Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


Debug Routines

PatchGuard creates a special sub-context (type 6) that is used to protect some internal routines the kernel uses for debugging purposes. These routines, such as nt!KdpStub, are intended to be used as a mechanism by which an attached debugger can handle an exception prior to allowing the kernel to dispatch it. nt!KdpStub is called indirectly through the nt!KiDebugRoutine global variable from nt!KiDispatchException. The routine that initializes the protection sub-context for these routines has been labeled nt!PgCreateDebugRoutineSubContext and is prototyped as shown below:

PPATCHGUARD_SUB_CONTEXT PgCreateDebugRoutineSubContext(
    IN PPATCHGUARD_CONTEXT ParentContext);

It appears that the sub-context structure is initialized with pointers to nt!KdpStub, nt!KdpTrap, and nt!KiDebugRoutine. It seems that this sub-context is intended to protect against a third-party driver modifying nt!KiDebugRoutine to point elsewhere. There may be other intentions as well.
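To make concrete what a sub-context over these three symbols can detect, the following is an added user-mode C model written for this section; it is not code from the paper or from Windows. It records the slot nt!KiDebugRoutine and the two routines it may legitimately hold, snapshots the slot's bytes at creation, and later reports whether the slot is intact, switched to the other recorded routine, or redirected somewhere else. The stand-in symbols, the FNV-1a checksum and the three-way outcome are this example's own assumptions, not PatchGuard's documented behaviour.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed user-mode stand-ins for the nt! symbols the text names. */
typedef void (*DEBUG_ROUTINE)(void);
static void KdpStub(void) { }                  /* handler with no debugger attached */
static void KdpTrap(void) { }                  /* handler with a debugger attached */
static DEBUG_ROUTINE KiDebugRoutine = KdpStub; /* the protected slot */
static void UnexpectedHandler(void) { }        /* a target the sub-context never recorded */
/* Model of the type-6 sub-context: the slot, the two routines it may hold,
 * and a checksum of the slot's bytes taken when the context is created. */
typedef struct {
    int            Type;      /* 6 = debug-routine sub-context */
    DEBUG_ROUTINE *Slot;      /* address of nt!KiDebugRoutine */
    DEBUG_ROUTINE  Known[2];  /* nt!KdpStub, nt!KdpTrap */
    uint64_t       Checksum;  /* FNV-1a over *Slot at creation time */
} DEBUG_SUB_CONTEXT;
static uint64_t Fnv1a64(const void *data, size_t len) {
    const unsigned char *b = data; uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Creation: record what is protected and snapshot the slot's contents. */
void CreateDebugSubContext(DEBUG_SUB_CONTEXT *ctx) {
    ctx->Type = 6;
    ctx->Slot = &KiDebugRoutine;
    ctx->Known[0] = KdpStub;
    ctx->Known[1] = KdpTrap;
    ctx->Checksum = Fnv1a64(ctx->Slot, sizeof *ctx->Slot);
}

/* Verification: 0 = slot unchanged since creation, 1 = slot changed but
 * still holds a recorded routine, 2 = slot redirected somewhere else. */
int VerifyDebugSubContext(const DEBUG_SUB_CONTEXT *ctx) {
    if (Fnv1a64(ctx->Slot, sizeof *ctx->Slot) == ctx->Checksum) return 0;
    for (int i = 0; i < 2; i++)
        if (*ctx->Slot == ctx->Known[i]) return 1;
    return 2;
}

int main(void) {
    DEBUG_SUB_CONTEXT ctx;
    CreateDebugSubContext(&ctx);
    printf("fresh: %d\n", VerifyDebugSubContext(&ctx));              /* 0 */
    KiDebugRoutine = KdpTrap;           /* legitimate switch between recorded routines */
    printf("switched: %d\n", VerifyDebugSubContext(&ctx));           /* 1 */
    KiDebugRoutine = UnexpectedHandler; /* slot redirected to an unrecorded target */
    printf("redirected: %d\n", VerifyDebugSubContext(&ctx));         /* 2 */
    return 0;
}
```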