Contents

Checking the SSDT 549

Checking IRP Handlers 550

Checking for User-Mode Hooks 552

Parsing the PEB: Part I 555

Parsing the PEB: Part II 558

11.9 Counter-Countermeasures 558

Assuming the Worst Case 559

Worst-Case Countermeasure #1 559

Worst-Case Countermeasure #2 559

Chapter 12 Modifying Code 561

Types of Patching 562

In-Place Patching 562

Detour Patching 563

Prologue and Epilogue Detours 565

Detour Jumps 566

12.1 Tracing Calls 567

Detour Implementation 572

Acquire the Address of NtSetValueKey() 575

Initialize the Patch Metadata Structure 576

Verify the Original Machine Code Against a Known Signature 577

Save the Original Prologue and Epilogue Code 578

Update the Patch Metadata Structure 578

Lock Access and Disable Write-Protection 579

Inject the Detours 579

The Prologue Detour 580

The Epilogue Detour 582

Postgame Wrap-Up 586

12.2 Subverting Group Policy 586

Detour Implementation 588

Initializing the Patch Metadata Structure 588

The Epilogue Detour 589

Mapping Registry Values to Group Policies 593

12.3 Bypassing Kernel-Mode API Loggers 595

Fail-Safe Evasion 596

Kicking It Up a Notch 600

12.4 Instruction Patching Countermeasures 600

XV