Note that this process occurs in user mode, and after the interrupt is called, a transition to kernel mode occurs. At step 240, NtWriteFile is called directly in Ntoskrnl.dll and the file is written directly at step 250 (details related to the operation of the file system driver are also hidden here). Based on this, it becomes clear that when even one API function is called in modern OS, a large number of operations occur (i.e., lower-level events within the framework of considering the OS structure itself), including the transition of application execution from user mode to kernel mode. When considering these operations from the point of view of executing instructions in assembly language, it becomes clear that it is very difficult to correctly emulate an API function call due to the need to take into account the state of all processor registers and the state of all internal OS structures.

As already noted, malware creators can use various options to check the correctness of the execution of an API function, including by checking the registers of the central processor to determine whether the application is running in the emulator. Thus, in order to bypass (or rather, pass) such a check, the present invention proposes a method for executing all called functions according to machine code instructions.

3 illustrates a method for emulating API function calls within the framework of the present invention. At step 310, the classic emulation of the application occurs, as, for example, in the case of emulation of the Notepad application (a small fragment of the application code is shown when debugging it in the OllyDbg debugger):

Instructions such as MOV, PUSH, SUB, LEA and the like will be emulated as is, i.e. by emulating assembler instructions using a virtual processor in the emulator. Once an API function call occurs (as determined at block 320), such as

then the emulation of such a call will occur according to machine instructions (step 330), taking into account all nested calls, as shown, for example, in Fig.2. When the transition to kernel mode is reached during the execution of the API function, which will be checked at step 340, the emulation will be transferred to the standard (normal, classic) mode, i.e. further calls will not be processed sequentially for each instruction, but only the result of the function call will be returned. Thereafter, the method returns from step 350 to step 310 for further emulation.

4 shows a system within which the present invention may be implemented. Suppose there is an unknown executable file 410 on the user's computer, which should be emulated to determine whether it might be malicious. It should be clarified that an executable file should be understood not only as executable files that have the PE or ELF format, but also other files containing various code, such as .class or .jar files (for execution in the Java virtual machine), various script files , such as .vbs and many others. The file 410 itself contains instructions 420, the serial emulation of which reproduces the execution of file 410. Note that serial emulation includes the execution of all jumps, both conditional and unconditional, as well as calling various functions within the executable file 410. In serial emulation, each instruction 420 gets to the input of the instruction parsing module 430 inside the emulator 405, while this module determines whether the instruction is a call to the system API function and, if the answer is positive, the emulator 405 emulates the call to this function (displayed as 450) in the form of a chain of lower-level events, such as shown, for example, in Fig. 2 (ie, steps 210-230 in Fig. 2 prior to entering kernel mode). Otherwise, the emulator 405 emulates its execution as part of the classic emulation (shown as 440), i.e. returns the simulated result of the function (i.e. without emulating all the stages marked in Fig.2). In some cases, the instruction to call an API function can be emulated, just as it would be done in the case of classical 440 emulation. For example, the URLDownloadToFile function in the low-level representation contains a complex chain of calls to the TCP / IP driver, and serial emulation of such a chain may not be practical . In one implementation, the desirability of using system call emulation is determined by the instruction parser 430, for example, based on known information about the speed of the emulation of certain calls.

Fig. 5 illustrates a method for implementing the present invention. At block 510, an attempt is made to emulate the executable file 410 on the user's computer. At block 520, it is checked whether emulation of system API functions is required.

Requirements for emulating system functions:

The initial emulation completed very quickly and without alerting the user. This usually means that the application detects the fact of running in the emulator, while not notifying the user about it, which is usually done by dangerous programs.

It is required to carry out a deeper emulation of the executable file 410. This happens if the executable file 410 has not been encountered before, which means that there is no information on an unknown file from the anti-virus application within which the emulator is running (i.e. it is not classified and is not located in anti-virus application databases as a malicious or safe application).

