Abstract: A method for reactivation of software products includes activating a first software product associated with a reactivation policy group. A hardware identifier derived from the computer hardware configuration is bound with the first software product activation. A second software product is activated having an associated reactivation binding list. Reactivation is requested for the first software product and an updated hardware identifier is associated with a reactivation policy group of the first software product. The second software product may be spared the request for reactivation if the second product can be associated with the reactivation of the first software product given the binding list is compatible with the reactivation policy group.

Abstract: A mechanism is provided, where a post-build utility is used to store stack and call tree information within a section of an executable program or separate file. The stack information aids an authentication module during the execution of the program in walking up a stack in order to obtain return addresses on the stack. In one aspect of the invention, by comparing the return address sequence to the call tree sequence, which specifies the allowed function call sequence of the program, a determination can be made whether the program is executing (as evidenced by the stack) the way it should be executing (as required by the call tree). If the call tree sequence differs from the return address sequence, a suspicion is raised that a hacker is attempting to jump from foreign code into sensitive code of the program by changing the function calling sequence.

Abstract: A method and system for efficient foreign code detection is presented. In one aspect of the invention, an authentication module examines pages which are referenced by thread stacks in a process space, where the pages may contain foreign code. The module can walk up the thread stacks to examine return address that reference such pages. In another aspect, the module checks random pages referenced by the stack. In yet another aspect, the module checks any nearby suspicious pages to checked pages referenced by the stack. Additionally, the module checks the instruction pointer referenced page, the pages and calling code described by the page fault history, and any pages with event handling functions, dynamic link library functions, or other functions that are likely to run.

Abstract: A method and system are provided that override constructors such that the constructors not only initialize objects but also provide notification about virtual pointers of the objects. This notification is provided to a list that stores which virtual pointers are created and where they are supposed to be pointing. By knowing the address of the virtual tables that the virtual pointers are supposed to be pointing to, a determination can be made whether the virtual tables are the correct virtual tables or whether they may be different virtual tables that have been substituted in by a hacker and that contain pointers to foreign code.

Abstract: A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.

Abstract: Upon a first process encountering a triggering device, a second process chooses whether to proxy-execute code corresponding to the triggering device of the first process on behalf of such first process based at least in part on whether a license evaluator of the second process has determined that the first process is to be operated in accordance with the terms and conditions of a corresponding digital license. The license evaluator at least in part performs such determination by running a script corresponding to the triggering device in the code of the first process. Thus, the first process is dependent upon the second process and the license for operation thereof.

Abstract: A method for reactivation of software products includes activating a first software product associated with a reactivation policy group. A hardware identifier derived from the computer hardware configuration is bound with the first software product activation. A second software product is activated having an associated reactivation binding list. Reactivation is requested for the first software product and an updated hardware identifier is associated with a reactivation policy group of the first software product. The second software product may be spared the request for reactivation if the second product can be associated with the reactivation of the first software product given the binding list is compatible with the reactivation policy group.

Abstract: A method of detecting pirated software includes receiving a request for a software update by a client computer and providing to the client computer a test to be performed. The test is performed on the client computer against the client software application. The client computer may be denied a software update as a result of the test finding an illegitimate copy of the client software. The invention may be practiced in a network environment where a server transfers a test program for a client to execute upon request of a software update. The test performs an integrity check and denies the request for a software update if the client software is found to be illegitimate.

Abstract: A first computer process has code including at least one triggering device, and a digital license corresponding to the first process sets forth terms and conditions for operating same. A second computer process proxy-executes code corresponding to each triggering device of the first process on behalf of same. The second process includes a license evaluator for evaluating the license to determining that the first process is to be operated in accordance with the terms and conditions set forth in such license. A third computer process includes the code corresponding to each triggering device of the first process and an address of the triggering device in the first process. Thus, the first process is dependent on and cannot be operated without the second process and the third process.

Abstract: A first process operating on a computer comprises code to be executed in connection therewith, where the code includes at least one triggering device. A digital license corresponds to the first process and sets forth terms and conditions for operating the first process. A second process operating on the computer proxy-executes code corresponding to each triggering device of the first process on behalf of such first process. The second process includes a license evaluator for evaluating the license to determine whether the first process is to be operated in accordance with the terms and conditions set forth in such license, and the second process chooses whether to in fact proxy-execute based at least in part on determination of the license evaluator. Thus, the first process is dependent upon the second process for operation thereof.