Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

Reporting Verification Inconsistencies

In the event that PatchGuard detects that a critical structure has been modified, it calls the code-copy version of the symbol named nt!SdpCheckDll with parameters that will be subsequently passed to nt!KeBugCheckEx via the function table stored in the PatchGuard context. The purpose of nt!SdbpCheckDll is to zero out the stack and all of the registers prior to the current frame before jumping to nt!KeBugCheckEx. This is presumably done to attempt to make it impossible for a third-party driver to detect and recover from the bug check report. If all of the checks go as planned and there are no inconsistencies, the routine creates a new PatchGuard context and sets the timer again using the same routine that was selected the first time.