The Windows Security Journey — PatchGuard (Kernel Patch Protection)

“PatchGuard,” also known as “Kernel Patch Protection” (KPP), is a crucial security feature integrated into the 64-bit versions of the Windows operating system. Its primary objective is to maintain the integrity of the operating system by thwarting various forms of attacks, particularly those involving hooking, patching, and direct manipulation of kernel objects. This proactive measure ensures that kernel code and data structures are rigorously verified to prevent unauthorized modifications or code injections by both developers and potential attackers.

Mechanics of PatchGuard

PatchGuard operates by periodically scanning different kernel code areas and data structures, including the System Service Descriptor Table (SSDT), Interrupt Descriptor Table (IDT), Global Descriptor Table (GDT), Hardware Abstraction Layer (HAL), Network Driver Interface Specification (NDIS), debug routines, and the loaded module list, among others. During system execution, it computes a checksum of sensitive memory areas and compares it to the checksum obtained at boot time, prior to any user driver loading. A discrepancy triggers a Blue Screen of Death (BSOD), identified by BugCheck code 0x109, commonly referred to as “CRITICAL_STRUCTURE_CORRUPTION.”
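As an added example (not part of the original article), the Python below triages the Event ID 1001 “BugCheck” message Windows writes to the System log after a reboot, keeps only 0x109 events and maps the fourth bug check parameter to the corrupted-region type, so a defender can tell an IDT or GDT modification from a generic data-region hit without opening the dump. The event message layout, the partial region-code table (taken from Microsoft’s 0x109 reference) and the sample events are assumptions and constructed data.

```python
import re

# Subset of the "Parameter 4" region types Microsoft documents for bug check 0x109;
# the full table is longer, unknown codes fall through to a generic description.
REGION_TYPES = {
    0x0: "generic data region",
    0x1: "function modification or .pdata",
    0x2: "processor interrupt dispatch table (IDT)",
    0x3: "processor global descriptor table (GDT)",
    0x4: "type-1 process list corruption",
    0x5: "type-2 process list corruption",
    0x6: "debug routine modification",
    0x7: "critical MSR modification",
}

# Matches the message body of Event ID 1001 (source "BugCheck") in the System log.
BUGCHECK_RE = re.compile(
    r"The bugcheck was: 0x([0-9a-fA-F]{8}) "
    r"\(0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+), 0x([0-9a-fA-F]+)\)"
)

def parse_bugcheck(message):
    """Return (code, [p1, p2, p3, p4]) from a BugCheck event message, or None."""
    m = BUGCHECK_RE.search(message)
    if m is None:
        return None
    return int(m.group(1), 16), [int(m.group(i), 16) for i in range(2, 6)]

def describe_patchguard_crash(message):
    """Describe the corrupted region for a 0x109 event; None for any other bug check."""
    parsed = parse_bugcheck(message)
    if parsed is None or parsed[0] != 0x109:
        return None
    region = parsed[1][3]  # parameter 4 identifies the corrupted region type
    return REGION_TYPES.get(region, "region type 0x%x (see Microsoft's reference)" % region)

# Constructed sample events (not real crash data; parameter values are made up).
SAMPLE_EVENTS = [
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 "
    "(0xa3a01f5a5db8f15e, 0xb3b72bdf24d8e3c6, 0x0000000000000001, 0x0000000000000002).",
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e "
    "(0xffffffffc0000005, 0xfffff80312345678, 0xffffd000abcdef00, 0xffffd000abcdef80).",
]

def triage(events):
    """Return (index, description) for every PatchGuard (0x109) crash in events."""
    found = [(i, describe_patchguard_crash(m)) for i, m in enumerate(events)]
    return [(i, d) for i, d in found if d is not None]

if __name__ == "__main__":
    for i, desc in triage(SAMPLE_EVENTS):
        print("event %d: 0x109 CRITICAL_STRUCTURE_CORRUPTION, %s" % (i, desc))
```

On a live system the same messages can be pulled with Get-WinEvent filtered on provider “BugCheck” and event ID 1001, then passed to triage().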

Introduced in 2005 alongside the launch of 64-bit versions of Windows XP and Windows Server 2003, PatchGuard’s internal verification processes remain largely undisclosed by Microsoft. However, it is widely believed that these checks are randomized and can vary in frequency from seconds to minutes.

Bypassing Techniques

Over the years, various techniques have emerged aimed at bypassing PatchGuard, including notable methods such as “GhostHook,” “InfinityHook,” and “ByePg.” These developments highlight the ongoing cat-and-mouse game between security measures and those seeking to exploit vulnerabilities within the operating system.

For those interested in delving deeper into the causes of BugCheck code 0x109, comprehensive documentation is available through Microsoft’s resources. This exploration not only enhances understanding of PatchGuard’s functionality but also sheds light on the broader landscape of operating system security.

For further insights and discussions, you can follow Shlomi Boutnaru on Twitter or explore his other writings on Medium, where he shares a wealth of knowledge on various tech topics.
