Nytro

Defeating PatchGuard

Defeating PatchGuard

Bypassing Kernel Security Patch Protection in Microsoft Windows

By Deepak Gupta, McAfee Labs, and Xiaoning Li, Intel Labs

Table of Contents

Summary
Introduction
Kernel Patching
PatchGuard
    Initialization and operations
        Initialization
        Operations
    Attacks and countermeasures
        Exception handler hooking
        Hooking KeBugCheckEx
        Debug register attack with general detect bit on
        Translation cache attack
        Patching the kernel timer DPC dispatcher
        A generic attack
A New Level of Security

Summary

The kernel forms the core of any operating system. In conjunction with device drivers, the kernel abstracts interfaces for processes, memory management, file system, networking, and other services used by application developers. The kernel and other device drivers run at ring 0, the highest privilege, and form the bottom of the stack. Attacking the kernel and drivers puts an attacker in an advantageous position and helps hide footprints (rootkit activity). This stealth is required because most antimalware scanners update very frequently. If malware leaves behind footprints, then it can be traced, contained, and easily caught. Thus kernel-level malware with rootkit abilities is a very high-risk category.

To protect the 64-bit Windows kernel, Microsoft created Kernel Patch Protection, commonly called PatchGuard. We haven’t seen many attacks on the 64-bit kernel barring some incidents of TDL4/Alureon and Xpaj. (These are actually “bootkit” attacks against the hard drive’s master boot record that can be prevented or cleaned later.) We know of no attack in the wild that targets PatchGuard and then patches the kernel image or critical kernel data structures. However, independent research, including our own, has proved that it is possible to defeat PatchGuard. These “white hat” attacks were published with proof of concept code and are purely for educational purposes. However, just as we have seen with earlier versions of Windows, malware developers will eventually find a way to crack the operating system’s defenses.

Unlike 32-bit x86 processors, 64-bit processors from Intel come with virtualization extensions that can be used to set memory and CPU-register protections at the hardware level. DeepSAFE technology is one such offering from the collaborative efforts of Intel and McAfee; it will be instrumental in staying one step ahead of malware authors.

Download:

http://www.mcafee.com/us/resources/reports/rp-defeating-patchguard.pdf