The classic emulator detected methods to counter emulation, such as: calling API functions with obviously incorrect parameters followed by checking the status (code) of the error, checking volatile registers after calling API functions, scanning the contents of system modules, trying to detect a debugger in the system, as well as calls standard methods for detecting execution under a virtual machine (RedPill).

Detection of the use of self-unpacking or self-protection techniques (packers and protectors).

The need to emulate a potentially malicious application as part of the user's OS with all the libraries and interpreters present (for example, .NET or Java). Also, the proposed emulation method allows you to emulate batch and control files, such as a batch file (batch file) with the extension .bat or .cmd, powershell scripts, reg files for entering data into the registry and other types of files, the launch of which leads to the execution code on the user's computer.

The time for emulation is not limited by strict limits, for example, it can be tens of seconds or even several minutes or more, which is typical during the first analysis of the application.

Fulfillment of at least one of these requirements leads to the emulation of system calls 450 at block 530 to emulate API functions by machine instructions, as shown in Fig.4. Otherwise, at step 540, only the classic emulation 440 is used. Using such requirements allows a more flexible approach to the emulation process within the antivirus application without causing user dissatisfaction, which is associated with an additional load due to the need to emulate API functions by machine instructions.

6 shows an example of a general purpose computer system, a personal computer or a server 20, comprising a central processing unit 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processing unit 21. The system bus 23 is implemented , as any bus structure known from the prior art, containing in turn a bus memory or bus memory controller, a peripheral bus, and a local bus that is capable of interfacing with any other bus architecture. System memory contains a read only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the main procedures that provide information transfer between the elements of a personal computer 20, for example, at the time of loading the operating systems using ROM 24.

The personal computer 20, in turn, contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31, such as CD-ROM, DVD -ROM and other optical storage media. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 via the hard disk interface 32, the magnetic disk interface 33, and the optical drive interface 34, respectively. Drives and related computer storage media are non-volatile means of storing computer instructions, data structures, program modules, and other data of the personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that are capable of storing data in a computer-readable form (solid-state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55.

The computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38 and program data 39. The user has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40, manipulator " mouse" 42). Other input devices (not shown) may be used: microphone, joystick, game console, scanner, etc. Such input devices are typically connected to computer system 20 via serial port 46, which in turn is connected to the system bus, but may be connected in other ways, such as through a parallel port, game port, or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not shown), such as speakers, a printer, or the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection to another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the being personal computer 20, shown in Fig.6. Other devices may also be present in the computer network, such as routers, network stations, peer-to-peer devices, or other network nodes.

The network connections may form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using networks, the personal computer 20 may use a modem 54 or other means to communicate with a wide area network such as the Internet. Modem 54, which is an internal or external device, is connected to system bus 23 via serial port 46. It should be clarified that network connections are only exemplary and are not required to represent the exact network configuration, i. in fact, there are other ways to establish a connection by technical means of communication from one computer to another.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention defined by the formula. A person skilled in the art will appreciate that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

1. A method for emulating system function calls to bypass emulation countermeasures, in which:
a) receive an executable file at the input of the emulator;
b) check the conditions of the requirement to emulate system function calls;
c) if at least one of the above conditions is met, system call emulation is used;
d) emulate the execution of an executable file according to the sequential execution of instructions;
e) when a system function call is detected, the emulation process is switched to system call emulation;
f) emulate a system function call in the form of a chain of low-level calls.

2. The method of claim 1, wherein the condition for requiring emulation of system function calls is that the emulation of the executable file be completed quickly.

3. The method of claim 1, wherein the condition for requiring emulation of system function calls is that there is no limit on the emulation time.

4. The method according to claim 1, in which the condition for the requirement to emulate calls to system functions is the absence of information on an unknown file from the anti-virus application.

5. The method according to claim 1, wherein the sequential execution of the instructions is at least the execution of all jumps, both conditional and unconditional, as well as calling various functions within the executable file.

