DSEFix - Defeating x64 Driver Signature Enforcement


Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Fri Sep 04, 2015 3:29 am

breaker09 wrote:Is this still working in Windows 10? I seem to be getting PatchGuarded a lot... :(

Yes, it works. Do not want to trigger PatchGuard? Turn it off. Do not want to turn it off? Rewrite dsefix to map your target driver into kernel memory using the vbox loader task (basically doing the Windows loader's job) and launch its execution via kernel mode shellcode that will be triggered by the same SUP_IOCTL_FAST_DO_NOP. This will not trigger PatchGuard, as nothing will be patched, and your driver will be loaded without touching MmLoadSystemImage, so no digital signature checks will be performed. However, you will be unable to unload your "loaded" driver normally, as it will not be in the list of loaded drivers. Everything else (creating devices, sending/receiving IOCTLs) should be working.
Ring0 - the source of inspiration
User avatar
EP_X0FF
Global Moderator
 
Posts: 4759
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby breaker09 » Fri Sep 04, 2015 7:44 pm

EP_X0FF wrote:
breaker09 wrote:Is this still working in Windows 10? I seem to be getting PatchGuarded a lot... :(

Yes, it works. Do not want to trigger PatchGuard? Turn it off. Do not want to turn it off? Rewrite dsefix to map your target driver into kernel memory using the vbox loader task (basically doing the Windows loader's job) and launch its execution via kernel mode shellcode that will be triggered by the same SUP_IOCTL_FAST_DO_NOP. This will not trigger PatchGuard, as nothing will be patched, and your driver will be loaded without touching MmLoadSystemImage, so no digital signature checks will be performed. However, you will be unable to unload your "loaded" driver normally, as it will not be in the list of loaded drivers. Everything else (creating devices, sending/receiving IOCTLs) should be working.

Thanks, somehow I had not realized the exploit could be used that way as well. I'd prefer not to disable PatchGuard if I don't have to, so that sounds perfect! :)

And also, my question was poorly worded. DSEFix works well and I'm able to load my driver. But even when I have a program that first disables DSE, loads my driver and then immediately re-enables it, I'm still getting PatchGuarded. I'm just wondering if they have added some new checks in Windows 10 or something, because I never had any problems in Windows 8.1?
breaker09
 
Posts: 6
Joined: Mon Jun 09, 2014 6:15 pm
Reputation point: 0

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Sat Sep 05, 2015 4:02 am

Have no idea. As for me, it is purely random. Maybe they tweaked the scanning priority. PatchGuard since the beginning was mainly a heavily masqueraded DRM feature, so each release they improve it.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby Thomas717 » Mon Oct 19, 2015 12:50 am

Unfortunately, it seems the latest DSEFix doesn't work on Windows 7 x64 with the latest updates. I've tested on my different computers, which are virtualized, unvirtualized, with AV, without AV. I haven't figured out which update causes this. I think M$...
Thomas717
 
Posts: 1
Joined: Mon Oct 19, 2015 12:40 am
Reputation point: 0

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Mon Oct 19, 2015 6:32 am

1) Boot with bcdedit -debug ON, disable user mode exceptions with the noumex option.
Win.

2) On Windows 8+ turn off the marketing DRM feature mistakenly named "SecureBoot", then do the same as (1).
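The boot settings recommended in the post above (kernel debugging on, Secure Boot off) are also exactly what a defender wants to audit for, since PatchGuard does not initialize under a kernel debugger and the other flags relax DSE outright. The following PowerShell function is an added example, not code from the thread or from the DSEFix/TDL projects; it assumes an elevated PowerShell session and reports the Secure Boot and HVCI checks as unavailable on platforms (such as Windows 7 or legacy BIOS) that do not expose them.

```powershell
# Added example: audit the current boot entry and platform state for settings that
# weaken kernel code integrity. Requires an elevated PowerShell (bcdedit needs admin).
function Get-KernelIntegrityPosture {
    # bcdedit prints "name   value" lines; collect them into a case-insensitive lookup.
    $opts = @{}
    foreach ($line in (& bcdedit.exe /enum '{current}')) {
        if ($line -match '^(\S+)\s+(.+?)\s*$') { $opts[$Matches[1].ToLower()] = $Matches[2] }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($opts['debug'] -eq 'Yes') {
        # A kernel debugger being enabled means PatchGuard is never initialized.
        $findings.Add('kernel debugging enabled: PatchGuard is not active')
    }
    if ($opts['testsigning'] -eq 'Yes')       { $findings.Add('test signing enabled: test-signed drivers load') }
    if ($opts['nointegritychecks'] -eq 'Yes') { $findings.Add('nointegritychecks set: DSE is disabled') }
    if ($opts['loadoptions'] -match 'DISABLE_INTEGRITY_CHECKS') { $findings.Add('loadoptions disables integrity checks') }

    # Secure Boot: the cmdlet throws on legacy BIOS or where it does not exist, so $null means "unavailable".
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    if ($secureBoot -eq $false) { $findings.Add('Secure Boot is off') }

    # HVCI: when hypervisor-enforced code integrity is running, flipping the DSE flag in the
    # normal kernel no longer lets unsigned code execute. SecurityServicesRunning value 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    if (-not $hvci) { $findings.Add('HVCI not running: kernel code integrity relies on DSE alone') }

    [pscustomobject]@{
        KernelDebug       = ($opts['debug'] -eq 'Yes')
        TestSigning       = ($opts['testsigning'] -eq 'Yes')
        NoIntegrityChecks = ($opts['nointegritychecks'] -eq 'Yes')
        SecureBoot        = $secureBoot
        Hvci              = $hvci
        Findings          = $findings.ToArray()
    }
}

Get-KernelIntegrityPosture | Format-List
```

A host where Findings is non-empty is one on which the DSEFix-style approach, or the manual-mapping variant described earlier in the thread, faces fewer obstacles, so the output is a useful baseline to compare against across a fleet.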

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Sun Nov 08, 2015 4:45 am

These two links cover most of the problems you may experience with DSEFix.

https://github.com/hfiref0x/DSEFix/issues/1
https://github.com/hfiref0x/DSEFix/issues/2

^ these links are for people who are capable of logic and know how things work.

As there are no plans for updating DSEFix, this topic is now closed.
Last edited by EP_X0FF on Tue Feb 02, 2016 3:38 pm, edited 1 time in total.
Reason: thread reopened

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Thu Feb 04, 2016 4:45 am

Superseded by TDL - Turla Driver Loader. See readme for more info.
https://github.com/hfiref0x/TDL

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby kmd » Mon Oct 03, 2016 9:27 am

Hello, are you going to use capcom.sys for a similar loader?
User avatar
kmd
 
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation
Reputation point: 17

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Mon Oct 03, 2016 11:45 am

kmd wrote:Hello, are you going to use capcom.sys for a similar loader?

There are no plans to do so. This driver is way too shitty and incompatible with modern OS.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Sun Apr 23, 2017 4:31 am

This thread is no longer maintained on this forum.
If you have bug reports, suggestions, etc., use the project GitHub pages https://github.com/hfiref0x/DSEFix/issues or https://github.com/hfiref0x/TDL/issues to report them.
For news and updates about TDL/DSEFix, see the projects' GitHub pages.

Closed.
