Updated Analysis of PatchGuard on Microsoft Windows 10 RS4

Mar 08, 2019 by Luc
Categories: Technical
Tags: Reverse Engineering, PatchGuard, Exploit


Since the first 64-bit versions of Windows, PatchGuard has been of great interest in Windows security. This white paper presents our research on it, conducted using REVEN v2.

For most iterations of its development, researchers have analyzed its main mechanisms and internals, which in many cases led to a functional bypass. Researchers seem to agree on one thing: bypassing PatchGuard will always be theoretically possible, since it runs at the same privilege level as a driver. In theory, that is true.
That said, just as vulnerability exploitation is no longer about NOP sleds, bypassing PatchGuard is no longer about hooking KeBugCheck.

This paper presents a complete overview of PatchGuard's mechanisms, from initialization to the Blue Screen Of Death, along with insights into how we implemented a driver able to disable it. Notably, this research was conducted using timeless analysis with Tetrane's tool REVEN: not a single debugger was used during the entire analysis.

Click to download the white paper.

Discover the Timeless Analysis technology used for this research: Watch the demo!
