Vulnerability Research

Since Windows 64b, PatchGuard has been of great interest in Windows security. In this white-paper, you will access our research done using **[esReven](https://eshard.com/esreven) v2**.

&nbsp;

[![BANNER_End_2.png](/uploads/BANNER_End_2_d8b0f41672.png)](https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf)

&nbsp;


For most iterations of its development, several people have analyzed its main mechanisms and internals which, many times, led to a functional bypass. Researchers seem to agree on one thing: **bypassing PatchGuard will always be theoretically possible since it runs at the same level as a driver**. Which seems true, theoretically. That said, just like vulnerability exploit isn’t about NOP-sled anymore, **bypassing PatchGuard isn’t about hooking KeBugCheck anymore**.

This paper will present a **complete overview of PatchGuard mechanisms**, from the initialization to the Blue Screen Of Death, and insights about how we implemented a driver able to disable it. Especially, this research has been conducted using timeless analysis with **eShard**’s tool **[esReven](https://eshard.com/esreven)**. Not a single debugger was used during this entire analysis.

&nbsp;

[![BANNER_End_1.png](/uploads/BANNER_End_1_940803b17e.png)](https://youtu.be/WtamOCTgMkU)
*[TETRANE is now eShard](https://eshard.com/posts/eshard-tetrane)*

&nbsp;



Updated Analysis of PatchGuard on Microsoft Windows 10 RS4

Corporate News

We are thrilled to unveil [esReverse](https://eshard.com/esreverse), eShard's cutting-edge platform dedicated to **binary security analysis**. esReverse offers a comprehensive environment for software binary analysis that seamlessly integrates static, dynamic, and stress testing capabilities. 

More than a tool, esReverse changes the way the binary analysis expertise is developed by reconciling techniques, supporting collaborative work and empowering experts with a totally flexible platform. esReverse sets a new standard, not only by facilitating but by accelerating the enhancement of critical binary analysis capabilities in teams of experts.

&nbsp;

![esReverse by eShard platform binary analysis tool.gif](/uploads/es_Reverse_by_e_Shard_platform_binary_analysis_tool_5d2af7d705.gif)

&nbsp;

**esReverse core platform** is a web-based application that requires no local installation, making it effortlessly accessible from any device with a web browser. Tailored to meet the stringent requirements of top-secret organizations, esReverse is flexible by design, allowing seamless integration across diverse IT infrastructures. Whether deployed on air-gapped, on-premises systems or extended through cloud services, esReverse adapts to the specific needs of your operational environment, ensuring uncompromised security and adaptability.

By integrating JupyterLab with its notebook functionality, all team members share the same platform for their individual or collaborating analysis work. It offers a stable and mature environment to make effective collaboration and to develop the internal expertise. Acting as a hub for cutting-edge tools from the research community, esReverse enables users to organize their binary analysis tasks, share insights, and easily revisit their work. This platform not only streamlines collaboration but also serves as a foundation for accumulating and accessing collective knowledge and innovation.

&nbsp;

### ➕ Extensions

esReverse extensions for [Intel](https://eshard.com/Intel_extension), [ARM](https://eshard.com/ARM_extension) or RISC-V focuses on providing unparalleled emulation capabilities for covering many dynamic analyses: code profiling, fault injection, dynamic fuzzing or even timeless analysis. 

Through its extensions and the experience in Reven technology, esReverse offers a comprehensive array of options for emulating: 

- a full **Intel** x86, x64 system, facilitating the execution of any Windows or Linux operating system.
- **ARM** binary, enabling the emulation of IoT firmware, or systems such as Android for kernel investigation or mobile application,
- **RISC-V** binary, enabling the emulation of IoT firmware.

&nbsp;

![esReverse by eShard platform dynamic analysis binary tool timeless analysis](/uploads/es_Reverse_by_e_Shard_platform_dynamic_analysis_binary_tool_timeless_analysis_a36264c456.gif)


&nbsp;

This offers the opportunity to implement sophisticated binary analysis and combine them:

#### Validate codes against fault injections or fuzzing:

Inheriting years of practical experience in hardware physical attacks, esReverse introduces sophisticated fault injection features designed to rigorously test binaries and confirm the effectiveness of their protections. This flexible and high-performance tool enables code validation and thorough investigation into the robustness of security measures embedded within binary code. Furthermore, esReverse facilitates pre-production testing through the creation of targeted fault campaigns and seamless integration of scripts into CI/CD pipelines, **embodying a proactive DevSecOps approach.**

Maintaining its commitment to an open platform philosophy, esReverse enables the orchestration of fuzzing campaigns that merge binary emulation with renowned tools like AFL++ or Boofuzz, or even with custom-built frameworks. Once initiated, the platform excels in overseeing the exploration of potential vulnerabilities revealed through suspicious crash scenarios. This is achieved by leveraging in-depth code coverage analysis and the innovative approach of timeless analysis, making esReverse an indispensable asset for comprehensive security assessments.

&nbsp;

#### esReven technology for Timeless Analysis:

esReverse **Timeless Analysis** allows thorough examination of system execution (CPU, Memory, Hardware Events). Analysts can scrutinize, rewind, and track execution to comprehend behavior, diagnose issues, or analyze flow without real-time operation constraints. The feature is available for Intel and ARM softwares.

esReverse **Data Tainting** for Intel binaries enables tracking data flow to identify how "tainted" data can impact program execution, aiding in the discovery of vulnerabilities such as security breaches or bugs. By marking inputs as tainted and observing their propagation, taint analysis ensures secure handling of sensitive data and prevents untrusted data from infiltrating critical system components.

&nbsp;

![esReverse by eShard platform expertise cybersecurity software binary.gif](/uploads/es_Reverse_by_e_Shard_platform_expertise_cybersecurity_software_binary_d302f858b9.gif)

&nbsp;

### Expertise Modules extensions

Recognizing the gap between theoretical knowledge and practical application, eShard experts continuously craft expertise material to transfer knowledge and expertise in the complex field of binary analysis. These modules encapsulate years of R&D through comprehensive catalogs of examples and techniques, both explained and implemented, alongside reference binaries or traces. Designed to be both a knowledge hub and a practical toolkit, our technical content not only provides deep insights but is also ready to be applied directly to your setup, bridging the gap between reading and doing.


&nbsp;

------

&nbsp;

In summary, esReverse strives to be the ultimate toolbox for security analysts, seamlessly combining technology and expertise into a collaborative platform. 

Explore more on our website or reach out to us to experience the power of esReverse firsthand.

[![esReverse Release-02.png](/uploads/es_Reverse_Release_02_ce4cf59a87.png)](https://u.eshard.com/esreverse)

![Website-Section-info-esreverse-funded.gif](/uploads/Website_Section_info_esreverse_funded_811b67552c.gif)


Updated Analysis of PatchGuard on Microsoft Windows 10 RS4

Categories

you might also be interested in

Introducing esReverse 2024.01 — for Binary Security Analysis

ALL-IN-ONE PLATFORM

PHYSICAL ATTACKS

EXPERTISE SERVICES

ALL-IN-ONE PLATFORM

DIFFERENT USAGES

EXPERTISE SERVICES

INDUSTRIES

ABOUT US

FOLLOW US

Updated Analysis of PatchGuard on Microsoft Windows 10 RS4

Categories

you might also be interested in

Introducing esReverse 2024.01 — for Binary Security Analysis