PG check

Forum for discussion about kernel-mode development.
orwell
Posts: 3
Joined: Mon Jun 01, 2015 5:21 am

PG check

Post by orwell » Sun Sep 16, 2018 9:30 am

Hi. Is there a way of checking if PatchGuard is actually initialized & running without triggering a bugcheck?

t4L
Global Moderator
Posts: 139
Joined: Tue Mar 09, 2010 5:44 pm

Re: PG check

Post by t4L » Mon Sep 17, 2018 8:43 pm

You can safely assume that PG is running on all x64 platforms. :mrgreen:

Vrtule
Posts: 461
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: PG check

Post by Vrtule » Mon Sep 17, 2018 9:52 pm

PG is not in effect if the system runs in Debug mode and a kernel debugger is attached to it (I am not sure whether the Debug mode alone is sufficient).
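An added example, not from the thread or any of its posters, that checks the boot-configuration side of this point: it reads the kernel-debugging elements of the current BCD entry so an administrator can confirm a production host is not booted in debug mode, the condition under which an attached kernel debugger takes PatchGuard out of effect. The function name `Get-KernelDebugBootSetting` and the constructed sample output are my own; the element names `debug`, `bootdebug` and `testsigning` are the ones `bcdedit /enum` prints.

```powershell
# Added example (not from the thread): report the kernel-debugging boot
# settings of the running OS. Reading the live BCD store needs an elevated
# prompt; the -BcdOutput parameter lets the parser run on captured text.
function Get-KernelDebugBootSetting {
    [CmdletBinding()]
    param(
        # Raw bcdedit output; supplied for offline runs, otherwise queried live.
        [string[]]$BcdOutput
    )
    if (-not $BcdOutput) {
        $BcdOutput = & bcdedit.exe /enum '{current}' 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "bcdedit failed (run from an elevated prompt): $BcdOutput"
        }
    }

    # bcdedit prints one "<element name> <value>" pair per line. Element names
    # are not localized, but the Yes/No values are, so the raw value is kept.
    $result = [ordered]@{ debug = 'No'; bootdebug = 'No'; testsigning = 'No' }
    foreach ($line in $BcdOutput) {
        if ($line -match '^\s*(debug|bootdebug|testsigning)\s+(\S+)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    $obj = [pscustomobject]$result
    # "debug Yes" is the setting that lets an attached kernel debugger
    # suspend PatchGuard; surface it as a boolean for easy alerting.
    $obj | Add-Member -NotePropertyName KernelDebugEnabled `
                      -NotePropertyValue ($obj.debug -eq 'Yes') -PassThru
}

# Constructed sample of "bcdedit /enum {current}" output (not captured from a
# real machine) so the parser can be exercised without admin rights.
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
testsigning             No
debug                   Yes
'@ -split "`r?`n"

# With the sample above, KernelDebugEnabled is $true; drop -BcdOutput to
# inspect the machine you are running on.
Get-KernelDebugBootSetting -BcdOutput $sample
```

This only answers the configuration question. A "debug No" result is a necessary condition for PatchGuard to be in effect, not proof that it initialized, and on a non-English Windows the Yes/No strings are localized, so compare against the localized value there.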

orwell
Posts: 3
Joined: Mon Jun 01, 2015 5:21 am

Re: PG check

Post by orwell » Tue Sep 18, 2018 5:59 am

Hello. Thank you for your posts. I think I did not put my question right.

What I mean is that I am looking for a way to tell if PatchGuard was initialized on boot and is running right now. Software such as UPGDSED makes patches to ntoskrnl that skip initialization of PG, and right now I'm checking for these patches. I'm curious if there is a more elegant way.

Thanks!

tangptr
Posts: 28
Joined: Mon Nov 14, 2016 11:14 am
Location: People's Republic of China

Re: PG check

Post by tangptr » Tue Sep 18, 2018 12:33 pm

Whether PatchGuard is disabled or not cannot be detected if malware has done manipulation.
You cannot check by files because you cannot be sure if you are checking the manipulated one or the backup. In most cases, you are checking the backup.
You cannot check by dumping memory because the initialization code is in the ".init" section, whose memory is released after execution.
At long last, the jumping hands of time will be halted by a weakling cast in eternal solitude.
