Patch Guard (Kernel Patch Protection, present on 64-bit Windows) is a mechanism that protects kernel structures (like the ==SSDT== and ==IDT==) from being changed in memory, or "patched", by an attacker.

It re-verifies the protected structures at randomized intervals from a timer/DPC context, comparing a checksum of each region against a copy recorded earlier; if a region has changed, it crashes the system with Bug Check 0x109 CRITICAL_STRUCTURE_CORRUPTION. (Bug Check 0x139 KERNEL_SECURITY_CHECK_FAILURE, which is often listed alongside it, is raised by the kernel's inline fast-fail checks, such as a corrupted LIST_ENTRY or a stack cookie mismatch, not by the Patch Guard scan itself.)

On 64-bit Windows, an attacker who wants to modify a protected structure therefore has to find a way to disable or bypass Patch Guard first, or accept that the machine will crash at the next check.

It is also important to note that because Patch Guard checks periodically rather than on every write, a change that is reverted before the next check is never observed and does not trigger a bug check. Attackers apply the same idea to a value such as the SMEP bit (bit 20 of CR4): clear the bit, run the code that needs SMEP off (for example a payload placed in user-mode memory), and set the bit again immediately afterwards. Two caveats: CR4 is per-processor, so the payload must stay on the CPU where the bit was cleared; and the window is not under the attacker's control, since the check interval is randomized and the scan can run on any CPU, so the technique turns a certain crash into a probabilistic one.
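The following is an added example, not code from the original note or from Windows: a user-mode C simulation of a periodic integrity scan and the revert-in-time trick described above. The "SSDT" is a plain array in this process, the checksum is FNV-1a (Patch Guard's real one is undocumented), and the scan timer is modelled by the caller invoking the check when the "next check" fires. All names (pg_region, pg_snapshot, pg_verify, hook_ssdt) are hypothetical.

```c
/*
 * Added example (not from the original note or from Windows): a user-mode
 * model of a periodic integrity scan. The protected "SSDT" is an array in
 * this process; pg_snapshot()/pg_verify() are hypothetical stand-ins for the
 * scanner; the timer is modelled by calling pg_verify() when the next check
 * is assumed to fire.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION 0x109u

/* Simulated protected structure: four service-table entries (constructed values). */
#define SSDT_ENTRIES 4
static uintptr_t g_ssdt[SSDT_ENTRIES] = { 0x1000, 0x2000, 0x3000, 0x4000 };

/* One protected region as the scanner remembers it. */
struct pg_region {
    const void *base;
    size_t      len;
    uint64_t    expected;   /* checksum recorded when the region was snapshotted */
};

/* FNV-1a 64-bit over a byte range (stand-in for the real, undocumented checksum). */
static uint64_t fnv1a64(const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the known-good state of a region (what the scanner does at init). */
static void pg_snapshot(struct pg_region *r, const void *base, size_t len)
{
    r->base = base;
    r->len = len;
    r->expected = fnv1a64(base, len);
}

/* The periodic check: 0 if the region is unchanged, else the bug check code. */
static uint32_t pg_verify(const struct pg_region *r)
{
    return fnv1a64(r->base, r->len) == r->expected
               ? 0u
               : BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION;
}

/* Attacker side: swap one entry for a hook, returning the original value. */
static uintptr_t hook_ssdt(size_t idx, uintptr_t hook)
{
    uintptr_t old = g_ssdt[idx];
    g_ssdt[idx] = hook;
    return old;
}

/* Scenario A: the hook is still in place when the timer fires. */
uint32_t scenario_persistent_hook(void)
{
    struct pg_region r;
    pg_snapshot(&r, g_ssdt, sizeof g_ssdt);
    uintptr_t saved = hook_ssdt(1, 0xdeadbeefULL);
    uint32_t rc = pg_verify(&r);          /* next check fires: mismatch */
    g_ssdt[1] = saved;                    /* restore so later runs start clean */
    return rc;
}

/* Scenario B: the hook is reverted before the timer fires. */
uint32_t scenario_transient_hook(void)
{
    struct pg_region r;
    pg_snapshot(&r, g_ssdt, sizeof g_ssdt);
    uintptr_t saved = hook_ssdt(1, 0xdeadbeefULL);
    /* ... the attacker's code runs here while the entry points at the hook ... */
    g_ssdt[1] = saved;                    /* reverted inside the window */
    return pg_verify(&r);                 /* next check fires: no mismatch */
}

int main(void)
{
    printf("persistent hook -> bug check 0x%x\n", scenario_persistent_hook());
    printf("transient hook  -> bug check 0x%x\n", scenario_transient_hook());
    return 0;
}
```

Scenario B passes only because no check lands between the hook and the revert; if pg_verify() were called inside that gap it would return 0x109 exactly as in Scenario A, which is the probabilistic failure mode of the SMEP-toggle trick on a real machine.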

In the past, we've seen the following technique used by Turla/Uroburos to bypass Patch Guard. The attackers hooked KeBugCheckEx and used the hook to resume execution after the bug check had been raised, effectively suppressing the BSOD.

Then, after Microsoft closed this hole, the attackers hooked a different function, RtlCaptureContext, which KeBugCheckEx calls to capture the crashing context, and used it in the same way to resume execution without BSOD-ing the system.
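The following is an added example, not code from the original note or from Windows: a prologue check a defender can run over an exported kernel routine such as KeBugCheckEx or RtlCaptureContext to find inline hooks of the kind described above. It recognises the common x64 detour shapes at a function's first bytes and compares the live bytes against a known-good copy (in practice the same function read from ntoskrnl.exe on disk and relocated). The byte strings are constructed for the example: the "clean" prologue is a generic x64 function start, not a copy of any real ntoskrnl function, and the addresses are made up.

```c
/*
 * Added example (not from the original note or from Windows): detect inline
 * detours at a function entry. Sample prologues and addresses below are
 * constructed for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,        /* E9 rel32                       */
    HOOK_JMP_RIP_INDIRECT, /* FF 25 disp32  (jmp [rip+disp]) */
    HOOK_MOV_RAX_JMP,      /* 48 B8 imm64 ; FF E0            */
    HOOK_PUSH_RET,         /* 68 imm32 ; C3                  */
};

/* Classify the first bytes of a function by detour shape. */
enum hook_kind classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_RIP_INDIRECT;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* Decode the target of an E9 detour, given the address of the hooked function. */
uint64_t jmp_rel32_target(uint64_t func_addr, const uint8_t *code)
{
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);       /* little-endian rel32 */
    return func_addr + 5 + (int64_t)rel;      /* relative to the next instruction */
}

/* Byte-for-byte comparison with a known-good copy of the same prologue. */
bool prologue_matches(const uint8_t *live, const uint8_t *known_good, size_t n)
{
    return memcmp(live, known_good, n) == 0;
}

/* Constructed: generic x64 prologue
 * (mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h). */
const uint8_t clean_prologue[15] = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10,
    0x57, 0x48, 0x83, 0xEC, 0x20
};

/* Constructed: same function after a 5-byte E9 detour to func+0x1000. */
const uint8_t jmp_hooked_prologue[15] = {
    0xE9, 0xFB, 0x0F, 0x00, 0x00,             /* jmp rel32 = 0xFFB */
    0x48, 0x89, 0x74, 0x24, 0x10,
    0x57, 0x48, 0x83, 0xEC, 0x20
};

/* Constructed: mov rax, 0x4141414141414141 ; jmp rax. */
const uint8_t absjmp_hooked_prologue[15] = {
    0x48, 0xB8, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0xFF, 0xE0, 0x83, 0xEC, 0x20
};

int main(void)
{
    const uint64_t fake_func = 0xfffff80000100000ULL;   /* constructed address */
    printf("clean:    kind=%d match=%d\n",
           classify_prologue(clean_prologue, sizeof clean_prologue),
           prologue_matches(clean_prologue, clean_prologue, sizeof clean_prologue));
    printf("E9 hook:  kind=%d target=0x%llx\n",
           classify_prologue(jmp_hooked_prologue, sizeof jmp_hooked_prologue),
           (unsigned long long)jmp_rel32_target(fake_func, jmp_hooked_prologue));
    printf("rax hook: kind=%d\n",
           classify_prologue(absjmp_hooked_prologue, sizeof absjmp_hooked_prologue));
    return 0;
}
```

The shape classifier alone is only a hint: a legitimate function can start with an E9 (a hot-patch thunk or a tail jump), so the byte comparison against the on-disk image is the authoritative check. Neither catches hooks placed deeper in the function, nor hooks that leave the bytes untouched (hardware breakpoints, hypervisor EPT tricks), which is why the later links cover hypervisor-based approaches separately.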

Another method to bypass Patch Guard is described in a 2021 article by Kento Oki. In addition, CyberArk Labs found a Patch Guard bypass a few years ago; their rootkit research series is linked below.

https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-1


CONTENT

https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p1/

https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.00.pdf

https://standa-note.blogspot.com/2015/10/some-tips-to-analyze-patchguard.html

https://www.youtube.com/watch?v=ifWdeFHXj7s

https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/Windows_81_Kernel_Patch_Protection_Analysis.pdf

https://github.com/tandasat/PgResarch

https://github.com/fyc132/EasyAntiPatchGuard

https://standa-note.blogspot.com/2015/10/

