Wilders Security Forums
Other Security Topics > other security issues & news
#1
August 1st, 2008, 02:41 AM
LooneyLynn (Infrequent Poster; Join Date: Aug 2008; Posts: 7)
Driver to bypass PatchGuard 3

Hello ,

To find out whether it is practical to extend my hooking library to kernel mode, I recently wrote two drivers disabling PatchGuard 2 and PatchGuard 3 on the latest Windows versions (including all updates). The source code and extensive documentation are available.

The PatchGuard 3 driver shows where Microsoft has to provide further hardening and the documentation also gives some hints to make it almost unexploitable.

Maybe someone would like to review the documentation and code on http://www.codeplex.com/easyhook/Rel...eleaseId=15850.

If the link doesn't work: http://code.google.com/p/easyhook-co...downloads/list

REAL PC ISSUE FIXED BY NOW... Follow the codeplex link for the latest release... I also added a fix for the latest windows update!

regards
Christoph Husse

Last edited by LooneyLynn : August 2nd, 2008 at 12:12 PM.
#2
August 1st, 2008, 04:38 AM
Meriadoc (Very Frequent Poster; Join Date: Mar 2006; Location: Cymru; Posts: 2,642)
Re: Driver to bypass PatchGuard 3

Hi Christoph, I was only looking at EasyHook the other day. Thanks for the driver source code.
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
#3
August 1st, 2008, 05:19 AM
Arup (Posts: n/a)
Re: Driver to bypass PatchGuard 3

Would you be able to bypass PatchGuard with DEP on under LUA using your method?
#4
August 1st, 2008, 05:30 AM
LooneyLynn (Infrequent Poster; Join Date: Aug 2008; Posts: 7)
Re: Driver to bypass PatchGuard 3

> Would you be able to bypass PatchGuard with DEP on under LUA using your method?

Well, DEP is enabled for all applications, services and Windows essentials on my system (maximum setting). BTW, I have never heard of DEP in kernel mode. LUA seems to refer to Limited User Account?!
Of course this driver won't bypass security mechanisms! You will need an administrator account to install the driver; but then all things will be fine.

> Thanks for driver source code.

I hope it is useful to you. I also recommend reading the documentation.

regards
chris
#5
August 1st, 2008, 05:36 AM
Meriadoc (Very Frequent Poster; Join Date: Mar 2006; Location: Cymru; Posts: 2,642)
Re: Driver to bypass PatchGuard 3

Christoph, I would like to test in a virtual machine, but incidentally, can changes be reversed on a real system?

Quote:
I also recommend reading the documentation.
I have read it and am re-reading it; nice work.

edit: okay, I've come across the answer to my question.
Quote:
OPERATION SUCCEEDED, PATIENT DEAD
So what have we done so far? We disabled PatchGuard 3 on Windows Vista SP1, all updates installed.
Of course the patches we applied were not that common coding style ;-). But everyone will agree
that potential malware is written like that and actually the patches are very stable for a given OS. You
may roll back all changes after approx. 20 minutes. The reason is that PatchGuard will only add a new
code path if the system check routine is invoked. So when we block its execution for a reasonable
period of time, there is nothing to block anymore… My driver does not support rolling back the
changes so far and in fact never will. This is also why you can't unload it after patching.

Last edited by Meriadoc : August 1st, 2008 at 05:53 AM.
#6
August 1st, 2008, 05:49 AM
Arup (Posts: n/a)
Re: Driver to bypass PatchGuard 3

Quote:
Originally Posted by LooneyLynn
> Would you be able to bypass PatchGuard with DEP on under LUA using your method?

Well, DEP is enabled for all applications, services and Windows essentials on my system (maximum setting). BTW, I have never heard of DEP in kernel mode. LUA seems to refer to Limited User Account?!
Of course this driver won't bypass security mechanisms! You will need an administrator account to install the driver; but then all things will be fine.

> Thanks for driver source code.

I hope it is useful to you. I also recommend reading the documentation.

regards
chris


Thank you very much, I will go through the documentation.
#7
August 1st, 2008, 06:00 AM
LooneyLynn (Infrequent Poster; Join Date: Aug 2008; Posts: 7)
Re: Driver to bypass PatchGuard 3

Well, currently there seems to be an issue on a real PC. Please only execute it in a virtual machine!

The problem is not the driver itself, at least not the PatchGuard-disabling part. There is an issue with MmGetVirtualForPhysical(), which I am using to search the memory. It works well in a virtual machine but raises an uncatchable page fault on a real PC. That is really insane! I am currently working on a solution, so please stand by...

It is no real issue, because I only use the method to speed up the search...
#8
August 2nd, 2008, 12:13 PM
LooneyLynn (Infrequent Poster; Join Date: Aug 2008; Posts: 7)
Re: Driver to bypass PatchGuard 3

The issues on a real PC are fixed. Also, a fix for the latest Windows update is now available...

regards
chris
#9
October 28th, 2008, 10:10 AM
DavidXanatos (Regular Poster; Join Date: Sep 2006; Location: Vienna; Posts: 105)
Re: Driver to bypass PatchGuard 3

Hi,
First of all, GREAT WORK.

I saw in your documentation that you solve the PG problem by not involving the PG code, but wouldn't it also be possible to patch the PG code so that it simply does not check anything and just exits? Wouldn't it be simpler this way?
#10
October 28th, 2008, 11:40 AM
LooneyLynn (Infrequent Poster; Join Date: Aug 2008; Posts: 7)
Re: Driver to bypass PatchGuard 3

If you find a way to determine the PatchGuard code at runtime and get it to exit, it would of course be easier...

But this is like asking whether it isn't easier to get to the ISS by using a teleporter instead of a space shuttle?!...

regards
chris
#11
October 28th, 2008, 12:31 PM
DavidXanatos (Regular Poster; Join Date: Sep 2006; Location: Vienna; Posts: 105)
Re: Driver to bypass PatchGuard 3

And patching it offline in the binary file? Wouldn't that be easier?

I'm not an assembler expert, so I may ask questions that may seem trivial to an expert; please excuse this.

Just a few thoughts:
I presume the PG causes some well-defined exception when it detects a manipulation, and this one must be caught somewhere. Setting a breakpoint there and then looking where it comes from, wouldn't that be possible? (I only have experience with user-mode applications, so I may be way off here.)
Or would this address be different again after the reboot?

Is it possible to recover from an exception that is handled by the BSOD routine? Maybe the modification could just ignore the crashes caused by PG?


PS: Regarding the teleporter, there are actually plans to put one (though it works yet only with single photons) on a satellite or the ISS.
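The "well-defined exception" asked about in the post above, and the "patient dead" outcome quoted from the documentation in post #5, is bug check 0x109 (CRITICAL_STRUCTURE_CORRUPTION), which PatchGuard raises when one of its checks fails; after the reboot, Windows records the stop code and its four parameters in the System event log as a "BugCheck" source, Event ID 1001 message. The following is an added example and is not part of this thread, of EasyHook, or of its documentation: a small parser that picks PatchGuard-triggered crashes out of such event log text and decodes parameter 4 (which Microsoft's bug check reference documents as the type of corrupted region; only the first eight values are reproduced here). The sample event messages are constructed for the example; the parameter values in them are made up and carry no meaning beyond the stop code and parameter 4.

```python
"""Flag PatchGuard-triggered crashes in Windows System event log text.

PatchGuard reports a detected kernel modification by raising bug check
0x109 (CRITICAL_STRUCTURE_CORRUPTION). After the reboot, the System log
carries a BugCheck / Event ID 1001 message naming the stop code and its
four parameters. This example parses such messages and decodes
parameter 4, the type of corrupted region.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRITICAL_STRUCTURE_CORRUPTION = 0x109

# Parameter 4 of bug check 0x109, abbreviated from Microsoft's bug check
# reference (values above 0x7 exist but are omitted in this example).
REGION_TYPES = {
    0x0: "generic data region",
    0x1: "modification of a function or .pdata",
    0x2: "processor IDT",
    0x3: "processor GDT",
    0x4: "type-1 process list corruption",
    0x5: "type-2 process list corruption",
    0x6: "debug routine modification",
    0x7: "critical MSR modification",
}

# Matches the stop code and the four parameters in an Event ID 1001 message,
# e.g. "The bugcheck was: 0x00000109 (0x..., 0x..., 0x..., 0x...)."
BUGCHECK_RE = re.compile(
    r"The bugcheck was: 0x([0-9a-fA-F]+) "
    r"\(0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+)\)"
)


@dataclass
class BugCheck:
    code: int
    params: Tuple[int, int, int, int]
    region: Optional[str]  # decoded parameter 4, only for 0x109

    @property
    def patchguard(self) -> bool:
        """True when the stop code is the one PatchGuard raises."""
        return self.code == CRITICAL_STRUCTURE_CORRUPTION


def parse_bugcheck(message: str) -> Optional[BugCheck]:
    """Extract stop code and parameters from one event message, or None."""
    m = BUGCHECK_RE.search(message)
    if not m:
        return None
    code = int(m.group(1), 16)
    p1, p2, p3, p4 = (int(g, 16) for g in m.groups()[1:])
    region = None
    if code == CRITICAL_STRUCTURE_CORRUPTION:
        region = REGION_TYPES.get(p4, "unknown region type 0x%x" % p4)
    return BugCheck(code, (p1, p2, p3, p4), region)


def scan(messages: List[str]) -> List[BugCheck]:
    """Return only the bug checks attributable to PatchGuard."""
    hits = []
    for msg in messages:
        bc = parse_bugcheck(msg)
        if bc is not None and bc.patchguard:
            hits.append(bc)
    return hits


# Constructed sample messages (parameter values are invented for the example).
SAMPLE_LOG = [
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 "
    "(0xa3a01f58b6b3bb83, 0xb3b72bdf4d1ab1b9, 0x0000000000000000, "
    "0x0000000000000001). A dump was saved in: C:\\Windows\\MEMORY.DMP.",
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e "
    "(0xffffffffc0000005, 0xfffff80001a2b3c4, 0xfffffa8003a1e9d8, "
    "0xfffffa8003a1e410). A dump was saved in: C:\\Windows\\MEMORY.DMP.",
    "The Event log service was started.",
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 "
    "(0xa3a01f58b6b3bb83, 0xb3b72bdf4d1ab1b9, 0x0000000000000001, "
    "0x0000000000000002). A dump was saved in: C:\\Windows\\MEMORY.DMP.",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("PatchGuard bug check 0x%x, region: %s" % (hit.code, hit.region))
```

On a live system the same messages can be pulled with `Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='BugCheck'}` and fed to `scan()`. Note that this only detects PatchGuard firing; as the author says in post #10, his driver avoids the check rather than catching it, so a successful bypass leaves no 0x109 behind.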
#12
October 28th, 2008, 12:36 PM
LooneyLynn (Infrequent Poster; Join Date: Aug 2008; Posts: 7)
Re: Driver to bypass PatchGuard 3

Don't presume so much; just read the article on CodePlex... ;-).

regards
chris
#13
October 28th, 2008, 12:37 PM
LooneyLynn (Infrequent Poster; Join Date: Aug 2008; Posts: 7)
Re: Driver to bypass PatchGuard 3

http://www.codeproject.com/KB/vista-...atchguard.aspx
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums