This presentation will focus on analyzing PatchGuard on Windows 10 RS4 and provide an aggregated and updated view of the whole mechanism, from initialization to BSOD.
Since 64-bit Windows, PatchGuard has been of great interest in Windows security.
For most iterations of its development, several people have analyzed its main mechanisms and internals, which many times led to a functional bypass. Researchers seem to agree on one thing: bypassing PatchGuard will always be theoretically possible, since it runs at the same privilege level as a driver. That seems true, in theory.
That said, just as vulnerability exploitation isn't about NOP sleds anymore, bypassing PatchGuard isn't about hooking KeBugCheck anymore.
First, we will present the initialization of the different methods PatchGuard uses to create contexts. They are important because they determine how integrity checks will be triggered and, by extension, how they can be disabled. We will describe the older methods from previous Windows versions as well as new ones that are yet to be documented.
Then we will detail the initialization of the PatchGuard context structure, which holds all the data necessary for it to operate. Among other things, this includes function pointers, random values initialized at boot time, and original checksums used later when verifying the integrity of critical Windows structures. We will show that modifying this critical structure isn't that difficult; the hardest part is finding each and every context.
Finally, we will explain how the check routines operate and how their main algorithms perform integrity checks, and, with the help of timeless analysis, we will follow the careful process that triggers the BSOD once a modification is detected.
Luc Reginato - Reverse Engineer at Tetrane
firstname.lastname@example.org - @\_YouB\_
Luc is a Reverse Engineer at Tetrane (www.tetrane.com) specializing in applying timeless debugging to challenge Windows use-cases such as vulnerability analysis, malware analysis and tricky Windows mechanisms. His main research interests include any reverse engineering trick in general and Windows Kernel in particular.