Rootkit works on X64 !

Discussion in 'malware problems & news' started by CloneRanger, Aug 21, 2010.

Thread Status:
Not open for further replies.
  1. katio

    katio Guest

    Thanks for the replies!

    As far as I understand from the threads on kernelmode.info there are two ways to bypass patchguard:

    1)You already have a signed driver. This requires adding your own certificate as trusted, see https://www.wilderssecurity.com/showthread.php?t=216615
    Given how this works this isn't really suited for widespread automatic infections.
    More successful but also a lot harder would be stealing a cert or cracking the underlying crypto/hash/PKI.

    2)A bootkit which injects code into the kernel before PG could check it or disables it at boot time. TDL does this.

    Did I get this right?
     
  2. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    As far as I understand, PatchGuard doesn't check for digital signatures of drivers, but checks for attempts to patch the kernel. The check for signed drivers is not a part of PatchGuard. But, AFAIK those are the possible techniques used to bypass both PatchGuard and the check for signed drivers (I could be wrong though).
     
  3. Pandorian

    Pandorian Registered Member

    Joined:
    Sep 25, 2009
    Posts:
    11
    Judging by the comments in post #50, then your item 2) is not correct. Post #50 indicated that the kernel is not patched by TDL, but the miniport driver is.

    The reassuring thing is that the User is protected from these sophisticated attacks when using Windows 7 x 64 out of the box i.e. UAC - it does bemuse me why some disable it.
     