SlideShare a Scribd company logo

Bypassing patchguard on Windows 8.1 and Windows 10

H
Honorary_BoT

This document discusses techniques used by Patchguard, a mechanism in Windows 8.1 and 10 that protects the kernel from modifications. Patchguard uses code obfuscation, anti-debugging tricks, and periodic checksum validation to prevent unauthorized kernel patches. The document outlines various approaches that could be used to bypass Patchguard such as patching the kernel image, hooking functions, modifying checkers, or descheduling the context verification processes used by Patchguard. It provides details on specific functions and methods involved in Patchguard's context verification and suggests ways these could be descheduled to bypass the mechanism.

Engineering
1 of 16
Downloaded 102 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Bypassing patchguard on Windows 8.1 and Windows 10 Mark Ermolov, Artem Shishkin Positive Technologies
What is patchguard? ―“Please don’t patch our kernels” call from MS ―Even if your kernel patch is correct, you’ll catch a BSOD •0x109 CRITICAL_STRUCTURE_CORRUPTION ―Protected structures •System images: ntoskrnl.exe, win32k.sys, hal.dll etc. •System structures: IDT, GDT, Syscalltables etc. ―Periodic checksums validation for protected stuff ―Doesn’t work on Windows 9
What if we really need to? ―Go for it! ―But… •Patchguard developers are prepared for reverse engineers •Hyper-inlinedobfuscation © Alex Ionescu •Anti-debugging tricks •Several ways of checks invocation
Code obfuscation ―Symbol stripping
Code obfuscation ―Misleading names
Code obfuscation ―Code junk generation •Loop unrolling •Dead code insertion •Indirect calls and variable accesses
Anti-debugging ―Works only on free builds without kernel debugger!
Anti-debugging ―Randomly inserted checks for debugger presence
Anti-debugging ―If you use breakpoints, they will be included to a patchguard checksum, leading to a 0x109 bugcheck ―If you use hardware breakpoints, well…
Non-linear code flow ―Active usage of Vectored Exception Handling
Reverse-engineering ―For dynamic analysis with KD (with windbgf.e.) •Remove all kdpresence checks manually —Look them up with IDA scripting —Apply patches in KD with pykd —Do it before “Phase1InitializationDiscard“ ―For static analysis with IDA •Try not to give up waiting for patchguard initialization function decompilation ―Use something else, like hypervisor-based debugger ;)
Reverse-engineering ―Since patchguard is developed incrementally, the key functions in reversing it are •KiFilterFiberContext–chooses the way for invoking patchguard checks •Unnamed sub inside KiFilterFiberContext–creates a structure aka patchguard context and schedules it’s verification •Other functions (like context checkers) can be misleadingly named, but you can look them up around KiFilterFiberContextsince they are located in a single compilation unit
Bypassing patchguard ―There are different approaches •patch kernel image so that patchguard will just not start •hook KeBugCheckExand restore the state of a system •modify checkers so that they would be always valid •de-schedule contexts verification —This is what we’ve implemented
Contexts verification scheduling ―Context verification might be launched with •KeSetCoalescableTimer —A timer that periodically launches context verification •Prcb.AcpiReserved —A certain ACPI event (f.e. Idle transition) •Prcb.HalReserved —A haltimer clock •PsCreateSystemThread —A queued system thread that sleeps a random amount of time •KeInsertQueueApc —A queued regular kernel APC •KiBalanceSetManagerPeriodicDpc —A periodic event which happens every "KiBalanceSetManagerPeriod" ticks
Contexts verification descheduling ―So we’ve got to deschedulecontext verification once and for all •KeSetCoalescableTimer —Timer? Disable! •Prcb.AcpiReserved —Zero out this field •Prcb.HalReserved —Same here •PsCreateSystemThread —Scan sleeping worker threads and set wait time to infinite for suitable •KeInsertQueueApc —Same here •KiBalanceSetManagerPeriodicDpc —Revert to KiBalanceSetManagerDeferredRoutine
•research [at] ptsecurity[dot] com •www.ptsecurity.com •blog.ptsecurity.com Thank you!

