
Trap Patching

Well-known to the virus writing community is the notion of "trap patching". When a system function is called, the operating system performs a look-up on the trap dispatch table to determine where in memory the desired function is located. In patching a system function, this address is replaced in the table with an address pointing to new code. Oftentimes, the new code will hand execution off to the original routine after it has served its purpose. In such a scenario, the patch appears invisible to the end user, as the original functionality still succeeds.

Trap patching has many uses beyond that of virus design. For Palm OS devices, trap patching has been made popular with HackMaster [13]. Any native functions in the Palm OS are potential vectors that can be trapped and exploited. This is not only the case for exported user programming interfaces, but includes those that are defined for system-use only.

To help in understanding trap patching as a vulnerability, consider a trivial denial-of-service event:

When a penUpEvent event is detected in the writing area, SysHandleEvent hands control over to the GrfProcessStroke API function. GrfProcessStroke is located in the trap dispatch table and the Program Counter starts execution at the address returned. If the GrfProcessStroke routine were replaced with a stub that returned immediately after entry, which is to say that the routine does nothing, the attack would result in characters being prevented from entering into the key queue.

Obviously, this constitutes a much more benign attack than ones that might be introduced with greater functionality.
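The following is an added illustration, not code from the paper: a self-contained C model of the trap dispatch table described above. It is not the Palm OS trap table (Palm OS exposes it through SysGetTrapAddress and SysSetTrapAddress); the table, the trap number, the key-queue model and every function name here are hypothetical. It shows the two cases the text distinguishes, a chaining patch that calls the original routine and so stays invisible to the user, and a stub that returns immediately and starves the key queue, together with the simple integrity check a defender would use: snapshot the table at a trusted point and count entries that have since changed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a trap dispatch table: an array of function pointers
 * indexed by trap number. Real Palm OS keeps this table in system memory. */
typedef int (*trap_fn)(char glyph);

enum { TRAP_GRF_PROCESS_STROKE = 0, TRAP_COUNT };

static char key_queue[64];          /* constructed stand-in for the OS key queue */
static trap_fn trap_table[TRAP_COUNT];
static trap_fn known_good[TRAP_COUNT];  /* baseline snapshot for the integrity check */
static trap_fn saved_original;      /* where a chaining patch hands execution back to */
static int chain_count;             /* how often the chaining patch has run */

/* The "original" GrfProcessStroke in this model: enqueue the recognized glyph. */
static int original_process_stroke(char glyph) {
    size_t len = strlen(key_queue);
    if (len + 1 >= sizeof key_queue) return 0;
    key_queue[len] = glyph;
    key_queue[len + 1] = '\0';
    return 1;
}

/* Reset to a trusted state: fill the table and take the baseline snapshot. */
static void reset_model(void) {
    key_queue[0] = '\0';
    chain_count = 0;
    trap_table[TRAP_GRF_PROCESS_STROKE] = original_process_stroke;
    memcpy(known_good, trap_table, sizeof trap_table);
}

/* What SysHandleEvent does in the text: look the trap up and jump to it. */
static int dispatch(int trap, char glyph) {
    return trap_table[trap](glyph);
}

/* Replace a table entry and return the previous address. */
static trap_fn set_trap(int trap, trap_fn fn) {
    trap_fn old = trap_table[trap];
    trap_table[trap] = fn;
    return old;
}

/* Chaining patch: do its own work, then hand off to the original routine. */
static int chaining_patch(char glyph) {
    chain_count++;
    return saved_original(glyph);
}

/* Stub patch: return immediately, so no glyph ever reaches the key queue. */
static int stub_patch(char glyph) {
    (void)glyph;
    return 0;
}

static void install_chaining_patch(void) {
    saved_original = set_trap(TRAP_GRF_PROCESS_STROKE, chaining_patch);
}

static void install_stub_patch(void) {
    set_trap(TRAP_GRF_PROCESS_STROKE, stub_patch);
}

/* Integrity check: number of entries that differ from the trusted snapshot. */
static int patched_entries(void) {
    int n = 0;
    for (int i = 0; i < TRAP_COUNT; i++)
        if (trap_table[i] != known_good[i]) n++;
    return n;
}

static int key_queue_len(void) { return (int)strlen(key_queue); }

int main(void) {
    reset_model();
    dispatch(TRAP_GRF_PROCESS_STROKE, 'a');
    install_chaining_patch();
    dispatch(TRAP_GRF_PROCESS_STROKE, 'b');   /* still reaches the queue */
    printf("after chaining patch: queue=\"%s\" patched=%d\n", key_queue, patched_entries());
    install_stub_patch();
    dispatch(TRAP_GRF_PROCESS_STROKE, 'c');   /* silently dropped */
    printf("after stub patch:     queue=\"%s\" patched=%d\n", key_queue, patched_entries());
    return 0;
}
```

The point of the integrity check is that both patches look identical to the user-visible dispatch path (a call still goes through the table), so the only reliable signal is the table entry itself no longer matching the address recorded at a trusted point.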

Kingpin
2001-05-09