DETAILED ACTION
	This office action is in response to the request for continuation filed on February 11, 2022  in application 16/009,511.  
Claims 1-7, 9-18, 20-22, 24, 26, 28, 30, 32 are presented for examination.   Claims 1, 7, 12, 18, 24, 26 and 30 are amended.  Claim 8, 19, 23, 25, 27, 29 and 31 are previously cancelled. 

 The information disclosure statements (IDS) submitted on November 15, 2018, March 26, 2019, June 10, 2019, November 7, 2019, January 3, 2020 and January 24, 2020 were acknowledged. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-7, 9-18, 20-22, 24, 26, 28, 30, 32 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-7, 9-18, 20-22, 24, 26, 28, 30 and 32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dalcher (US 2015/0199516) in further view of Shukla (US 2010/0031361). 

In regard to claim 1, Dalcher teaches a method for checking a defective function, applied to the defective functions in multiple versions, wherein the method comprises:
inline hook engine may be configured to place these hooks in line with code to be monitored in order to effectively monitor the execution of code that is of interest, para. 16);
wherein the jumping instruction is used to call a checking function for checking a parameter of the preset function (in-line hooks may comprise replacement instructions placed within the monitored code, where the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16); 
using the jumping instruction to call the checking function (the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16, at hook entry point of API, inline hook engine may save the process and/or thread information for matching against other hook point invocation, para. 26);
following the calling of the checking function, checking, by using the checking function, whether there is an exception in the parameter of the preset defective function (hooks may address the depth limitations of branch records, monitor newly-discovered APIs to be exploited by malware, used to check for malware bypassing API monitoring and operating system supported filtering, para. 32, 36-50); and 
returning, by the checking function, information indicating the exception of the parameter (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50), to an upper-layer function calling the preset defective function, in a case that there is the exception of the parameter (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26).

Shukla teaches of the procedure for an inline hook by finding the memory locations of the target functions, copy the first few instructions and replace with a jump statement to our function, perform processing before the target function is called, execute the copied instructions, call the target function using a jump, perform the post processing of the results returned by the target function (para. 41-47). 
It would have been obvious to modify the method of Dalcher by adding Shukla teaching of an inline hook.   A person of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to make the modification because it would provide detail procedure to create an inline hook (para. 41-47).

In regard to claim 2, Dalcher teaches the method according to claim 1, wherein the method further comprises:
executing the preset defective function in a case that there is no exception of the parameter (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26);
after executing the preset defective function, checking whether there is an exception in a return value and/or a return parameter of the preset defective function (determine the legitimacy of the code and its owner in the handling of the test event, if the code is determined to be incorrectly present in the handling of a test event, security violation may be generated then proceed to step 232, fig. 2, para. 48); and
returning information indicating the exception of the return value and/or the return parameter (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50) to the upper-layer function calling the preset defective function in a case that there is the exception of the return value and/or the return parameter (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26).

In regard to claim 3, Dalcher teaches the method according to claim 2, wherein checking whether there is an exception in a parameter of the preset defective function comprises: return value and/or returning parameter of the preset defective function (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50)

In regard to claim 4, Dalcher teaches the method according to claim 1, wherein the method further comprises:
determining that the preset defective function is a sub-function, and is called multiple times in a parent function of the preset defective function (install secondary hooks, fig. 2, 223, para. 45, repeating the trace event if complete history is not assembled, fig. 2, 232, para. 49); and
secondary hooks may be installed at addresses based on for example addresses discovered through examination of branch records, fig. 2, 223, para. 45).

In regard to claim 5, Dalcher teaches the method according to claim 1, wherein before determining a preset defective function, the method further comprises: initializing the checking function to obtain a storage space for storing the checking function (inline hook engine may be configured to place these hooks … inline hook may replace instructions placed within the monitored code, or be placed and executed in any appropriate operating mode of the system, para. 16).

In regard to claim 6, Dalcher teaches the method according to claim 5, wherein after checking whether there is an exception in a parameter of the preset defective function, the method further comprises: uninstalling the checking function to release the storage space for storing the checking function (secondary hooks may be removed, fig. 2, 234, para. 50).

