This post was last edited by GoldJune on 2012-12-17 01:53
独孤无语 posted on 2012-12-16 22:02
PG, I don't know what it is either; even Baidu Baike is vague about it.
How about this: let's list the "hardware layer" as "Layer 1";
PatchGuard is itself just another piece of code in the Windows kernel, running together with it at CPU Ring 0, the same way any other kernel driver runs.
PatchGuard is used to block modifications to the kernel and to critical structures such as the SSDT, IDT, GDT and kernel objects. It is activated early during kernel initialization and scans the kernel structures at certain intervals to see whether they have been modified. If a structure is found to have been modified, the system is deliberately crashed to stop the modification (CRITICAL_STRUCTURE_CORRUPTION). This mechanism was mainly designed to prevent kernel rootkits, and it did not take into account that many security products also use kernel-level intercepts to monitor the system; the purpose of those intercepts is legitimate, which distinguishes them from malware.
The original article is long; the above is only the introduction. The rest follows if you want to read it.
What about PatchGuard?
Earlier, I mentioned a protection mechanism integrated into the kernel of the 64-bit Windows operating system. PatchGuard was created to prevent modifications to the kernel of the operating system and its critical structures, such as various service tables (SSDT, IDT, GDT), kernel objects and so on. The protection mechanism activates at an early stage of kernel initialization and scans the above structures over certain periods of time for the introduction of modifications. Should any modifications be identified, the system is deliberately crashed. This mechanism was primarily designed to protect against kernel-mode rootkits. However, there is a downside: many antivirus and security products use kernel-level intercepts for different, legitimate purposes, including pro-active protection modules.
Arguments over this matter still persist between antivirus vendors and Microsoft. Some maintain that antivirus companies should not use undocumented hooks within the system kernel, so other methods must be used to stop the penetration of malicious code into the kernel. Others think that Microsoft is failing to deliver the required security level, and these hooks are essential to enhance the security of the OS. A further group argues that the system cannot be trusted once malicious code penetrates into its kernel, and there is no use in treating such systems. All of these points of view have some merit, so I will not dwell further on the issue.
Any protection tool can be hacked or bypassed one way or another. PatchGuard is no exception. This mechanism was closely examined by both third-party researchers and cybercriminals, and several bypass methods were invented. For instance, TDL-4 (which infects the MBR) uses a conceptual method, in which the rootkit's hook spot is simply ignored by the protection mechanism. Other methods also exist, including those based on modifying the loader and the file of the operating system's kernel; all these are designed to disable the initialization of PatchGuard. Yet another method is based on modifying an initialized kernel; it disables the launch of the scan mechanism. Also, PatchGuard will not initialize if the kernel debugger is enabled while the operating system is booting – this feature was built in so the developers could use breakpoints to test and debug their drivers.
Bypassing PatchGuard on Windows x64, this one is somewhat dated.
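The mechanism described in the post (take a baseline of critical kernel structures early in initialization, rescan them at intervals, and deliberately halt on any difference) can be illustrated with a small user-mode model. The code below is an added example and is not PatchGuard's code, Microsoft's code or anything from the quoted article: it stands in SSDT/IDT/GDT tables with Python dicts of constructed, fictitious addresses, and `CriticalStructureCorruption` plays the role of the CRITICAL_STRUCTURE_CORRUPTION bug check. The point it shows is the detection side: a hashed baseline gives a cheap "unchanged" fast path, and a per-entry diff explains exactly which slot moved, which is what a defender wants from an integrity monitor.

```python
"""Toy integrity monitor modelling the check the post describes.

Added example for illustration only; not PatchGuard's code.  Critical
structures are modelled as name -> address tables, and all addresses below
are constructed, fictitious values.
"""
import hashlib
import json
from typing import Dict, Mapping, Tuple

# Constructed sample tables standing in for the real SSDT / IDT / GDT.
SAMPLE_STRUCTURES: Dict[str, Dict[str, int]] = {
    "SSDT": {
        "NtCreateFile": 0xFFFFF80001234560,
        "NtOpenProcess": 0xFFFFF80001234AB0,
        "NtReadFile": 0xFFFFF80001234F00,
    },
    "IDT": {"vector_0x0E": 0xFFFFF80001100E00, "vector_0x2E": 0xFFFFF80001102E00},
    "GDT": {"KGDT64_R0_CODE": 0x00209B0000000000, "KGDT64_R3_CODE": 0x0020FB0000000000},
}


class CriticalStructureCorruption(RuntimeError):
    """Stands in for bug check 0x109 (CRITICAL_STRUCTURE_CORRUPTION)."""


def digest(table: Mapping[str, int]) -> str:
    """Canonical SHA-256 of a name -> address table; sorting makes order irrelevant."""
    canonical = json.dumps(sorted(table.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


class StructureIntegrityMonitor:
    """Baseline taken once (the 'early in kernel initialization' step), then rescanned on demand."""

    def __init__(self, structures: Mapping[str, Mapping[str, int]]) -> None:
        # Keep both a digest (cheap comparison) and a copy of the entries (for the diff).
        self.baseline_digest = {name: digest(t) for name, t in structures.items()}
        self.baseline_entries = {name: dict(t) for name, t in structures.items()}

    def scan(self, structures: Mapping[str, Mapping[str, int]]) -> Dict[str, Dict[str, Tuple]]:
        """Return {structure: {entry: (expected, actual)}} for every changed, added or removed entry."""
        findings: Dict[str, Dict[str, Tuple]] = {}
        for name, expected in self.baseline_entries.items():
            actual = structures.get(name, {})
            if digest(actual) == self.baseline_digest[name]:
                continue  # fast path: whole table still matches the baseline
            diff = {}
            for key in sorted(set(expected) | set(actual)):
                if expected.get(key) != actual.get(key):
                    diff[key] = (expected.get(key), actual.get(key))
            findings[name] = diff
        return findings

    def enforce(self, structures: Mapping[str, Mapping[str, int]]) -> bool:
        """One periodic check: return True if clean, otherwise 'crash' like PatchGuard would."""
        findings = self.scan(structures)
        if findings:
            raise CriticalStructureCorruption(findings)
        return True


def demo() -> Dict[str, Dict[str, Tuple]]:
    """Simulate one SSDT slot being redirected after the baseline and report what the scan sees."""
    monitor = StructureIntegrityMonitor(SAMPLE_STRUCTURES)
    live = {name: dict(t) for name, t in SAMPLE_STRUCTURES.items()}
    live["SSDT"]["NtOpenProcess"] = 0xFFFFF88001000000  # constructed: points outside the kernel image
    return monitor.scan(live)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the single modified SSDT entry with its expected and observed addresses; `enforce()` is the variant that halts instead of reporting, which is the behaviour the post attributes to PatchGuard.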