Searching for the PatchGuard DPC
PatchGuard currently uses a KTIMER object with an associated KDPC object, both
allocated within non-paged pool memory, as a periodic trigger used to start
PatchGuard's system integrity check routine. It should be possible to locate
this timer object in memory and cancel it, preventing PatchGuard from
executing.
The implementation of this technique is essentially a classical egghunt
style search through non-paged pool, with some specially defined restrictions
as to how to find the target. Specifically, one is looking for a region of
memory matching the following criteria:
- The memory is a valid KTIMER object. This means that the linked list entries should be valid and point to other seemingly valid KTIMER objects (or the list head), and that the type field of the KTIMER is consistent with a timer object.
- The timer should have a timer interval in the range of several minutes. PatchGuard applies a randomized fuzz factor to the timer interval (within a small range), but verifying that the interval of the timer is no more than several minutes (say 7 or 8) should be an ample sanity check.
- The timer should have a KDPC associated with it (and the pointer should be valid non-paged pool).
- The associated KDPC should have the appropriate type field.
- The associated KDPC should have a DPC routine that is within the confines of the kernel image in memory.
- The associated KDPC should have a DeferredContext value that is a non-canonical kernel address.
After the DPC is found, it can simply be canceled in order to disable PatchGuard.
Approaches similar to those that could be used to prevent technique 4.6 would be
applicable here. Specifically, diversity in the set of paths leading up to
PatchGuard's execution would make a technique like this one, which is targeted at
a single path (such as the timer DPC dispatcher), less effective at blocking
PatchGuard.