6. The method of claim 1, wherein the low-level call is an assembly language instruction.

7. The method of claim 1, wherein the low-level call is a sequential call of all associated system functions.

8. The method according to claim 1, which ends the emulation of a system function call upon transition to kernel mode.

Similar patents:

The invention relates to computer technology. The technical result is to improve the quality of malware detection.

SUBSTANCE: invention relates to means for verifying public key certificates. The technical result is to reduce the likelihood of unauthorized access.

The invention relates to the field of automatic configuration of security tools during the execution of application programs. The technical result is to reduce the computing resources consumed by the security tool during the execution of the application program without losing the quality of security.

The invention relates to systems and methods for filtering messages based on user reports. The technical result of the present invention is to identify messages belonging to different categories, such as, for example, the category of messages containing spam, based on user reports.

The invention relates to a system for managing user access rights to information related to flight and aircraft safety. The technical result is to ensure the identification of users who have access to the specified information. A system for managing access rights to on-board application programs and data and a method used by this system, as well as an aircraft containing this system, are proposed. The system for managing access rights to on-board information of a user on board an aircraft contains at least one identification device (10) configured to read information about the user's identity contained in his personal card, and an on-board computer (1), containing means (11) for managing access rights, configured to authenticate the user and determine access rights to on-board information depending on the identity of the user. 3 n. and 7 z.p. f-ly, 2 ill.

The invention relates to an information processing device and method, and a recording medium with a program for controlling the information processing device. The technical result is to increase the speed of data processing. The device is configured to read the application program from the recording medium on which the application program serving as content, the first root certificate issued to the application program, and the second root certificate issued before the issuance of the first root certificate to the application program is recorded, and to execute the application program. wherein the information processing device comprises: generation means for forming in the storage device a first folder for storing data to be processed by the application program, the first folder being associated with the first root certificate; and a copy means for copying to the first folder the data contained in the second folder, the second folder being associated with the second root certificate in case the second folder is present in the storage device. 3 n. and 7 z.p. f-ly, 19 ill.

The invention relates to the distribution of a cryptographic secret key between the transmitting and receiving parties. The technical result consists in the possibility of automatic regulation of protection and the waiting time for generating a cryptographic secret key by setting the number of iterations, on the basis of which the number of messages to be exchanged during the generation of a cryptographic secret key is controlled. The device for receiving and transmitting data in a secure manner contains a key generation controller and a unit for providing the number of iterations. 4 n. and 7 z.p. f-ly, 17 ill.

The invention relates to an image sending device requiring authentication to use the device and the function it provides. The technical result is to provide the possibility of setting the inheritance of authentication information for sending images and displaying a screen for entering authentication information in accordance with the method of setting the destination. To this end, the first authentication processing for user authentication is performed in the image sending device, the authentication information used in the case where the first authentication processing is performed is stored, and the destination to which the sending means sends the image data is set through a variety of kinds of point setting methods. destination. Then, the processing for the second authentication required for the sender to send the image data to the set destination is performed, and it is determined whether to use the authentication information stored in the information storage means when the processing for the second authentication is performed based on the destination setting method. 3 n. and 5 z.p. f-ly, 17 ill.

SUBSTANCE: invention relates to wireless communication, namely to a method for secure transmission of an access control client. The technical result is to increase security. The method comprises requesting a user access control client from a wireless network, wherein the request is associated with a first validating certificate; receiving a user access control client and a second validation certificate, wherein the first and second validating certificates are issued by a trusted entity; and storing the user access control client in the secure element if the second validating certificate is valid; wherein the user access control client is stored in an individual segment from among the plurality of segments constituting the secure element, and subsequent modifications to the stored user access control client can only be performed using the second confirmation certificate; and access to the wireless network is limited to (i) access by the user's access control client and (ii) requests from the user's access control clients. 3 n. and 19 z.p. f-ly, 8 ill.

