Kernel Patch Protection (AKA Patch Guard)

kppIn order to preserve the stability of window OS, Microsoft came up with an idea of protecting critical kernel structures from being modified outside of the context of approved modifications (example windows patching). The intention here was to prevent both malicious software and third party vendors from modifying certain critical operating system structures.

KPP was implemented shortly after the release of 64bit systems in the year 2005. KPP protects a bunch of system critical files, tables, registers and structures. Some of the major ones are

– Ntoskrnl.dll, HAL.dll, ci.dll, kdcom.dll, pshed.dll, clfs.sys,ndis.sys, tcpip.sys

– GDT (Global Descriptor Table)

– IDT (Interrupt Descriptor table)

– SSDT (System Service Descriptor table)

– MSR and machine state registers

When KPP detects an unintended change in any of the protected structures it crashes the system with code 0x0019 CRITICAL_STRUCTURE_CORRUPTION.

Although the feature is intended to ensure kernel stability by preventing un-condoned behavior which can cause BSOD, API hooking or rootkits compromises, it also has a side effect of preventing legitimate products from functioning properly. Adding to the misery, there is no mechanism for the system to distinguish between known good components and a potential malicious component. This impacted the third party software vendors particularly AV and other security providers as they were blocked from kernel patching. The only way they can interact with these critical file structures is by following the usage of MS approved APIs which would allow their products to interact with the kernel in an authorized manner. This led a lot of vendors to rethink about the approach in creating more workable tools for the operating system which in turn added more time and cost.

Conclusion – Patch guard greatly reduces the risk of security compromise on a system and improves the overall reliability and stability of the system. Although KPP would not protect the whole system, it still does a fantastic job of protecting the heart and soul of the operating system.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s