More Related Content

PPTX
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
PDF
Process injection - Malware style
Sander Demeester
 
PPTX
Steelcon 2014 - Process Injection with Python
infodox
 
PPTX
Practical Windows Kernel Exploitation
zeroSteiner
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
PPTX
Security research over Windows #defcon china
Peter Hlavaty
 
PDF
Is That A Penguin In My Windows?
zeroSteiner
 
PDF
Practical Malware Analysis Ch12
Sam Bowne
 
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Process injection - Malware style
Sander Demeester
 
Steelcon 2014 - Process Injection with Python
infodox
 
Practical Windows Kernel Exploitation
zeroSteiner
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Security research over Windows #defcon china
Peter Hlavaty
 
Is That A Penguin In My Windows?
zeroSteiner
 
Practical Malware Analysis Ch12
Sam Bowne
 

What's hot (20)

PDF
Packers
Ange Albertini
 
PPTX
Fun With Dr Brown
zeroSteiner
 
PPTX
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
PPTX
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 
PDF
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Liang Chen
 
PDF
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
PPTX
Vulnerability desing patterns
Peter Hlavaty
 
PPTX
Guardians of your CODE
Peter Hlavaty
 
PPTX
Back to the CORE
Peter Hlavaty
 
ODP
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
PPTX
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
PDF
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PPTX
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
PDF
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat Security Conference
 
PPTX
Racing with Droids
Peter Hlavaty
 
PPTX
BH Arsenal '14 TurboTalk: The Veil-framework
VeilFramework
 
PDF
Metasploit - The Exploit Learning Tree
E Hacking
 
PPTX
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
PDF
Practical Malware Analysis Ch13
Sam Bowne
 
Packers
Ange Albertini
 
Fun With Dr Brown
zeroSteiner
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Liang Chen
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
Vulnerability desing patterns
Peter Hlavaty
 
Guardians of your CODE
Peter Hlavaty
 
Back to the CORE
Peter Hlavaty
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat Security Conference
 
Racing with Droids
Peter Hlavaty
 
BH Arsenal '14 TurboTalk: The Veil-framework
VeilFramework
 
Metasploit - The Exploit Learning Tree
E Hacking
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
Practical Malware Analysis Ch13
Sam Bowne
 
Ad

Viewers also liked (12)

PDF
Designing and Attacking DRM (RSA 2008)
Nate Lawson
 
PPTX
Rootkit internales
n|u - The Open Security Community
 
PDF
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
DefconRussia
 
PDF
Deobfuscation and beyond (ZeroNights, 2014)
ReCrypt
 
PPTX
Linkmeup v23-compass-eos
eucariot
 
DOCX
Chuyên
mayvanphong8x
 
DOCX
Resume 2014 x3
Roberta Lara
 
ODP
βολος
maro1234567
 
PPTX
Why is linkedIn vital for B2B marketing
Lets learn Digital
 
PPTX
6460 oc public forum 12 nov 14
cozmotrouble
 
DOCX
Chuyên
mayvanphong8x
 
PPTX
business finance
ezraken
 
Designing and Attacking DRM (RSA 2008)
Nate Lawson
 
Rootkit internales
n|u - The Open Security Community
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
DefconRussia
 
Deobfuscation and beyond (ZeroNights, 2014)
ReCrypt
 
Linkmeup v23-compass-eos
eucariot
 
Chuyên
mayvanphong8x
 
Resume 2014 x3
Roberta Lara
 
βολος
maro1234567
 
Why is linkedIn vital for B2B marketing
Lets learn Digital
 
6460 oc public forum 12 nov 14
cozmotrouble
 
Chuyên
mayvanphong8x
 
business finance
ezraken
 
Ad

Similar to Bypassing patchguard on Windows 8.1 and Windows 10 (20)

PDF
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
PPTX
Owning computers without shell access 2
Royce Davis
 
PPTX
Static Code Analysis for Projects, Built on Unreal Engine
Andrey Karpov
 
PDF
Keeping your Kubernetes Cluster Secure
Gene Gotimer
 
PDF
MFF UK - Advanced iOS Topics
Petr Dvorak
 
PPTX
Евгений Напрягло ".NET Framework Hosting API Overview"
Fwdays
 
PPT
Jenkins Overview
Ahmed M. Gomaa
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
PPTX
Simics - Break the Rules of Product Development
Real-Time Innovations (RTI)
 
PPTX
Kubernetes in Adform
Edgaras Apšega
 
PDF
how-to-bypass-AM-PPL
nitinscribd
 
PDF
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Dragos, Inc.
 
PPTX
Code quality
Provectus
 
PDF
UVM TUTORIAL;
Azad Mishra
 
PPTX
Securing the continuous integration
Irene Michlin
 
PDF
Secure all things with CBSecurity 3
Ortus Solutions, Corp
 
PPTX
Part of the DLM Story: Automated database build and test with TeamCity
Red Gate Software
 
PDF
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
PDF
Continuous Delivery the hard way with Kubernetes
Luke Marsden
 
PDF
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
Owning computers without shell access 2
Royce Davis
 
Static Code Analysis for Projects, Built on Unreal Engine
Andrey Karpov
 
Keeping your Kubernetes Cluster Secure
Gene Gotimer
 
MFF UK - Advanced iOS Topics
Petr Dvorak
 
Евгений Напрягло ".NET Framework Hosting API Overview"
Fwdays
 
Jenkins Overview
Ahmed M. Gomaa
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Simics - Break the Rules of Product Development
Real-Time Innovations (RTI)
 
Kubernetes in Adform
Edgaras Apšega
 
how-to-bypass-AM-PPL
nitinscribd
 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Dragos, Inc.
 
