A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10962  by lorddoskias
 Wed Jan 11, 2012 4:55 pm
I recently read the 3 papers regarding PatchGuard on Uninformed and I have the ambition to try and reverse the current incarnation myself. One detail escapes me though - how do people manage to hook into the boot process of Windows that early using WinDbg? I mean in my installation I use VirtualKD, and when I start the VM and choose the debug mode, only then can WinDbg attach, and by reading I was left with the impression it is necessary to hook into the boot process much earlier so that PatchGuard won't disable itself? E.g. before KiFilterFiberContext etc.? Should something like Bochs be used?
 #10968  by EreTIk
 Wed Jan 11, 2012 10:07 pm
You can use WinDbg before the kernel is loaded: bootmgr debugging. Unfortunately, a third-party debug transport is not supported (kdvm.dll from VirtualKD cannot be loaded). But you can use VMware or VBox: COM port <-> pipe.
To configure debugging of bootmgr: http://l0werring.wordpress.com/2009/08/ ... 93-part-1/
The following commands allow you to debug the bootmgr and break in very early, pretty much as early as the hand-off from the BIOS to the bootmgr is done.
For serial the settings should look like:

bcdedit /bootdebug {bootmgr} on
bcdedit /debug {bootmgr} on
bcdedit /set {bootmgr} debugtype serial
bcdedit /set {bootmgr} baudrate 115200
bcdedit /set {bootmgr} debugport 1

....

After you enable the above settings in BCDEdit and reboot the machine, the appropriate boot binary (in our case bootmgr) should break into the debugger.
There is one very important step to remember, and that is to make sure you have set the initial breakpoint using WinDbg before you restart:

Kd> sxe ibp

I have also found it helps to do this in case it is the bootmgr you are interested in:

Kd> sxe ld:bootmgr
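The COM-port-to-pipe setup described above, written out as an added example (this is not code from the post or from the linked blog). It has a guest side, run as Administrator inside the VM, which applies the bcdedit settings for {bootmgr} and verifies them, and a host side, which points the VM's COM1 at a named pipe and attaches WinDbg to it. The pipe name `\\.\pipe\com_1`, the VM name, the VirtualBox COM1 resource values (I/O 0x3F8, IRQ 4) and the WinDbg path are assumptions for the example; change them to match your setup. The optional `-AlsoKernel` switch goes slightly beyond the post: it also enables the kernel debugger over the same serial port for the OS entry, which is what VirtualKD would otherwise be doing.

```powershell
<#
  Added example, not from the forum post. Two roles:
    Guest:          run inside the VM as Administrator; sets up bootmgr debugging over COM1.
    HostConfigure:  run on the host with the VM powered off; maps the VM's COM1 to a named pipe.
    HostAttach:     run on the host once the VM is up; attaches WinDbg to that pipe.
  Assumed values: pipe \\.\pipe\com_1, VM name, COM1 resources, WinDbg path.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Guest','HostConfigure','HostAttach')][string]$Role,
    [string]$PipeName = '\\.\pipe\com_1',                              # assumed pipe name
    [string]$VmName   = 'Win7-PatchGuard',                             # assumed VirtualBox VM name
    [string]$WinDbg   = 'C:\Program Files\Debugging Tools for Windows (x64)\windbg.exe',
    [switch]$AlsoKernel
)

function Set-BootmgrSerialDebug {
    # The five settings from the post. /bootdebug turns on the boot debugger for
    # {bootmgr}; /debug plus debugtype/baudrate/debugport pick the transport.
    # debugport 1 is the guest's COM1, which the host side maps to the pipe.
    $steps = @(
        @('/bootdebug', '{bootmgr}', 'on'),
        @('/debug',     '{bootmgr}', 'on'),
        @('/set',       '{bootmgr}', 'debugtype', 'serial'),
        @('/set',       '{bootmgr}', 'baudrate',  '115200'),
        @('/set',       '{bootmgr}', 'debugport', '1')
    )
    if ($AlsoKernel) {
        # Beyond the post: kernel debugging for the OS entry over the same COM port.
        $steps += ,@('/debug', '{current}', 'on')
        $steps += ,@('/dbgsettings', 'serial', 'debugport:1', 'baudrate:115200')
    }
    foreach ($a in $steps) {
        Write-Host ("> bcdedit " + ($a -join ' '))
        & bcdedit @a
        if ($LASTEXITCODE -ne 0) { throw "bcdedit $($a -join ' ') failed" }
    }
    # Check before rebooting: every element just set must show up on the entry.
    $enum = & bcdedit /enum '{bootmgr}' | Out-String
    foreach ($k in 'bootdebug', 'debugtype', 'baudrate', 'debugport') {
        if ($enum -notmatch $k) { throw "bcdedit /enum {bootmgr} does not show '$k'" }
    }
    $enum
}

function Set-VmSerialPipe {
    # VirtualBox: COM1 (I/O 0x3F8, IRQ 4) backed by a host-side named-pipe server.
    & VBoxManage modifyvm $VmName --uart1 0x3F8 4 --uartmode1 server $PipeName
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage modifyvm failed" }
    # VMware Workstation instead: with the VM powered off, add these lines to the
    # .vmx file (serial0 is the guest's COM1):
    #   serial0.present = "TRUE"
    #   serial0.fileType = "pipe"
    #   serial0.fileName = "\\.\pipe\com_1"
    #   serial0.pipe.endPoint = "server"
    #   serial0.tryNoRxLoss = "TRUE"
}

function Start-WinDbgOnPipe {
    # WinDbg is the pipe client; resets=0 and reconnect keep the session alive
    # across the resets a boot-debug session goes through.
    $kd = "com:pipe,port=$PipeName,resets=0,reconnect"
    Start-Process -FilePath $WinDbg -ArgumentList @('-k', $kd)
    $kd
}

switch ($Role) {
    'Guest'         { Set-BootmgrSerialDebug }
    'HostConfigure' { Set-VmSerialPipe }
    'HostAttach'    { Start-WinDbgOnPipe }
}
```

Order of operations matters, because the pipe only exists while the VM process is running: run `-Role HostConfigure` with the VM off, boot the VM and run `-Role Guest` inside it, then `-Role HostAttach` on the host, type `sxe ibp` (and `sxe ld:bootmgr`) in the WinDbg window, and only then restart the guest so that bootmgr breaks in on the hand-off.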
 #10969  by everdox
 Wed Jan 11, 2012 10:37 pm
If you have a fully patched Windows, I believe they removed KiFilterFiberContext from the PDB symbols... I could be wrong. Analysis at KiSystemStartup would be your best bet ;)