PatchGuard bypass at runtime

#1026
Title: PatchGuard 0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function
Administrator
11/01/2024 12:32 - 55 days 12 hours 26 minutes
If you need SEH in your manually mapped driver, you'll need to use the undocumented kernel APIs below.

Finding the base address of a manually mapped driver requires a bit more effort, but by iterating backwards from the driver's entry point and trying to locate the first valid PE header, you are pretty much at the base address. You can get the size of the image from the found PE header.


// Register the image's exception directory so SEH unwinding works for the mapped driver
RtlInsertInvertedFunctionTable(imageBase, szImage);
// Remove that entry again before the image goes away
RemoveInvertedFunctionTableEntry(imageBase, szImage);


PatchGuard will trigger a BSOD: 19 : Loaded module list modification
0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function

Aforementioned 0x109 will not trigger after the bypass described in the first post has been applied.

If you're a malware analyst, it's worth noting that the RtlInsertInvertedFunctionTable routine will insert an entry in "db nt!PsInvertedFunctionTable". If you iterate all entries and check whether each entry points to a valid module, you'll find every manually mapped kernel driver that uses SEH.
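The cross-check described above, as an added example that is not the poster's code: the entry layout (FunctionTable, ImageBase, SizeOfImage, SizeOfTable) follows the commonly reverse-engineered x64 nt!_INVERTED_FUNCTION_TABLE_ENTRY and is an assumption here, as are the snapshot addresses; the loaded-module list stands in for what a driver or debugger would read from nt!PsLoadedModuleList, and the whole thing builds in user mode against a constructed snapshot.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed x64 layout of nt!_INVERTED_FUNCTION_TABLE_ENTRY (undocumented); addresses are
 * plain integers so the check builds in user mode against a constructed snapshot. */
typedef struct {
    uint64_t FunctionTable;   /* VA of the image's RUNTIME_FUNCTION array (exception directory) */
    uint64_t ImageBase;
    uint32_t SizeOfImage;
    uint32_t SizeOfTable;     /* bytes; a multiple of sizeof(RUNTIME_FUNCTION), which is 12 */
} InvertedEntry;
typedef struct { uint64_t Base; uint32_t Size; } LoadedModule;  /* stand-in for PsLoadedModuleList */

/* 1 if [base, base+size) lies entirely inside some module of the loaded-module list. */
static int backed_by_loaded_module(const LoadedModule *m, size_t n, uint64_t base, uint32_t size) {
    for (size_t i = 0; i < n; i++)
        if (base >= m[i].Base && base + size <= m[i].Base + m[i].Size) return 1;
    return 0;
}
/* Flags inverted-table entries that no loaded module covers (the footprint a manually mapped
 * image leaves after RtlInsertInvertedFunctionTable) or whose exception directory is not inside
 * the image they claim. Writes flagged indexes to out[]; returns how many were flagged. */
size_t find_orphan_entries(const InvertedEntry *t, size_t count, const LoadedModule *m,
                           size_t nmods, size_t *out, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < count && found < cap; i++) {
        int inside = t[i].FunctionTable >= t[i].ImageBase &&
                     t[i].FunctionTable + t[i].SizeOfTable <= t[i].ImageBase + t[i].SizeOfImage;
        if (!inside || t[i].SizeOfTable % 12 != 0 ||
            !backed_by_loaded_module(m, nmods, t[i].ImageBase, t[i].SizeOfImage))
            out[found++] = i;
    }
    return found;
}

/* Constructed snapshot (not real addresses): two loaded images plus one table entry at
 * 0xFFFFF80012340000 that nothing in the loaded-module list accounts for. */
static const LoadedModule kModules[] = {
    { 0xFFFFF80000400000ULL, 0x00A00000 }, { 0xFFFFF80001000000ULL, 0x00100000 } };
static const InvertedEntry kTable[] = {
    { 0xFFFFF80000500000ULL, 0xFFFFF80000400000ULL, 0x00A00000, 0x30000 },
    { 0xFFFFF80001080000ULL, 0xFFFFF80001000000ULL, 0x00100000, 0x06000 },
    { 0xFFFFF80012345000ULL, 0xFFFFF80012340000ULL, 0x00010000, 0x00C00 } };

/* Runs the check on the snapshot; returns the first flagged index, or -1 if nothing is flagged. */
long demo_first_orphan(void) {
    size_t hits[8];
    size_t n = find_orphan_entries(kTable, 3, kModules, 2, hits, 8);
    return n ? (long)hits[0] : -1;
}
```

In a real triage the same loop runs over the live table read from nt!PsInvertedFunctionTable, with each flagged ImageBase then inspected for a PE header and unbacked executable memory.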