In regard to claim 7, Dalcher teaches a method for checking a defective function, applied to the defective functions in multiple versions, wherein the method comprises:
determining a preset defective function (inline hook engine may be configured to place these hooks in line with code to be monitored in order to effectively monitor the execution of code that is of interest, para. 16);
executing the preset defective function (execution of code, para. 16); 
in-line hooks may comprise replacement instructions placed within the monitored code, where the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16, at hook entry point of API, inline hook engine may save the process and/or thread information for matching against other hook point invocation, para. 26); 
following the calling of the checking function, checking, by the checking function whether there is an exception in the return value and/or return parameter of the preset defective function (hooks may address the depth limitations of branch records, monitor newly-discovered APIs to be exploited by malware, used to check for malware bypassing API monitoring and operating system supported filtering, para. 32, 36-50); and 
in a case that there is the exception of the return value and/or the return parameter, returning, returning by the checking function, information indicating the exception of the return value and/or the return parameter (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50) to an upper-layer function calling the preset function (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 
Dalcher does not clearly teach replacing codes of a preset line of the preset defective function with a jump instruction in an inline-hooking method, and storing the codes of the preset line of the preset defective function in a buffer when the defective function is checked for the first time. 
para. 41-47). 
Refer to claim 1 for motivational statement. 
 
In regard to claim 9, Dalcher teaches the method according to claim 7, wherein the method further comprises:
determining that the preset defective function is a sub-function, and is called multiple times in a parent function of the preset defective function (install secondary hooks, fig. 2, 223, para. 45, repeating the trace event if complete history is not assembled, fig. 2, 232, para. 49); and
determining a location of the sub-function in the parent function according to an index of the parent function (secondary hooks may be installed at addresses based on for example addresses discovered through examination of branch records, fig. 2, 223, para. 45).

In regard to claim 10, Dalcher teaches the method according to claim 7, wherein before determining a preset defective function, the method further comprises: initializing the checking function to obtain a storage space for storing the checking function (inline hook engine may be configured to place these hooks … inline hook may replace instructions placed within the monitored code, or be placed and executed in any appropriate operating mode of the system, para. 16).

secondary hooks may be removed, fig. 2, 234, para. 50).

In regard to claim 12, Dalcher teaches a device for checking a defective function, applied to the defective functions in multiple versions, wherein the method comprises:
one or more processors (processor, fig. 1, 102); and 
a storage device configured for storing one or more programs (memory, fig. 1, 104), wherein the one or more programs are executed by the one or more processors to enable the one or more processors to:
determine a preset defective function (inline hook engine may be configured to place these hooks in line with code to be monitored in order to effectively monitor the execution of code that is of interest, para. 16);
wherein the jumping instruction is used to call a checking function for checking a parameter of the preset function (in-line hooks may comprise replacement instructions placed within the monitored code, where the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16); 
use the jumping instruction to call the checking function (the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16, at hook entry point of API, inline hook engine may save the process and/or thread information for matching against other hook point invocation, para. 26);
hooks may address the depth limitations of branch records, monitor newly-discovered APIs to be exploited by malware, used to check for malware bypassing API monitoring and operating system supported filtering, para. 32, 36-50); and 
return, by the checking function, information indicating the exception of the parameter (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50) to an upper-layer function calling the preset defective function, in a case that there is the exception of the parameter (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 
Dalcher does not clearly teach replacing codes of a preset line of the preset defective function with a jump instruction in an inline-hooking method, and storing the codes of the preset line of the preset defective function in a buffer when the defective function is checked for the first time. 
Shukla teaches of the procedure for an inline hook by finding the memory locations of the target functions, copy the first few instructions and replace with a jump statement to our function, perform processing before the target function is called, execute the copied instructions, call the target function using a jump, perform the post processing of the results returned by the target function (para. 41-47). 
Refer to claim 1 for motivational statement. 

