Kernel Patch Protection - Technical Overview

Technical Overview

The Windows kernel is designed so that device drivers have the same privilege level as the kernel itself. In turn, device drivers are expected to not modify or patch core system structures within the kernel. In x86 editions of Windows, Windows does not enforce this expectation that drivers not patch the kernel. But because the expectation is not enforced on x86 systems, some programs, notably certain security and antivirus programs, were designed to perform needed tasks through loading drivers that modified core kernel structures.

In x64 editions of Windows, Microsoft chose to begin to enforce the restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that actually enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a bug check and shut down the system, with a blue screen and/or reboot. The corresponding bugcheck number is 0x109, the bugcheck code is CRITICAL_STRUCTURE_CORRUPTION. Prohibited modifications include:

• Modifying system service tables
• Modifying the interrupt descriptor table
• Modifying the global descriptor table
• Using kernel stacks not allocated by the kernel
• Modifying or patching code contained within the kernel itself, or the HAL or NDIS kernel libraries

It should be noted that Kernel Patch Protection only defends against device drivers modifying the kernel. It does not offer any protection against one device driver patching another.

Ultimately, since device drivers have the same privilege level as the kernel itself, it is impossible to completely prevent drivers from bypassing Kernel Patch Protection and then patching the kernel. KPP does however present a significant obstacle to successful kernel patching. With highly obfuscated code and misleading symbol names, KPP employs security through obscurity to hinder attempts to bypass it. Periodic updates to KPP also make it a "moving target", as bypass techniques that may work for a while are likely to break with the next update. Since its creation in 2005, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.