Informative Information for the Uninformed
Vol 6 » 2007.Jan
Subverting PatchGuard Version 2
12/2006
Skywing
skywing@valhallalegends.com
http://www.nynaeve.net
Contents
Foreword
Introduction
Notable Protection Mechanisms
Anti-Debug Code During Initialization
Expanded Set of DPC Routines
Self-Decrypting and Mutating System Integrity Check Routine
Obfuscation of System Integrity Check Calls via Structured Exception Handling
Disruption of Debug Register-Based Breakpoints
Misleading Symbol Names
Integrity Checks Performed During System Initialization
Overwriting PatchGuard Initialization Code Post-Boot
Bypass Techniques
Interception of _C_specific_handler
Interception of DPC Exception Registration
Interception of PsInvertedFunctionTable
Interception of KiDebugTrapOrFault
General Detect Bit Interception
Patching the Kernel Timer DPC Dispatcher
Searching for the PatchGuard DPC
TLB Desynchronization (Split TLB)
DPC Routine Patching
Subverting PatchGuard
Future Direction of PatchGuard and "Anti-Hack" Systems
Conclusion
Bibliography
About this document ...