Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Bypassing patchguard on Windows 8.1 and Windows 10

12.242 Aufrufe

Veröffentlicht am

Slides from ZeroNights 2014 FastTrack section

Veröffentlicht in: Ingenieurwesen
  • Dating for everyone is here: ❶❶❶ http://bit.ly/2Q98JRS ❶❶❶
    Sind Sie sicher, dass Sie …  Ja  Nein
    Ihre Nachricht erscheint hier
  • Sex in your area is here: ❤❤❤ http://bit.ly/2Q98JRS ❤❤❤
    Sind Sie sicher, dass Sie …  Ja  Nein
    Ihre Nachricht erscheint hier
  • Very Easy To Follow. This plans are great. I was able to bring my laptop batteries and several other types of batteries back to life with your methods. Your instructions are very easy to follow. I have a few more batteries I'm going to recondition today also. ♥♥♥ https://bit.ly/2t1uc6e
    Sind Sie sicher, dass Sie …  Ja  Nein
    Ihre Nachricht erscheint hier

Bypassing patchguard on Windows 8.1 and Windows 10

  1. 1. Bypassing patchguard on Windows 8.1 and Windows 10 Mark Ermolov, Artem Shishkin Positive Technologies
  2. 2. What is patchguard? ―“Please don’t patch our kernels” call from MS ―Even if your kernel patch is correct, you’ll catch a BSOD •0x109 CRITICAL_STRUCTURE_CORRUPTION ―Protected structures •System images: ntoskrnl.exe, win32k.sys, hal.dll etc. •System structures: IDT, GDT, Syscalltables etc. ―Periodic checksums validation for protected stuff ―Doesn’t work on Windows 9
  3. 3. What if we really need to? ―Go for it! ―But… •Patchguard developers are prepared for reverse engineers •Hyper-inlinedobfuscation © Alex Ionescu •Anti-debugging tricks •Several ways of checks invocation
  4. 4. Code obfuscation ―Symbol stripping
  5. 5. Code obfuscation ―Misleading names
  6. 6. Code obfuscation ―Code junk generation •Loop unrolling •Dead code insertion •Indirect calls and variable accesses
  7. 7. Anti-debugging ―Works only on free builds without kernel debugger!
  8. 8. Anti-debugging ―Randomly inserted checks for debugger presence
  9. 9. Anti-debugging ―If you use breakpoints, they will be included to a patchguard checksum, leading to a 0x109 bugcheck ―If you use hardware breakpoints, well…
  10. 10. Non-linear code flow ―Active usage of Vectored Exception Handling
  11. 11. Reverse-engineering ―For dynamic analysis with KD (with windbgf.e.) •Remove all kdpresence checks manually —Look them up with IDA scripting —Apply patches in KD with pykd —Do it before “Phase1InitializationDiscard“ ―For static analysis with IDA •Try not to give up waiting for patchguard initialization function decompilation ―Use something else, like hypervisor-based debugger ;)
  12. 12. Reverse-engineering ―Since patchguard is developed incrementally, the key functions in reversing it are •KiFilterFiberContext–chooses the way for invoking patchguard checks •Unnamed sub inside KiFilterFiberContext–creates a structure aka patchguard context and schedules it’s verification •Other functions (like context checkers) can be misleadingly named, but you can look them up around KiFilterFiberContextsince they are located in a single compilation unit
  13. 13. Bypassing patchguard ―There are different approaches •patch kernel image so that patchguard will just not start •hook KeBugCheckExand restore the state of a system •modify checkers so that they would be always valid •de-schedule contexts verification —This is what we’ve implemented
  14. 14. Contexts verification scheduling ―Context verification might be launched with •KeSetCoalescableTimer —A timer that periodically launches context verification •Prcb.AcpiReserved —A certain ACPI event (f.e. Idle transition) •Prcb.HalReserved —A haltimer clock •PsCreateSystemThread —A queued system thread that sleeps a random amount of time •KeInsertQueueApc —A queued regular kernel APC •KiBalanceSetManagerPeriodicDpc —A periodic event which happens every "KiBalanceSetManagerPeriod" ticks
  15. 15. Contexts verification descheduling ―So we’ve got to deschedulecontext verification once and for all •KeSetCoalescableTimer —Timer? Disable! •Prcb.AcpiReserved —Zero out this field •Prcb.HalReserved —Same here •PsCreateSystemThread —Scan sleeping worker threads and set wait time to infinite for suitable •KeInsertQueueApc —Same here •KiBalanceSetManagerPeriodicDpc —Revert to KiBalanceSetManagerDeferredRoutine
  16. 16. •research [at] ptsecurity[dot] com •www.ptsecurity.com •blog.ptsecurity.com Thank you!