Patchguard 3.0 ? :)

http://www.microsoft.com/technet/security/advisory/932596.mspx

Microsoft Security Advisory (932596)
Update to Improve Kernel Patch Protection
Published: August 14, 2007

An update is available for Kernel Patch Protection included with x64-based Windows operating systems. Kernel Patch Protection protects code and critical structures in the Windows kernel from modification by unknown code or data. This update adds additional checks to this protection for increased reliability, performance, and resiliency of Windows. For more information about this release, see Microsoft Knowledge Base Article 932596. We encourage customers running x64-based Windows operating systems to install this update. For more information about Kernel Patch Protection, see the following Microsoft Web Site. For more information about the updates included in this release, see Microsoft Knowledge Base Article 932596.

Related Software:
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Vista x64 Edition


To be continued…

Waldo!!

As I explained in a previous post (Here), there are some funny programmers in Redmond who like to leave hidden strings behind.

The following sample is from the Windows 2000 kernel.

.text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric
.text:004054B0 46 2E 4E 65 6C 73 6F 6E DE B0 FE 50 6A 59 D2 11 F.Nelson

But who is Eric F. Nelson? :)

Moreover, in NtSetVolumeInformationFile() a guy named Jess left his fingerprint too :p

PAGE:004D71BD                 mov     esi, offset KernelConspiration
PAGE:004D71C2                 lea     edi, [ebp+UnusedString]
PAGE:004D71C5                 movsd
PAGE:004D71C6                 movsd
PAGE:004D71C7                 movsd
PAGE:004D71C8                 movsd

As one would guess, the first four bytes are the person's name, but what do the three additional dwords mean?

.text:00405338 KernelConspiration db 'Jess'
.text:0040533C                          dd 11D0812Ah
.text:00405340                          dd 8C7BEh
.text:00405344                          dd 2F09E22Bh

typedef struct _KERNEL_CONSPIRATION {
    BYTE  szName[4];
    DWORD HarryKilledVoldemort;
    DWORD HarryGetMarriedWithGinny;
    DWORD AndRonWithHermione;
} KERNEL_CONSPIRATION, *PKERNEL_CONSPIRATION;

Oops! I’m not a spoiler!! hahaha

Save the trees, stop Harry Potter’s publication!
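One check worth making before guessing at the three extra dwords, as an added example that is not code from the original post: the four movsd copy 16 bytes, which is exactly sizeof(GUID), so lay the KernelConspiration bytes from the listing above over the Windows GUID layout and read the RFC 4122 version and variant fields. The struct, the helper names and the byte array are constructed for this illustration; only the byte values come from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 16 bytes at .text:00405338, constructed from the post's listing (db 'Jess',
 * dd 11D0812Ah, dd 8C7BEh, dd 2F09E22Bh), each dword stored little-endian as on x86. */
static const uint8_t kernel_conspiration[16] = {
    'J',  'e',  's',  's',  0x2A, 0x81, 0xD0, 0x11,
    0xBE, 0xC7, 0x08, 0x00, 0x2B, 0xE2, 0x09, 0x2F,
};

/* Windows GUID layout: Data1/Data2/Data3 little-endian, Data4 raw bytes. */
struct guid { uint32_t data1; uint16_t data2, data3; uint8_t data4[8]; };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Overlay 16 raw bytes on the GUID layout. */
static struct guid guid_from_bytes(const uint8_t b[16]) {
    struct guid g = { le16(b) | ((uint32_t)le16(b + 2) << 16), le16(b + 4), le16(b + 6), {0} };
    memcpy(g.data4, b + 8, 8);
    return g;
}

/* RFC 4122: the version is the top nibble of Data3 (1 = time-based), and
 * the variant requires the top two bits of Data4[0] to be 10b. */
static int guid_version(const struct guid *g) { return g->data3 >> 12; }
static int guid_is_rfc4122(const struct guid *g) { return (g->data4[0] & 0xC0) == 0x80; }

/* Registry-style text form; out must hold 39 bytes. */
static void guid_to_string(const struct guid *g, char out[39]) {
    snprintf(out, 39, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
             (unsigned)g->data1, (unsigned)g->data2, (unsigned)g->data3,
             g->data4[0], g->data4[1], g->data4[2], g->data4[3],
             g->data4[4], g->data4[5], g->data4[6], g->data4[7]);
}

/* Formats the blob and returns its version if the variant check passes, else 0.
 * In a version-1 GUID, Data4[2..7] is the node (MAC) field, so its first three
 * bytes are an OUI that can be looked up in the IEEE registry. */
static int check_guid_blob(const uint8_t b[16], char text[39]) {
    struct guid g = guid_from_bytes(b);
    guid_to_string(&g, text);
    return guid_is_rfc4122(&g) ? guid_version(&g) : 0;
}

int main(void) {
    char text[39];
    int version = check_guid_blob(kernel_conspiration, text);
    printf("%s version=%d\n", text, version);
    return 0;
}
```

For these bytes it prints {7373654A-812A-11D0-BEC7-08002BE2092F} version=1, a well-formed time-based GUID whose node field 08-00-2B-E2-09-2F starts with the OUI 08-00-2B registered to Digital Equipment Corporation. That makes the block read as a GUID-shaped value whose low dword spells 'Jess' rather than a name followed by three dwords of padding, a reading the post's joke struct does not consider.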