Security software executing on a computer needs to intercept various events, such as file system activity, registry activity, process/thread creation, module loads/unloads, and the like. An operating system (OS) typically provides application programming interfaces (APIs) and/or frameworks that can be used to intercept some events. However, it may be desirable for the security software to intercept events for which the OS provides no legitimate interception mechanism. The security software can address this issue by patching the kernel code of the OS to intercept the events of interest.
The advent of kernel patch protection (KPP) in some OSes, however, defeats this scheme. KPP was introduced to prevent privileged software from patching kernel code and/or critical kernel data structures. KPP typically takes a snapshot of the kernel code (and other critical code), as well as critical data structures, and then periodically recomputes checksums and compares them against the snapshot to verify that the protected code/data remains unchanged. KPP also updates its checksums when there are legitimate modifications to data structures. KPP detects any other modification to the protected code/data, treats it as malicious, and immediately shuts down the OS. While KPP is designed to protect against malicious software, it also affects the operation of legitimate security software that needs to patch kernel code in order to operate as designed.
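As an added illustration (not part of the patent text), the following user-mode C model walks through the cycle the paragraph describes: a baseline checksum is taken of a protected region, periodic re-checks compare against it, a legitimate modification by the OS is followed by a baseline refresh, and a patch applied without that refresh is detected on the next check. The FNV-1a checksum, the region bytes and all function names are assumptions chosen for the example, not details of any real KPP implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A protected region: where the code/data lives and the checksum recorded at snapshot time. */
typedef struct {
    const uint8_t *base;
    size_t len;
    uint64_t baseline;
} kpp_region;

/* 64-bit FNV-1a stands in for the real checksum (assumption: the page does not name one).
 * Each byte step is a bijection on the state, so changing any single byte changes the result. */
uint64_t kpp_checksum(const uint8_t *p, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Snapshot phase: record the baseline for a region of kernel code or a critical data structure. */
void kpp_snapshot(kpp_region *r, const uint8_t *base, size_t len) {
    r->base = base;
    r->len = len;
    r->baseline = kpp_checksum(base, len);
}

/* Periodic check: true while the region still matches its snapshot; false is the "shut down" case. */
bool kpp_verify(const kpp_region *r) {
    return kpp_checksum(r->base, r->len) == r->baseline;
}

/* Legitimate-modification path: the OS changed the structure itself, so the baseline is refreshed. */
void kpp_refresh(kpp_region *r) {
    r->baseline = kpp_checksum(r->base, r->len);
}

/* Walks the three cases from the text. Returns a bitmask: 1 = untouched region passes,
 * 2 = legitimate update followed by a refresh passes, 4 = an unrefreshed patch is detected. */
int kpp_scenario(void) {
    uint8_t region[8] = {0x55, 0x48, 0x89, 0xE5, 0x90, 0x90, 0x5D, 0xC3}; /* constructed bytes */
    kpp_region r;
    int result = 0;
    kpp_snapshot(&r, region, sizeof region);
    if (kpp_verify(&r)) result |= 1;
    region[5] = 0x01;             /* the OS updates a field in a protected data structure... */
    kpp_refresh(&r);              /* ...and KPP records the new checksum as the baseline */
    if (kpp_verify(&r)) result |= 2;
    region[1] = 0xE9;             /* third-party code overwrites an instruction, no refresh */
    if (!kpp_verify(&r)) result |= 4;
    return result;
}
```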
To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures. It is contemplated that elements disclosed in one embodiment may be beneficially utilized on other embodiments without specific recitation.