In order to look at PatchGuard on Window RT 8.1, almost all I had to do was to identify PatchGuard related functions and map them with corresponding functions on x64.
Here is a table showing that mapping (ones have different names between platforms are highlighted).
| x64 | ARM |
| CcAdjustBcbDepth | CcUnmapBehindLazyReader |
| CcBcbProfiler | CcDelayedFlushTimer |
| CcInitializeBcbProfiler | CcPrepareDelayedFlushTimers |
| CmpAppendDllSection | ExpWnfAcquireNameInstanceShared |
| CmpEnableLazyFlushDpcRoutine | CmpEnableLazyFlushDpcRoutine |
| CmpLazyFlushDpcRoutine | CmpLazyFlushDpcRoutine |
| DeferredRoutine | <NoSymbol> |
| ExInitSystemPhase2 | ExInitSystemPhase2 |
| ExpCenturyDpcRoutine | ExpCenturyDpcRoutine |
| ExpTimerDpcRoutine | ExpTimerDpcRoutine |
| ExpTimeRefreshDpcRoutine | ExpTimeRefreshDpcRoutine |
| ExpTimeZoneDpcRoutine | ExpTimeZoneDpcRoutine |
| FsRtlMdlReadCompleteDevEx | RtlpExecuteHandlerForUnwind_xdata_compact |
| FsRtlUninitializeSmallMcb | ExpPrefetchPushLock |
| IopTimerDispatch | IopTimerDispatch |
| KeCompactServiceTable | KeCompactServiceTable |
| KeInitAmd64SpecificState | KeArmDiscoverCacheTopology |
| KiBalanceSetManagerDeferredRoutine | KiBalanceSetManagerDeferredRoutine |
| KiDispatchCallout | CcDelayedFlushTimer |
| KiDpcDispatch | <NoSymbol> |
| KiFastGetCallersAddress | KiFastGetCallersAddress |
| KiFatalExceptionFilter | KiFatalExceptionFilter |
| KiFilterFiberContext | KiArmDiscoverCacheTopology |
| KiGetGdtIdt | <NoSymbol> |
| KiLockExtendedServiceTable | KiLockExtendedServiceTable |
| KiLockServiceTable | KiLockServiceTable |
| KiMcaDeferredRecoveryService | KiInitializeExternalCacheController |
| KiScbQueueScanWorker | PopPdcSampleIdleTimeouts |
| KiServiceTablesLocked | KiServiceTablesLocked |
| KiTimerDispatch | <NoSymbol> |
| PopPoCoalescinCallback | PopPoCoalescinCallback |
| PopThermalZoneDpc | PopThermalZoneDpc |
| PsQueryThreadTerminationPort | PspGetReaperLink |
| RtlLookupFunctionEntryEx | CmpFlushLockedHives |
| SdbpCheckDll | PspInitDeferredResourceReservation |
| <NoSymbol> | CmpDelayFreeTMWorker |
| <NoSymbol> | FsRtlPrivateResetHighestLockOffset |
| <NoSymbol> | FsRtlReInitializeTunnelCache |
| <NoSymbol> | FsRtlRemovePerStreamContextEx |
| <NoSymbol> | KiCheckForDivideOverflow |
| <NoSymbol> | KiRundownScbQueue |
| <NoSymbol> | RtlInsertSmallIndex |
These functions were taken from an ntoskrnl.exe version 6.3.9600.17476 and either only used by PatchGuard or have some importance from the point of view of analysis. For example, IopTimerDispatch() is not a PatchGuard dedicated function but can be used as one of its DPC routines, while KeInitAmd64SpecificState() and KeArmDiscoverCacheTopology() are dedicated and only used to initiate PatchGuard.
It seemed that some more functions were added for PatchGuard since Windows 10, but most, if not all, of these functions still remain the same name, so though this list is unlikely to be perfect, it would help you start your own analysis on both x64 and ARM.
No comments:
Post a Comment