Overview
Explore the critical design flaw in Windows Kernel Patch Protection (PatchGuard) during this 40-minute RSA Conference talk. Delve into PatchGuard's architecture, its role in preventing kernel code modifications, and the intricacies of an attack that exploits this vulnerability to completely disable PatchGuard's response. Learn about the system's checking mechanisms, crash response analysis, and various flaws, including issues with CPU debug registers and code servicing routines. Witness a demonstration of the attack, discuss potential problems and improvements, and gain insights into immediate and future mitigation strategies for enhancing Windows kernel security.
Syllabus
Introduction
About Me
Agenda
Objective
What is PatchGuard
What does PatchGuard check
Response analysis of PatchGuard
What happens after a crash
Flaws
Nonsense
CPU Debug registers
Code
Servicing Routine
Creating the Hook
Stall Routine
Log File Entry
Kernel Address
Demo
Problems and Improvements
What to Do Now
What to Do Next
Taught by
RSA Conference