 #27306  by breaker09
 Wed Nov 25, 2015 4:37 pm
I'm using Fyyre's method of disabling PatchGuard on Windows 10, but somehow I'm still getting a CRITICAL_STRUCTURE_CORRUPTION error. The difference is that normally PatchGuard would crash much quicker, within a few hours... But with the patch, it seems to crash after about 8 or 9 hours every time.

Anyone know what's going on here? Is PatchGuard getting reloaded somehow, and if so is there a way to stop that? I'd prefer not to have to reboot my PC every 8h.. :D
 #27310  by EP_X0FF
 Wed Nov 25, 2015 6:36 pm
Never-ending story. Seriously. The year 2015 is coming to an end. You still need KPP to be disabled.
 #27320  by breaker09
 Thu Nov 26, 2015 5:38 pm
EP_X0FF wrote: Never-ending story. Seriously. The year 2015 is coming to an end. You still need KPP to be disabled.
If I were more skilled at this stuff I'd try to write up a hypervisor, but for now I just have to settle for disabling KPP and rebooting every 8h. :D

Also another question: what are those three parameters that the PatchGuard init function takes? I've seen one different method of messing with PatchGuard where they would just set the parameters to 1 for the first call and then nop out the other calls..
 #27328  by EP_X0FF
 Fri Nov 27, 2015 4:25 am
PatchGuard code is obfuscated, it can be anything. It changes constantly with each Windows release because it is a part of MS DRM. If you want a quick way to disable PatchGuard, simply enable debug mode on your computer.