Only allowing "signed by Microsoft" drivers is not the only problem which we will have to face on Windows Vista. Even when only debugging your own Ring3 applications, a Ring0 Debugger has some advanced features which are not available in Ring3.
Quote from Microsoft on the topic "patch protection" (implemented in Win2003 x64 and Vista x86/x64):
Quote:
Q. What happens if an application or driver attempts to patch the kernel on a system that supports patch protection?
A. If the operating system detects an application or driver that patches the kernel, it generates a bug check and shuts down the system. Modifications that trigger this behavior are:
- Modifying system service tables
- Modifying the interrupt descriptor table (IDT)
- Modifying the global descriptor table (GDT)
- Using kernel stacks that are not allocated by the kernel
- Patching any part of the kernel (detected on AMD64-based systems only)
Over time, patch protection will be extended to protect additional kernel resources.
|
An IDT protection for example prevents anybody from using hardware breakpoints. (since INT 01 can't be "hooked" any more)