Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Can we monitor/stop writes to cr0 register that clear the WP bit?

henrik_meidahenrik_meida Member Posts: 117
edited January 12 in NTDEV

As you all probably know, some attackers clear the WP bit in cr0 in order to patch some OS kernel codes in runtime.
My question is, can we somehow monitor this change and stop it? Or at least just get notified when such change happens?

I assume the OS itself doesn't suddenly clear this bit, and changing this bit is most likely only done by malicious actors, right?

The reason i need this is because i am given a sandbox development project where i need to write a driver that monitors a specific driver and records any malicious activity, and this includes clearing the WP bit.
So if the solution to this is hacky, is fine by me, considering that this is just for a sandbox.

And obviously one simple solution is to read cr0 in a loop, but this is not efficient and can be bypassed as well. Note that i mostly want to record the change to this register, but if there is also a way to block this change as well, i am interested to know.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 24 January 2022 Live, Online
Internals & Software Drivers 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online
Developing Minifilters 23 May 2022 Live, Online