Kernel patch protection for x64-based operating systems


Applies To: Windows Server 2003 with SP1

What does kernel patch protection do?
Kernel patch protection prohibits kernel-mode drivers that extend or replace kernel services through undocumented means.
This feature describes changes in policy related to patching the kernel for Microsoft Windows Server 2003 Service Pack 1 x64-based operating systems.

Who does this feature apply to?
This feature primarily applies to driver developers, but IT professionals may also find this information useful.

What existing functionality is changing in Windows Server 2003 Service Pack 1?
Patching policy for x64-based systems

Detailed description
Microsoft Windows Server 2003 SP1 and later versions of Windows for x64-based systems do not allow the kernel to be patched except through authorized Microsoft-originated hotfixes.

Why is this change important?
Kernel-mode drivers that extend or replace kernel services through undocumented means (such as hooking the system service tables) can interfere with other software and affect the stability of the operating system. For x86-based systems, Microsoft discourages such practices but does not prevent them programmatically, because doing so would break compatibility for a significant amount of released software. A similar base of released software does not exist for x64-based systems, so it is possible to add this level of protection to the kernel without breaking compatibility.

What works differently?
Many system structures are protected on x64-based systems, including the system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). The operating system also does not allow third-party software to allocate memory "on the side" and use it as a kernel stack. If the operating system detects one of these modifications or any other unauthorized patch, it will generate a bug check with the stop code 0x109 and shut down the system.

How do I fix these issues?
For compatibility with Windows for x64-based systems, drivers cannot modify the kernel. The following actions are blocked in Windows Server 2003 SP1 for x64-based systems:
Modify system services tables, for example, by hooking the KeServiceDescriptor table
Modify the IDT
Modify the GDT
Use kernel stacks that are not allocated by the kernel
Patch any part of the kernel (detected on AMD64-based systems only)

Kernel patch protection might be extended in future system updates to protect against additional malicious patching techniques as new vulnerabilities are detected. To avoid compatibility issues with these updates, drivers should not attempt to update the kernel using other mechanisms.
Drivers for other platforms should also avoid patching the kernel to help ensure stability and reliability of the operating system and a better experience for users.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Windows Server 2003 SP1 for x64-based systems is a new platform that requires new drivers. These new drivers must conform to x64 patch policy documented on the Microsoft Web site at
For additional information see The Microsoft Windows Driver Development Kit (DDK) on the Microsoft Web site at
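The post says that a detected kernel patch ends in a bug check with stop code 0x109. The triage helper below, an added example that is not part of the original post or of Microsoft's documentation, scans System-log "BugCheck" event text for that stop code so an administrator can tell a Kernel Patch Protection shutdown apart from an ordinary crash. The log lines are constructed; the message layout is assumed to follow the shape of the Windows Event ID 1001 BugCheck message, and the meaning of the fourth bug check parameter (the type of corrupted region) is taken from Microsoft's public bug check reference and decoded only for the structures the post itself names.

```python
"""Find Kernel Patch Protection bug checks (stop 0x109) in Windows BugCheck
event text and say which protected structure was reported as modified.
Added example; not part of the original post."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Stop code named in the post: raised when a protected kernel structure
# (SSDT, IDT, GDT, a foreign kernel stack, ...) is found modified.
KPP_STOP_CODE = 0x109

# Assumption: parameter 4 of bug check 0x109 identifies the corrupted region,
# as in Microsoft's public bug check reference. Only values matching the
# structures listed in the post are decoded here.
CORRUPTED_REGION = {
    0x0: "generic data region",
    0x1: "modification of a function or .pdata",
    0x2: "processor IDT",
    0x3: "processor GDT",
}

# Assumed layout of the Event ID 1001 message:
#   "The bugcheck was: 0x<code> (0x<p1>, 0x<p2>, 0x<p3>, 0x<p4>)."
BUGCHECK_RE = re.compile(
    r"The bugcheck was: 0x(?P<code>[0-9a-fA-F]+) \("
    r"0x(?P<p1>[0-9a-fA-F]+), 0x(?P<p2>[0-9a-fA-F]+), "
    r"0x(?P<p3>[0-9a-fA-F]+), 0x(?P<p4>[0-9a-fA-F]+)\)"
)


@dataclass
class BugCheck:
    code: int
    params: Tuple[int, int, int, int]


def parse_bugcheck(line: str) -> Optional[BugCheck]:
    """Return the stop code and four parameters from one event line, or None."""
    m = BUGCHECK_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    params = tuple(int(m.group(k), 16) for k in ("p1", "p2", "p3", "p4"))
    return BugCheck(code, params)  # type: ignore[arg-type]


def is_kpp_bugcheck(bc: BugCheck) -> bool:
    """True when the crash was raised by Kernel Patch Protection."""
    return bc.code == KPP_STOP_CODE


def describe_region(bc: BugCheck) -> str:
    """Name the protected structure reported in parameter 4, if known."""
    region_type = bc.params[3]
    return CORRUPTED_REGION.get(
        region_type, f"region type 0x{region_type:x} (not decoded here)"
    )


def triage(lines) -> list:
    """Return one record per line that is a 0x109 bug check."""
    hits = []
    for line in lines:
        bc = parse_bugcheck(line)
        if bc is not None and is_kpp_bugcheck(bc):
            hits.append({
                "code": bc.code,
                "region": describe_region(bc),
                "line": line,
            })
    return hits


# Constructed sample event text (not real crash data).
SAMPLE_LINES = [
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 "
    "(0xa3a039d89c4a0d1f, 0xb3b7465eed0c3f22, 0x0000000000000000, "
    "0x0000000000000002). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP.",
    "The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e "
    "(0xffffffffc0000005, 0xfffff80001234567, 0xfffffadf12345678, "
    "0xfffffadf12345000). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP.",
    "The Print Spooler service entered the running state.",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"stop 0x{hit['code']:x}: Kernel Patch Protection, {hit['region']}")
```

Run over exported System-log text, a 0x109 hit is the signal to look for a recently installed third-party driver that modifies the SSDT, IDT or GDT rather than for a hardware fault; the fourth parameter narrows that search to the structure that was touched.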
