Informative Information for the Uninformed
Anti-Debugging Code at PatchGuard Initialization Time

As with PatchGuard 2, PatchGuard 3 includes a sizable amount of anti-debugging code at runtime that is intended to frustrate attempts to step through the PatchGuard initialization routines with a debugger. Most of this code checks whether a debugger is present while the PatchGuard initialization routines are executing (which should not normally occur, since the PatchGuard initialization routines are only called when a debugger is not attached) and, if a debugger is detected, disables interrupts and enters a spin loop so as to freeze the system unrecoverably. Although this anti-debugging code may appear intimidating at first, disabling it is only a matter of locating all references to KdDebuggerNotPresent within the PatchGuard initialization routine and patching out the checks from within the debugger. For example, the author used the following set of commands in the debugger at initialization time to disable the anti-debugging checks for Windows Vista x64 SP0, kernel version 6.0.6000.16514:
$$ Force the debugger-present check in KeInitAmd64SpecificState to report "no debugger"
bp nt!KeInitAmd64SpecificState + 12 "r @edx = 1 ; r @eax = 1 ; g"
bp nt!KiFilterFiberContext
$$ Each "eb <address> eb" overwrites a conditional short jump with an unconditional
$$ one (opcode 0xEB); "90" bytes replace instructions with NOPs
eb nt!KiFilterFiberContext+0x20 eb
eb nt!KiFilterFiberContext+0x19a eb
eb fffff800`01c63d22 eb
eb fffff800`01c64686 eb
eb fffff800`01c652be eb
eb fffff800`01c65334 eb
eb fffff800`01c65880 eb
eb fffff800`01c65a65 eb
eb fffff800`01c67479 eb
eb fffff800`01c68798 eb
eb fffff800`01c6a940 eb
eb fffff800`01c6b7a9 90 90
eb fffff800`01c6b7dd eb
eb fffff800`01c6bad9 eb
eb fffff800`01c6d0e7 eb
eb fffff800`01c6d2f6 eb
eb fffff800`01c6d650 eb
eb fffff800`01c65c3a 90 90 90 90 90 90
eb fffff800`01c690b1 90 90 90 90 90 90