Updated Analysis of PatchGuard on Microsoft Windows 10 RS4
Mar 08, 2019 by Luc
Categories: Technical
Tags: Reverse Engineering - PatchGuard - Exploit
Since the first 64-bit versions of Windows, PatchGuard has been of great interest in Windows security. In this white paper, you will find our research on it, conducted using REVEN v2.
Over most iterations of its development, several people have analyzed its main mechanisms and internals, which has many times led to a functional bypass. Researchers seem to agree on one thing: bypassing PatchGuard will always be theoretically possible, since it runs at the same privilege level as a driver. Which seems true, theoretically.
That said, just as exploiting a vulnerability is no longer a matter of NOP sleds, bypassing PatchGuard is no longer a matter of hooking KeBugCheck.
This paper presents a complete overview of PatchGuard's mechanisms, from its initialization to the Blue Screen Of Death, along with insights into how we implemented a driver able to disable it. Notably, this research was conducted using timeless analysis with Tetrane's tool REVEN. Not a single debugger was used during this entire analysis.