Uninformed: Informative Information for the Uninformed

Vol 3 » 2006.Jan

Protected Structure Initialization

Each structure that PatchGuard protects is represented by its own sub-context structure. Every sub-context begins with a copy of the contents of the parent PatchGuard structure (PATCHGUARD_CONTEXT), including the function pointers and other values assigned to the parent. Each sub-context is also tagged with a general type that gives the validation routine something to key off of.

This section explains how each of the individual structures has its protection sub-context initialized. At the time of this writing, the sub-contexts are initialized in the order described below:

  1. System images
  2. SSDT
  4. Debug routines

After all the sub-contexts have been initialized, the parent protection context is XOR'd, and a timer is initialized and set. The purpose of this timer, as will be shown, is to run the validation half of the PatchGuard subsystem over the data that was collected. Aside from the specific protection sub-contexts covered in the following subsections, the authors observed that the routine that initializes the PatchGuard subsystem also allocates sub-context structures of types that could not be immediately discerned. In particular, these had sub-context identifiers of 0x4 and 0x5.
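The layout just described, as a constructed C model added here rather than anything taken from PatchGuard or from the article: a parent context whose contents are copied to the front of every sub-context, a type field the validation pass keys off, the parent kept XOR'd between runs, and a hash check that flags a modified region. All structure names, fields, type values and the hash are assumptions made for illustration.

```c
/* Hypothetical model of the sub-context layout; not PatchGuard's real definitions. */
#include <stddef.h>
#include <stdint.h>

enum { SUB_IMAGE = 1, SUB_SSDT = 2, SUB_DEBUG = 3 };   /* constructed type ids */

typedef struct PARENT_CONTEXT {                       /* stand-in for PATCHGUARD_CONTEXT */
    uint64_t (*hash)(const uint8_t *, size_t);        /* function pointers the sub-contexts inherit */
    void (*on_failure)(void);
} PARENT_CONTEXT;

typedef struct SUB_CONTEXT {
    PARENT_CONTEXT hdr;            /* parent contents copied to the front, as the text describes */
    uint32_t type;                 /* what the validation routine keys off */
    const uint8_t *region;         /* protected bytes and their hash recorded at init time */
    size_t length;
    uint64_t expected;
} SUB_CONTEXT;

static uint64_t fnv1a64(const uint8_t *p, size_t n) {   /* constructed hash, not PatchGuard's */
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Symmetric byte-wise XOR: the same call obfuscates and restores a block. */
static void xor_block(void *buf, size_t n, uint64_t key) {
    uint8_t *b = buf;
    for (size_t i = 0; i < n; i++) b[i] ^= (uint8_t)(key >> (8 * (i % 8)));
}

void sub_init(SUB_CONTEXT *s, const PARENT_CONTEXT *p, uint32_t type,
              const uint8_t *region, size_t length) {
    s->hdr = *p; s->type = type; s->region = region; s->length = length;
    s->expected = p->hash(region, length);
}

/* Done once every sub-context exists: the parent stays XOR'd until the timer fires. */
void parent_obfuscate(PARENT_CONTEXT *p, uint64_t key) { xor_block(p, sizeof *p, key); }

/* Validation half: restore the parent, check each sub-context by type, re-obfuscate.
 * Returns the number of modified regions, or -1 for a type this model does not define. */
int run_validation(PARENT_CONTEXT *p, uint64_t key, SUB_CONTEXT *subs, size_t count) {
    int modified = 0;
    xor_block(p, sizeof *p, key);
    for (size_t i = 0; i < count; i++) {
        if (subs[i].type < SUB_IMAGE || subs[i].type > SUB_DEBUG) { modified = -1; break; }
        if (p->hash(subs[i].region, subs[i].length) != subs[i].expected) modified++;
    }
    xor_block(p, sizeof *p, key);   /* parent is never left decoded between timer runs */
    return modified;
}
```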