execute the preset defective function in a case that there is no exception of the parameter of the preset defective function (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26);
check whether there is an exception in a return value and/or a return parameter of the preset defective function after the one or more processors executes the preset defective function (determine the legitimacy of the code and its owner in the handling of the test event, if the code is determined to be incorrectly present in the handling of a test event, security violation may be generated then proceed to step 232, fig. 2, para. 48); and
return information indicating the exception of the return value and/or return parameter (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50) to the upper-layer function calling the preset defective function in a case that there is the exception of the return value and parameter of the preset defective function (determine whether a complete history of the execution flow of handling the trace event has been assembled, fig. 2, 232, para. 49, sending information to the primary hook handlers that a trace event is no longer in process, fig. 2, 236, para. 50).
 
determine whether a complete history of the execution flow of handling the trace event has been assembled, fig. 2, 232, para. 49).

In regard to claim 15, Dalcher teaches the device according to claim 12, wherein the one or more programs are executed by the one or more processors to enable the one or more processor further to: determine that the preset defective function is a sub-function, and is called multiple times in a parent function of the preset defective function (install secondary hooks, fig. 2, 223, para. 45, repeating the trace event if complete history is not assembled, fig. 2, 232, para. 49), and determine a location of the sub-function in the parent function according to an index of the parent function (secondary hooks may be installed at addresses based on for example addresses discovered through examination of branch records, fig. 2, 223, para. 45).

In regard to claim 16, Dalcher teaches the device according to claim 12, wherein the one or more programs are executed by the one or more processors to enable the one or more processor further to: initialize the checking function to obtain a storage space for storing the checking function (inline hook engine may be configured to place these hooks … inline hook may replace instructions placed within the monitored code, or be placed and executed in any appropriate operating mode of the system, para. 16).

secondary hooks may be removed, fig. 2, 234, para. 50).

In regard to claim 18, Dalcher teaches a device for checking a defective function, applied to the defective functions in multiple versions, wherein the method comprises:
one or more processors (processor, fig. 1, 102); and 
a storage device configured for storing one or more programs (memory, fig. 1, 104), wherein the one or more programs are executed by the one or more processors to enable the one or more processors to:
determine a preset defective function (inline hook engine may be configured to place these hooks in line with code to be monitored in order to effectively monitor the execution of code that is of interest, para. 16);
execute the preset defective function (execution of code, para. 16); 
wherein the jumping instruction is used to call a checking function for checking a parameter of the preset function (in-line hooks may comprise replacement instructions placed within the monitored code, where the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16); 
use the jumping instruction to call the checking function (the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16, at hook entry point of API, inline hook engine may save the process and/or thread information for matching against other hook point invocation, para. 26);
hooks may address the depth limitations of branch records, monitor newly-discovered APIs to be exploited by malware, used to check for malware bypassing API monitoring and operating system supported filtering, para. 32, 36-50); and 
return, by the checking function, information indicating the exception of the parameter (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50) to an upper-layer function calling the preset defective function, in a case that there is the exception of the parameter (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 
Dalcher does not clearly teach replacing codes of a preset line of the preset defective function with a jump instruction in an inline-hooking method, and storing the codes of the preset line of the preset defective function in a buffer when the defective function is checked for the first time. 
Shukla teaches of the procedure for an inline hook by finding the memory locations of the target functions, copy the first few instructions and replace with a jump statement to our function, perform processing before the target function is called, execute the copied instructions, call the target function using a jump, perform the post processing of the results returned by the target function (para. 41-47). 
Refer to claim 1 for motivational statement. 
install secondary hooks, fig. 2, 223, para. 45, repeating the trace event if complete history is not assembled, fig. 2, 232, para. 49), and determine a location of the sub-function in the parent function according to an index of the parent function (secondary hooks may be installed at addresses based on for example addresses discovered through examination of branch records, fig. 2, 223, para. 45).

In regard to claim 21, Dalcher teaches the device according to claim 18, wherein the one or more programs are executed by the one or more processors to enable the one or more processor further to: initialize the checking function to obtain a storage space for storing the checking function (inline hook engine may be configured to place these hooks … inline hook may replace instructions placed within the monitored code, or be placed and executed in any appropriate operating mode of the system, para. 16).

