Uninformed: Informative Information for the Uninformed

Vol 6» 2007.Jan

Integrity Checks Performed During System Initialization

During system initialization, PatchGuard performs integrity checks on several of the anti-debug mechanisms it relies on. If one of these mechanisms has been altered on disk, so that the modified bytes are what the loader maps into memory, PatchGuard detects the change at initialization time and refuses to proceed. For example, PatchGuard validates that the routine responsible for clearing debug-register breakpoints, KiNoDebugRoutine, begins with exactly the opcode bytes of the instructions used to zero Dr7 (33 C0 0F 23 F8 C3, i.e. xor eax, eax / mov dr7, rax / ret). The six bytes are compared as one little-endian dword followed by one little-endian word:

; Here, we are in SepAdtInitializePrivilegeAuditing, or the
; initialization routine for PatchGuard during system startup.
; This code fragment is designed to validate that the
; KiNoDebugRoutine routine contains the expected opcodes that
; are used to zero out debug register breakpoints.  If the
; routine does not contain the correct opcodes, PatchGuard
; makes an early exit from SepAdtInitializePrivilegeAuditing.
INIT:0000000000832A6D lea     rax, KiNoDebugRoutine
INIT:0000000000832A74 cmp     dword ptr [rax], 230FC033h  ; bytes 33 C0 0F 23: xor eax, eax / mov dr7, rax (first 2 bytes)
INIT:0000000000832A7A jnz     abort_initialization
INIT:0000000000832A80 add     rax, 4
INIT:0000000000832A84 cmp     word ptr [rax], 0C3F8h      ; bytes F8 C3: end of mov dr7, rax / ret
INIT:0000000000832A89 jnz     abort_initialization
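To make the byte-order relationship between the immediates in the listing and the instruction stream concrete, the following C program is an added example (it is not code from the article or from Windows). It reproduces the two compares from the listing over a byte buffer, adds a generic byte-for-byte variant of the same check, and runs both against a pristine copy of the six expected bytes and against two constructed, tampered copies. The sample buffers, the function names and the sample patches (NOPs in place of mov dr7, rax; an immediate ret) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expected machine code for the start of KiNoDebugRoutine (from the listing):
 *   33 C0      xor eax, eax
 *   0F 23 F8   mov dr7, rax
 *   C3         ret
 */
static const uint8_t KINODEBUG_EXPECTED[6] = { 0x33, 0xC0, 0x0F, 0x23, 0xF8, 0xC3 };

/* Little-endian unaligned loads, matching how the CPU reads the memory operand
 * of "cmp dword ptr [rax], 230FC033h" and "cmp word ptr [rax], 0C3F8h". */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t load_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Reproduces the two compares from SepAdtInitializePrivilegeAuditing.
 * Returns 1 when the routine still carries the expected opcodes, 0 when it
 * has been tampered with (the case in which PatchGuard aborts initialization). */
int kinodebug_opcodes_intact(const uint8_t *routine)
{
    if (load_le32(routine) != 0x230FC033u)   /* 33 C0 0F 23 */
        return 0;
    if (load_le16(routine + 4) != 0xC3F8u)   /* F8 C3 */
        return 0;
    return 1;
}

/* Generic form of the same idea: compare a code region byte-for-byte against
 * a reference image. Returns the offset of the first mismatch, or -1 if intact. */
long first_opcode_mismatch(const uint8_t *code, const uint8_t *expected, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (code[i] != expected[i])
            return (long)i;
    return -1;
}

/* Constructed sample images (hypothetical, for illustration only). */
/* Pristine copy of the routine. */
static const uint8_t sample_pristine[6] = { 0x33, 0xC0, 0x0F, 0x23, 0xF8, 0xC3 };
/* Tampered: "mov dr7, rax" replaced by three NOPs, so Dr7 is never cleared. */
static const uint8_t sample_nopped[6]   = { 0x33, 0xC0, 0x90, 0x90, 0x90, 0xC3 };
/* Tampered: routine replaced by an immediate "ret" followed by int3 padding. */
static const uint8_t sample_ret_only[6] = { 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC };

int main(void)
{
    const uint8_t *samples[3] = { sample_pristine, sample_nopped, sample_ret_only };
    const char *names[3] = { "pristine", "nopped mov dr7", "ret only" };

    for (int i = 0; i < 3; i++) {
        printf("%-15s intact=%d first mismatch at %ld\n", names[i],
               kinodebug_opcodes_intact(samples[i]),
               first_opcode_mismatch(samples[i], KINODEBUG_EXPECTED, sizeof KINODEBUG_EXPECTED));
    }
    return 0;
}
```

The dword immediate 230FC033h is simply the bytes 33 C0 0F 23 read in little-endian order, which is why the listing can cover the whole xor and the first two bytes of the mov with a single compare; a patch that changes any of the six bytes, whether it NOPs out the write to Dr7 or replaces the routine wholesale, fails one of the two compares.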