Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


Reporting Verification Inconsistencies

When PatchGuard finds that a protected structure has been modified, it calls the code-copy version of the routine located at the symbol nt!SdbpCheckDll, passing it the arguments that will eventually reach nt!KeBugCheckEx through the function table stored in the PatchGuard context. The job of nt!SdbpCheckDll is to zero the stack and the general-purpose registers of the frames leading up to the call before jumping to nt!KeBugCheckEx (the bug check it raises is 0x109, CRITICAL_STRUCTURE_CORRUPTION). This is presumably done so that a third-party driver which has hooked nt!KeBugCheckEx cannot walk back from the bug check to the PatchGuard context and quietly recover: with the stack and registers wiped, the hook has nothing to work with beyond the bug check parameters themselves. If every check passes and no inconsistency is found, the routine allocates a new PatchGuard context and re-arms the timer using the same timer routine that was selected on the first run.
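The control flow described above, modelled as an added example that is not Microsoft's code and not taken from the article. The names (pg_context, scrub_and_report, verify, new_context) are hypothetical, the "stack" and "registers" are a plain memory image rather than real CPU state so the program runs in user mode on any platform, and the protected structure is a constructed byte array. What the model shows is the order of operations that matters: the report routine pulls the KeBugCheckEx pointer out of the context before wiping, wipes everything a hook could later inspect, and only then jumps; on the clean path a fresh context is built and the original timer routine is re-armed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of PatchGuard's report/re-arm path (not Microsoft's code). */

#define CRITICAL_STRUCTURE_CORRUPTION 0x109u   /* bug check code PatchGuard raises */

struct pg_context;
typedef void (*bugcheck_fn)(uint32_t code, uintptr_t p1, uintptr_t p2,
                            uintptr_t p3, uintptr_t p4);
typedef void (*timer_fn)(struct pg_context *ctx);

struct pg_context {
    bugcheck_fn    bugcheck;        /* function table entry for KeBugCheckEx   */
    timer_fn       arm_timer;       /* timer routine chosen when ctx was built */
    const uint8_t *structure;       /* protected structure being verified      */
    size_t         structure_len;
    uint64_t       expected_hash;   /* checksum taken at context creation      */
};

/* Memory image standing in for the stack and registers a hook could read. */
struct frame_image {
    uintptr_t regs[16];
    uint8_t   stack[128];
};

static struct frame_image g_image;
static uint32_t  g_last_code;
static uintptr_t g_last_p1;
static int       g_timer_arms;

static uint64_t fnv1a(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ull;
    while (n--) { h ^= *p++; h *= 1099511628211ull; }
    return h;
}

/* Stand-in for KeBugCheckEx: just records what it was handed. */
static void fake_bugcheck(uint32_t code, uintptr_t p1, uintptr_t p2,
                          uintptr_t p3, uintptr_t p4)
{
    (void)p2; (void)p3; (void)p4;
    g_last_code = code;
    g_last_p1 = p1;
}

static void fake_arm_timer(struct pg_context *ctx) { (void)ctx; g_timer_arms++; }

/* Stand-in for nt!SdbpCheckDll: read the target out of the context first,
 * wipe everything a caller could later inspect, then jump. */
static void scrub_and_report(struct pg_context *ctx, uint32_t code,
                             uintptr_t p1, uintptr_t p2, uintptr_t p3, uintptr_t p4)
{
    bugcheck_fn target = ctx->bugcheck;      /* must be fetched before the wipe   */
    memset(&g_image, 0, sizeof g_image);     /* no context pointer left to find   */
    target(code, p1, p2, p3, p4);            /* in the kernel this never returns  */
}

static struct pg_context *new_context(const struct pg_context *old)
{
    struct pg_context *ctx = malloc(sizeof *ctx);
    *ctx = *old;                             /* same timer routine, same table    */
    ctx->expected_hash = fnv1a(ctx->structure, ctx->structure_len);
    return ctx;
}

/* One verification pass: returns the replacement context on success, NULL
 * after a mismatch has been reported. */
static struct pg_context *verify(struct pg_context *ctx)
{
    /* Simulate the caller's frame: the context pointer is on the stack and in
     * a register, which is exactly what a KeBugCheckEx hook would look for. */
    memcpy(g_image.stack, &ctx, sizeof ctx);
    g_image.regs[1] = (uintptr_t)ctx;

    if (fnv1a(ctx->structure, ctx->structure_len) != ctx->expected_hash) {
        scrub_and_report(ctx, CRITICAL_STRUCTURE_CORRUPTION,
                         (uintptr_t)ctx->structure, 0, 0, 0);
        free(ctx);                           /* model only; the kernel is gone   */
        return NULL;
    }
    struct pg_context *next = new_context(ctx);
    free(ctx);
    next->arm_timer(next);                   /* re-arm with the original routine */
    return next;
}

static int image_is_zero(void)
{
    const uint8_t *p = (const uint8_t *)&g_image;
    for (size_t i = 0; i < sizeof g_image; i++) if (p[i]) return 0;
    return 1;
}

/* Demo: one clean pass, then tamper with the structure. Returns 0 if the
 * model behaves as the text describes, otherwise the failing step number. */
static int run_demo(void)
{
    static uint8_t structure[] = { 0x48, 0x8b, 0xc4, 0x48, 0x89, 0x58, 0x08 }; /* constructed */
    structure[0] = 0x48; g_timer_arms = 0;
    struct pg_context seed = { fake_bugcheck, fake_arm_timer, structure, sizeof structure, 0 };
    struct pg_context *ctx = new_context(&seed);
    timer_fn chosen = ctx->arm_timer;

    ctx = verify(ctx);                       /* clean: new context, timer re-armed */
    if (!ctx || ctx->arm_timer != chosen || g_timer_arms != 1) return 1;

    structure[0] = 0xe9;                     /* a jmp was patched over the prologue */
    ctx = verify(ctx);
    if (ctx != NULL) return 2;
    if (g_last_code != CRITICAL_STRUCTURE_CORRUPTION) return 3;
    if (g_last_p1 != (uintptr_t)structure) return 4;
    if (!image_is_zero()) return 5;          /* hook has nothing to walk back to  */
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n", rc == 0 ? "model behaved as described" : "model mismatch", rc);
    return rc;
}
```

The point a practitioner should take from the model is in scrub_and_report: because the function pointer is read from the context before the wipe and the context pointer itself is not passed along, a hook installed on nt!KeBugCheckEx sees only the bug check parameters, not the frames that would lead it back to the PatchGuard context it would need in order to reset the timer and suppress the report.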