Does PatchGuard stop kernel level keyloggers? Or rather, did it?

Discussion in 'other anti-malware software' started by SpongeGuard, Oct 8, 2010.

Thread Status:
Not open for further replies.
  1. SpongeGuard

    SpongeGuard Registered Member

    Joined:
    Sep 16, 2010
    Posts:
    22
    I know PatchGuard made it hard/near impossible for rootkits to infect an x64 system and retain system stability, but how about kernel level keyloggers? Since PatchGuard protects the kernel, are keyloggers that don't use TDL3's method of infection still hindered by PatchGuard?
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    PatchGuard can't protect against kernel-level keyloggers as they are using legitimate IRP filtering. Or it may use another trick (driver device function hook) PG does not control.
     
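    An added defender-side check, not from this thread: because the IRP-filtering drivers Ilya describes attach through the keyboard device class's UpperFilters/LowerFilters registry values rather than by patching the kernel, an administrator can review that list directly. The PowerShell below is an illustration written for this post (it assumes Administrator rights on Windows, the well-known keyboard class GUID, and a baseline of only kbdclass, which you should adjust to your build); it lists each registered filter driver with its image path and Authenticode status.

```powershell
# Added example (not from the thread): audit the keyboard class filter stack.
# IRP-filtering keyloggers load as class filter drivers named in the
# UpperFilters/LowerFilters values of the keyboard device class; PatchGuard
# does not police this list, so it has to be reviewed by hand.
# Assumes: run as Administrator; well-known keyboard class GUID; baseline below.

$KeyboardClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$ClassKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$KeyboardClassGuid"
# Assumption: a clean default install lists only the class driver kbdclass.
$BaselineFilters = @('kbdclass')

function Resolve-DriverImagePath([string]$p) {
    # Service ImagePath values come in several forms; normalise to a file path.
    if (-not $p) { return $null }
    $p = $p -replace '^\\\?\?\\', ''                  # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-KeyboardFilterDrivers {
    $props = Get-ItemProperty -Path $ClassKey -ErrorAction Stop
    $results = @()
    foreach ($slot in 'UpperFilters', 'LowerFilters') {
        foreach ($name in @($props.$slot)) {
            if (-not $name) { continue }
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $image = Resolve-DriverImagePath ($svc.ImagePath)
            $sigStatus = 'NoFile'
            if ($image -and (Test-Path $image)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $image).Status
            }
            $results += [pscustomobject]@{
                Slot       = $slot
                Driver     = $name
                ImagePath  = $image
                Signature  = $sigStatus
                InBaseline = ($BaselineFilters -contains $name)
            }
        }
    }
    return $results
}

# Anything not in the baseline, or without a valid signature, deserves a look.
Get-KeyboardFilterDrivers | Format-Table -AutoSize
```

    This only shows filters registered through the class key; a driver that attaches to the device stack at run time will not appear here, so pair it with a review of loaded drivers and their signatures.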
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    then 64 is not as secure as they promised :D
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    It was only a matter of time until x64 would be exposed to threats it supposedly would be immune to.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Doesn't every kernel-based keylogger need to install a driver for its keylogging, and won't this driver install be stopped by PatchGuard?
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    No. Test the Zemana keylogger or SpyShelter's keylogger on a Windows x64 system and you'll have the evidence right there. :) Please note that those keyloggers are not actually malware, but merely testing tools. :)
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    There is only one really working protection mechanism to prevent malware in kernel mode: loading only signed driver files. But it can be subverted with an MBR trick. PatchGuard doesn't protect the system as advertised.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    agree;)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They are not kernel based keyloggers I think.
     