In regard to claim 22, Dalcher teaches the device according to claim 21, wherein the one or more programs are executed by the one or more processors to enable the one or more processor further to: uninstall the checking function to release the storage space for storing the checking function (secondary hooks may be removed, fig. 2, 234, para. 50).


determine a preset defective function (inline hook engine may be configured to place these hooks in line with code to be monitored in order to effectively monitor the execution of code that is of interest, para. 16);
wherein the jumping instruction is used to call a checking function for checking a parameter of the preset function (in-line hooks may comprise replacement instructions placed within the monitored code, where the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16); 
use the jumping instruction to call the checking function (the in-line hook may transfer control of the monitored code to a callback function when the hooked code is executed, para. 16, at hook entry point of API, inline hook engine may save the process and/or thread information for matching against other hook point invocation, para. 26);
following the calling of the checking function, check, by using the checking function, whether there is an exception in the parameter of the preset defective function (hooks may address the depth limitations of branch records, monitor newly-discovered APIs to be exploited by malware, used to check for malware bypassing API monitoring and operating system supported filtering, para. 32, 36-50); and 
return, by the checking function, information indicating the exception of the parameter (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50) to an upper-layer function calling the preset defective function, in a case that there is the exception of inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 
Dalcher does not clearly teach replacing codes of a preset line of the preset defective function with a jump instruction in an inline-hooking method, and storing the codes of the preset line of the preset defective function in a buffer when the defective function is checked for the first time. 
Shukla teaches of the procedure for an inline hook by finding the memory locations of the target functions, copy the first few instructions and replace with a jump statement to our function, perform processing before the target function is called, execute the copied instructions, call the target function using a jump, perform the post processing of the results returned by the target function (para. 41-47). 
Refer to claim 1 for motivational statement. 

In regard to claim 26, Dalcher teaches the method of claim 1, wherein the method further comprises: 
when the preset defective function is to be executed in a case that there is no exception in the parameter, executing the codes of the preset line stored in the buffer, and then returning to the preset defective function to execute the codes the codes of the next line of the preset line (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 

In regard to claim 28, Dalcher teaches the method of claim 7, wherein after checking whether there is an exception in a return value and/or a return parameter of the preset defective generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50), the method further comprise: returning to the preset defective function, and then following functions are executed in sequence in a case that there is no exception in the return value and/or the return parameter (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 

In regard to claim 30, Dalcher teaches the device according to claim 12, wherein the one or more programs are executed by the one or more processors to enable the one or more processor further to: 
when the preset defective function is to be executed in a case that there is no exception in the parameter, executing the codes of the preset line stored in the buffer, and then returning to the preset defective function to execute the codes the codes of the next line of the preset line (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 

In regard to claim 32, Dalcher teaches the device according to claim 18, wherein the one or more programs are executed by the one or more processors to enable the one or more processor further to: after checking whether there is an exception in a return value and/or a return parameter of the preset defective function, returning to the preset defective function (generate security violation, determine whether a complete history of the execution flow of handling the trace event has been assembled and sending information to the primary hook handlers that a trace event is no longer in process fig. 2, 230, 232, 236, para. 48-50), and then following functions are executed in sequence in a case that there is no exception in the return value and/or the return parameter (inline hook engine may be configured to restore the execution state and restart execution from the API exit point, para. 29, from saved entry point hook invocation, para. 26). 
***********************************************
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO 892.
Xia et al. (US 2019/0286544) inline-hook
Vipat et al. (US 2015/0379263) inline hook replaces a part of a system API function
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LOAN TRUONG whose telephone number is 408-918-7552.  The examiner can normally be reached on 10AM-6PM PST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matt Kim can be reached on 571-272-4182.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications 

/Loan L.T. Truong/Primary Examiner, Art Unit 2114      
Silicon Valley Regional Office
Loan.truong@uspto.gov