Ideas Microsoft has Stolen from Malware

One of the many features that Microsoft has included in Vista is PatchGuard v2. Skywing has posted a great article on Uninformed about subverting PatchGuard v2. The protection mechanisms that Microsoft employs are some of the exact same ones that malware authors have been using for years.

There are some startling techniques that Microsoft is using to protect PatchGuard from reverse engineering and modification. One of them is a standard IsDebuggerPresent-style check (in the kernel, KdDebuggerNotPresent) to validate that PatchGuard isn't being debugged. The next protection mechanism is self-decrypting and self-modifying code inside the Integrity Check Routine. Skywing has done a great job of outlining the defenses that are taken, as well as methods for subverting the system.

PatchGuard is meant to protect against unauthorized modifications of the Vista kernel. In essence, Microsoft does not want you to modify their kernel with your bad code. While these mechanisms are useful for preventing rootkits, as Skywing has pointed out they can be subverted.
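To make the "integrity check" idea concrete, here is an added example (not PatchGuard's code, and not from Skywing's article) of the core mechanism: record a hash of a protected structure while it is known to be good, then re-hash it later and flag any difference. The dispatch table, the hypothetical `sys_*` handlers, and the FNV-1a hash are constructed for this illustration; the real protected structures and hashing are not described on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a protected kernel dispatch table. PatchGuard
 * watches structures of this kind; the names here are hypothetical. */
typedef int (*syscall_fn)(int);

static int sys_open(int x)  { return x + 1; }
static int sys_read(int x)  { return x * 2; }
static int sys_write(int x) { return x - 3; }

#define TABLE_SIZE 3
static syscall_fn dispatch_table[TABLE_SIZE] = { sys_open, sys_read, sys_write };

/* 64-bit FNV-1a: a fast non-cryptographic hash, enough to detect that the
 * table's bytes changed between two checks. */
static uint64_t fnv1a_64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash recorded when the table was known-good. The post describes PatchGuard
 * hiding its checker with self-decrypting code; here it is a plain global. */
static uint64_t baseline_hash;

void integrity_init(void)
{
    baseline_hash = fnv1a_64(dispatch_table, sizeof dispatch_table);
}

/* Return 1 if the table still matches the baseline, 0 if it was modified. */
int integrity_check(void)
{
    return fnv1a_64(dispatch_table, sizeof dispatch_table) == baseline_hash;
}

/* Simulated unauthorized modification: one entry is redirected, which is the
 * class of change the check exists to catch. */
static int rogue_read(int x) { return x * 100; }

int simulate_tamper_and_check(void)
{
    dispatch_table[1] = rogue_read;
    return integrity_check();
}

/* Put the original entry back and confirm the check passes again. */
int restore_and_check(void)
{
    dispatch_table[1] = sys_read;
    return integrity_check();
}

int main(void)
{
    integrity_init();
    printf("fresh table intact:   %d\n", integrity_check());
    printf("after tamper intact:  %d\n", simulate_tamper_and_check());
    printf("after restore intact: %d\n", restore_and_check());
    return 0;
}
```

The weakness of a checker written this plainly is obvious: the baseline value and the comparison sit in the open, so anything that can alter the table can alter the checker too. That is the gap the debugger check and the self-decrypting integrity routine described above are meant to close, and why the comparison is hidden rather than the table.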

"stolen" is always a hard word. Let's say Microsoft was "inspired" by malware code. ;)

As you might know, this is not the first time Microsoft has used tricks typical of malware. Just remember their hot-patching strategy since Windows XP (inline hooking).

Nevertheless, I agree with you: reading the PatchGuard v2 integrity check code is quite funny.

But as Skywing demonstrated very impressively, even encrypted/self-modifying code is not really a stumbling block for an experienced reverse engineer. ;)

greetings,
frank boldewin

Can we agree on "blatantly copied"? :)

It's good to see that someone is implementing rolling encryption of an executable. Maybe someone can enlighten me about a modern piece of malware that implements this packing method. I can't think of one off-hand.