
PG check

Posted: Sun Sep 16, 2018 9:30 am
by orwell
Hi. Is there a way of checking if PatchGuard is actually initialized & running without triggering a bugcheck?

Re: PG check

Posted: Mon Sep 17, 2018 8:43 pm
by t4L
You can safely assume that PG is running on all x64 platforms. :mrgreen:

Re: PG check

Posted: Mon Sep 17, 2018 9:52 pm
by Vrtule
PG is not in effect if the system runs in Debug mode and a kernel debugger is attached to it (I am not sure whether the Debug mode alone is sufficient).

Re: PG check

Posted: Tue Sep 18, 2018 5:59 am
by orwell
Hello. Thank you for your posts. I think I did not put my question right.

What I mean is that I am looking for a way to tell if PatchGuard was initialized on boot and is running right now. Software such as UPGDSED makes patches to ntoskrnl that skip initialization of PG, and right now I'm checking for these patches. I'm curious if there is a more elegant way.

Thanks!
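An added example, written by me rather than by any poster in this thread: it surfaces the conditions the replies describe (kernel debugging enabled or a debugger attached, as Vrtule notes, and whether the on-disk ntoskrnl.exe still carries a valid signature, the file-level check orwell is doing). It assumes it runs as Administrator (bcdedit requires it); the PG state itself is not exposed by any documented interface, so this reports only the surrounding posture.

```powershell
# Added example, not from the thread. Reports conditions under which PG may not be
# in effect; it cannot read PG's own state. Assumes an elevated PowerShell session.
$ntdll = Add-Type -Namespace Win32 -Name Ntdll -PassThru -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtQuerySystemInformation(int infoClass, IntPtr info, int length, out int returned);
'@

function Get-KernelDebuggerState {
    # SystemKernelDebuggerInformation (class 35) returns two BOOLEANs:
    # KernelDebuggerEnabled, KernelDebuggerNotPresent.
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(2)
    try {
        $returned = 0
        $status = $ntdll::NtQuerySystemInformation(35, $buf, 2, [ref]$returned)
        if ($status -ne 0) { throw ("NtQuerySystemInformation failed: 0x{0:X8}" -f $status) }
        [pscustomobject]@{
            DebuggerEnabled  = [Runtime.InteropServices.Marshal]::ReadByte($buf, 0) -ne 0
            DebuggerAttached = [Runtime.InteropServices.Marshal]::ReadByte($buf, 1) -eq 0
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-BootDebugSettings {
    # Parse the current boot entry: "debug Yes" means kernel debugging is enabled,
    # "testsigning Yes" means unsigned drivers are accepted. Both weaken the default posture.
    $lines = bcdedit /enum '{current}' 2>$null
    [pscustomobject]@{
        DebugOn     = [bool]($lines | Where-Object { $_ -match '^debug\s+Yes' })
        TestSigning = [bool]($lines | Where-Object { $_ -match '^testsigning\s+Yes' })
    }
}

function Get-KernelImageSignature {
    # Caveat (tangptr's reply below): this inspects the file on disk, which is not
    # necessarily the image that was loaded, so a valid signature here proves little.
    $path = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
}

Get-KernelDebuggerState
Get-BootDebugSettings
Get-KernelImageSignature
```

A result of DebuggerEnabled or DebugOn being true is the configuration Vrtule describes; everything else is only an indicator, not proof that PG is or is not running.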

Re: PG check

Posted: Tue Sep 18, 2018 12:33 pm
by tangptr
Whether PatchGuard is disabled or not cannot be detected if malware has done the manipulation.
You cannot check by files because you cannot be sure whether you are checking the manipulated one or the backup. In most cases, you are checking the backup.
You cannot check by dumping memory because the initialization code is in the ".init" section, whose memory is released after execution.