A forum for reverse engineering, OS internals and malware analysis 

#10598 by Smerpy
Mon Dec 26, 2011 2:58 pm
Hello all, I am trying to disable PatchGuard and driver signing using Fyyre's disable_pg_ds.

I followed the instructions given in the readme and am able to select 'Patchguard Disabled v2' as a boot option in the startup, but after selecting it, I'm presented with an error:

Windows failed to start. A recent hardware or software change might be the cause...

File: \Windows\system32\ntkrnlpa.exe
Status: 0xc0000428
Info: Windows cannot verify the digital signature of this file

And yes, I tried using the Vista DVD's repair option, it doesn't work either.

What am I doing wrong?

Thanks in advance.
#10613 by everdox
Mon Dec 26, 2011 8:53 pm
That hard disk write method might be a little outdated since recent Windows updates; I know they removed some key functions from the debugging symbols to make it more difficult, like KeFilterFiberContext, which was responsible for PatchGuard initialization.

You must make sure that you also overwrite the prologue of SeValidateImageHeader in winload before making a binary patch to any of those, and you would also need to fix the PE checksum.

This dbghelp function can do the checksum workload for you if you aren't familiar with the algorithm.

http://msdn.microsoft.com/en-us/library ... 85%29.aspx
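As an added example (not code from the thread or from Fyyre's tool), the PE image checksum that everdox says must be fixed up, written from the verification side: recompute the checksum of a PE file and compare it with the header field, so that a boot-critical image whose bytes were altered without a checksum fix-up can be flagged. The header offsets are PE/COFF specification constants; the sample image is constructed inline and is not a real executable.

```python
import struct

# Fixed offsets from the PE/COFF file format (specification constants).
E_LFANEW = 0x3C                   # DOS header field: file offset of "PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_IN_OPTIONAL_HEADER = 64  # OptionalHeader.CheckSum (PE32 and PE32+)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the image checksum as CheckSumMappedFile does: end-around-carry
    sum of 32-bit words (CheckSum field excluded), folded to 16 bits, + length."""
    if checksum_offset % 4:
        raise ValueError("CheckSum field must be 4-byte aligned")
    padded = data + b"\0" * (-len(data) % 4)      # last partial word is zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue                               # the field being computed is skipped
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_field_offset(data: bytes) -> int:
    """DOS header -> PE signature -> COFF header -> OptionalHeader.CheckSum."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, E_LFANEW)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe + 4 + COFF_HEADER_SIZE + CHECKSUM_IN_OPTIONAL_HEADER


def checksum_matches(data: bytes) -> bool:
    """True when the stored CheckSum equals the recomputed value. A mismatch is the
    trace a raw byte patch leaves; it says nothing about the Authenticode signature."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)


def build_sample_image(size: int = 512) -> bytearray:
    """Constructed, minimal PE-shaped buffer for the demo (not a real executable)."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, 0x80)        # PE signature at 0x80
    img[0x80:0x84] = b"PE\0\0"
    img[size - 64:size] = bytes(range(64))             # some non-zero "code" bytes
    off = checksum_field_offset(bytes(img))
    struct.pack_into("<I", img, off, pe_checksum(bytes(img), off))
    return img
```

Run `checksum_matches()` over a copy of a boot image to see whether its header checksum is still consistent; the 0xc0000428 error in the first post comes from the signature check, which this does not replace.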