How to boost PatchGuard : it’s all about gong fu!
June 4, 2013
by zer0mem
In this post I will take a look at PatchGuard, at the classic scenario for bypassing this protection, and also at a slightly different one. I will also examine a new way (most probably not new, just reinvented because it is too obvious and quite effective) to locate and abuse the PatchGuard context and its behaviour.
```c
typedef struct _KDPC {
    UCHAR Type;
    UCHAR Importance;
    volatile USHORT Number;
    LIST_ENTRY DpcListEntry;
    PKDEFERRED_ROUTINE DeferredRoutine;
    PVOID DeferredContext;
    PVOID SystemArgument1;
    PVOID SystemArgument2;
    __volatile PVOID DpcData;
} KDPC, *PKDPC, *PRKDPC;
```
A PoC and some explanation of the code, of its weaknesses, and of points for further research are included.