| Current | v9 | v8 | v7 | v6 | v5 | v4 | v3 | v2 | v1 | All | About |
Protection Improvements
PatchGuard 3 implements several incremental improvements designed to protect PatchGuard from third party code attempting to disable it as compared to PatchGuard 2. The majority of the alterations to PatchGuard's self-defense logic appear to be direct responses to previously published, publicly-known bypass techniques, rather than general improvements meant to make PatchGuard 3 more resilient to analysis and attack. In this vein, while the alterations to PatchGuard 3 (over PatchGuard 2) are effective at disabling most previously-published bypass mechanisms that the author is aware of, it is not exceedingly difficult to alter many previous attack mechanisms to be effective against PatchGuard 3. Many of the protection systems that were implemented in PatchGuard 2 are still present in PatchGuard 3 in some form or another, though some of them have been altered to resist previously-published attacks.
This chapter will describe a number of specific improvements that have been made.
Subsections
- Multiple Concurrent PatchGuard Check Contexts
- Filtering of Exception Codes Used to Trigger PatchGuard Execution
- Executing PatchGuard Without SEH
- Randomized Call Frames in Repurposed DPC Routine Exception Paths
- Expanded Set of Protected Regions