
OpenRCE Article Comments: Microsoft Patching Internals

Article Abstract

Caveat Emptor: This article was not written to read like a novel. It is a to-the-point technical dump describing the inner workings of Microsoft's cold and hot patching process. The majority of the symbolic names listed below have been derived from NTDLL and NTOSKRNL. Please post any questions you may have directly to this article (for the benefit of others) and the author will gladly respond. The article may be updated in the future to include some of these answers inline.

A companion download including examples and the appropriate header files is available: MSPatching.zip.


Article Comments
Opcode Posted: Thursday, April 27 2006 08:43.22 CDT
Awesome article! Thanks!!!

JxT Posted: Saturday, May 6 2006 03:38.03 CDT
This is a good write up, thanks for sharing!

r1ck Posted: Thursday, August 17 2006 16:07.29 CDT
I'm ignorant of Win32, but why not cold-patch the PE code directly and relocate all jumps?
What happens with loaded processes? The file will be locked and will not be editable.

EliCZ Posted: Friday, August 18 2006 01:45.52 CDT
A cold-patched image has the faulty functions redirected to the PE coldpatch section; the jumps do not have to be relocated (why?). Existing processes are hot-patched.
The other thing is why not perform the specific and most used hotpatch (5x nop + mov ezz, ezz -> long + short jump) in one 7-byte hook instead of in two (5-byte + 2-byte) hooks.

r1ck Posted: Friday, August 18 2006 13:49.09 CDT
Hot-patching is not persistent; it is only in memory. The running processes cannot be cold-patched, can they?

When you are cold-patching, if you replace a 2-byte instruction with a 4-byte instruction, all the code will be moved and the non-relative jumps will need to be recalculated.

mugg Posted: Tuesday, January 23 2007 01:26.44 CST
Got an example of Microsoft using the 'hot-patch' functionality? Any kernel mode hot patches?

EliCZ Posted: Wednesday, January 24 2007 09:04.35 CST
819696, 823182, 888113, 893086, 899588, 901190 for x86. Right now none for x64, IA64; none for kernel mode.

h4x0r Posted: Monday, May 14 2007 18:44.09 CDT
Heh, so Microsoft actually got hot-patching done while GNU hippies just kept theorizing about it: http://www.uwsg.iu.edu/hypermail/linux/kernel/0509.2/1164.html.

I haven't dug much into it yet, just read the article and source... MSDN documentation of the actual process is rather superficial, so there are a few things puzzling me:

1) Why is cold patching done in such a tedious way? Why not just replace entire PE binaries the usual way it's done? The only explanation seems to be in order to keep in sync with the hot-patched memory image, for cases where the binary gets paged out of physical memory?

2) You mention that userspace hot-patching is possible with non-driver privs. Being under the impression that NT is clever enough to patch the actual shared pages, wouldn't that result in injecting code into a privileged process sharing the same .dll? Again, this is under the (possibly wrong) assumption that ExApplyCodePatch verifies the process, not the actual file. It may be quite possible that ntdll just OpenProcess'es and does the usual stuff, but that wouldn't be Microsoft..

And lastly, if this API is present in Vista, together with their kernel PatchGuard, it'll be an anecdotal couple, provided there are no signing constraints ;-)

Disassembly of the relevant APIs is definitely in order.

PS: great to see some .cz scene oldschoolers still playing with new stuff nowadays; if you ever come over to Pilsen, gimme a ring ;)


lain32 Posted: Sunday, November 30 2008 04:32.20 CST

xpoy Posted: Monday, May 2 2011 10:45.37 CDT
a list of RTL_PATCH_HEADER structures in TargetModule.LDR_DATA_TABLE_ENTRY.PatchInformation is traversed and bytes at HOTPATCH_HOOK_DESCRIPTOR.CodeOffset are compared with the prepared branch instruction.

Should this be:
a list of RTL_PATCH_HEADER structures in TargetModule.LDR_DATA_TABLE_ENTRY.PatchInformation is traversed and bytes at RTL_PATCH_HEADER.CodeInfo.CodeDescriptors[].CodeOffset are compared with the prepared branch instruction.
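
The two points raised in this thread, EliCZ's 5-byte + 2-byte hook layout and the "bytes at CodeOffset are compared with the prepared branch instruction" check that xpoy quotes, can be watched together on a plain byte buffer. The following is an added example written for this page; it is not code from the article or from the MSPatching.zip companion download. It builds the 7-byte branch the thread describes (a 5-byte jmp rel32 over the five NOPs of padding, then a 2-byte jmp short -7 over mov edi, edi), applies it in two writes with the padding first, because no thread ever executes the padding and the 2-byte store over the entry is the only write running code can observe, and refuses to re-apply a hook whose bytes already match the prepared branch. The prologue bytes, the image base and the target address are constructed values, and nothing here touches a real process.

```c
/* Added example: byte-level simulation of the x86 user-mode hotpatch hook.
 * Not from the article or MSPatching.zip; all addresses and bytes are made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAD_LEN  5                 /* five NOP bytes before the entry point */
#define HOOK_LEN (PAD_LEN + 2)     /* 5-byte long jmp + 2-byte short jmp */

enum { HP_APPLIED = 0, HP_NOT_HOTPATCHABLE = -1, HP_ALREADY_PATCHED = 1 };

#define ENTRY_OFF   PAD_LEN        /* CodeOffset of the function entry in the image */
#define IMAGE_BASE  0x10001000u    /* assumed VA the image is mapped at */
#define TARGET_VA   0x10002345u    /* assumed VA of the replacement function */

/* Constructed sample prologue (not taken from any real binary):
 * 5 x NOP padding, then mov edi,edi / push ebp / mov ebp,esp / ret. */
static uint8_t image[32] = {
    0x90, 0x90, 0x90, 0x90, 0x90,  /* padding: never executed */
    0x8B, 0xFF,                    /* mov edi, edi (2-byte no-op at the entry) */
    0x55,                          /* push ebp */
    0x8B, 0xEC,                    /* mov ebp, esp */
    0xC3                           /* ret */
};

/* Hotpatchable means: entry is "mov edi,edi" and the five bytes before it are NOPs. */
int is_hotpatchable(const uint8_t *img, size_t entry)
{
    if (entry < PAD_LEN) return 0;
    for (size_t i = entry - PAD_LEN; i < entry; i++)
        if (img[i] != 0x90) return 0;
    return img[entry] == 0x8B && img[entry + 1] == 0xFF;
}

/* Prepare the 7-byte branch: E9 rel32 in the padding, EB F9 at the entry.
 * rel32 is relative to the end of the 5-byte jmp, which is the entry VA. */
void build_hook(uint8_t hook[HOOK_LEN], uint32_t entry_va, uint32_t target_va)
{
    uint32_t rel32 = target_va - entry_va;   /* pad_va + 5 == entry_va */
    hook[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        hook[1 + i] = (uint8_t)(rel32 >> (8 * i));
    hook[5] = 0xEB;                          /* jmp short */
    hook[6] = (uint8_t)-HOOK_LEN;            /* -7: back to the long jmp (0xF9) */
}

/* Apply the hook in the order discussed in the thread: the 5 bytes go into the
 * padding first (no thread runs there), then the 2-byte short jmp replaces
 * mov edi,edi, the single store that redirects execution. Before writing, the
 * bytes at the hook site are compared with the prepared branch so an already
 * applied patch is reported instead of re-applied. */
int apply_hotpatch(uint8_t *img, size_t entry, uint32_t image_base, uint32_t target_va)
{
    uint8_t hook[HOOK_LEN];
    uint8_t *pad = img + entry - PAD_LEN;

    build_hook(hook, image_base + (uint32_t)entry, target_va);
    if (memcmp(pad, hook, HOOK_LEN) == 0)
        return HP_ALREADY_PATCHED;
    if (!is_hotpatchable(img, entry))
        return HP_NOT_HOTPATCHABLE;

    memcpy(pad, hook, PAD_LEN);              /* step 1: long jmp into the padding */
    memcpy(img + entry, hook + PAD_LEN, 2);  /* step 2: short jmp over mov edi,edi */
    return HP_APPLIED;
}

/* Follow the control flow a CPU would take from the entry: decode short/near
 * jmps and return the VA execution ends up at (the entry VA itself if unpatched). */
uint32_t follow_jumps(const uint8_t *img, uint32_t image_base, size_t entry)
{
    size_t off = entry;
    for (int hops = 0; hops < 4; hops++) {
        if (img[off] == 0xEB) {                          /* jmp short rel8 */
            off = (size_t)((long)off + 2 + (int8_t)img[off + 1]);
        } else if (img[off] == 0xE9) {                   /* jmp near rel32 */
            uint32_t rel = 0;
            for (int i = 0; i < 4; i++) rel |= (uint32_t)img[off + 1 + i] << (8 * i);
            return image_base + (uint32_t)off + 5 + rel;
        } else {
            break;                                       /* ordinary instruction */
        }
    }
    return image_base + (uint32_t)off;
}

int main(void)
{
    uint8_t hook[HOOK_LEN];
    build_hook(hook, IMAGE_BASE + ENTRY_OFF, TARGET_VA);
    printf("prepared branch:");
    for (int i = 0; i < HOOK_LEN; i++) printf(" %02X", hook[i]);
    printf("\nfirst apply:  %d\n", apply_hotpatch(image, ENTRY_OFF, IMAGE_BASE, TARGET_VA));
    printf("second apply: %d\n", apply_hotpatch(image, ENTRY_OFF, IMAGE_BASE, TARGET_VA));
    printf("entry now flows to 0x%08X (target 0x%08X)\n",
           follow_jumps(image, IMAGE_BASE, ENTRY_OFF), TARGET_VA);
    return 0;
}
```

Build with any C99 compiler and run it: the second apply_hotpatch call reports HP_ALREADY_PATCHED, which is the idempotence check the quoted sentence describes, although the real loader finds the hook sites by walking the RTL_PATCH_HEADER list in PatchInformation rather than recomputing the branch as this simulation does. The push ebp that follows mov edi,edi is never touched, which is why the two-instruction layout needs no relocation of the function body.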

