Uninformed: Informative Information for the Uninformed

Vol 6» 2007.Jan

Bypass Techniques

Despite the myriad anti-reverse-engineering and anti-debug techniques employed by PatchGuard version 2, it is hardly immune to being bypassed by third-party code. Contrary to what one might expect, given the descriptions in the initial section of this article, there are a number of holes in PatchGuard's armor that can be exploited by third-party software. Several potential techniques for bypassing PatchGuard version 2 are outlined below, including one technique that is accompanied by functional proof-of-concept code. These techniques are applicable to the version of PatchGuard shipping with Windows XP x64 Edition with all hotfixes, Windows Server 2003 x64 Edition with all hotfixes, and Windows Vista x64 with all hotfixes at the time that this article was written. The author has written a complete implementation of only the first proposed bypass technique, although the remaining proposed bypass approaches are expected to be viable in principle.