Code quality
Provectus
 
UVM TUTORIAL;
Azad Mishra
 
Securing the continuous integration
Irene Michlin
 
Secure all things with CBSecurity 3
Ortus Solutions, Corp
 
Part of the DLM Story: Automated database build and test with TeamCity
Red Gate Software
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Continuous Delivery the hard way with Kubernetes
Luke Marsden
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 

Recently uploaded (20)

PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PPTX
Sustainable Sites - Green Building Construction
mhdumerali
 
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PPTX
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PPTX
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
PDF
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
PDF
Well-logging-methods_new................
ZafriFarid
 
PDF
composite construction of structures.pdf
AinieButt1
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
Sustainable Sites - Green Building Construction
mhdumerali
 
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
Project quality management in manufacturing
BarMusaTetik
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
Well-logging-methods_new................
ZafriFarid
 
composite construction of structures.pdf
AinieButt1
 

Bypassing patchguard on Windows 8.1 and Windows 10

  • 1. Bypassing patchguard on Windows 8.1 and Windows 10 Mark Ermolov, Artem Shishkin Positive Technologies
  • 2. What is patchguard? ―“Please don’t patch our kernels” call from MS ―Even if your kernel patch is correct, you’ll catch a BSOD •0x109 CRITICAL_STRUCTURE_CORRUPTION ―Protected structures •System images: ntoskrnl.exe, win32k.sys, hal.dll etc. •System structures: IDT, GDT, Syscalltables etc. ―Periodic checksums validation for protected stuff ―Doesn’t work on Windows 9
  • 3. What if we really need to? ―Go for it! ―But… •Patchguard developers are prepared for reverse engineers •Hyper-inlinedobfuscation © Alex Ionescu •Anti-debugging tricks •Several ways of checks invocation
  • 6. Code obfuscation ―Code junk generation •Loop unrolling •Dead code insertion •Indirect calls and variable accesses
  • 7. Anti-debugging ―Works only on free builds without kernel debugger!
  • 8. Anti-debugging ―Randomly inserted checks for debugger presence
  • 9. Anti-debugging ―If you use breakpoints, they will be included to a patchguard checksum, leading to a 0x109 bugcheck ―If you use hardware breakpoints, well…
  • 10. Non-linear code flow ―Active usage of Vectored Exception Handling
  • 11. Reverse-engineering ―For dynamic analysis with KD (with windbgf.e.) •Remove all kdpresence checks manually —Look them up with IDA scripting —Apply patches in KD with pykd —Do it before “Phase1InitializationDiscard“ ―For static analysis with IDA •Try not to give up waiting for patchguard initialization function decompilation ―Use something else, like hypervisor-based debugger ;)
  • 12. Reverse-engineering ―Since patchguard is developed incrementally, the key functions in reversing it are •KiFilterFiberContext–chooses the way for invoking patchguard checks •Unnamed sub inside KiFilterFiberContext–creates a structure aka patchguard context and schedules it’s verification •Other functions (like context checkers) can be misleadingly named, but you can look them up around KiFilterFiberContextsince they are located in a single compilation unit
  • 13. Bypassing patchguard ―There are different approaches •patch kernel image so that patchguard will just not start •hook KeBugCheckExand restore the state of a system •modify checkers so that they would be always valid •de-schedule contexts verification —This is what we’ve implemented
  • 14. Contexts verification scheduling ―Context verification might be launched with •KeSetCoalescableTimer —A timer that periodically launches context verification •Prcb.AcpiReserved —A certain ACPI event (f.e. Idle transition) •Prcb.HalReserved —A haltimer clock •PsCreateSystemThread —A queued system thread that sleeps a random amount of time •KeInsertQueueApc —A queued regular kernel APC •KiBalanceSetManagerPeriodicDpc —A periodic event which happens every "KiBalanceSetManagerPeriod" ticks
  • 15. Contexts verification descheduling ―So we’ve got to deschedulecontext verification once and for all •KeSetCoalescableTimer —Timer? Disable! •Prcb.AcpiReserved —Zero out this field •Prcb.HalReserved —Same here •PsCreateSystemThread —Scan sleeping worker threads and set wait time to infinite for suitable •KeInsertQueueApc —Same here •KiBalanceSetManagerPeriodicDpc —Revert to KiBalanceSetManagerDeferredRoutine
  • 16. •research [at] ptsecurity[dot] com •www.ptsecurity.com •blog.ptsecurity.com Thank you!