Updated Analysis of PatchGuard on Microsoft Windows 10 RS4
Since Windows 64b, PatchGuard has been of great interest in Windows security.
For most iterations of its development, several people have analyzed its main mechanisms and internals which, many times, led to a functional bypass. Researchers seem to agree on one thing: bypassing PatchGuard will always be theoretically possible since it runs at the same level as a driver. Which seems true, theoretically.
That said, just like vulnerability exploit isn't about NOP-sled anymore, bypassing PatchGuard isn't about hooking KeBugCheck anymore.
This paper will present a complete overview of PatchGuard mecanisms, from the initialization to the Blue Screen Of Death, and insights about how we implemented a driver able to disable it.
Especially, this research has been conducted using timeless analysis with Tetrane’s tool REVEN. Not a single debugger was used during this entire analysis.
