Uninformed: Informative Information for the Uninformed

Vol 6» 2007.Jan

Misleading Symbol Names

One of the things that Microsoft needed to consider when implementing PatchGuard is that would-be attackers would have access to the operating system symbols. As a debugging aid, Microsoft makes symbols for the entire operating system publicly available, and removing them from public access is not feasible (doing so would severely hinder ISVs debugging their own drivers). As a result, Microsoft took the route of using misleading function names to shroud PatchGuard routines from casual inspection. Many of the internal PatchGuard routines have names that sound legitimate at first glance, so that without detailed knowledge of the kernel, or without actually inspecting these routines, it would be difficult to simply look at a list of all symbols in the kernel and locate the routines responsible for setting up PatchGuard.

The following is a listing of some of the misleading symbols that are used during PatchGuard initialization:

  1. RtlpDeleteFunctionTable
  2. FsRtlMdlReadCompleteDevEx
  3. RtlLookupFunctionEntryEx
  4. SdbpCheckDll
  5. FsRtlUninitializeSmallMcb
  6. KiNoDebugRoutine
  7. SepAdtInitializePrivilegeAuditing
  8. KiFilterFiberContext