This session will look at a critical flaw in the design of Windows Kernel Patch Protection (PatchGuard), a system used to prevent modification to kernel code and other critical structure. The design of PatchGuard will be discussed, along with the design of an attack which uses the flaw in PatchGuard to disable the PatchGuard response entirely. In the end, a set of mitigations will be proposed.

RSA® Conference, the world’s leading information security conferences and expositions, concluded its 30th annual event, which took place as a fully virtual experience this week. This year’s theme was Resilience, and in honor of all that the cybersecurity industry has accomplished over the past three decades, offered a must-attend celebration of thought leadership and education.


More than 20,000 people registered to view 449 sessions including, keynotes, track sessions, interactive programs, tutorials, seminars, and many special digital-first programs that focused on best practices and innovation. The content covered many of the industry’s most pressing topics, including privacy, machine learning and artificial intelligence, analytics, anti-fraud, policy and government, and risk management and governance.

Windows Kernel Patch Protection - Achilles Heel: PatchGuard

Conference: RSA Conference 2021

Abstract

Post a comment

Related work

Defeating Windows Anti-Exploit & Security Features with WHQL Kernel Drivers

PPLdump Is Dead. Long Live PPLdump!

Eternal War in XNU Kernel Objects

Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors

Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

Get off the Kernel if you can’t Drive