Informative Information for the Uninformed
Foreword

Abstract: Windows Vista x64 and recently hotfixed versions of the Windows Server 2003 x64 kernel contain an updated version of Microsoft's kernel-mode patch prevention technology known as PatchGuard. This new version of PatchGuard improves on the previous version in several ways, primarily dealing with attempts to increase the difficulty of bypassing PatchGuard from the perspective of an independent software vendor (ISV) deploying a driver that patches the kernel. The feature-set of PatchGuard version 2 is otherwise quite similar to PatchGuard version 1; the SSDT, IDT/GDT, various MSRs, and several kernel global function pointer variables (as well as kernel code) are guarded against unauthorized modification. This paper proposes several methods that can be used to bypass PatchGuard version 2 completely. Potential solutions to these bypass techniques are also suggested. Additionally, this paper describes a mechanism by which PatchGuard version 2 can be subverted to run custom code in place of PatchGuard's system integrity checking code, all while leaving no traces of any kernel patching or custom kernel drivers loaded in the system after PatchGuard has been subverted. This is particularly interesting from the perspective of using PatchGuard's defenses to hide kernel mode code, a goal that is (in many respects) completely contrary to what PatchGuard is designed to do.

Thanks: The author would like to thank skape, bugcheck, and Alex Ionescu.

Disclaimer: This paper is presented in the interest of education and the furthering of general public knowledge. The author cannot be held responsible for any potential use (or misuse) of the information disclosed in this paper. While the author has attempted to be as vigilant as possible with respect to ensuring that this paper is accurate, it is possible that one or more mistakes might remain. If such an inaccuracy or mistake is located, the author would appreciate being notified so that the appropriate corrections can be made.