Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


Hybrid Interception

Of the techniques listed so far, the approaches taken to disable or otherwise prevent PatchGuard from operating as normal rely on two basic points of interception. In the case of the exception handler hooking approach, PatchGuard is subverted by preventing the actual verification routines from running at all. This point of interception can be seen as a before-the-fact approach. In the case of the nt!KeBugCheckEx hook, PatchGuard is subverted by preventing the reporting of the error that is raised once a critical structure modification has been detected. This point of interception can be seen as an after-the-fact approach. A theoretical approach would be to combine the two concepts in a way that allows for more deterministic and complete detection of the execution of PatchGuard's verification routines.

One possible example of this type of approach would be to generalize the hooking of the exception handlers associated with the timer DPC routines that PatchGuard uses, moving it to the central entry point for C-style exceptions. This routine is named nt!__C_specific_handler and it is an exported symbol, which makes it quite useful if it can be harnessed. By hooking this routine, information about every exception that passes through it could be recorded and filtered, and then cross-referenced against after-the-fact information as necessary, in order to determine whether PatchGuard is running.
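Because nt!__C_specific_handler is an exported routine, it is exactly the kind of target whose prologue an integrity check should cover. The following is an added, defender-oriented example and is not code from the paper or from Windows: it compares the first bytes of a routine as found in memory against a clean reference copy (for instance, the same bytes taken from the on-disk image) and, if the live copy begins with one of the common x64 detour stubs, decodes where the detour lands so that the hook target can be reported. The sample byte strings, the virtual address 0xFFFFF80001000000 and the detour target are constructed for illustration and are not real addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of checking one routine prologue against its clean reference. */
typedef struct {
    int      hooked;        /* nonzero if the live bytes differ from the reference */
    size_t   first_diff;    /* offset of the first byte that differs */
    uint64_t detour_target; /* decoded detour destination, or 0 if no known stub pattern */
} hook_report;

/* Decode the three detour stubs most often written over a prologue:
     E9 rel32                      jmp rel32          (5 bytes)
     FF 25 00 00 00 00 imm64       jmp [rip+0]        (14 bytes)
     48 B8 imm64 FF E0             mov rax, imm64 ; jmp rax (12 bytes)
   live_va is the virtual address the bytes were read from; rel32 is relative to
   the end of the 5-byte instruction. Returns 0 if no pattern matches. */
static uint64_t decode_detour(uint64_t live_va, const uint8_t *live, size_t len)
{
    if (len >= 5 && live[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, live + 1, sizeof rel);
        return live_va + 5 + (int64_t)rel;
    }
    if (len >= 14 && live[0] == 0xFF && live[1] == 0x25 &&
        live[2] == 0 && live[3] == 0 && live[4] == 0 && live[5] == 0) {
        uint64_t abs;
        memcpy(&abs, live + 6, sizeof abs);
        return abs;
    }
    if (len >= 12 && live[0] == 0x48 && live[1] == 0xB8 &&
        live[10] == 0xFF && live[11] == 0xE0) {
        uint64_t abs;
        memcpy(&abs, live + 2, sizeof abs);
        return abs;
    }
    return 0;
}

/* Compare len bytes of the live prologue with the reference copy. Any difference
   is reported; a recognised detour stub additionally yields its destination. */
hook_report check_prologue(uint64_t live_va, const uint8_t *live,
                           const uint8_t *reference, size_t len)
{
    hook_report r = {0, 0, 0};
    for (size_t i = 0; i < len; i++) {
        if (live[i] != reference[i]) {
            r.hooked = 1;
            r.first_diff = i;
            break;
        }
    }
    if (r.hooked)
        r.detour_target = decode_detour(live_va, live, len);
    return r;
}

/* Constructed reference prologue (typical x64 frame setup):
   mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h */
static const uint8_t k_reference[15] = {
    0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20 };

/* Constructed hooked copy: a rel32 jmp overwrites the first 5 bytes. With the
   routine assumed at 0xFFFFF80001000000 and the detour at 0xFFFFF80001100000,
   rel32 = 0x100000 - 5 = 0x000FFFFB, stored little-endian. */
static const uint64_t k_live_va = 0xFFFFF80001000000ULL;
static const uint8_t k_hooked[15] = {
    0xE9,0xFB,0xFF,0x0F,0x00,  0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20 };

hook_report sample_clean(void)  { return check_prologue(k_live_va, k_reference, k_reference, sizeof k_reference); }
hook_report sample_hooked(void) { return check_prologue(k_live_va, k_hooked,    k_reference, sizeof k_reference); }

int main(void)
{
    hook_report r = sample_hooked();
    printf("hooked=%d first_diff=%zu detour_target=0x%016llX\n",
           r.hooked, r.first_diff, (unsigned long long)r.detour_target);
    return 0;
}
```

In practice the reference copy must be taken from a trusted source (the mapped image section of the file on disk, after relocation) rather than from the live image itself, and the check should be repeated for every exported routine an attacker could reasonably use as an interception point, not only the exception dispatcher.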