# PatchGuard-Blocker

Repository: MicrosoftARMAssembler/PatchGuard-Blocker

PatchGuard-Blocker intercepts the exceptions raised by PatchGuard's analysis of protected memory.
PatchGuard triggers the exception while validating protected memory and executes a `mov cr0` to clear CR0.WP.
We hook the kernel exception path using a shadow-mapped physical page hook, so the original routine stays clean for integrity checks.

## What makes PatchGuard-Blocker work?

PatchGuard-Blocker was designed around the exception path PatchGuard hits while checking and repairing protected kernel memory.
Instead of trying to emulate PatchGuard or patch every routine it uses, it hooks the kernel debug exception path and catches the exact moment PatchGuard faults.
This makes the blocker much smaller than most PatchGuard blockers, because it does not need to hook every worker thread and routine.
The same exception is raised by all PatchGuard checks, so the thread can be frozen before it finishes its check or bug-checks the system.


## Physical Page Hook

PatchGuard-Blocker uses a physical page hook so the original executable page stays clean during integrity checks.
The hook creates a shadow-mapped copy of the target page and places the modified code inside the shadow page.
When PatchGuard or an anti-cheat reads the routine, it sees the original bytes, but execution is redirected through the hooked shadow page.

```cpp
// Create a shadow-mapped copy of the page that holds the KdpReport routine.
auto kdp_state = paging::pph::create_hook( kernel::m_pdb.m_kdp_report );
if ( !kdp_state )
    return false;

// Redirect execution through the shadow page; reads still see the original bytes.
if ( !paging::pph::enable_hook( kdp_state, kdp_report ) )
    return false;
```

## Thread Freezing

PatchGuard-Blocker freezes the current PatchGuard thread by restoring the call stack to the thread's initial kernel stack.
It redirects execution into sleep_forever, which calls KeDelayExecutionThread with a large delay.
The sleep routine keeps the thread frozen instead of returning to PatchGuard.

```cpp
// Rewind the thread to its initial kernel stack and resume it inside
// sleep_forever, which waits in KeDelayExecutionThread instead of returning to PatchGuard.
restore_call_stack(
    reinterpret_cast< std::uint64_t >( stack_top ) - 8,
    sleep_forever,
    nullptr );
```

## Conclusion

PatchGuard-Blocker is a compact PatchGuard blocking method built around exception interception instead of routine-by-routine patching.
By combining KdpReport interception, thread freezing, and shadow-mapped physical page hooks, it stops PatchGuard checks while keeping the original code pages clean.
The result is a smaller blocker that targets the system-wide PatchGuard exception pattern instead of chasing every worker thread or validation routine.

## About

Blocks PatchGuard routines by intercepting their exceptions through shadow-mapped physical page hooks.