The invention relates to computer technology and telecommunications, is intended to solve problems of protecting computer information. The technical result of the invention is to increase the speed by increasing the degree of parallelism. The way to perform three rounds of transformation is along the x, y, z axes. In the first round, N 2D layer change transformations L x0, L x1, ..., L x(N-1) are performed; in the second round, N two-dimensional layer replacement transformations L y0 , L y1 , ..., Ly (N-1) are performed; in the third round, N two-dimensional layer change transformations L z0, L z1, ..., L z(N-1) are performed. 5 ill., 1 tab.

The invention relates to means for managing measurement results. The technical result is to reduce the processing time of information. Provide transmission by the biological information measurement device of authentication related to the authentication of the biological information measurement device. EFFECT: determination of the need for authentication by the biological information measurement device. Ensure that the control device receives both the authentication-related information related to the authentication and the biological information from the biological information measurement device. Ensure that the control device performs authentication based on information related to authentication. The biological information received by the communication means is stored in the storage means, regardless of whether the authentication result of the authenticating means is positive or negative. Legitimate authentication information is transmitted by the communication means if it is determined by the means for determining whether authentication is necessary, and dummy information is transmitted by the communication means if it is determined that authentication is not required. 3 n. and 2 z.p. f-ly, 10 ill.

The invention relates to means for ensuring the security of electronic network transactions. The technical result is to increase the security of electronic transactions via the Internet. Perform the procedure of enhanced (multi-factor) authentication of clients and servers, procedures of hashing, signing with an electronic signature and verifying the electronic signature of clients and servers. Perform the process of scanning the client software environment, after which they make decisions about the criticality or non-criticality of the software environment vulnerabilities detected in the system clients. In the process of interaction between the participants, copies of the decisions of clients and servers, signed by their electronic signatures, on the continuation or closing of sessions between clients and servers are archived. 2 n. and 6 z.p. f-ly, 1 ill.

The invention relates to a method and apparatus for performing a cryptographic transformation in an electronic component. The technical result consists in increasing the security of establishing connections with password authentication by increasing the efficiency of cryptographic transformation. In the method, the point P(X,Y) is obtained based on the parameter t on an elliptic curve that satisfies the expression Y2=f(X), and based on the polynomials X1(t), X2(t), X3(t) and U(t ) satisfying the equality f(X1(t)).f(X2(t)).f(X3(t))=U(t)2 in Fq, with q=3 mod 4, then the value of the parameter t is obtained and determine the point P by performing sub-steps, in which (i) calculate X1=X1(t), X2=X2(t), X3=X3(t) and U=U(t), (ii) if the element f(X1) .f(X2) is a square, then check if the element f(X3) is a square in Fq, and if it is, then calculate the square root of the element f(X3) to get the point P(X3), (iii) otherwise check whether the element f(X1) is a square, and if it is, calculate the square root of f(X1) to get the point P(X1), (iv) else calculate the square root of the element f(X2) to get the point P(X2 ), and then this point P is used in a cryptographic application. 2 n. and 6 z.p. f-ly, 3 ill.

The group of inventions relates to means for controlling at least one process occurring in a safety-related system. The technical result consists in providing the possibility of flexible and generalized certification of security-related systems. To this end, a method is proposed for monitoring a safety-related system by means of a monitoring device provided for monitoring a safety-related system, in which: selecting a first process from a plurality of processes executing on the monitoring device, generating a call by the first process; transferring the call to a device forming at least a part of the security-related system; selecting a second process from a plurality of processes executing on the security-related system; calculating, by the second process, a processing result by applying at least one predetermined function to the call; transferring, by the second process, the processing result to the first process; checking, by the first process, the processing result calculated by the second process with the processing result calculated by the first process, the processing result calculated by the first process applying the same at least one predefined function; and evaluating the safety-related system as being in a safe state if the processing result calculated by the first process and the processing result calculated by the second process agree. 3 n. and 8 z.p. f-ly, 2 ill.

