
Changes in policy related to patching kernel for MS Windows Server 2003 SP1


disavowed
November 2nd, 2004, 00:37
http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx

bilbo
November 2nd, 2004, 02:33
Quote:
[Originally Posted by M$] Many system structures are protected on x64-based systems, including the system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT).

Wow, nobody has succeeded in this task up to now. Maybe M$ will teach us something interesting?
Regards, bilbo

disavowed
November 4th, 2004, 11:24
Discussion on Matt Pietrek's blog: http://blogs.msdn.com/matt_pietrek/archive/2004/10/21/245750.aspx

sHice
November 4th, 2004, 15:21
Did I get this right that only "authorized Microsoft-originated hot patches" will be allowed to modify things like the IDT? What would be the point of this? If hot patches can get the rights to modify e.g. the IDT, what prevents a normal driver from getting these rights?

omega_red
November 4th, 2004, 15:30
The system will probably check the IDT periodically, or via some data-write breakpoint (?).

reverser
November 4th, 2004, 15:30
Quote:
[Originally Posted by sHice] Did I get this right that only "authorized Microsoft-originated hot patches" will be allowed to modify things like the IDT? What would be the point of this? If hot patches can get the rights to modify e.g. the IDT, what prevents a normal driver from getting these rights?

Digital signing?

dELTA
November 4th, 2004, 19:06
Digital signing will of course most likely be in the "first layer of protection", but we are talking lower levels here. Just like with any protection, the signature check has to be done somewhere, and we can patch it away. Depending on exactly how messy and super-entangled this protection will be, I can't see why e.g. the Softice guys (or rootkit makers) couldn't just patch it and then modify whatever system table they want. Sadly, I think that the only people who will suffer here are the makers and users of all the nice smaller scale analysis tools and other useful ring 0 hacks.
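
The two ideas raised above (omega_red's guess that the system re-checks the IDT periodically, and dELTA's point that whatever does the checking lives somewhere and can itself be patched) can be shown side by side in a small model. The following is an added example, not code from this thread and not Microsoft's implementation, whose details the thread does not know; it uses an array of function pointers as a stand-in for the IDT/SSDT, a FNV-1a digest as the integrity snapshot, and hypothetical names (`kpp_check`, `rootkit_hook`, `rootkit_patch_check`). Scenario A shows a hooked entry being caught by the next check; scenario B shows the same hook surviving once the attacker, running at the same privilege as the checker, rewrites the checker's reference value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model (hypothetical, not Microsoft's code) of a periodic integrity
 * check over a protected kernel table. The "table" is an array of
 * function pointers standing in for the IDT/SSDT.
 */
#define TABLE_ENTRIES 8

typedef uint64_t (*svc_fn)(uint64_t);

/* Legitimate service routines. */
static uint64_t svc_identity(uint64_t x) { return x; }
static uint64_t svc_double(uint64_t x)   { return x * 2; }

/* A rootkit's replacement routine: wraps the original and alters the result. */
static uint64_t svc_hooked(uint64_t x)   { return svc_double(x) + 1; }

/* The protected table and the checker's reference digest. */
static svc_fn   g_table[TABLE_ENTRIES];
static uint64_t g_baseline;

/* FNV-1a 64-bit over raw bytes; good enough to detect any changed entry. */
static uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Fill the table with known-good entries and snapshot its digest. */
void table_init(void)
{
    for (size_t i = 0; i < TABLE_ENTRIES; i++)
        g_table[i] = (i % 2 == 0) ? svc_identity : svc_double;
    g_baseline = fnv1a64(g_table, sizeof g_table);
}

/*
 * The integrity check. A real implementation would run this from a timer
 * at intervals; here the caller invokes it explicitly.
 * Returns 1 if the table still matches the snapshot, 0 if it was modified.
 */
int kpp_check(void)
{
    return fnv1a64(g_table, sizeof g_table) == g_baseline;
}

/* Attacker step 1: hook one entry, as a debugger or rootkit would. */
void rootkit_hook(size_t idx)
{
    g_table[idx] = svc_hooked;
}

/*
 * Attacker step 2: the check must keep its reference somewhere in writable
 * kernel memory. Code at ring 0 that locates it can re-baseline (or patch
 * out the comparison) and the hook is no longer reported.
 */
void rootkit_patch_check(void)
{
    g_baseline = fnv1a64(g_table, sizeof g_table);
}

/* Scenario A: the hook alone is caught by the next check. Returns 1 on detection. */
int scenario_hook_detected(void)
{
    table_init();
    rootkit_hook(3);
    return kpp_check() == 0;
}

/* Scenario B: hook plus patched check. Returns 1 if the hook is live
 * (entry 3 now yields 2x+1) and the check still reports "intact". */
int scenario_check_bypassed(void)
{
    table_init();
    rootkit_hook(3);
    rootkit_patch_check();
    return kpp_check() == 1 && g_table[3](21) == 43;
}

int main(void)
{
    table_init();
    printf("clean table:          intact=%d\n", kpp_check());
    printf("hook only:            detected=%d\n", scenario_hook_detected());
    printf("hook + patched check: bypassed=%d\n", scenario_check_bypassed());
    return 0;
}
```

The model only captures the shape of the argument: a digest-and-compare check is effective against a driver that merely writes to the table, and ineffective against one that is also willing to find and rewrite the checker's own state, which is exactly the asymmetry between "signed hot patches may modify the IDT" and "an unsigned driver may not" that the posts above are poking at.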

disavowed
November 5th, 2004, 02:18
Quote:
[Originally Posted by dELTA]Digital signing will of course most likely be in the "first layer of protection", but we are talking lower levels here. Just like with any protection, the signature check has to be done somewhere, and we can patch it away. Depending on exactly how messy and super-entangled this protection will be, I can't see why e.g. the Softice guys (or rootkit makers) couldn't just patch it and then modify whatever system table they want.

I totally agree. The only problem is that then DriverStudio's SoftICE etc. drivers can't be Microsoft certified, if I understand this all correctly.