Questions around patchguard on Windows 10 latest build

Hello,

I had the following questions around PatchGuard.

  1. Does PatchGuard protect against modification of the DRIVER_OBJECT->MajorFunction function pointer array?
  2. Does PatchGuard protect against modification of DRIVER_OBJECT->DriverUnload?
  3. Are protections (1) and (2) provided only for select drivers or for all drivers?
  4. Is there a deterministic way to tell the system to run all the PatchGuard checks? Something like “run PatchGuard checks now”?

Any pointers will be greatly appreciated.

Thanks.
-Prasad

Hi,

Take a look at a post called “What are Little PatchGuards Made Of?” here:

http://www.alex-ionescu.com/?p=290

Eugenio Barahona Marciel

Hello,

Thanks! However, I have read that article before and it doesn’t answer some of the questions that I have raised.

It does say “Driver Object corruption”, however, not which parts of the Driver Object. I got some references which say that MajorFunction is covered. However, what about other routines like unload? Some references say that it protects the Driver Object for “certain drivers”. Which drivers are those? That’s where my first three questions came from.

While doing some experiments around it, I had to wait till the PatchGuard checks kick in at an indeterministic time. That’s where my question 4 came from.

Thanks.
-Prasad
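The thread asks whether PatchGuard notices changes to MajorFunction[] and DriverUnload, and the experiments mentioned above depend on waiting for its checks to fire. The following is an added example, not code from this thread, that shows the two kinds of check such a test boils down to: comparing the dispatch table against a baseline taken at load time, and verifying that every pointer still lands inside an allowed image. It builds and runs in user mode against a constructed model of the DRIVER_OBJECT fields involved (DriverStart, DriverSize, DriverUnload, MajorFunction[]) with three fake "images" standing in for the driver, the kernel and a hooking driver; the field names and the value of IRP_MJ_MAXIMUM_FUNCTION match the WDK, everything else (the buffer sizes, offsets and scenario names) is made up for the demonstration. It does not reproduce PatchGuard's own logic and makes no claim about which drivers PatchGuard covers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IRP_MJ_MAXIMUM_FUNCTION is 0x1b in the WDK; IRP_MJ_DEVICE_CONTROL is 0x0e. */
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define IRP_MJ_CREATE           0x00
#define IRP_MJ_DEVICE_CONTROL   0x0e

/* Model of the DRIVER_OBJECT fields this check cares about. In the real
 * structure DriverUnload is a PDRIVER_UNLOAD and MajorFunction[] holds
 * PDRIVER_DISPATCH pointers; plain addresses are used here so the example
 * builds and runs in user mode (constructed model, not the WDK struct). */
typedef struct {
    void    *DriverStart;                               /* image base */
    uint32_t DriverSize;                                /* image size */
    void    *DriverUnload;
    void    *MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT_MODEL;

/* Baseline taken right after DriverEntry, before anyone else could touch it. */
typedef struct {
    void *DriverUnload;
    void *MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DISPATCH_BASELINE;

enum {
    CHK_OK             = 0,
    CHK_MAJOR_CHANGED  = 1,  /* a MajorFunction entry differs from the baseline */
    CHK_UNLOAD_CHANGED = 2,  /* DriverUnload differs from the baseline          */
    CHK_OUT_OF_IMAGE   = 4,  /* a pointer lies outside every allowed image      */
};

typedef struct { void *base; uint32_t size; } IMAGE_RANGE;

static int in_any_image(const void *p, const IMAGE_RANGE *ranges, size_t n) {
    uintptr_t q = (uintptr_t)p;
    for (size_t i = 0; i < n; i++) {
        uintptr_t b = (uintptr_t)ranges[i].base;
        if (q >= b && q < b + ranges[i].size) return 1;
    }
    return 0;
}

void take_baseline(const DRIVER_OBJECT_MODEL *d, DISPATCH_BASELINE *b) {
    b->DriverUnload = d->DriverUnload;
    memcpy(b->MajorFunction, d->MajorFunction, sizeof b->MajorFunction);
}

/* Two independent checks: (a) every pointer still equals the baseline, and
 * (b) every pointer lands inside the driver's own image or another allowed
 * image (the kernel must be allowed, since unimplemented entries point at
 * nt!IopInvalidDeviceRequest). Returns an OR of CHK_* flags. */
int check_driver_object(const DRIVER_OBJECT_MODEL *d, const DISPATCH_BASELINE *b,
                        const IMAGE_RANGE *extra, size_t n_extra) {
    IMAGE_RANGE ranges[8];
    size_t n = 0;
    ranges[n++] = (IMAGE_RANGE){ d->DriverStart, d->DriverSize };
    for (size_t i = 0; i < n_extra && n < 8; i++) ranges[n++] = extra[i];

    int flags = CHK_OK;
    if (d->DriverUnload != b->DriverUnload) flags |= CHK_UNLOAD_CHANGED;
    if (!in_any_image(d->DriverUnload, ranges, n)) flags |= CHK_OUT_OF_IMAGE;
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        if (d->MajorFunction[i] != b->MajorFunction[i]) flags |= CHK_MAJOR_CHANGED;
        if (!in_any_image(d->MajorFunction[i], ranges, n)) flags |= CHK_OUT_OF_IMAGE;
    }
    return flags;
}

/* Constructed scenario: three fake "images" (driver, kernel, hooking driver). */
static uint8_t g_driver_img[0x1000], g_kernel_img[0x1000], g_rootkit_img[0x1000];

enum { SCN_CLEAN, SCN_HOOK_IOCTL_EXTERNAL, SCN_HOOK_UNLOAD, SCN_HOOK_IN_IMAGE };

int run_scenario(int which) {
    DRIVER_OBJECT_MODEL drv = { g_driver_img, sizeof g_driver_img, g_driver_img + 0x400, {0} };
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        drv.MajorFunction[i] = g_kernel_img + 0x100;      /* stands in for IopInvalidDeviceRequest */
    drv.MajorFunction[IRP_MJ_CREATE]         = g_driver_img + 0x200;
    drv.MajorFunction[IRP_MJ_DEVICE_CONTROL] = g_driver_img + 0x300;

    DISPATCH_BASELINE base;
    take_baseline(&drv, &base);
    IMAGE_RANGE kernel = { g_kernel_img, sizeof g_kernel_img };

    switch (which) {
    case SCN_HOOK_IOCTL_EXTERNAL:   /* IOCTL handler redirected into a foreign image */
        drv.MajorFunction[IRP_MJ_DEVICE_CONTROL] = g_rootkit_img + 0x10; break;
    case SCN_HOOK_UNLOAD:           /* unload routine redirected into a foreign image */
        drv.DriverUnload = g_rootkit_img + 0x20; break;
    case SCN_HOOK_IN_IMAGE:         /* redirected to a trampoline inside the driver's own image */
        drv.MajorFunction[IRP_MJ_CREATE] = g_driver_img + 0x500; break;
    default: break;
    }
    return check_driver_object(&drv, &base, &kernel, 1);
}

int main(void) {
    static const char *names[] = { "clean", "ioctl hook (external)", "unload hook", "in-image redirect" };
    for (int s = SCN_CLEAN; s <= SCN_HOOK_IN_IMAGE; s++)
        printf("%-22s flags=0x%x\n", names[s], run_scenario(s));
    return 0;
}
```

The last scenario is the one worth noting when running experiments of the kind described above: a redirect that stays inside the driver's own image passes the range check and is only caught by the baseline comparison, so a test that relies on "pointer outside the image" alone will report a miss that a baseline-based check would not. In a real driver the same comparisons can be made against the live DRIVER_OBJECT from a timer or work item, but that only tells you what your own code sees; it does not trigger or replace whatever PatchGuard does, and the thread's question 4 about forcing those checks on demand remains open here.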