Ken Johnson, a Windows kernel-mode and debugging guru, analyzes the Windows x64 Kernel Patch Protection system (PatchGuard) on his blog. From his perspective, PatchGuard is neither a security scheme nor a DRM measure, because the set of structures it protects is too limited for either purpose. Instead, it is a tool to stop third-party vendors from undermining system security and stability by patching the kernel. Johnson also forecasts a hypervisor-based PatchGuard mechanism in future revisions of this technology. Check out other posts on Nynaeve for a wealth of technical details on Windows mechanisms of interest to reverse-engineers.
Thoughts on PatchGuard
Submitted by PlatformAgnostic 2007-01-30 Privacy, Security 7 Comments
I thought this whole argument from MS was bunk until I installed McAfee V8.0i Enterprise edition on a new Dell M65 laptop running XP Pro. I can't even begin to detail the multiple levels of hell that this program caused in conflicts. Apparently, according to a small obscure thread found after dredging the pits of Google, McAfee's buffer overflow protection created some sort of panic attack with the TPM software that Dell uses. This basically created an unbootable situation... at least one that closely resembled the Blaster worm of a couple of years ago.
Any-who, after disabling that bugger overflow (and upgrading to McAfee 8.5) everything was hunky-dory.
I believe MS has a right to be concerned when it comes to these security software devs poking sticks in their kernel... no matter how swiss-cheese it may be.