The invention relates to methods for emulating system function calls to bypass emulation countermeasures. The technical result consists in providing the possibility of emulating calls to system functions. The result is achieved using a method for emulating system function calls to bypass emulation countermeasures, the method including the following steps: receiving an executable file as input to the emulator; checking the conditions of the requirement to emulate system function calls; if at least one of the above conditions is met, system call emulation is used; emulate the execution of an executable file according to the sequential execution of instructions; when a system function call is detected, switching the emulation process to system call emulation; produce an emulation of a system function call in the form of a chain of low-level calls. 7 w.p. f-ly, 6 ill., 1 tab.

The invention relates to methods for emulating system function calls to bypass emulation countermeasures. The technical result consists in providing the possibility of emulating calls to system functions. The result is achieved using a method for emulating system function calls to bypass emulation countermeasures, the method including the following steps: receiving an executable file as input to the emulator; checking the conditions of the requirement to emulate system function calls; if at least one of the above conditions is met, system call emulation is used; emulate the execution of an executable file according to the sequential execution of instructions; when a system function call is detected, switching the emulation process to system call emulation; produce an emulation of a system function call in the form of a chain of low-level calls. 7 w.p. f-ly, 6 ill., 1 tab.

Drawings to the RF patent 2514141

Technical field

The invention relates to anti-virus solutions, and more specifically to methods for emulating system function calls to bypass emulation countermeasures.

State of the art

The code of modern programs, including malicious programs, is a complex set of instructions: jumps, calls, loops, and so on. It should be noted that the complexity of executable files is constantly increasing, which is associated with the growing popularity of high-level programming languages, as well as the complication of computer equipment and operating systems. This applies to both trusted applications and malicious ones. Malicious applications can perform a number of typical actions, such as stealing passwords and other confidential user data, including a computer in a botnet for conducting DDoS attacks or sending spam, blocking the correct functioning of the system for the purpose of extortion, and other negative and undesirable actions from the user's point of view .

One method for investigating potential malware is to use an emulator, which is used by an antivirus application to analyze the application's behavior. There are various emulation methods. One of them is software simulation of the processor, memory, and other devices by creating virtual copies of the processor registers, memory, and the processor's instruction set. Thus, program instructions are executed not on a real processor, but on its virtual copy, and calls to system API functions emulate and send back the emulated result of the function.

To counter emulation of program code, malware creators use various tricks, which may be based on limitations associated with the emulation process and the implementation of the emulator in antivirus solutions. One of these approaches is to add a large number of instructions to the program code that do not carry a malicious component, but take time to emulate. Given the fact that the time allotted for emulating the program code is limited so as not to cause user dissatisfaction (as a rule, this time can be several seconds), the emulation process can stop before the execution of truly malicious code begins. One method of combating this anti-emulation approach is described in US7603713, which operates by executing a number of instructions on a real processor, which significantly speeds up the process of emulating unknown applications in order to get to the most malicious code. Another approach, disclosed in the application US20110225655, considers the option of defining an application as suspicious if it counteracts emulation. This approach is based on the fact that a safe (legitimate) application, as a rule, shows a warning about the impossibility of execution in the emulator, while a malicious one calmly terminates the execution or abruptly changes the execution vector (logic).

Another way to counter emulation is based on determining the fact that the application is currently running on the emulator, and not on the real operating system. It should be noted that the emulator creates a virtual copy of the processor, computer components and operating system (OS) only to a limited extent with truncated capabilities, since a complete recreation of all the capabilities of the same processor or system API functions is impossible for a number of reasons: , the presence of undocumented functions, a large drop in performance when running such an emulator. Thus, malware creators can use the following tricks to detect the fact of execution in an emulated environment:

Calling an undocumented or rarely used API function.

Execute a set of CPU instructions and then check, for example, a set of flags. With insufficiently accurate emulation of processor commands, a number of flags may have different values ​​from those that would be set when executed on the processor.

Checking the correctness of the execution of the API function. The check can be very complicated and include the analysis of error codes returned by an incorrect call or checking the installed processor registers.

