→References: fix test/vandalism edit
Rescuing 14 sources and tagging 0 as dead.) #IABot (v2.0
Line 24:
|date=September 2007
|accessdate=20 September 2007
|archive-url=https://web.archive.org/web/20160303171005/http://uninformed.org/index.cgi?v=8&a=5&p=2
|archive-date=3 March 2016
|url-status=dead
}}</ref> Device drivers are expected not to modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> However, in [[x86]] editions of Windows this expectation is not enforced. As a result, some x86 software, notably certain security and [[antivirus]] programs, was designed to perform its tasks by loading drivers that modify core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web
|url=https://www.theguardian.com/technology/2006/sep/28/viruses.security
Line 52 ⟶ 55:
|author=skape
|author2=Skywing
|date=December 2005
|accessdate=21 September 2007
|archive-url=https://web.archive.org/web/20160817074740/http://uninformed.org/index.cgi?v=3&a=3&p=7
|archive-date=17 August 2016
|url-status=dead
}}</ref>
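The paragraph above describes x86 security products hooking core kernel structures such as the system service dispatch table from a driver, and the rest of the article describes KPP as a periodic check that such structures are unmodified. The following user-mode model is an added illustration, not Windows or PatchGuard code, and every name in it (`dispatch_table`, `kpp_init`, `kpp_check`, `driver_install_hook`) is hypothetical; the checksum is a stand-in for whatever KPP actually computes. It shows why a hook that is installed and left in place is caught by an integrity check taken at initialisation, and why a bypass must either restore the structure before each check or disable the checker itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel dispatch table (in the spirit of the x86 SSDT):
 * an array of function pointers indexed by system call number. */
typedef long (*syscall_fn)(long arg);

static long sys_open(long a)  { return a + 1; }
static long sys_read(long a)  { return a * 2; }
static long sys_write(long a) { return a - 1; }

#define NSYSCALLS 3
static syscall_fn dispatch_table[NSYSCALLS] = { sys_open, sys_read, sys_write };

/* 64-bit FNV-1a over the protected bytes. PatchGuard's own checksum and the
 * code that computes it are obfuscated; this hash is only a stand-in. */
static uint64_t fnv1a64(const void *p, size_t n) {
    const uint8_t *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t baseline;  /* checksum of the protected region at "boot" */

/* Hypothetical KPP: record the expected state of the protected structures. */
void kpp_init(void) {
    baseline = fnv1a64(dispatch_table, sizeof dispatch_table);
}

/* Hypothetical KPP periodic check: 1 if the table is intact, 0 if patched.
 * On real x64 Windows a mismatch ends in a bug check; here we just report. */
int kpp_check(void) {
    return fnv1a64(dispatch_table, sizeof dispatch_table) == baseline;
}

/* What an x86 security product's driver did: replace a table entry with a
 * filter that inspects the call and forwards to the original handler. */
static syscall_fn original_write;

static long hooked_write(long a) {
    if (a < 0) return -1;            /* policy: refuse "bad" writes */
    return original_write(a);
}

void driver_install_hook(void) {
    original_write = dispatch_table[2];
    dispatch_table[2] = hooked_write;
}

void driver_remove_hook(void) {
    dispatch_table[2] = original_write;
}

/* Invoke a system call through the (possibly hooked) table. */
long dispatch(int idx, long arg) { return dispatch_table[idx](arg); }

int main(void) {
    kpp_init();
    printf("clean table:   check=%d\n", kpp_check());
    driver_install_hook();
    printf("hook present:  check=%d  write(5)=%ld  write(-3)=%ld\n",
           kpp_check(), dispatch(2, 5), dispatch(2, -3));
    driver_remove_hook();
    printf("hook removed:  check=%d\n", kpp_check());
    return 0;
}
```

The model makes the "moving target" point concrete: a bypass that unhooks the table just before each check, or that patches `kpp_check` to always return 1, works only while the checker's location and schedule are known, which is exactly what KPP's obfuscation and periodic updates are meant to deny.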
Line 65 ⟶ 71:
|date=January 2007
|accessdate=21 September 2007
|archive-url=https://web.archive.org/web/20160304025651/http://uninformed.org/index.cgi?v=6&a=1&p=25
|archive-date=4 March 2016
|url-status=dead
}}</ref>
Line 73 ⟶ 82:
|author=skape
|author2=Skywing
|date=December 2005
|accessdate=20 September 2007
|archive-url=https://web.archive.org/web/20160817134554/http://uninformed.org/index.cgi?v=3&a=3&p=3
|archive-date=17 August 2016
|url-status=dead
}}</ref> KPP does, however, present a significant obstacle to successful kernel patching. With highly [[obfuscated code]] and misleading symbol names, KPP employs [[security through obscurity]] to hinder attempts to bypass it.<ref name="Introduction"/><ref>{{cite web
|url=http://uninformed.org/index.cgi?v=6&a=1&p=10
Line 84 ⟶ 96:
|date=December 2006
|accessdate=20 September 2007
|archive-url=https://web.archive.org/web/20160303171036/http://uninformed.org/index.cgi?v=6&a=1&p=10
|archive-date=3 March 2016
|url-status=dead
}}</ref> Periodic updates to KPP also make it a "moving target", as bypass techniques that work for a while are likely to break with the next update. Since KPP's introduction in 2005, Microsoft has released two major updates to it, each designed to break the bypass techniques known to work against previous versions.<ref name="Introduction"/><ref name="Microsoft Security Advisory (914784)">{{cite web
|url=http://www.microsoft.com/technet/security/advisory/914784.mspx
Line 141 ⟶ 156:
|date=June 2006
|accessdate=21 September 2007
}}</ref> This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.<ref>{{cite news
|first=Elizabeth
|last=Montalbano
Line 149 ⟶ 164:
|date=6 October 2006
|accessdate=30 November 2006
|archive-url=https://web.archive.org/web/20070405234445/http://www.pcworld.in/news/index.jsp/artId=4587538
|archive-date=5 April 2007
|url-status=dead
}}</ref> Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by "trusted companies" such as themselves.<ref name="Samenuk">{{cite web
|url=http://news.softpedia.com/news/Microsoft-Increasing-Security-Risk-with-Vista-37014.shtml
Line 165 ⟶ 183:
|year=2006
|publisher=[[NortonLifeLock|Symantec]]
|archive-url=https://web.archive.org/web/20070515200615/http://www.symantec.com/enterprise/products/sysreq.jsp?pcid=1008&pvid=805_1
|archive-date=15 May 2007
|url-status=dead
}}</ref> and Norton 2010 range and beyond<ref>{{cite web
|url=http://us.norton.com/internet-security
Line 228 ⟶ 249:
|year=2006
|accessdate=8 July 2013
|archive-url=https://web.archive.org/web/20130201170559/http://zatz.com/outlookpower/article/the-great-windows-vista-antivirus-war/
|archive-date=1 February 2013
|url-status=dead
}} "The system's already vulnerable. People have already hacked into PatchGuard. System is already vulnerable no matter what. PatchGuard has a chilling effect on innovation. The bad guys are always going to innovate. Microsoft should not tie the hands of the security industry so they can't innovate. We're concerned about out-innovating the bad guys out there." —Cris Paden, Manager on the Corporate Communication Team at Symantec</ref>
Line 235 ⟶ 259:
|author=skape
|author2=Skywing
|date=1 December 2005
|accessdate=2 June 2008
|archive-url=https://web.archive.org/web/20170801092238/http://www.uninformed.org/?v=3&a=3
|archive-date=1 August 2017
|url-status=dead
}}</ref> Skywing went on to publish a second report in January 2007 on bypassing KPP version 2,<ref>{{cite web
|url=http://uninformed.org/index.cgi?v=6&a=1
Line 284 ⟶ 311:
|date=25 October 2006
|accessdate=30 November 2006
|archive-url=https://web.archive.org/web/20070202190644/http://software.silicon.com/os/0,39024651,39163525,00.htm
|archive-date=2 February 2007
|url-status=dead
}}</ref> However, Microsoft's own antivirus product, [[Windows Live OneCare]], had no special exception to KPP. Instead, Windows Live OneCare used (and had always used) methods other than patching the kernel to provide virus protection services.<ref>{{cite web
|url=https://blogs.technet.com/security/archive/2006/08/12/446104.aspx
Line 318 ⟶ 348:
'''Uninformed.org articles:'''
*[https://web.archive.org/web/20170801092238/http://www.uninformed.org/?v=3&a=3 Bypassing PatchGuard on Windows x64]
*[https://web.archive.org/web/20160602175644/http://www.uninformed.org/?v=6&a=1 Subverting PatchGuard Version 2]
*[https://web.archive.org/web/20160603002558/http://www.uninformed.org/?v=8&a=5 PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3]
'''Working bypass approaches:'''
*[http://forum.cheatengine.org/viewtopic.php?t=573311 KPP Destroyer (including source code) - 2015]
*[http://www.codeproject.com/KB/vista-security/bypassing-patchguard.aspx A working driver to bypass PatchGuard 3 (including source code) - 2008]
*[https://web.archive.org/web/20180502231259/http://fyyre.ru/vault/bootloader.txt Bypassing PatchGuard with a hex editor - 2009]
'''Microsoft security advisories:'''