Trust No Program
[technical] Experimental Protection
0x00
Guest

Hi everybody,

I am an independent security researcher, and I was wondering how the f*** you "bypass" PatchGuard. Well, I know you are not really "bypassing" PatchGuard and that you use undocumented functionality, but I did not find which ones (I searched the Web quite a lot).

As far as I know, the Microsoft API allows setting callbacks when new processes / threads are created, or when files are accessed (using minifilter drivers), but I can't figure out how you manage to block an NtOpenProcess() coming from ring 3 (userland hooks can be easily bypassed). I'd suspect undocumented APIs in order to set other callbacks, or setting different access rights (since SSDT, IRP or MSR hooks cannot be set)...

Thanks a lot !

ps: forgive me for my vocabulary mistakes, I'm not a native English speaker.
pps: it's amazing that you managed to perform this technique while security professionals such as HIPS vendors cannot...
tzuk


Joined: 22 Jun 2004
Posts: 15003
I appreciate the kind words, but there is no need for profanities. Supervising processes and threads is a standard and documented part of the "PatchGuard APIs" which were introduced in Vista Service Pack 1. Check out the MSDN documentation for ObRegisterCallbacks.

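The access-filtering decision such an ObRegisterCallbacks pre-operation callback makes, as an added example that is neither Sandboxie's code nor from this thread: plain C with the kernel types and constants stubbed (an assumption, so it compiles outside a driver), where in a real driver the same body sits in an OB_PRE_OPERATION_CALLBACK registered through ObRegisterCallbacks and the driver must be linked with /INTEGRITYCHECK for the registration to succeed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Stand-ins for ntddk.h/winnt.h types and constants (assumption: stubbed so
 * the decision logic compiles outside a driver; values match the headers). */
typedef uint32_t ACCESS_MASK;
#define OB_OPERATION_HANDLE_CREATE    1
#define OB_OPERATION_HANDLE_DUPLICATE 2
#define PROCESS_TERMINATE         0x0001
#define PROCESS_CREATE_THREAD     0x0002
#define PROCESS_VM_OPERATION      0x0008
#define PROCESS_VM_WRITE          0x0020
#define PROCESS_DUP_HANDLE        0x0040
#define PROCESS_SET_INFORMATION   0x0200
#define PROCESS_SUSPEND_RESUME    0x0800

/* Rights that would let a caller tamper with a protected process. */
#define DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
    PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME)

/* Flattened OB_PRE_OPERATION_INFORMATION: in a driver the PIDs come from
 * PsGetCurrentProcessId()/PsGetProcessId(Object) and DesiredAccess points
 * into Parameters->CreateHandleInformation or ->DuplicateHandleInformation. */
typedef struct {
    uint32_t     Operation;
    uint32_t     RequestorPid;
    uint32_t     TargetPid;
    ACCESS_MASK *DesiredAccess;
} PRE_OP_INFO;

/* Hypothetical policy: the PIDs the driver protects. */
static bool IsProtected(const uint32_t *guarded, size_t n, uint32_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (guarded[i] == pid) return true;
    return false;
}

/* Pre-operation callback body: a process may open itself with any rights;
 * any other caller opening a protected process has DENIED_RIGHTS stripped in
 * place. Returns the granted mask (a real callback returns OB_PREOP_SUCCESS). */
ACCESS_MASK PreOpCallback(const uint32_t *guarded, size_t n, PRE_OP_INFO *info)
{
    bool handleOp = info->Operation == OB_OPERATION_HANDLE_CREATE ||
                    info->Operation == OB_OPERATION_HANDLE_DUPLICATE;
    if (handleOp && info->RequestorPid != info->TargetPid &&
        IsProtected(guarded, n, info->TargetPid))
        *info->DesiredAccess &= ~(ACCESS_MASK)DENIED_RIGHTS;
    return *info->DesiredAccess;
}
```

Note that this does not block NtOpenProcess outright: the call still succeeds, but the handle the caller gets back carries only the rights that survived the mask, which is why userland hooks are not needed.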
0x00
Guest

Hi Tzuk !

First of all, thank you for your response, and accept my apologies for this profanity, but... well, I searched a lot.

That's what I thought. I have just found a little blog article which dealt with these functions and explained how it works.

Thanks again, I will try to implement this as soon as possible !
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.