Abstract: Embodiments of the present disclosure relate to dynamic scan of objects in an Operating System (OS). An embodiment of the present disclosure illustrates a method for dynamic scan of objects of the Operating System comprising identification of an appropriate module of the OS, analysis of attributes of operating structures of the identified module, retrieval of actual objects and corresponding addresses, storage of retrieved actual objects and corresponding addresses followed by generation of a list of actual objects based on the stored objects and their addresses.
FORM-2
THE PATENTS ACT, 1970
(39 OF 1970)
AND
THE PATENTS RULES, 2003
(As Amended)
COMPLETE SPECIFICATION
(See section 10; rule 13)
"Dynamic Scan of Objects of an Operating System"
HCL Technologies Ltd., a corporation organized and existing under the laws of India, of No. 8, MTH Road, Ambattur Industrial Estate, Chennai-600 058 Tamil Nadu India.
The following specification particularly describes the nature of this invention and the manner in which it is to be performed:
DYNAMIC SCAN OF OBJECTS OF AN OPERATING SYSTEM
Field of the Disclosure: -
The present disclosure relates to scan of objects of an Operating System (OS) and more specifically to, dynamic scan of objects of the OS by identifying actual objects of the OS.
Background:-
There are approximately 65k internal ports within a network system, which are periodically scanned to ensure security of data operations. Additionally, port scanning is an attempt to detect what services are active on a particular host. Such scanning of ports is usually achieved by sending packets to each port in a sequential or random manner. The packets sent include, for example, an evaluated packet aimed at various ports on a particular host, any packet directed to a port that is inactive or blocked by a firewall, and commonly used packets such as those of the ping type.
The success of a port scan depends on the ability of the scan to identify the open ports in a system. According to conventional art, the ports are scanned sequentially and a complete connection is established with each port. These port scanners are typically designed to set off a distress notification in case any potential threat to the stability of the network system is identified; however, they do not focus on the scan results at all. Therefore, many times the port scanner bypasses firewalls and even avoids port alarms to disclose a probable active hidden open port to the network system.
Summary: -
Embodiments of the present disclosure relate to dynamic scan of objects in an Operating System (OS). An embodiment of the present disclosure illustrates a method for dynamic scan of objects of the Operating System comprising identification of an appropriate module of the OS, analysis of attributes of operating structures of the identified module, retrieval of actual objects and corresponding addresses, storage of retrieved actual objects and corresponding addresses followed by generation of a list of actual objects based on the stored objects and their addresses.
According to an example of the embodiment, the analysis of attributes of operating structures of the identified module may comprise receiving instruction to analyze the identified module, verifying initialization of variables of the identified module and identifying actual objects and their corresponding addresses.
In another embodiment of the disclosure, the actual objects comprise active as well as hidden objects.
An embodiment of the present disclosure illustrates a system for dynamic scan of objects of an OS comprising a module identification unit, an analyzing unit coupled to the module identification unit and an object processor coupled to the analyzing unit. The module identification unit is configured to identify an appropriate module for the OS while the analyzing unit is configured to analyze the attributes of operating structures of the identified module. The object processor is configured to retrieve, store and generate a list of actual objects and corresponding addresses.
According to an example of the embodiment, the analyzing unit may be additionally configured to receive instructions to analyze the identified module, verify initialization of variables of the identified module and identify actual objects and their corresponding addresses.
Another embodiment of the disclosure illustrates a dynamic scanner for an OS comprising a module identification unit configured to identify an appropriate module for the OS, an analyzing unit coupled to the module identification unit configured to analyze attributes of operating structures of the identified module and an object processor coupled to the analyzing unit configured to retrieve, store and generate a list of actual objects and corresponding addresses.
Another embodiment of the present disclosure discloses a cellular user equipment comprising a module identification unit configured to identify an appropriate module for the OS, an analyzing unit coupled to the module identification unit configured to analyze the attributes of operating structures of the identified module and an object processor coupled to the analyzing unit configured to retrieve, store and generate a list of actual objects and corresponding addresses.
Brief Description of Figures: -
The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the drawings to reference like features and components.
Figure 1 illustrates a flow diagram representation of a method for dynamic scan of an Operating System (OS) according to an embodiment of the present disclosure.
Figure 2 illustrates a flow diagram representation of analyzing attributes of operating structures according to an embodiment of the present disclosure.
Figure 3 illustrates a flow diagram representation of a method for dynamic scan of an Operating System according to an example of an embodiment of the present disclosure.
Figure 4 illustrates a block diagram representation of a system for dynamic scan of an operating system according to an embodiment of the present disclosure.
Figure 5 illustrates a block diagram representation of a system for detecting security threat in an operating system according to an embodiment of the present disclosure.
Detailed Description: -
The following discussion provides a brief, general description of a suitable computing environment in which various embodiments of the present disclosure can be implemented. The aspects and embodiments are described in the general context of computer executable mechanisms such as routines executed by a general purpose computer, e.g. a server or personal computer. The embodiments described herein can be practiced with other system configurations, including Internet appliances, hand held devices, multi-processor systems, microprocessor based or programmable consumer electronics, network PCs, mini computers, mainframe computers and the like. The embodiments can be embodied in a special purpose computer or data processor that is specifically programmed, configured or constructed to perform one or more of the computer executable mechanisms explained in detail below.
Exemplary embodiments now will be described with reference to the accompanying drawings. The disclosure may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey its scope to those skilled in the art. The terminology used in the detailed description of the particular exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting.
Embodiments of the method for dynamic scan of objects of an Operating System (OS) of the present disclosure are described in Figures 1, 2 and 3. The methods are illustrated as a collection of blocks in a logical flow graph, which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof. The order in which the process is described is not intended to be construed as a limitation, and any number of the described blocks can be combined in any order to implement the process, or an alternate process.
Figure 1 of the present disclosure illustrates a flow diagram representation of a method for dynamic scan of objects of an Operating System (OS) according to an embodiment. The method comprises identifying an appropriate module of the OS 101, analyzing attributes of operating structures of the identified module 102, retrieving actual objects and corresponding addresses 103, storing retrieved actual objects and corresponding addresses 104 and generating a list of actual objects based on the stored objects and their addresses 105.
The step of analyzing attributes of operating structures of the identified module 102 is further illustrated in Figure 2 of the present disclosure. The step according to an embodiment of the present disclosure comprises receiving instruction to analyze the identified module 201, verifying initialization of variables of the identified module 202 and identifying objects and their corresponding addresses 203.
According to an embodiment of the present disclosure, the actual objects comprise active as well as hidden objects. These objects may be kernel objects. According to an embodiment of the present disclosure, the loadable kernel module, which acts in the kernel space and alters the memory space to conceal itself, is identified. Since such kernel objects remain hidden during a conventional scan of an OS, the present disclosure conducts a dynamic scan as illustrated in the embodiment of Figure 1 to identify the actual kernel object, working directly on the kernel object related to allocating ports. According to certain embodiments of the present disclosure, the actual objects of the OS may be identified using the Direct Kernel Object Manipulation (DKOM) technique, which is illustrated further in the specification.
Figure 3 of the present disclosure illustrates a flow diagram representation of a method for dynamic scan of an OS according to an example of the embodiment of the present disclosure as described in Figure 1. The example of the embodiment identifies the actual objects of the OS by an in-depth analysis of TCPIP.sys using the DKOM technique. According to the example, the dynamic scan identifies the kernel objects for any Windows OS driven device. According to the figure, the appropriate module of the OS, i.e. TCPIP.sys, is identified in the memory 301. A customized PE (Portable Executable) loader is used to load the identified TCPIP.sys 302 from the hard disc of the device. The entry point for the loaded TCPIP.sys is identified 303 and a SymbolicLink is thereby created 304. A symbolic link is mainly a file-system object that points to another file-system object. Consequent to the link creation, the call to tlinit is identified 305. This step refers to receipt of instructions to analyze the identified TCPIP.sys module and verifying initialization of variables of the module. If the call for initiation is identified 306, the addresses of objects, i.e. the kernels, are identified through the table listed as AddrObjTable 307 and only on location of the table 308 are the addresses for the kernels returned 309. In case the call for initiation is not identified or the table is not identified, the operation run by the device is ended.
Therefore, the addresses of all objects, i.e. loaded kernel modules, are returned to the user, which include the active as well as hidden kernel objects.
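Steps 302 and 303 of Figure 3 (loading the module image from disk and identifying its entry point) can be illustrated with a small header parser. This is an added example, not code from the specification; the function names and the sample image are constructed for illustration, and the image is a header-only stand-in rather than a real TCPIP.sys.

```python
import struct


class PEFormatError(ValueError):
    """Raised when the image does not look like a well-formed PE file."""


def _unpack(fmt, data, off):
    # Bounds-checked struct read so truncated images fail cleanly.
    if off < 0 or off + struct.calcsize(fmt) > len(data):
        raise PEFormatError(f"truncated image at offset {off:#x}")
    return struct.unpack_from(fmt, data, off)


def locate_entry_point(image: bytes) -> dict:
    """Return RVA, VA, section and file offset of the image's entry point."""
    if image[:2] != b"MZ":
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = _unpack("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = _unpack("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = _unpack("<H", image, opt)
    if magic == 0x10B:                       # PE32
        (image_base,) = _unpack("<I", image, opt + 28)
    elif magic == 0x20B:                     # PE32+
        (image_base,) = _unpack("<Q", image, opt + 24)
    else:
        raise PEFormatError(f"unknown optional header magic {magic:#x}")
    (entry_rva,) = _unpack("<I", image, opt + 16)
    first_section = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = _unpack(
            "<8sIIII", image, first_section + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            delta = entry_rva - vaddr
            if delta >= rawsize:
                raise PEFormatError("entry point has no bytes on disk")
            return {
                "entry_rva": entry_rva,
                "entry_va": image_base + entry_rva,
                "section": name.rstrip(b"\0").decode("ascii", "replace"),
                "file_offset": rawptr + delta,
            }
    # An entry point outside every section is itself worth flagging.
    raise PEFormatError("entry point RVA is outside every section")


def build_sample_image(entry_rva=0x1234) -> bytes:
    """Constructed header-only PE32 image with two sections (sample data)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000)     # ImageBase
    sections = (
        struct.pack("<8sIIII16x", b".text", 0x2000, 0x1000, 0x2000, 0x400)
        + struct.pack("<8sIIII16x", b".data", 0x1000, 0x3000, 0x200, 0x2400)
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    info = locate_entry_point(build_sample_image())
    print({k: hex(v) if isinstance(v, int) else v for k, v in info.items()})
```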
Figure 4 refers to a system for dynamic scan of objects of an OS according to an embodiment of the present disclosure. According to the embodiment, the system comprises a module identification unit 401 configured to identify an appropriate module for the OS. The system additionally comprises an analyzing unit 402 coupled to the module identification unit 401 and an object processor 403 coupled to the analyzing unit 402. The analyzing unit 402 is configured to analyze attributes of operating structures of the identified module while the object processor 403 is configured to retrieve, store and generate a list of actual objects and corresponding addresses.
According to an embodiment of the present disclosure the actual objects comprise active as well as hidden objects. These objects may be kernel objects of a loaded kernel module in the OS. According to another embodiment, the analyzing unit may be configured further to receive instruction to analyze the identified module, verify initialization of variable of the identified module and consequently, identify the actual objects and their corresponding addresses.
Network systems are designed to hold data traffic across different segments and therefore, ports of such systems are periodically scanned. The embodiments of the present disclosure ensure that all ports of the system are scanned, including the active as well as hidden ports. These ports may be referred to as objects as well.
Certain embodiments of the present disclosure may be used to detect security threats in an OS. Figure 5 illustrates a system according to such embodiments, comprising a static scanning unit 501, a dynamic scanning unit 502 and a comparator 503 coupled to the outputs of the static scanning unit 501 and the dynamic scanning unit 502. The static scanning unit 501 is configured to scan the ports of the system to generate a first list of actual object addresses and the dynamic scanning unit 502 is configured to scan the ports of the system to generate a second list of actual object addresses. The static scanning unit 501 is configured to assess memory dumps using Windows OS to generate the first list of actual object addresses, which is retained by the kernel to monitor the processes and objects. The embodiment may comprise a data storage unit configured to store the output of the static scanning unit 501. The dynamic scanning unit 502 is configured to scan the ports of the system in accordance with the embodiment described in Figures 1, 2 and 3. The second list of actual object addresses may be stored in the data storage unit as well. The comparator 503 is configured to receive the output of the static scanning unit 501 and the dynamic scanning unit 502 and compare the first and second lists of actual object addresses. On comparison of the first and second lists of actual object addresses, the system identifies the objects which were not detected by the static scanning system. This identifies any potential threat to the system that may damage the data stored in the data storage unit, thereby identifying any illegitimate opening of ports through any application intending to cause harm to the system.
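The comparator 503 of Figure 5 can be sketched as a cross-view comparison of the two address lists. This is an added example, not code from the specification; the record format (object address, protocol, local port), the function names and the sample listings are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AddrObject:
    address: int   # address of the kernel object
    proto: str     # "TCP" or "UDP"
    port: int      # local port bound by the object


def parse_view(text: str) -> dict:
    """Parse one scanner's listing into {address: AddrObject}."""
    objects = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {raw!r}")
        obj = AddrObject(int(fields[0], 16), fields[1].upper(), int(fields[2]))
        if obj.proto not in ("TCP", "UDP") or not 0 <= obj.port <= 65535:
            raise ValueError(f"line {lineno}: bad protocol or port in {raw!r}")
        objects[obj.address] = obj
    return objects


def compare_views(first: dict, second: dict) -> dict:
    """Compare the first (static) and second (dynamic) lists by address."""
    by_addr = lambda o: o.address
    return {
        # Objects the dynamic scan found that the static scan did not report.
        "undetected_by_static": sorted(
            (second[a] for a in second.keys() - first.keys()), key=by_addr),
        # Objects only the static scan reported (for example, already closed).
        "only_in_static": sorted(
            (first[a] for a in first.keys() - second.keys()), key=by_addr),
        # Same address in both lists but different protocol or port.
        "attribute_mismatch": [
            (first[a], second[a])
            for a in sorted(first.keys() & second.keys())
            if first[a] != second[a]
        ],
    }


# Constructed sample listings; the values are not taken from a real system.
STATIC_VIEW = """
0x81f2a008 TCP 135
0x81f2b3c0 TCP 445
0x81e90d28 UDP 137
"""
DYNAMIC_VIEW = """
0x81F2A008 tcp 135
0x81f2b3c0 TCP 445
0x81e90d28 UDP 137
0x81d77e50 TCP 50123   # present only in the dynamic scan
"""

if __name__ == "__main__":
    report = compare_views(parse_view(STATIC_VIEW), parse_view(DYNAMIC_VIEW))
    for obj in report["undetected_by_static"]:
        print(f"not in static list: {obj.address:#010x} {obj.proto}/{obj.port}")
```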
Embodiments of the present disclosure may be used in governance, audits and compliance around policies pertaining to system ports. Additionally, the state of ports is monitored in accordance with embodiments of the present disclosure, which may enable applications to map open ports to their functioning. The network is explored for open ports, which could result in compromising the security policies of the organization, if an attack is imminent.
Certain embodiments of the present disclosure may be used in port management solutions to locate available user ports in a virtual environment, with multiple virtual machines on multiple hosts. It may be implemented in network management tools for discovery of new devices on the network and to enable event correlation with respect to newly opened ports.
As will be appreciated by one of skill in the art, the present invention may be embodied as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, a software embodiment or an embodiment combining software and hardware aspects all generally referred to herein as a "circuit" or "module." Furthermore, the present invention may take the form of a computer program product on a computer-usable storage medium having computer-usable program code embodied in the medium.
Furthermore, the present invention was described in part above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention.
It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus like a scanner/check scanner to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and schematic diagrams of Figures 1-5 illustrate the architecture, functionality, and operations of some embodiments of methods, systems, and computer program products for dynamic scan of objects of an Operating System (OS). In this regard, each block may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in other implementations, the function(s) noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending on the functionality involved.
In the drawings and specification, there have been disclosed exemplary embodiments of the invention. Although specific terms are employed, they are used in a generic and descriptive sense only and not for purposes of limitation, the scope of the invention being defined by the following claims.
We claim: -
1. A method for dynamic scan of objects of an Operating System (OS) comprising: -
a. identifying an appropriate module of the OS;
b. analyzing attributes of operating structures of the identified module;
c. retrieving actual objects and corresponding addresses;
d. storing retrieved actual objects and corresponding addresses; and
e. generating a list of actual objects based on the stored objects and their addresses.
2. A method as claimed in claim 1 wherein analyzing attributes of operating structures comprises: -
a. receiving instruction to analyze the identified module;
b. verifying initialization of variables of the identified module; and
c. identifying actual objects and their corresponding addresses.
3. A method as claimed in claim 1 wherein the actual objects comprise active as well as hidden objects.
4. A system for dynamic scan of objects of an operating system (OS) comprising: -
a. a module identification unit configured to identify an appropriate module for the OS;
b. an analyzing unit coupled to the module identification unit configured to analyze attributes of operating structures of the identified module; and
c. an object processor coupled to the analyzing unit configured to retrieve, store and generate a list of actual objects and corresponding addresses.
5. A system as claimed in claim 4 wherein the analyzing unit is configured to: -
a. receive instruction to analyze the identified module;
b. verify initialization of variables of the identified module; and
c. identify actual objects and their corresponding addresses.
6. A system as claimed in claim 4 wherein the actual objects comprise active as well as hidden objects.
7. A dynamic scanner for an Operating System (OS) comprising: -
a. a module identification unit configured to identify an appropriate module for the OS;
b. an analyzing unit coupled to the module identification unit configured to analyze attributes of operating structures of the identified module; and
c. an object processor coupled to the analyzing unit configured to retrieve, store and generate a list of actual objects and corresponding addresses.
8. A dynamic scanner as claimed in claim 7 wherein the analyzing unit is configured to: -
a. receive instruction to analyze the identified module;
b. verifying initialization of variables of the identified module; and
c. identify actual objects and their corresponding addresses.
9. A dynamic scanner as claimed in claim 7 wherein the actual objects comprise active as well as hidden objects.
10. A cellular user equipment comprising: -
a. a module identification unit configured to identify an appropriate module for the OS;
b. an analyzing unit coupled to the module identification unit configured to analyze attributes of operating structures of the identified module; and
c. an object processor coupled to the analyzing unit configured to retrieve, store and generate a list of actual objects and corresponding addresses.
11. A cellular user equipment as claimed in claim 10 wherein the analyzing unit is configured to: -
a. receive instruction to analyze the identified module; and
b. verify initialization of variables of the identified module; and
c. identify actual objects and their corresponding addresses.
12. A cellular user equipment as claimed in claim 10 wherein the actual objects comprise active as well as hidden objects.
Dated this 06th day of January 2011
Of Anand and Anand Advocates Agents for the Applicant
| # | Name | Date |
|---|---|---|
| 1 | 66-CHE-2011 FORM-9 30-05-2011.pdf | 2011-05-30 |
| 2 | 66-CHE-2011 FORM-18 30-05-2011.pdf | 2011-05-30 |
| 3 | 66-CHE-2011 CORRESPONDENCE 30-05-2011.pdf | 2011-05-30 |
| 4 | Form-3.pdf | 2011-09-02 |
| 5 | Form-1.pdf | 2011-09-02 |
| 6 | 66-CHE-2011 POWER OF ATTORNEY 26-12-2011.pdf | 2011-12-26 |
| 7 | 66-CHE-2011 CORRESPONDENCE OTHERS 26-12-2011.pdf | 2011-12-26 |
| 8 | 66-CHE-2011 FORM-1 03-10-2012.pdf | 2012-10-03 |
| 9 | 66-CHE-2011 CORRESPONDENCE OTHERS 03-10-2012.pdf | 2012-10-03 |
| 10 | 66-CHE-2011-FER.pdf | 2018-06-18 |
| 11 | 66-CHE-2011-FORM-26 [28-08-2018(online)].pdf | 2018-08-28 |
| 12 | 66-CHE-2011-FER_SER_REPLY [28-08-2018(online)].pdf | 2018-08-28 |
| 13 | 66-CHE-2011-CORRESPONDENCE [28-08-2018(online)].pdf | 2018-08-28 |
| 14 | 66-CHE-2011-COMPLETE SPECIFICATION [28-08-2018(online)].pdf | 2018-08-28 |
| 15 | 66-CHE-2011-CLAIMS [28-08-2018(online)].pdf | 2018-08-28 |
| 16 | 66-CHE-2011-ABSTRACT [28-08-2018(online)].pdf | 2018-08-28 |
| 17 | Correspondence by Agent_General Power of Attorney_03-09-2018.pdf | 2018-09-03 |
| 18 | 66-CHE-2011-Response to office action [24-04-2021(online)].pdf | 2021-04-24 |
| 19 | 66-CHE-2011-POA [09-07-2021(online)].pdf | 2021-07-09 |
| 20 | 66-CHE-2011-FORM 13 [09-07-2021(online)].pdf | 2021-07-09 |
| 21 | 66-CHE-2011-FORM-26 [29-07-2021(online)].pdf | 2021-07-29 |
| 22 | 66-CHE-2011-US(14)-HearingNotice-(HearingDate-30-10-2023).pdf | 2023-09-26 |
| 23 | 66-CHE-2011-Correspondence to notify the Controller [07-10-2023(online)].pdf | 2023-10-07 |
| 24 | 66-CHE-2011-FORM-26 [25-10-2023(online)].pdf | 2023-10-25 |
| 25 | 66-CHE-2011-RELEVANT DOCUMENTS [10-11-2023(online)].pdf | 2023-11-10 |
| 26 | 66-CHE-2011-PETITION UNDER RULE 137 [10-11-2023(online)].pdf | 2023-11-10 |
| 27 | 66-CHE-2011-FORM-26 [10-11-2023(online)].pdf | 2023-11-10 |
| 28 | 66-CHE-2011-Written submissions and relevant documents [14-11-2023(online)].pdf | 2023-11-14 |
| 29 | 66-CHE-2011-PatentCertificate19-02-2024.pdf | 2024-02-19 |
| 30 | 66-CHE-2011-IntimationOfGrant19-02-2024.pdf | 2024-02-19 |
| 1 | Search_18-06-2018.pdf |