Search memory for specific bytes. For example, a byte-by-byte search for the MZ header in memory after loading kernel32.dll at process start. In Vista 64, kernel32.dll uses 64Kb alignment, and the area between the header and the first section will not be mapped to the process address space, and an exception will be thrown if you try to access it. If no exception has been logged, then the standard OS exception handler will be called and terminate the process.

The latter approach is used everywhere, since it allows you to constantly bypass existing emulators, it is impossible to implement the correct emulation of each API function for the reasons described above.

An analysis of the prior art and the possibilities that appear when combining them in one system allows us to obtain a new result, and improve the quality of detection of malicious applications using the method of emulating system function calls to bypass emulation countermeasures.

The essence of the invention

The technical result of the present invention is to enable the emulation of calls to system functions.

According to one of the implementation options, a method is provided for emulating system function calls to bypass emulation countermeasures, in which: an executable file is received as input to the emulator; checking a requirement condition for emulating system function calls; if at least one of the above conditions is met, system call emulation is used; emulate the execution of an executable file according to the sequential execution of instructions; when a system function call is detected, switching the emulation process to system call emulation; produce an emulation of a system function call in the form of a chain of low-level calls.

According to one of the particular implementation options, the condition for the requirement to emulate calls to system functions is the rapid completion of the emulation of the executable file.

According to another particular implementation variant, the condition for requiring emulation of system function calls is that there is no limit on the emulation time.

According to another of the particular implementation options, the condition for the requirement to emulate system function calls is the absence of information on an unknown file from the anti-virus application.

According to one of the particular implementation options, sequential execution of instructions is at least the execution of all transitions, both conditional and unconditional, as well as calling various functions within the executable file.

According to another particular implementation, the low-level call is an assembly language instruction.

According to another of the private implementation options, a low-level call is a sequential call of all related system functions.

According to one of the private implementation options, the emulation of a system function call is terminated when switching to kernel mode.

Brief description of the drawings

Additional objects, features and advantages of the present invention will become apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

Figure 1 illustrates an example of a classic emulator when processing an API function call.

2 shows an example of executing an API function in a Windows operating environment.

3 illustrates a method for emulating API function calls within the framework of the present invention.

4 shows a system within which the present invention may be implemented.

Fig. 5 illustrates a method for implementing the present invention.

6 is an example of a general purpose computer system on which the present invention may be implemented.

Description of embodiments of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The gist of the description is nothing but specific details provided to assist the person skilled in the art in a thorough understanding of the invention, and the present invention is defined only within the scope of the appended claims.

Figure 1 illustrates an example of a classic emulator when processing an API function call. When an API call is made to an application in a real OS, the OS performs a large number of actions, which is due to the complex internal architecture of the OS. Schematically, calling an API function results in the execution of a large number of instructions on the processor, after which the result of the work of the called API function is returned to the application. When the emulator is running, calling an API function does not lead to the same execution of a series of instructions as in a real OS, but instead, the application returns a simulated result of the API function. For example, when trying to create a file, the emulator will return a pointer to a virtual file. However, despite the general result of work (for example, returning a pointer to a file), the result of the work of the called API function may differ in the OS and the emulator, which is due to the fact that when calling the API function, for example, some of the processor registers can be changed, which will not be reflected when the emulator is running. This discrepancy can be used to counteract emulation and, first of all, by malware.

2 shows an example of executing an API function on a Windows operating system. WriteFile was chosen as an example of an API function. At block 210, the Windows application (eg, Microsoft Word or Notepad) attempts to write data to the file by calling the appropriate Win32 API function WriteFile in Kernel32.dll. Then, at step 220, NtWriteFile is called in Ntdll.dll (i.e., all related system functions are called in sequence), which in turn leads to a trap at step 230 and a search for the appropriate handler (which is done by the KiSystemService function in Ntoskrnl.dll ) when calling NtWriteFile. Note that this process occurs in user mode, and after the interrupt is called, a transition to kernel mode occurs. At step 240, NtWriteFile is called directly in Ntoskrnl.dll and the file is written directly at step 250 (details related to the operation of the file system driver are also hidden here). Based on this, it becomes clear that when even one API function is called in modern OS, a large number of operations occur (i.e., lower-level events within the framework of considering the OS structure itself), including the transition of application execution from user mode to kernel mode. When considering these operations from the point of view of executing instructions in assembly language, it becomes clear that it is very difficult to correctly emulate an API function call due to the need to take into account the state of all processor registers and the state of all internal OS structures.

