- First introduction of Kernel Patch Protection on x64 editions (PatchGuard had already shipped on Windows XP x64 and Server 2003 SP1 x64; Vista was the first mainstream client release to carry it)
- Simple design with fixed timer intervals
- Single XOR key encryption for the PG context
- Protected structures: SSDT, IDT, GDT, MSR LSTAR, ntoskrnl .text
- Relatively straightforward to analyze and understand
- Added protection for HalDispatchTable
- Added KdDebuggerEnabled monitoring
- Improved timer randomization (basic)
- Added work item-based check triggers as alternative to timers
- Fixed several analysis techniques that worked on Vista
- Major overhaul of the encryption scheme
- Introduced rolling key XOR (key changes per block)
- Added CI.dll (Code Integrity) to protected structures
- Added KPRCB critical field monitoring
- Multiple DPC-based trigger mechanisms
- Improved anti-debugging: timer intervals shorten with debugger attached
- Code obfuscation significantly increased
- Refined rolling key algorithm
- Added more KPRCB fields to protection
- Improved exception-based trigger mechanism
- Better integration with Secure Boot
- Multi-key XOR encryption (block-index-dependent sub-keys)
- Added Shadow SSDT (Win32k) protection
- Added MSR CSTAR and SFMASK monitoring
- ntoskrnl read-only data section protection
- Object type pointer validation
- Significantly expanded anti-analysis techniques
- Decoy PG contexts introduced
- Improved KASLR integration
- Context-dependent key derivation
- Better timer obfuscation
- VBS (Virtualization-Based Security) interaction begins
- HVCI (Hypervisor-enforced Code Integrity) integration
- Additional kernel module protection
- Improved self-integrity verification
- Enhanced pool allocation obfuscation
- Additional exception-based triggers
- Improved anti-debugging measures
- Retpoline-aware code modifications
- Kernel CFG (Control Flow Guard) integration
- Further encrypted function pointer tables
- Spectre/Meltdown mitigation interactions
- XFG (eXtended Flow Guard) awareness
- Improved performance counter monitoring
- Pool allocation pattern changes
- Additional driver object validation
- Another major overhaul
- Introduced AES-like lightweight encryption rounds
- Hypervisor-assisted verification (VMCALL-based)
- Pluton security processor integration path
- Expanded protected structure set
- New anti-analysis techniques exploiting VBS
- Context structure layout significantly changed
- Timer mechanism redesigned
- Refined hypervisor interaction
- Smart App Control integration
- Improved pool tag obfuscation
- Additional KPRCB fields monitored
- Pool tag obfuscation: PG pool tags are XORed with a per-boot random value
- Driver object table protection
- Enhanced VBS-based context protection
- Improved timing side-channel resistance
- Additional MSR monitoring
- Full hypervisor-assisted KPP mode
- VMCALL-based integrity verification
- Context stored in VBS-protected memory (VTL1)
- Hardware-backed key storage via TPM/Pluton
- Significantly harder to analyze without hypervisor access
- New timer identification heuristics needed
- Pool scanning requires VTL0/VTL1 awareness
- Increasing encryption complexity: From simple XOR to multi-key to AES-like schemes
- Hypervisor integration: Progressive movement toward VBS-protected verification
- Expanding protection scope: More structures protected with each release
- Better anti-analysis: Each version adds new obfuscation and anti-debugging
- Hardware integration: TPM, Pluton, and hardware security features leveraged
- Performance optimization: Despite more checks, PG overhead has decreased through sampling and batching
| Version | Analysis Difficulty | Key Technique |
|---|---|---|
| Vista/7 | Low | Direct memory scanning |
| 8/8.1 | Medium | Rolling key recovery |
| 10 (early) | Medium-High | Multi-key + context analysis |
| 10 (late) | High | Advanced heuristics needed |
| 11 (early) | Very High | Hypervisor awareness needed |
| 11 24H2 | Extreme | VBS/VTL1 access required |
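The "Rolling key recovery" and "Multi-key + context analysis" rows above come down to how much known plaintext an analyst needs before the context decrypts. The C program below is an added example, not PatchGuard's own code: it models the three XOR-style schemes listed in the changelog (single key, rolling key, block-index-dependent sub-keys) with simplified, assumed constructions (the rolling model rotates the key by the block index; the multi-key model selects a sub-key by block index), encrypts a constructed eight-qword stand-in context, and runs the known-plaintext recovery that works against each. The sample values, keys and the "predictable pointer in qword 0" foothold are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified models of three XOR-style context encryption schemes and the
 * known-plaintext recovery an analyst would try against each. These are
 * illustrative stand-ins (assumptions), NOT the real PatchGuard algorithms.
 */

#define CTX_QWORDS 8

/* Constructed stand-in for a PG context. Qword 0 plays the role of a field
 * whose plaintext an analyst can predict (assumption: a pointer into a known
 * kernel image range); the remaining values are arbitrary filler. */
static const uint64_t SAMPLE_CTX[CTX_QWORDS] = {
    0xFFFFF80412345000ULL, /* assumed-predictable pointer field */
    0x0000000000000001ULL,
    0x00000000DEADBEEFULL,
    0xFFFFF80412340C00ULL,
    0x0123456789ABCDEFULL,
    0x0000000000000000ULL,
    0xFEDCBA9876543210ULL,
    0x00000000CAFEF00DULL,
};

static uint64_t rol64(uint64_t v, unsigned n)
{
    n &= 63;
    return n ? (v << n) | (v >> (64 - n)) : v;
}

/* Scheme 1: every qword XORed with one key. XOR is an involution, so the
 * same routine encrypts and decrypts. */
static void xor_single(uint64_t *buf, size_t n, uint64_t key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key;
}

/* Scheme 2 (model): rolling key, rotated left by the block index before
 * use, so each qword sees a different but derivable key. */
static void xor_rolling(uint64_t *buf, size_t n, uint64_t key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= rol64(key, (unsigned)i);
}

/* Scheme 3 (model): independent sub-keys selected by block index. */
static void xor_multikey(uint64_t *buf, size_t n,
                         const uint64_t *sub, size_t nsub)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= sub[i % nsub];
}

/* Recovery for schemes 1 and 2: one known qword at index 0 yields the
 * (initial) key directly, since rol64(key, 0) == key. */
static uint64_t recover_key_from_block0(const uint64_t *ct, uint64_t known_pt0)
{
    return ct[0] ^ known_pt0;
}

/* Recovery for scheme 3: each sub-key is only recoverable at a block
 * position whose plaintext is known, so nsub known qwords are required.
 * Returns 1 on success, 0 if there is not enough known plaintext. */
static int recover_subkeys(const uint64_t *ct, const uint64_t *known_pt,
                           size_t nknown, uint64_t *sub, size_t nsub)
{
    if (nknown < nsub)
        return 0;
    for (size_t i = 0; i < nsub; i++)
        sub[i] = ct[i] ^ known_pt[i];
    return 1;
}

/* Encrypt the sample context under each scheme, run the matching recovery,
 * and report which attacks restored the full plaintext as a bitmask:
 * bit 0 single key, bit 1 rolling key, bit 2 multi-key with 3 known qwords,
 * bit 3 multi-key with only 1 known qword (expected to fail, so stays 0). */
static unsigned run_recovery_demo(void)
{
    const uint64_t key = 0x5DEECE66D1234567ULL;      /* constructed */
    const uint64_t sub[3] = { 0x1111111111111111ULL, /* constructed */
                              0x2222222222222222ULL,
                              0x3333333333333333ULL };
    uint64_t buf[CTX_QWORDS], rec[3];
    unsigned ok = 0;

    memcpy(buf, SAMPLE_CTX, sizeof buf);
    xor_single(buf, CTX_QWORDS, key);
    xor_single(buf, CTX_QWORDS, recover_key_from_block0(buf, SAMPLE_CTX[0]));
    if (memcmp(buf, SAMPLE_CTX, sizeof buf) == 0) ok |= 1u;

    memcpy(buf, SAMPLE_CTX, sizeof buf);
    xor_rolling(buf, CTX_QWORDS, key);
    xor_rolling(buf, CTX_QWORDS, recover_key_from_block0(buf, SAMPLE_CTX[0]));
    if (memcmp(buf, SAMPLE_CTX, sizeof buf) == 0) ok |= 2u;

    memcpy(buf, SAMPLE_CTX, sizeof buf);
    xor_multikey(buf, CTX_QWORDS, sub, 3);
    if (recover_subkeys(buf, SAMPLE_CTX, 3, rec, 3)) {
        xor_multikey(buf, CTX_QWORDS, rec, 3);
        if (memcmp(buf, SAMPLE_CTX, sizeof buf) == 0) ok |= 4u;
    }

    memcpy(buf, SAMPLE_CTX, sizeof buf);
    xor_multikey(buf, CTX_QWORDS, sub, 3);
    if (recover_subkeys(buf, SAMPLE_CTX, 1, rec, 3)) {
        xor_multikey(buf, CTX_QWORDS, rec, 3);
        if (memcmp(buf, SAMPLE_CTX, sizeof buf) == 0) ok |= 8u;
    }
    return ok;
}

int main(void)
{
    unsigned ok = run_recovery_demo();
    printf("single key, 1 known qword:  %s\n", (ok & 1u) ? "recovered" : "failed");
    printf("rolling key, 1 known qword: %s\n", (ok & 2u) ? "recovered" : "failed");
    printf("multi-key, 3 known qwords:  %s\n", (ok & 4u) ? "recovered" : "failed");
    printf("multi-key, 1 known qword:   %s\n", (ok & 8u) ? "recovered" : "failed");
    return 0;
}
```

The point the model makes is that a rolling key costs the analyst nothing beyond learning the rotation rule once, whereas independent sub-keys force the analyst to find as many predictable fields as there are sub-keys, which is why the table rates the multi-key generation as needing context analysis rather than a single key recovery.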