Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

Bypass Approaches

With the most critical aspects of how PatchGuard operates explained, the next goal is to determine whether there are any ways in which the protection mechanisms it offers can be bypassed. This would entail either disabling or tricking the validation routine. While there are many obvious approaches, such as the creation of a custom boot loader that runs prior to PatchGuard initializing, or the modification of ntoskrnl.exe to completely exclude the initialization vector, the approaches discussed in this chapter are intended to be usable in a real-world environment without having to resort to intrusive operations and without requiring a reboot of the machine. In fact, the primary goal is to create a single standalone function, or a few functions, that can be dropped into device drivers so that they need only call one routine to disable the PatchGuard protections, after which the driver's existing approaches for hooking critical structures can still be used.

It is important to note that some of the approaches listed here have not been tested and are simply theoretical. The ones that have been tested will be indicated as such. Prior to diving into the particular bypass approaches, though, it is also important to consider general techniques for disabling PatchGuard on the fly. First, one must consider how the validation routine is set up to run and what it depends on to accomplish validation. In this case, the validation routine is set to run in the context of a timer that is associated with a DPC that runs from a system worker thread that eventually leads to the calling of an exception handler. The DPC routine that is used is randomly selected from a small pool of functions and the timer object is assigned a random DueTime in an effort to make it harder to detect.

Aside from the validation vector, it is also known that when PatchGuard encounters an inconsistency it will call nt!KeBugCheckEx with a specific bug check code in an attempt to crash the system. These tidbits of understanding make it possible to consider a wide range of bypass approaches.