Revision as of 12:35, 27 March 2023 edit Bumm13 (talk \| contribs) Administrators 79,775 edits m removed redundant "Kernel (operating system)" wikilink; formatting fix ← Previous edit		Revision as of 12:38, 27 March 2023 edit undo Bumm13 (talk \| contribs) Administrators 79,775 edits m →Technical overview: capitalization and formatting fixes Next edit →
Line 27: \|archive-date=3 March 2016 \|url-status=dead }}</ref> Device drivers are expected to not modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> However in [[x86]] editions of Windows, Windows does not enforce this expectation. As a result, some x86 software, notably certain security and [[antivirus software\|antivirus]] programs, were designed to perform needed tasks through loading drivers that modify core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web \|url=https://www.theguardian.com/technology/2006/sep/28/viruses.security \|title=Antivirus vendors raise threats over Vista in Europe Line 37: }} "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit</ref> In [[x86-64\|x64]] editions of Windows, Microsoft began to enforce restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a [[Fatal system error\|bug check]] and shut down the system,<ref name="Introduction"/><ref name="Patching Policy">{{cite web \|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx \|title=Patching Policy for x64-Based Systems Line 43: \|date=22 January 2007 \|access-date=20 September 2007 }}</ref> with a [[Blue ~~Screen~~screen of ~~Death~~death\|blue screen]] and/or reboot. The corresponding bugcheck number is 0x109, the bugcheck code is CRITICAL_STRUCTURE_CORRUPTION. Prohibited modifications include:<ref name="Patching Policy"/> * Modifying [[System call\|system service]] descriptor tables * Modifying the [[interrupt descriptor table]] * Modifying the [[Global Descriptor Table\|global descriptor table]] * Using kernel [[Stack (abstract data ~~structure~~type)\|~~stack~~stacks]]s not allocated by the kernel * Modifying or patching code contained within the kernel itself,<ref name="Patching Policy"/> or the [[Hardware abstraction layer\|HAL]] or [[Network Driver Interface Specification\|NDIS]] kernel libraries<ref>{{cite web \|url=http://uninformed.org/index.cgi?v=3&a=3&p=7 Line 88: \|archive-date=17 August 2016 \|url-status=dead }}</ref> KPP does however present a significant obstacle to successful kernel patching. With highly [[obfuscation (software)\|obfuscated code]] and misleading symbol names, KPP employs [[security through obscurity]] to hinder attempts to bypass it.<ref name="Introduction"/><ref>{{cite web \|url=http://uninformed.org/index.cgi?v=6&a=1&p=10 \|title=Misleading Symbol Names

Kernel Patch Protection: Difference between revisions