Uninformed: Informative Information for the Uninformed

Vol 6» 2007.Jan

Overwriting PatchGuard Initialization Code Post-Boot

Once PatchGuard has finished initializing, it deliberately zeros out much of the code that set it up. Presumably this is intended to keep third-party drivers from analyzing that code in memory in order to detect or defeat PatchGuard. It is trivially bypassed, however: the same code remains intact in the ntoskrnl image on disk, so it can simply be read from there.

After boot, several PatchGuard-related routines consist entirely of zero bytes (the disassembler renders 00 00 as add byte ptr [rax],al):

0: kd> u nt!KiNoDebugRoutine
fffff800`011a4b20 0000            add     byte ptr [rax],al

fffff800`011a4aa2 0000            add     byte ptr [rax],al

0: kd> u nt!KiGetGdtIdt
fffff800`011a4a20 0000            add     byte ptr [rax],al

0: kd> u nt!RtlpDeleteFunctionTable
fffff800`011a1010 0000            add     byte ptr [rax],al

Most of the PatchGuard initialization code resides in the INITKDBG section of ntoskrnl, and portions of that section are zeroed out during initialization. Because the on-disk image is untouched, diffing a section of the running kernel against the same section of ntoskrnl.exe both recovers the erased code and shows exactly which byte ranges were cleared.
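The following is an added example, not code from the Uninformed article: it locates a named section (here INITKDBG) in a PE image by walking the section headers, then counts the bytes of that section that are non-zero on disk but zero in the loaded image, which is precisely the post-boot zeroing described above. The PE parsing uses hand-computed header offsets rather than windows.h so it builds on any host. The "disk" and "memory" images are constructed in-line for demonstration; on a real system the disk bytes would come from ntoskrnl.exe and the memory bytes from a kernel debugger or a memory dump, since kernel memory is not readable from user mode. All function names, the section sizes, the 0x80-byte zeroed span and the filler bytes are assumptions made for this example.

```c
/* Added example (not from the original article): diff a PE section as found in the
 * on-disk image against the same section in a loaded image to find bytes that were
 * zeroed after load. Section names, sizes and contents below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_SIG   0x00004550u  /* "PE\0\0" as a little-endian dword */
#define DISK_LEN 0x600        /* constructed file image size */
#define MEM_LEN  0x3000       /* constructed loaded image size (indexed by RVA) */

struct section_info { uint32_t rva, vsize, raw_off, raw_size; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Find a named section in raw PE file bytes. Returns 1 on success, 0 if the image is
 * malformed, the section is absent, or its raw data lies outside the file. */
int pe_find_section(const uint8_t *img, size_t len, const char *name, struct section_info *out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;          /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                            /* e_lfanew */
    if ((size_t)pe + 24 > len || rd32(img + pe) != PE_SIG) return 0;
    uint16_t nsect = rd16(img + pe + 6);                       /* COFF NumberOfSections */
    uint16_t opt_size = rd16(img + pe + 20);                   /* COFF SizeOfOptionalHeader */
    size_t sh = (size_t)pe + 24 + opt_size;                    /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsect; i++, sh += 40) {
        if (sh + 40 > len) return 0;
        char n[9] = {0};
        memcpy(n, img + sh, 8);                                /* Name is 8 bytes, not NUL-terminated */
        if (strcmp(n, name) != 0) continue;
        out->vsize    = rd32(img + sh + 8);
        out->rva      = rd32(img + sh + 12);
        out->raw_size = rd32(img + sh + 16);
        out->raw_off  = rd32(img + sh + 20);
        return (size_t)out->raw_off + out->raw_size <= len;
    }
    return 0;
}

/* Count bytes of `sec` that are non-zero on disk but zero in the loaded image `mem`
 * (indexed by RVA). A non-zero result is the signature of post-load zeroing. */
size_t count_zeroed_bytes(const uint8_t *disk, const struct section_info *sec,
                          const uint8_t *mem, size_t mem_len) {
    size_t n = sec->raw_size < sec->vsize ? sec->raw_size : sec->vsize;
    if ((size_t)sec->rva + n > mem_len) return 0;
    size_t zeroed = 0;
    for (size_t i = 0; i < n; i++)
        if (disk[sec->raw_off + i] != 0 && mem[sec->rva + i] == 0) zeroed++;
    return zeroed;
}

static void put_section(uint8_t *sh, const char *name, uint32_t vsize, uint32_t rva,
                        uint32_t raw_size, uint32_t raw_off) {
    memset(sh, 0, 40);
    memcpy(sh, name, strlen(name));
    wr32(sh + 8, vsize); wr32(sh + 12, rva); wr32(sh + 16, raw_size); wr32(sh + 20, raw_off);
}

/* Constructed sample: a minimal PE32+ file with .text and INITKDBG, plus the matching
 * loaded image in which the first 0x80 bytes of INITKDBG have been zeroed. */
void build_sample(uint8_t *disk, uint8_t *mem) {
    memset(disk, 0, DISK_LEN);
    wr16(disk, 0x5A4D);                 /* MZ */
    wr32(disk + 0x3C, 0x40);            /* e_lfanew */
    wr32(disk + 0x40, PE_SIG);
    wr16(disk + 0x40 + 4, 0x8664);      /* Machine: AMD64 */
    wr16(disk + 0x40 + 6, 2);           /* NumberOfSections */
    wr16(disk + 0x40 + 20, 240);        /* SizeOfOptionalHeader for PE32+ */
    wr16(disk + 0x40 + 24, 0x20B);      /* Optional header Magic: PE32+ */
    uint8_t *sh = disk + 0x40 + 24 + 240;
    put_section(sh,      ".text",    0x200, 0x1000, 0x200, 0x200);
    put_section(sh + 40, "INITKDBG", 0x200, 0x2000, 0x200, 0x400);
    for (int i = 0; i < 0x200; i++) {   /* filler: nops in .text, varying bytes in INITKDBG */
        disk[0x200 + i] = 0x90;
        disk[0x400 + i] = (uint8_t)(0x48 + (i & 7));
    }
    memset(mem, 0, MEM_LEN);            /* loader view: headers + sections at their RVAs */
    memcpy(mem, disk, 0x200);
    memcpy(mem + 0x1000, disk + 0x200, 0x200);
    memcpy(mem + 0x2000, disk + 0x400, 0x200);
    memset(mem + 0x2000, 0, 0x80);      /* the PatchGuard-style zeroing we want to detect */
}

/* Zeroed byte count for a named section of the sample; (size_t)-1 if the section is missing. */
size_t zeroed_in_section(const char *name) {
    static uint8_t disk[DISK_LEN], mem[MEM_LEN];
    struct section_info sec;
    build_sample(disk, mem);
    if (!pe_find_section(disk, DISK_LEN, name, &sec)) return (size_t)-1;
    return count_zeroed_bytes(disk, &sec, mem, MEM_LEN);
}

int main(void) {
    printf("INITKDBG: %zu bytes non-zero on disk but zero in memory\n", zeroed_in_section("INITKDBG"));
    printf(".text:    %zu bytes non-zero on disk but zero in memory\n", zeroed_in_section(".text"));
    return 0;
}
```

Against a real kernel, replace build_sample with the bytes of ntoskrnl.exe and a dump of the loaded image at its base address; the comparison is keyed on PointerToRawData for the file and VirtualAddress for memory, so it is unaffected by the differing file and section alignments. Note that a legitimately discardable section (INIT, INITKDBG) may also be freed and reused after boot, so a non-zero count should be read together with the address ranges involved rather than on its own.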