Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep

Anti-Debugging Code at PatchGuard Initialization Time

As with PatchGuard 2, PatchGuard 3 includes a sizable amount of anti-debugging code at runtime that is intended to frustrate attempts to step through the PatchGuard initialization routines with a debugger. Most of this code is based upon checking if a debugger is present while the PatchGuard initialization routines are executing (which should not typically occur as the PatchGuard initializtion routines are only called if a debugger is not attached), and if a debugger is so detected, disable interrupts and entering a spin loop so as to unrecoverably freeze the system.

Although this anti-debugging code may appear intimidating at first, disabling them is only a matter of locating all references to KdDebuggerNotPresent within the PatchGuard initialization routine and patching out the checks into the debugger. For example, the author used the following set of commands in the debugger at initialization time to disable the anti-debugging checks for Windows Vista x64 SP0, kernel version 6.0.6000.16514:

bp nt!KeInitAmd64SpecificState + 12 "r @edx = 1 ; r @eax = 1 ; g"
bp nt!KiFilterFiberContext
eb nt!KiFilterFiberContext+0x20 eb
eb nt!KiFilterFiberContext+0x19a eb

eb fffff800`01c63d22 eb
eb fffff800`01c64686 eb
eb fffff800`01c652be eb
eb fffff800`01c65334 eb
eb fffff800`01c65880 eb
eb fffff800`01c65a65 eb
eb fffff800`01c67479 eb
eb fffff800`01c68798 eb
eb fffff800`01c6a940 eb
eb fffff800`01c6b7a9 90 90
eb fffff800`01c6b7dd eb
eb fffff800`01c6bad9 eb
eb fffff800`01c6d0e7 eb
eb fffff800`01c6d2f6 eb
eb fffff800`01c6d650 eb
eb fffff800`01c65c3a 90 90 90 90 90 90
eb fffff800`01c690b1 90 90 90 90 90 90