A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #32118  by orwell
 Sun Sep 16, 2018 9:30 am
Hi. Is there a way of checking if PatchGuard is actually initialized & running without triggering a bugcheck?
 #32120  by t4L
 Mon Sep 17, 2018 8:43 pm
You can safely assume that PG is running on all of x64 platforms. :mrgreen:
 #32121  by Vrtule
 Mon Sep 17, 2018 9:52 pm
PG is not in effect if the system runs in Debug mode and a kernel debugger is attached to it (I am not sure whether the Debug mode alone is sufficient).
 #32122  by orwell
 Tue Sep 18, 2018 5:59 am
Hello. Thank you for your posts. I think I did not put my question right.

What I mean is that I am looking for a way to tell if PatchGuard was initialized on boot and is running right now. Software such as UPGDSED makes patches to ntoskrnl that skip initialization of PG, and right now I'm checking for these patches. I'm curious if there is a more elegant way.

Thanks!
 #32123  by tangptr
 Tue Sep 18, 2018 12:33 pm
Whether PatchGuard is disabled or not cannot be detected if malware has done the manipulation.
You cannot check by files because you cannot be sure if you are checking the manipulated one or the backup. In most cases, you are checking the backup.
You cannot check by dumping memory because the initialization code is in the ".init" section, whose memory is released after execution.