DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it must be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. Gene Su, Reg. No. 45,140 on 02/28/2022.

Please amend the specification as follows:

Please replace the as-filed paragraph [0024] with the following:

[0024] In block 306, the instrumentation matches a pattern against memory references in the assembly code.  When the instrumentation detects the pattern from the memory references, block [[308]]306 may be followed by block 308.




Please amend claims 1-2, 8, 10-11, 17, 19-21, 23, 26 as follows:

(Currently Amended) A method for a hypervisor to dynamically discover internal address information of a guest kernel on a virtual machine, the method comprising: 
locating, by the hypervisor, a kernel system call or an exported function in an image of the guest kernel in guest memory of the virtual machine based on parsing an export table comprising addresses associated with one or more exported functions or exported data in the image of the guest kernel to locate an address of the kernel system call or the exported function, wherein the guest memory corresponds to virtual memory allocated by the hypervisor;
disassembling, by the hypervisor, machine code of the kernel system call or the exported function in the image into assembly code;
detecting, by the hypervisor, a pattern from memory references in the assembly code, wherein the pattern includes at least one of:
a call to a specific exported function with [[an]]a first internal global data as a parameter for the specific exported function;
a call to an internal function with a specific exported global data as a parameter for the internal function;
a specific exported function returning a value at an offset in an internal data structure; and
a second internal global data; and
after detecting the pattern, determining, by the hypervisor, the internal address information of the guest kernel associated with the first internal global data, the internal function, the internal data structure, or the second internal global data from the assembly code.  

2.  (Currently Amended) The method of claim 1, wherein: 
for detecting the call to the specific exported function with the first internal global data as the parameter for the exported function, the internal address information comprises an address of the first internal global data.

8.  (Currently Amended) The method of claim 1, wherein:
for detecting the specific instruction that operates on the second internal global data, the internal address information comprises an address of the second internal global data.  

locating, by the hypervisor, a kernel system call or exported function in an image of the guest kernel in guest memory of the virtual machine based on parsing an export table comprising addresses associated with one or more exported functions or exported data in the image of the guest kernel to locate an address of the kernel system call or the exported function, wherein the guest memory corresponds to virtual memory allocated by the hypervisor;
disassembling, by the hypervisor, machine code of the kernel system call or exported function in the image into assembly code;
detecting, by the hypervisor, a pattern from memory references in the assembly code, wherein the pattern includes at least one of:
a call to a specific exported function with [[an]]a first internal global data as a parameter for the specific exported function;
a call to an internal function with a specific exported global data as a parameter for the internal function;

a specific instruction that operates on [[an]]a second internal global data; and
after detecting the pattern, determining, by the hypervisor, the internal address information of the guest kernel associated with the first internal global data, the internal function, the internal data structure, or the second internal global data from the assembly code.  

11. (Currently Amended) The medium of claim 10, wherein: 
for detecting the call to the specific exported function with the first internal global data as the parameter for the exported function, the internal address information comprises an address of the first internal global data.

17. (Currently Amended) The medium of claim 10, wherein:
for detecting the specific instruction that operates on the second internal global data, the internal address information comprises an address of the second internal global data.

19. (Currently Amended) A computer system, comprising:
a memory;
a secondary memory storing code for a hypervisor;
a processor configured to load the code from the secondary memory to main memory and execute the code to:
locate, by the hypervisor, a kernel system call or exported function in an image of a guest kernel in memory of a virtual machine based on parsing an export table comprising addresses associated with one or more exported functions or exported data in the image of the guest kernel to locate an address of the kernel system call or the exported function, wherein the memory corresponds to virtual memory allocated by the hypervisor;
disassemble, by the hypervisor, machine code of the kernel system call or exported function in the image into assembly code;
detect, by the hypervisor, a pattern from memory references in the assembly code, wherein the pattern includes at least one of: 
a first internal global data as a parameter for the specific exported function;
a call to an internal function with a specific exported global data as a parameter for the internal function;
a specific exported function returning a value at an offset in an internal data structure; and
a specific instruction that operates on [[an]]a second internal global data; and
after detecting the pattern, determine, by the hypervisor, the internal address information of the guest kernel associated with the first internal global data, the internal function, the internal data structure, or the second internal global data from the assembly code. 
 
20. (Currently Amended) The system of claim 19, wherein: 
for detecting the call to the specific exported function with the first internal global data as the parameter for the exported function, the first internal global data.

21. (Currently Amended) The system of claim 20, wherein the processor is further configured to execute the code to track a register in the assembly code; and 
wherein determine the internal address information of the guest kernel from the assembly code comprising looking up a value stored in the register after detecting the call to the specific exported function.   
  
23. (Currently Amended) The system of claim 22, wherein the processor is further configured to track a register in the assembly code; and
wherein detect[[ing]] the call comprises detecting an address of the specific exported global data being loaded in the register followed by the call to the internal function.
     
26. (Currently Amended) The system of claim 19, wherein:
for detecting the specific instruction that operates on the second internal global data, the internal address information comprises an address of the second internal global data.  

Reason for Allowance

The following is an examiner’s statement of reasons for allowance:
Interpreting the claims in light of the specification, Examiner finds the claimed invention is patentably distinct from the prior art of record. The prior art of record does not expressly teach or render obvious the invention as recited in amended independent claims.

Lin et al. (US Pub. No. 2015/0033227 A1) teaches a method for a hypervisor to dynamically discover internal address information of a guest kernel on a virtual machine, the method comprising: locating, by the hypervisor, a kernel system call or an exported function in an image of the guest kernel in guest memory of the virtual machine, wherein the guest memory corresponds to virtual memory allocated by the hypervisor; disassembling machine code of the kernel system call or the exported function in the image into assembly code; detecting a pattern from memory references in the assembly code, wherein the pattern includes at least one of a specific exported function returning a value at an offset in an internal data structure and a specific instruction that operates on an internal global data; and after detecting the pattern, determining the internal address information of the guest kernel associated with an internal function, global data, reference or data structure from the assembly code.

; and determining, by the hypervisor, the internal address information associated with an internal function, global data, reference or data structure from the assembly code.

Lawson (US Patent No. 10,203,968 B1) teaches wherein the pattern includes one of a call to a specific exported function with an internal global data as a parameter for the specific exported function; a call to an internal function with a specific exported global data as a parameter for the internal function.

The combination of prior art of record does not expressly teach or render obvious the limitations of “locate, by the hypervisor, a kernel system call or exported function in an image of a guest kernel in a virtual memory of a virtual machine based on parsing an export table comprising addresses associated with one or more exported functions or exported data in the image of the guest kernel to locate an address of the kernel system call or the exported function, disassembling, by the hypervisor, machine code of the kernel system call or the exported function in the image into assembly code; and detecting, by the hypervisor, a pattern from memory references in the assembly code”, when taken in the context of the claims as a whole, as recited in independent claims 1, 10 and 19.
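
The register-tracking pattern recited in claims 1, 2 and 21 (an address loaded into a register, followed by a call to a specific exported function), as an added Python illustration that is not part of this Office action or the application. The decoder handles only three x86-64 instruction forms as a stand-in for a full disassembler; the export names, addresses, code bytes and the use of rcx for the first parameter are constructed assumptions.

```python
import struct

# Constructed sample (assumptions): export names, addresses and code bytes are illustrative.
EXPORTS = {"ExportedSyscall": 0x1000, "ExportedAcquireLock": 0x2000}  # from the export table
GPR = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
ARG0 = "rcx"  # assumption: the first parameter is passed in rcx

def lea(reg, ip, target):   # encode: lea reg, [rip+disp32]
    return bytes([0x48, 0x8D, (reg << 3) | 0x05]) + struct.pack("<i", target - (ip + 7))

def call(ip, target):       # encode: call rel32
    return b"\xE8" + struct.pack("<i", target - (ip + 5))

# Body of ExportedSyscall at 0x1000: loads a decoy into rdx, an internal global into rcx,
# calls ExportedAcquireLock, then returns.
SAMPLE = lea(2, 0x1000, 0x6000) + lea(1, 0x1007, 0x5040) + call(0x100E, 0x2000) + b"\xC3"

def disassemble(code, base):
    """Decode the three forms used above into (mnemonic, register, absolute target)."""
    out, off = [], 0
    while off < len(code):
        if code[off:off + 2] == b"\x48\x8D" and len(code) - off >= 7 and code[off + 2] & 0xC7 == 0x05:
            (disp,) = struct.unpack_from("<i", code, off + 3)
            # RIP-relative: the target is measured from the end of the instruction
            out.append(("lea", GPR[(code[off + 2] >> 3) & 7], base + off + 7 + disp))
            off += 7
        elif code[off] == 0xE8 and len(code) - off >= 5:
            (rel,) = struct.unpack_from("<i", code, off + 1)
            out.append(("call", None, base + off + 5 + rel))
            off += 5
        elif code[off] == 0xC3:
            out.append(("ret", None, None))
            off += 1
        else:
            raise ValueError(f"unsupported opcode at {base + off:#x}")
    return out

def find_internal_global(code, base, exported_callee):
    """Return the address held in ARG0 at a call to exported_callee, or None."""
    regs = {}
    for op, reg, target in disassemble(code, base):
        if op == "lea":
            regs[reg] = target                      # track the register's last loaded address
        elif op == "call":
            arg = regs.get(ARG0)
            if target == exported_callee and arg is not None and arg not in EXPORTS.values():
                return arg                          # not exported, so an internal global
            regs.clear()                            # registers are not trusted across other calls
    return None
```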


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU ZAR GHAFFARI whose telephone number is (571)270-3799.  The examiner can normally be reached on Monday-Thursday 9:00 - 17:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai AN can be reached on 571-272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 



/ABU ZAR GHAFFARI/Primary Examiner, Art Unit 2195