Questions around patchguard on Windows 10 latest build

John__smith Member Posts: 3

Hello,

I had the following questions around PatchGuard.

  1. Does patchguard protect against modification of DRIVER_OBJECT->MajorFunction function pointer array?
  2. Does patchguard protect against modification of DRIVER_OBJECT->DriverUnload?
  3. Are protections (1) and (2) provided only for select drivers or for all drivers?

Any pointers will be greatly appreciated.

Thanks.

Comments

  • 0xrepnz Member Posts: 41
    edited October 9
    A fun discussion is up ahead:)

    AFAIK PatchGuard protects against modifications of IRP dispatchers of specific drivers like ntfs. This is considered an undocumented detail. You should not modify the IRP dispatchers of drivers that do not belong to you for 3 reasons:
    1 - Even if PatchGuard doesn't protect this driver now, it may do it in the future.
    2 - You cannot assume anything about the structure of the IRP that is passed to an internal driver because it may change.
    3 - You cannot unload safely when you do that because there's no "rundown protection" to protect you (like in process callbacks for example) so you have to keep the driver loaded until reboot.

    Because of these reasons and probably others I'm not aware of, this approach is not recommended or supported.

    You can change IRP dispatchers of a DRIVER_OBJECT that you created though, this sometimes happens in scenarios where you have multiple drivers.

    About the DriverUnload, I'm not sure if PatchGuard protects it, but this is not something you would want to do in your driver for similar reasons to the ones discussed above.

    Is there any specific reason you ask this question? Maybe there are alternative approaches to achieve your goal.
    - Ori Damari
  • Peter_Viscarola_(OSR) Administrator Posts: 8,109
    edited October 10

    Why don’t you just try it. Then you’ll know.

    Seriously. That’s an actual question for the OP. Why post here when it will take you less than 5 minutes to try for yourself?

    One of my mentors, early in my engineering career, taught me not to believe engineering “facts” just cuz somebody tells them to you. If you don’t see for yourself, it’s only really conjecture. He had a habit of repeating as true many things people told him, some of which turned out to be incorrect, and at one point it seriously damaged his credibility as an engineer. Just sayin’...

    Peter


    Peter Viscarola
    OSR
    @OSRDrivers

  • John__smith Member Posts: 3

    @Peter_Viscarola_(OSR) said:
    Why don’t you just try it. Then you’ll know.

    Seriously. That’s an actual question for the OP. Why post here when it will take you less than 5 minutes to try for yourself?

    One of my mentors, early in my engineering career, taught me not to believe engineering “facts” just cuz somebody tells them to you. If you don’t see for yourself, it’s only really conjecture. He had a habit of repeating as true many things people told him, some of which turned out to be incorrect, and at one point it seriously damaged his credibility as an engineer. Just sayin’...

    Peter

    I actually did try this on some of the loaded drivers and didn't get any BSOD, so I assume only some "important" drivers are protected, but I'm not sure which drivers, if any.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,109

    @John_Smith .... Good. Then, instead of asking “Does patchguard protect against modification of DRIVER_OBJECT->MajorFunction function pointer array?” — a question to which you already know the answer — it might have been more interesting/useful/effective for you to share the result of your experience and ask your actual question... since you already know the answers to most of the questions you asked.

    At least demonstrate to those who you are asking to take time to help you that you’ve put some effort into this on your own. Do your own engineering. Then you’ll know for sure, and you won’t be relying on some guy you’ve never met (and who might be posting under some alias) for your engineering knowledge.

    Now... go try your hooking on several key drivers in the OS... and post the results of your experiment here. After investing that extra 30 minutes, then ask us if your results are consistent with what other folks have observed.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Martin_Dráb Member - All Emails Posts: 84

    From development of my IRPMon tool, I can tell that IRP handlers of selected drivers (e.g. file system drivers) are protected by PatchGuard. I don't know about the DriverUnload routine, since I always got a BSOD informing me about the IRP handlers first :-).

    Martin Dráb
