Bypass Techniques

Despite the myriad anti-reverse-engineering and anti-debug techniques employed by PatchGuard version 2, it is hardly invincible to being bypassed by third party code. Contrary to one might expect, given the descriptions in the initial section of this article, there are a number of holes in PatchGuard's armor that can be exploited by third party software. Several potential techniques for bypassing PatchGuard version 2 are outlined below, including one technique that includes functional proof of concept code. These techniques are applicable to the version of PatchGuard currently shipping with Windows XP x64 Edition with all hotfixes, Windows Server 2003 x64 Edition with all hotfixes, and Windows Vista x64 with all hotfixes at the time that this article was written. The author has only written a complete implementation of the first proposed bypass technique, although the remaining proposed bypass approaches are expected to be viable in principle.

• Interception of _C_specific_handler
• Interception of DPC Exception Registration
• Interception of PsInvertedFunctionTable
• Interception of KiDebugTrapOrFault
• General Detect Bit Interception
• Patching the Kernel Timer DPC Dispatcher
• Searching for the PatchGuard DPC
• TLB Desynchronization (Split TLB)
• DPC Routine Patching