Driver to bypass PatchGuard 3

Discussion in 'other security issues & news' started by LooneyLynn, Aug 1, 2008.

Thread Status:
Not open for further replies.
  1. LooneyLynn

    LooneyLynn Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    7
    Hello :p,

    to find out whether it is practical to extend my hooking library to kernel mode, I recently wrote two drivers disabling PatchGuard 2 and PatchGuard 3 on the latest Windows versions (including all updates). The source code and extensive documentation are available.

    The PatchGuard 3 driver shows where Microsoft has to provide further hardening and the documentation also gives some hints to make it almost unexploitable.

    Maybe someone would like to review the documentation and code on http://www.codeplex.com/easyhook/Release/ProjectReleases.aspx?ReleaseId=15850.

    If the link doesn't work: http://code.google.com/p/easyhook-continuing-detours/downloads/list

    REAL PC ISSUE FIXED BY NOW... Follow the codeplex link for the latest release... I also added a fix for the latest windows update!

    regards
    Christoph Husse
     
    Last edited: Aug 2, 2008
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Christoph, I was only looking at easyhook the other day. Thanks for the driver source code.
     
  3. Arup

    Arup Guest

    Would you be able to bypass PatchGuard with DEP on under LUA using your method?
     
  4. LooneyLynn

    LooneyLynn Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    7
    >Would you be able to bypass PatchGuard with DEP on under LUA using your method?

    Well, DEP is enabled for all applications, services and Windows essentials on my system (maximum setting)... BTW, I have never heard of DEP in kernel mode. LUA seems to refer to Limited User Account?!
    Of course this driver won't bypass security mechanisms! You will need an administrator account to install the driver; but then everything will be fine... :p

    >Thanks for driver source code.

    I hope it is useful to you. I also recommend reading the documentation. ;)

    regards
    chris
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Christoph, I would like to test it in a virtual machine, but incidentally, can the changes be reversed on a real system?

    I have read it and re-reading, nice work.

    edit: okay, I've come across the answer to my question.
     
    Last edited: Aug 1, 2008
  6. Arup

    Arup Guest
    Thank you very much, I will go through the documentation.
     
  7. LooneyLynn

    LooneyLynn Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    7
    Well currently there seems to be an issue on a real PC. Please only execute it in a virtual machine!

    The problem is not the driver itself, at least not the PatchGuard-disabling part. There is an issue with MmGetVirtualForPhysical(), which I am using to search memory. It works well in a virtual machine but raises an uncatchable page fault on a real PC. That is really insane! I am currently working on a solution, so please stand by... o_O

    It is not a real issue, because I only use the method to speed up the search...
     
  8. LooneyLynn

    LooneyLynn Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    7
    The issues on a real PC are fixed. Also a fix for the latest windows update is now available...

    regards
    chris
     
  9. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Viena
    Hi,
    First of all GREAT WORK :thumb:

    I saw in your documentation that you solve the PG problem by not involving the PG code, but wouldn't it also be possible to patch the PG code so that it simply does not check anything and just exits? Wouldn't it be simpler that way?
     
  10. LooneyLynn

    LooneyLynn Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    7
    If you find a way to determine the patchguard code at runtime and get it to exit it would be of course easier...

    But this is like asking whether it isn't easier to get to the ISS by using a teleporter instead of a space shuttle?!...

    regards
    chris
     
  11. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Viena
    And patching it offline in the binary file? Wouldn't that be easier?

    I'm not an assembler expert, so I may ask questions that may seem trivial to an expert; please excuse this :oops:

    Just a few thoughts:
    I presume PG causes some well-defined exception when it detects a manipulation, and this one must be caught somewhere. Setting a breakpoint there and then looking where it came from, wouldn't that be possible? (I only have experience with user-mode applications, so I may be way off here.)
    Or would this address be different again after the reboot?

    Is it possible to recover from an exception that is handled by the BSOD routine? Maybe the modification could just ignore the crashes caused by PG?


    PS: Regarding the teleporter, there are actually plans to put one (though it only works with single photons so far) on a satellite or the ISS ;)
     
  12. LooneyLynn

    LooneyLynn Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    7
    Don't presume so much, just read the article on codeplex... ;-).

    regards
    chris
     