Kernel patch protection for x64-based operating systems


This topic contains 0 replies, has 1 voice, and was last updated by Webmaster 1 year, 11 months ago.

    Applies To: Windows Server 2003 with SP1

    What does kernel patch protection do?
    Kernel patch protection prohibits kernel-mode drivers that extend or replace kernel services through undocumented means.
    This feature describes changes in policy related to patching the kernel for Microsoft Windows Server 2003 Service Pack 1 x64-based operating systems.

    Who does this feature apply to?
    This feature primarily applies to driver developers, but IT professionals may also find this information useful.

    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    Patching policy for x64-based systems

    Detailed description
    Microsoft Windows Server 2003 SP1 and later versions of Windows for x64-based systems do not allow the kernel to be patched except through authorized Microsoft-originated hotfixes.

    Why is this change important?
    Kernel-mode drivers that extend or replace kernel services through undocumented means (such as hooking the system service tables) can interfere with other software and affect the stability of the operating system. For x86-based systems, Microsoft discourages such practices but does not prevent them programmatically, because doing so would break compatibility for a significant amount of released software. A similar base of released software does not exist for x64-based systems, so it is possible to add this level of protection to the kernel without breaking compatibility.

    What works differently?
    Many system structures are protected on x64-based systems, including the system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). The operating system also does not allow third-party software to allocate memory “on the side” and use it as a kernel stack. If the operating system detects one of these modifications or any other unauthorized patch, it will generate a bug check with the stop code 0x109 and shut down the system.

    How do I fix these issues?
    For compatibility with Windows for x64-based systems, drivers cannot modify the kernel. The following actions are blocked in Windows Server 2003 SP1 for x64-based systems:
      • Modify system services tables, for example, by hooking the KeServiceDescriptor table
      • Modify the IDT
      • Modify the GDT
      • Use kernel stacks that are not allocated by the kernel
      • Patch any part of the kernel (detected on AMD64-based systems only)
    Kernel patch protection might be extended in future system updates to protect against additional malicious patching techniques as new vulnerabilities are detected. To avoid compatibility issues with these updates, drivers should not attempt to update the kernel using other mechanisms.
    Drivers for other platforms should also avoid patching the kernel to help ensure stability and reliability of the operating system and a better experience for users.

    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    Windows Server 2003 SP1 for x64-based systems is a new platform that requires new drivers. These new drivers must conform to the x64 patch policy documented on the Microsoft Web site at
    For additional information, see the Microsoft Windows Driver Development Kit (DDK) on the Microsoft Web site at
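A defender-side triage helper, added here as an example and not part of the forum post or of Microsoft's documentation: it parses the text of the Windows "BugCheck" event 1001 that the System log records after a crash and singles out stop 0x109 records, which are the crashes kernel patch protection raises when it finds a protected structure (such as the IDT or GDT) modified. The meaning of the fourth parameter is taken from Microsoft's bug check reference and is an assumption here, since the post does not list it; the event lines are constructed samples.

```python
import re
from typing import Optional, Tuple

# Text of Windows "BugCheck" event 1001 as logged after a crash. Constructed
# samples for this example, not records captured from a real host.
SAMPLE_EVENTS = [
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 "
    "(0xa3a01f58b3e8d41a, 0xb3b72bdf9d3f1c22, 0x0000000000000000, "
    "0x0000000000000002). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP.",
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e "
    "(0xffffffffc0000005, 0xfffff80001234567, 0xfffffadf12345678, "
    "0xfffffadf12345000). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP.",
]

CRITICAL_STRUCTURE_CORRUPTION = 0x109

# Parameter 4 of stop 0x109 names the corrupted region. Values per Microsoft's
# bug check reference (assumed here; the forum post does not list them).
REGION_TYPES = {
    0: "generic data region",
    1: "function or .pdata",
    2: "processor IDT",
    3: "processor GDT",
}

# Stop code followed by its four hex parameters in parentheses.
BUGCHECK_RE = re.compile(
    r"The bugcheck was: 0x([0-9a-fA-F]+) \("
    + r", ".join([r"0x([0-9a-fA-F]+)"] * 4) + r"\)"
)

def parse_bugcheck(line: str) -> Optional[Tuple[int, Tuple[int, ...]]]:
    """Return (stop code, four parameters) from an event 1001 line, or None."""
    m = BUGCHECK_RE.search(line)
    if not m:
        return None
    values = [int(g, 16) for g in m.groups()]
    return values[0], tuple(values[1:])

def classify(line: str) -> Optional[str]:
    """Triage note for a kernel patch protection crash; None for anything else."""
    parsed = parse_bugcheck(line)
    if parsed is None or parsed[0] != CRITICAL_STRUCTURE_CORRUPTION:
        return None
    region_code = parsed[1][3]
    region = REGION_TYPES.get(region_code, f"unknown region type {region_code:#x}")
    return f"stop 0x109 (kernel patch protection): corrupted {region}"

def triage(lines):
    """Collect triage notes for every 0x109 stop in a batch of event lines."""
    return [note for note in map(classify, lines) if note]
```

A 0x109 note is the cue to look for the driver that touched the named structure in the dump before assuming a hardware fault; a repeat on the same host after a driver update usually identifies the offending driver.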
