Informative Information for the Uninformed
Integrity Checks Performed During System Initialization

During system initialization, PatchGuard performs integrity checks on several of the anti-debug mechanisms it has in place. If these mechanisms are altered on disk, PatchGuard will detect the changes. For example, PatchGuard validates that the routine responsible for clearing debug-register breakpoints contains the correct opcode bytes, corresponding to the instructions used to actually zero out Dr7:
;
; Here, we are in SepAdtInitializePrivilegeAuditing, or the
; initialization routine for PatchGuard during system startup.
;
; This code fragment is designed to validate that the
; KiNoDebugRoutine routine contains the expected opcodes that
; are used to zero out debug register breakpoints. If the
; routine does not contain the correct opcodes, PatchGuard
; makes an early exit from SepAdtInitializePrivilegeAuditing.
;
INIT:0000000000832A6D    lea     rax, KiNoDebugRoutine
INIT:0000000000832A74    cmp     dword ptr [rax], 230FC033h   ; bytes 33 C0 0F 23: xor eax, eax / mov dr7, rax (first two bytes)
INIT:0000000000832A7A    jnz     abort_initialization
INIT:0000000000832A80    add     rax, 4
INIT:0000000000832A84    cmp     word ptr [rax], 0C3F8h       ; bytes F8 C3: last byte of mov dr7, rax / ret
INIT:0000000000832A89    jnz     abort_initialization
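The check above compares two little-endian immediates against the first six bytes of KiNoDebugRoutine. The following C program is an added illustration, not code from the paper or from Windows: it re-implements that comparison over a constructed byte buffer (the six bytes xor eax,eax / mov dr7,rax / ret that the listing expects), shows why the bytes 33 C0 0F 23 compare equal to 230FC033h, and generalises the idea into a table of (offset, expected bytes) spans so that several routines can be verified in one pass. The function and type names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample image: the six bytes the listing expects to find
 * at KiNoDebugRoutine (xor eax,eax ; mov dr7,rax ; ret). Illustrative
 * data for this example only, not bytes copied from any Windows binary. */
static const uint8_t kNoDebugRoutine[6] = {
    0x33, 0xC0,        /* xor eax, eax */
    0x0F, 0x23, 0xF8,  /* mov dr7, rax */
    0xC3               /* ret          */
};

/* Unaligned little-endian fetches, matching what
 * "cmp dword ptr [rax]" and "cmp word ptr [rax]" read. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Direct counterpart of the listing: returns 1 if the routine at `code`
 * still holds the expected opcodes, 0 if anything differs (or if the
 * buffer is too short to hold them). The constants are the same
 * immediates as in the disassembly. */
int nodebug_routine_intact(const uint8_t *code, size_t len)
{
    if (len < sizeof kNoDebugRoutine)
        return 0;
    if (read_le32(code) != 0x230FC033u)     /* cmp dword ptr [rax], 230FC033h */
        return 0;
    if (read_le16(code + 4) != 0xC3F8u)     /* cmp word ptr [rax+4], 0C3F8h   */
        return 0;
    return 1;
}

/* Generalised form: a table of byte spans that must match at given
 * offsets in an image. Returns the index of the first mismatching
 * span (a span that runs past the image also counts as a mismatch),
 * or -1 if every span matches. */
struct code_span {
    size_t offset;
    const uint8_t *expected;
    size_t len;
};

long first_mismatch(const uint8_t *image, size_t image_len,
                    const struct code_span *spans, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        const struct code_span *s = &spans[i];
        if (s->offset > image_len || s->len > image_len - s->offset)
            return (long)i;
        if (memcmp(image + s->offset, s->expected, s->len) != 0)
            return (long)i;
    }
    return -1;
}

/* Self-test helper: copy the sample routine, overwrite its first byte
 * with a NOP (0x90), and report what the check says about the altered
 * copy. Any single-byte change in the compared span is enough to fail it. */
int check_altered_copy(void)
{
    uint8_t copy[sizeof kNoDebugRoutine];
    memcpy(copy, kNoDebugRoutine, sizeof copy);
    copy[0] = 0x90;
    return nodebug_routine_intact(copy, sizeof copy);
}

int main(void)
{
    struct code_span spans[1] = {{ 0, kNoDebugRoutine, sizeof kNoDebugRoutine }};
    printf("dword at +0 : %08Xh\n", read_le32(kNoDebugRoutine));
    printf("word at +4  : %04Xh\n", read_le16(kNoDebugRoutine + 4));
    printf("intact sample: %d\n",
           nodebug_routine_intact(kNoDebugRoutine, sizeof kNoDebugRoutine));
    printf("altered copy : %d\n", check_altered_copy());
    printf("table check  : %ld\n",
           first_mismatch(kNoDebugRoutine, sizeof kNoDebugRoutine, spans, 1));
    return 0;
}
```

The span table is the part worth keeping in a real integrity checker: each protected routine becomes one entry, the expected bytes are taken from the known-good image at build time, and a mismatch anywhere in the table is treated the same way the listing treats it, as a reason to stop initialization rather than continue on altered code.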