Than eliminate them

Jul 26, 2006 13:52 GMT

Security experts from Agnitum have warned that Microsoft's recently launched Kernel Patch Protection, which ties the Windows OS kernel design together with Microsoft's own security solutions, will actually cause more harm than good. Their reasoning is twofold: such technology can itself be turned to malicious purposes, while the kernel protection will block the installation of third-party security software.

Agnitum claims that proactive protection starts with kernel control. Low-level system operations are possible through the documented API offered by Microsoft, but this technique limits the control available over file and registry services. An alternative is the modification, and in some cases even the replacement, of code and critical fundamental structures, in a process dubbed kernel patching. The last approach, and the most commonly implemented one, involves altering the Service Dispatch Table that handles transfers between user mode and the kernel. This last approach is the only one that actually guarantees complete control over the kernel.

"Microsoft, however, prefers that developers not use this approach. In fact, the company has gone so far, in the x64 versions of Windows, as to prevent call redirection involving 32-bit SDT pointers. In a recent update, Microsoft removed the ability for developers to legitimately change the service number in the SDT, introducing so-called kernel patch protection for x64-based versions of Windows Server 2003 SP1, Windows XP, and later versions of Windows for x64-based systems," explained Agnitum.

The Agnitum experts claim that Kernel Patch Protection restricts the implementation of legitimate security solutions while itself remaining vulnerable to malicious reverse engineering.