As already noted, malware creators can use various options to check the correctness of the execution of an API function, including by checking the registers of the central processor to determine whether the application is running in the emulator. Thus, in order to bypass (or rather, pass) such a check, the present invention proposes a method for executing all called functions according to machine code instructions.

3 illustrates a method for emulating API function calls within the framework of the present invention. At step 310, the classic emulation of the application occurs, as, for example, in the case of emulation of the Notepad application (a small fragment of the application code is shown when debugging it in the OllyDbg debugger):

Instructions such as MOV, PUSH, SUB, LEA and the like will be emulated as is, i.e. by emulating assembler instructions using a virtual processor in the emulator. Once an API function call occurs (as determined at block 320), such as

then the emulation of such a call will occur according to machine instructions (step 330), taking into account all nested calls, as shown, for example, in Fig.2. When the transition to kernel mode is reached during the execution of the API function, which will be checked at step 340, the emulation will be transferred to the standard (normal, classic) mode, i.e. further calls will not be processed sequentially for each instruction, but only the result of the function call will be returned. Thereafter, the method returns from step 350 to step 310 for further emulation.

4 shows a system within which the present invention may be implemented. Suppose there is an unknown executable file 410 on the user's computer, which should be emulated to determine whether it might be malicious. It should be clarified that an executable file should be understood not only as executable files that have the PE or ELF format, but also other files containing various code, such as .class or .jar files (for execution in the Java virtual machine), various script files , such as .vbs and many others. The file 410 itself contains instructions 420, the serial emulation of which reproduces the execution of file 410. Note that serial emulation includes the execution of all jumps, both conditional and unconditional, as well as calling various functions within the executable file 410. In serial emulation, each instruction 420 gets to the input of the instruction parsing module 430 inside the emulator 405, while this module determines whether the instruction is a call to the system API function and, if the answer is positive, the emulator 405 emulates the call to this function (displayed as 450) in the form of a chain of lower-level events, such as shown, for example, in Fig. 2 (ie, steps 210-230 in Fig. 2 prior to entering kernel mode). Otherwise, the emulator 405 emulates its execution as part of the classic emulation (shown as 440), i.e. returns the simulated result of the function (i.e. without emulating all the stages marked in Fig.2). In some cases, the instruction to call an API function can be emulated, just as it would be done in the case of classical 440 emulation. For example, the URLDownloadToFile function in the low-level representation contains a complex chain of calls to the TCP / IP driver, and serial emulation of such a chain may not be practical . In one implementation, the desirability of using system call emulation is determined by the instruction parser 430, for example, based on known information about the speed of the emulation of certain calls.

Fig. 5 illustrates a method for implementing the present invention. At block 510, an attempt is made to emulate the executable file 410 on the user's computer. At block 520, it is checked whether emulation of system API functions is required.

Requirements for emulating system functions:

The initial emulation completed very quickly and without alerting the user. This usually means that the application detects the fact of running in the emulator, while not notifying the user about it, which is usually done by dangerous programs.

It is required to carry out a deeper emulation of the executable file 410. This happens if the executable file 410 has not been encountered before, which means that there is no information on an unknown file from the anti-virus application within which the emulator is running (i.e. it is not classified and is not located in anti-virus application databases as a malicious or safe application).

The classic emulator detected methods to counter emulation, such as: calling API functions with obviously incorrect parameters followed by checking the status (code) of the error, checking volatile registers after calling API functions, scanning the contents of system modules, trying to detect a debugger in the system, as well as calls standard methods for detecting execution under a virtual machine (RedPill).

