Ring0 Rootkit - Coexistence with Viruses in Windows Kernel
Antivirus software must protect itself from being shut down by malicious programs. Because of PatchGuard, techniques such as kernel hooking have been forbidden since 64-bit Windows XP and Windows Server 2003. Instead, Microsoft provides mechanisms such as ObRegisterCallbacks, which let a driver detect and block operations on processes and threads.
Attackers, in turn, need to avoid detection by the antivirus software. An attacker who obtains kernel execution rights can not only try to bypass the antivirus software but also cripple its functionality. To keep malicious programs stealthier, rather than turning the antivirus software off, we disable its protection, or even make the antivirus software itself execute the malicious program.
This talk will introduce how antivirus software implements self-protection and how attackers can break this layer of protection without being detected by PatchGuard. With a Ring0 backdoor in place, the traces left by malicious programs become considerably harder to detect.
Zeze
- TeamT5 Intern
- Member of NTU DCNS Lab
- Member of the BambooFox and ⚔️TSJ⚔️ CTF teams
- Windows Security Enthusiast