Uninformed: Informative Information for the Uninformed

Vol 6 » 2007.Jan



Searching for the PatchGuard DPC

PatchGuard currently uses a KTIMER object with an associated KDPC object, both allocated within non-paged pool memory, as a periodic trigger used to start PatchGuard's system integrity check routine. It should be possible to locate this timer object in memory and cancel it, preventing PatchGuard from executing.

The implementation of this technique is essentially a classical egghunt-style search through non-paged pool, with some specially defined restrictions on how to find the target. Specifically, one is looking for a region of memory matching the following criteria:

  1. The memory is a valid KTIMER object. This means that the linked list entries should be valid, and point to other seemingly valid KTIMER objects (or the list head), and that the type field of the KTIMER is consistent with a timer object.
  2. The timer should have a timer interval in the range of several minutes. PatchGuard applies a randomized fuzz factor to the timer interval (within a small range), but verifying that the range of the timer is no more than several minutes (say 7 or 8) should be an ample sanity check.
  3. The timer should have a KDPC associated with it (and the pointer should be valid non-paged pool).
  4. The associated KDPC should have the appropriate type field.
  5. The associated KDPC should have a DPC routine that is within the confines of the kernel image in memory.
  6. The associated KDPC should have a DeferredContext value that is a non-canonical kernel address.

After the DPC is found, it can simply be canceled in order to disable PatchGuard. Approaches similar to those that could be used to prevent technique 4.6 would be applicable here. Specifically, diversity in the set of paths leading up to PatchGuard's execution would make a technique like this, which is targeted at one path (such as the timer DPC dispatcher), less effective at blocking PatchGuard.