Questions around patchguard on Windows 10 latest build

Hello,

I had the following questions around PatchGuard.

  1. Does patchguard protect against modification of DRIVER_OBJECT->MajorFunction function pointer array?
  2. Does patchguard protect against modification of DRIVER_OBJECT->DriverUnload?
  3. Are protections (1) and (2) provided only for select drivers or for all drivers?

Any pointers will be greatly appreciated.

Thanks.

A fun discussion is up ahead :) AFAIK PatchGuard protects against modifications of the IRP dispatchers of specific drivers like ntfs. This is considered an undocumented detail. You should not modify the IRP dispatchers of drivers that do not belong to you, for 3 reasons:

  1. Even if PatchGuard doesn’t protect this driver now, it may do so in the future.
  2. You cannot assume anything about the structure of the IRP that is passed to an internal driver, because it may change.
  3. You cannot unload safely when you do that, because there’s no “rundown protection” to protect you (like in process callbacks, for example), so you have to keep the driver loaded until reboot.

Because of these reasons, and probably others I’m not aware of, this approach is neither recommended nor supported. You can change the IRP dispatchers of a DRIVER_OBJECT that you created, though; this sometimes happens in scenarios where you have multiple drivers. About DriverUnload, I’m not sure if PatchGuard protects it, but this is not something you would want to do in your driver, for similar reasons to the ones discussed above… Is there any specific reason you ask this question? Maybe there are alternative approaches to achieve your goal.
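The third reason in the reply above (no rundown protection, so the hooking driver can never safely go away) can be modelled outside the kernel. What follows is an added example written for this page, not code from the thread or from any of the posters: a user-mode C model of a DRIVER_OBJECT-style MajorFunction table, a pass-through hook on IRP_MJ_CREATE, a restore-and-wait "unload", and the window that the wait cannot cover. The DRIVER_OBJECT, IRP and I/O-manager dispatch below are simplified stand-ins chosen for the model (assumptions), not the WDM definitions.

```c
/* Added example: user-mode model of a MajorFunction hook and why unhooking
 * cannot be made safe without rundown protection. Simplified stand-ins for
 * DRIVER_OBJECT / IRP / the I/O manager, not the real WDM types. */
#include <stdatomic.h>
#include <stdio.h>

#define IRP_MJ_CREATE            0x00
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b

typedef struct { int MajorFunction; int Status; } IRP;      /* stand-in */
typedef int (*PDRIVER_DISPATCH)(IRP *);

typedef struct {
    const char *Name;
    _Atomic(PDRIVER_DISPATCH) MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;                                             /* stand-in */

/* ---- the driver being hooked ("victim", a hypothetical name) ---- */
static int victim_create(IRP *irp)  { irp->Status = 0;  return 0;  }
static int victim_default(IRP *irp) { irp->Status = -1; return -1; }
static DRIVER_OBJECT victim;

static void victim_init(void) {
    victim.Name = "\\FileSystem\\Victim";
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        atomic_store(&victim.MajorFunction[i], victim_default);
    atomic_store(&victim.MajorFunction[IRP_MJ_CREATE], victim_create);
}

/* ---- the hooking driver ---- */
static PDRIVER_DISPATCH g_original_create;
static atomic_int g_hook_loaded;        /* 1 while the hook's code still exists */
static atomic_int g_in_flight;          /* callers currently inside hook_create */
static atomic_int g_calls_after_unload; /* the failure mode we want to expose */

static int hook_create(IRP *irp) {
    if (!atomic_load(&g_hook_loaded)) {
        /* In the kernel this would be a call into unmapped driver memory. */
        atomic_fetch_add(&g_calls_after_unload, 1);
        return -2;
    }
    atomic_fetch_add(&g_in_flight, 1);
    int st = g_original_create(irp);    /* pass-through to the original */
    atomic_fetch_sub(&g_in_flight, 1);
    return st;
}

static void hook_install(DRIVER_OBJECT *target) {
    g_original_create = atomic_load(&target->MajorFunction[IRP_MJ_CREATE]);
    atomic_store(&g_hook_loaded, 1);
    /* kernel analogue: InterlockedExchangePointer on the table slot */
    atomic_store(&target->MajorFunction[IRP_MJ_CREATE], hook_create);
}

static void hook_remove(DRIVER_OBJECT *target) {
    atomic_store(&target->MajorFunction[IRP_MJ_CREATE], g_original_create);
    while (atomic_load(&g_in_flight) > 0) { /* wait for callers already inside */ }
    atomic_store(&g_hook_loaded, 0);        /* "DriverUnload": code goes away */
}

/* The I/O manager's dispatch, split in two so the race window is visible:
 * the pointer has been read from the table but not yet entered. */
static PDRIVER_DISPATCH io_fetch_dispatch(DRIVER_OBJECT *d, int major) {
    return atomic_load(&d->MajorFunction[major]);
}
static int io_call_dispatch(PDRIVER_DISPATCH fn, IRP *irp) { return fn(irp); }

static void reset_state(void) {
    victim_init();
    atomic_store(&g_in_flight, 0);
    atomic_store(&g_calls_after_unload, 0);
    atomic_store(&g_hook_loaded, 0);
}

/* Normal path: hook installed, IRP dispatched through it to the original.
 * Returns the status the original routine produced (0). */
int scenario_passthrough(void) {
    reset_state();
    hook_install(&victim);
    IRP irp = { IRP_MJ_CREATE, 99 };
    int st = io_call_dispatch(io_fetch_dispatch(&victim, IRP_MJ_CREATE), &irp);
    hook_remove(&victim);
    return st;
}

/* Race: a caller fetched the hooked pointer, then the hook "unloaded" (the
 * in-flight counter was 0, so nothing held it back), then the caller entered.
 * Returns how many calls landed in the unloaded hook (1). */
int scenario_unload_race(void) {
    reset_state();
    hook_install(&victim);
    IRP irp = { IRP_MJ_CREATE, 99 };
    PDRIVER_DISPATCH fn = io_fetch_dispatch(&victim, IRP_MJ_CREATE);
    hook_remove(&victim);
    io_call_dispatch(fn, &irp);
    return atomic_load(&g_calls_after_unload);
}

int main(void) {
    printf("passthrough status: %d\n", scenario_passthrough());
    printf("calls into unloaded hook: %d\n", scenario_unload_race());
    return 0;
}
```

Build with `cc -std=c11 hook_model.c`. The in-flight counter only covers callers that are already inside the hook; a caller that has read the slot but not yet called through it is invisible to it, and a raw pointer swap gives you nothing else to wait on. That is the gap the reply above refers to, and why such a hook has to stay resident until reboot.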

Why don’t you just try it. Then you’ll know.

Seriously. That’s an actual question for the OP. Why post here when it will take you less than 5 minutes to try for yourself?

One of my mentors, early in my engineering career taught me not to believe engineering “facts” just cuz somebody tells them to you. If you don’t see for yourself, it’s only really conjecture. He had a habit of repeating as true many things people told him, some of which turned out to be incorrect, and at one point it seriously damaged his credibility as an engineer. Just sayin’…

Peter


@“Peter_Viscarola_(OSR)” said:
Why don’t you just try it. Then you’ll know.

Seriously. That’s an actual question for the OP. Why post here when it will take you less than 5 minutes to try for yourself?

One of my mentors, early in my engineering career taught me not to believe engineering “facts” just cuz somebody tells them to you. If you don’t see for yourself, it’s only really conjecture. He had a habit of repeating as true many things people told him, some of which turned out to be incorrect, and at one point it seriously damaged his credibility as an engineer. Just sayin’…

Peter

I actually did try this on some of the loaded drivers and didn’t get any BSOD, so I assume only some “important” drivers are protected, but I'm not sure which drivers, if any.

@John_Smith … Good. Then, instead of asking “Does patchguard protect against modification of DRIVER_OBJECT->MajorFunction function pointer array?”, a question to which you already know the answer, it might have been more interesting/useful/effective for you to share the result of your experience and ask your actual question… since you already know the answers to most of the questions you asked.

At least demonstrate to those who you are asking to take time to help you that you’ve put some effort into this on your own. Do your own engineering. Then you’ll know for sure, and you won’t be relying on some guy you’ve never met (and who might be posting under some alias) for your engineering knowledge.

Now… go try your hooking on several key drivers in the OS… and post the results of your experiment here. After investing that extra 30 minutes, then ask us if your results are consistent with what other folks have observed.

Peter

From the development of my IRPMon tool, I can tell that the IRP handlers of selected drivers (e.g. file system drivers) are protected by PatchGuard. I don’t know about the DriverUnload routine, since I always got a BSOD informing me about the IRP handlers first :-).