Detection of the use of self-unpacking or self-protection techniques (packers and protectors).

The need to emulate a potentially malicious application as part of the user's OS with all the libraries and interpreters present (for example, .NET or Java). Also, the proposed emulation method allows you to emulate batch and control files, such as a batch file (batch file) with the extension .bat or .cmd, powershell scripts, reg files for entering data into the registry and other types of files, the launch of which leads to the execution code on the user's computer.

The time for emulation is not limited by strict limits, for example, it can be tens of seconds or even several minutes or more, which is typical during the first analysis of the application.

Fulfillment of at least one of these requirements leads to the emulation of system calls 450 at block 530 to emulate API functions by machine instructions, as shown in Fig.4. Otherwise, at step 540, only the classic emulation 440 is used. Using such requirements allows a more flexible approach to the emulation process within the antivirus application without causing user dissatisfaction, which is associated with an additional load due to the need to emulate API functions by machine instructions.

6 shows an example of a general purpose computer system, a personal computer or a server 20, comprising a central processing unit 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processing unit 21. The system bus 23 is implemented , as any bus structure known from the prior art, containing in turn a bus memory or bus memory controller, a peripheral bus, and a local bus that is capable of interfacing with any other bus architecture. System memory contains a read only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the main procedures that provide information transfer between the elements of a personal computer 20, for example, at the time of loading the operating systems using ROM 24.

The personal computer 20, in turn, contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31, such as CD-ROM, DVD -ROM and other optical storage media. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 via the hard disk interface 32, the magnetic disk interface 33, and the optical drive interface 34, respectively. Drives and related computer storage media are non-volatile means of storing computer instructions, data structures, program modules, and other data of the personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that are capable of storing data in a computer-readable form (solid-state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55.

The computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38 and program data 39. The user has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40, manipulator " mouse" 42). Other input devices (not shown) may be used: microphone, joystick, game console, scanner, etc. Such input devices are typically connected to computer system 20 via serial port 46, which in turn is connected to the system bus, but may be connected in other ways, such as through a parallel port, game port, or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not shown), such as speakers, a printer, or the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection to another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the being personal computer 20, shown in Fig.6. Other devices may also be present in the computer network, such as routers, network stations, peer-to-peer devices, or other network nodes.

The network connections may form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using networks, the personal computer 20 may use a modem 54 or other means to communicate with a wide area network such as the Internet. Modem 54, which is an internal or external device, is connected to system bus 23 via serial port 46. It should be clarified that network connections are only exemplary and are not required to represent the exact network configuration, i. in fact, there are other ways to establish a connection by technical means of communication from one computer to another.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention defined by the formula. A person skilled in the art will appreciate that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

CLAIM

1. A method for emulating system function calls to bypass emulation countermeasures, in which:

a) receive an executable file at the input of the emulator;

b) check the conditions of the requirement to emulate system function calls;

c) if at least one of the above conditions is met, system call emulation is used;

d) emulate the execution of an executable file according to the sequential execution of instructions;

e) when a system function call is detected, the emulation process is switched to system call emulation;

f) emulate a system function call in the form of a chain of low-level calls.

2. The method of claim 1, wherein the condition for requiring emulation of system function calls is that the emulation of the executable file be completed quickly.

3. The method of claim 1, wherein the condition for requiring emulation of system function calls is that there is no limit on the emulation time.

4. The method according to claim 1, in which the condition for the requirement to emulate calls to system functions is the absence of information on an unknown file from the anti-virus application.

5. The method according to claim 1, wherein the sequential execution of the instructions is at least the execution of all jumps, both conditional and unconditional, as well as calling various functions within the executable file.

6. The method of claim 1, wherein the low-level call is an assembly language instruction.

7. The method of claim 1, wherein the low-level call is a sequential call of all associated system functions.

8. The method according to claim 1, which ends the emulation of a system function call upon transition to kernel mode.