|Informative Information for the Uninformed|
After PatchGuard has initialized itself, it intentionally zeros out much of the code responsible for setting up PatchGuard. It is assumed that this is done in an attempt to prevent third-party drivers from analyzing kernel code in memory in order to detect or defeat PatchGuard. This approach is obviously trivially bypassed by opening the kernel image on disk, however.
After boot, many PatchGuard-related routines contain all zeros:
    0: kd> u nt!KiNoDebugRoutine
    nt!KiNoDebugRoutine:
    fffff800`011a4b20 0000            add     byte ptr [rax],al
    nt!FsRtlUninitializeSmallMcb:
    fffff800`011a4aa2 0000            add     byte ptr [rax],al
    0: kd> u nt!KiGetGdtIdt
    nt!KiGetGdtIdt:
    fffff800`011a4a20 0000            add     byte ptr [rax],al
    0: kd> u nt!RtlpDeleteFunctionTable
    nt!RtlpDeleteFunctionTable:
    fffff800`011a1010 0000            add     byte ptr [rax],al
Most of the PatchGuard initialization code resides in the INITKDBG section of ntoskrnl. Portions of this section are zeroed out during initialization.
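The comparison the text alludes to, as an added example that is not part of the original article: a small Python script that parses a PE section table, builds an RVA-indexed view of the loaded image with the INITKDBG section left wiped (mimicking what PatchGuard does after initialization), and flags routines that read as zeros in memory but not in the on-disk image. The PE image, symbol RVAs and instruction bytes are constructed for the demo; only the section and routine names echo the page.

```python
import struct
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_fake_pe(sections):
    """Constructed minimal PE32+ (not a real ntoskrnl) from [(name, rva, content)]."""
    n, raw_ptr = len(sections), (0x40 + 24 + 240 + 40 * len(sections) + 0x1FF) & ~0x1FF
    headers, blobs = b"", b""
    for name, rva, content in sections:  # raw data on 0x200-byte file boundaries
        headers += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(content),
                               rva, len(content), raw_ptr + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += content.ljust((len(content) + 0x1FF) & ~0x1FF, b"\0")
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional hdr
    image = bytes(dos) + b"PE\0\0" + coff + bytes(240) + headers
    return image.ljust(raw_ptr, b"\0") + blobs

def parse_sections(image):
    """Walk the section table: returns [(name, rva, raw_size, raw_ptr)]."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt = struct.unpack_from("<H", image, pe + 6)[0], struct.unpack_from("<H", image, pe + 20)[0]
    rows = [struct.unpack_from(SECTION_HDR, image, pe + 24 + opt + 40 * i) for i in range(nsec)]
    return [(r[0].rstrip(b"\0").decode(), r[2], r[3], r[4]) for r in rows]

def map_image(image, zero_sections=()):
    """RVA-indexed view of the loaded image; sections in zero_sections stay zero,
    mimicking PatchGuard wiping its INITKDBG setup code once initialization is done."""
    secs = parse_sections(image)
    mem = bytearray(max(va + sz for _, va, sz, _ in secs))
    for name, va, sz, rawptr in secs:
        if name not in zero_sections:
            mem[va:va + sz] = image[rawptr:rawptr + sz]
    return mem

def find_zeroed_routines(image, mem, symbols, length=16):
    """symbols: {name: rva}. Flags routines whose first bytes are all zero in memory
    but non-zero on disk, together with the section that holds them."""
    hits = []
    for name, rva in symbols.items():
        for sname, va, sz, rawptr in parse_sections(image):
            off = rawptr + rva - va
            if va <= rva < va + sz and not any(mem[rva:rva + length]) and any(image[off:off + length]):
                hits.append((name, sname))
    return hits

def demo():
    # Constructed image; symbol names echo the page, RVAs and bytes are made up.
    image = build_fake_pe([(".text", 0x1000, b"\x48\x89\x5c\x24\x08" * 4),
                           ("INITKDBG", 0x2000, b"\x40\x53\x48\x83\xec\x20" * 4)])
    mem = map_image(image, zero_sections=("INITKDBG",))
    return find_zeroed_routines(image, mem, {"KiGetGdtIdt": 0x2000, "ExAllocatePool": 0x1000})
```

Against a real system the same comparison would run the on-disk ntoskrnl against a kernel memory dump, with symbol RVAs taken from the matching PDB.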