PointerGuard is a proof-of-concept tool used to create 'guarded' pointers which disguise pointer addresses, monitor reads/writes, and prevent access from external processes.
PointerGuard is implemented using a Vectored Exception Handler (VEH).
When a guarded pointer is created, it is assigned an invalid (disguised) address. Once the invalid pointer is dereferenced, an access violation is raised and caught by our VEH. If the exception handler determines that the access violation was caused by a guarded pointer, the register containing the invalid pointer will be replaced with the real pointer and execution will continue.
PointerGuard can be used to determine when and where a guarded pointer is dereferenced from. In the provided code, this is done by printing the instruction pointer (RIP) each time a guarded pointer is dereferenced.
When an external process tries to read our guarded pointer (e.g. using ReadProcessMemory), the VEH will not be triggered and the address will be recognized as invalid.
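The handler decision described above, as an added sketch that is not PointerGuard's own code: the table lookup and register swap are portable C, and the `_WIN32` part shows how a VEH could feed the saved x64 registers into it. The names `pg_guard`, `pg_fixup`, `pg_veh` and `pg_install`, the fixed-size table and the disguised-address values are assumptions, and the lookup only matches a fault exactly at the disguised address.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical table: disguised (never-mapped) address -> real address. */
typedef struct { uint64_t fake, real; } pg_entry;
static pg_entry pg_table[16];
static size_t pg_count;

/* Register a real address and return its disguised one (0 if the table is full). */
uint64_t pg_guard(uint64_t real) {
    if (pg_count == sizeof pg_table / sizeof pg_table[0]) return 0;
    pg_table[pg_count].fake = 0x1000001ULL + pg_count;  /* constructed value */
    pg_table[pg_count].real = real;
    return pg_table[pg_count++].fake;
}

/* Given the faulting address and the saved general-purpose registers, swap the
   real address into every register holding the disguised one. Returns the
   number of registers rewritten; 0 means the fault is not ours. */
int pg_fixup(uint64_t fault_addr, uint64_t *regs, size_t nregs) {
    const pg_entry *hit = NULL;
    int patched = 0;
    for (size_t i = 0; i < pg_count && !hit; i++)
        if (pg_table[i].fake == fault_addr) hit = &pg_table[i];
    if (!hit) return 0;
    for (size_t r = 0; r < nregs; r++)
        if (regs[r] == hit->fake) { regs[r] = hit->real; patched++; }
    return patched;
}

#ifdef _WIN32
#include <windows.h>
#include <stdio.h>
/* x64 only: Rax..R15 are 16 contiguous DWORD64 fields of CONTEXT, and
   ExceptionInformation[1] of an access violation is the inaccessible address. */
static LONG CALLBACK pg_veh(EXCEPTION_POINTERS *ep) {
    EXCEPTION_RECORD *er = ep->ExceptionRecord;
    if (er->ExceptionCode != EXCEPTION_ACCESS_VIOLATION ||
        !pg_fixup(er->ExceptionInformation[1], (uint64_t *)&ep->ContextRecord->Rax, 16))
        return EXCEPTION_CONTINUE_SEARCH;      /* let other handlers see real crashes */
    printf("Guarded pointer 0x%016llX accessed from 0x%016llX\n",
           (unsigned long long)er->ExceptionInformation[1],
           (unsigned long long)ep->ContextRecord->Rip);
    return EXCEPTION_CONTINUE_EXECUTION;       /* retry the faulting instruction */
}
void pg_install(void) { AddVectoredExceptionHandler(1, pg_veh); }
#endif
```

Returning `EXCEPTION_CONTINUE_SEARCH` for any fault that is not a guarded address keeps genuine access violations visible to other handlers and the debugger instead of masking them.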
Real pointer: 0x00000067FBD9F834
Fake pointer: 0x0000000001000001
Guarded pointer 0x0000000001000001 accessed from 0x00007FF790B114E0
Dereferenced real pointer (0x00000067FBD9F834): 50
Dereferenced fake pointer (0x0000000001000001): 50
Writing to the fake pointer...
Guarded pointer 0x0000000001000001 accessed from 0x00007FF790B11550
Guarded pointer 0x0000000001000001 accessed from 0x00007FF790B11563
Dereferenced real pointer (0x00000067FBD9F834): 60
Dereferenced fake pointer (0x0000000001000001): 60
Build as an x64 executable using Visual Studio 2022.
The binaries were only tested on Windows 10 21H1.
Code Optimization must be disabled (/Od).