http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx ("http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx")

Wow, nobody has succeeded in this task up to now. Maybe M$ will teach us something interesting?
Regards, bilbo

Discussion on Matt Pietrek's blog: http://blogs.msdn.com/matt_pietrek/archive/2004/10/21/245750.aspx ("http://blogs.msdn.com/matt_pietrek/archive/2004/10/21/245750.aspx")

did i get this right that only "authorized Microsoft-originated hot patches" will be allowed to modify things like the idt ? what would be the point of this? if hot patches can get the rights to modify e.g. the idt what prevents a normal driver to get these rights ?

The system will probably check IDT periodically or via some data-write-breakpoint (?).

Digital signing?

Digital signing will of course most likely be in the "first layer of protection", but we are talking lower levels here. Just like with any protection, the signature check has to be done somewhere, and we can patch it away. Depending on exactly how messy and super-entangled this protection will be, I can't see why e.g. the Softice guys (or rootkit makers) couldn't just patch it and then modify whatever system table they want. Sadly, I think that the only people who will suffer here are the makers and users of all the nice smaller scale analysis tools and other useful ring 0 hacks.

i totally agree. only problem is that then driverstudio's softice etc. drivers can't be microsoft certified, if i understand this all correctly