Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Fri Sep 04, 2015 3:29 am
by EP_X0FF
breaker09 wrote:Is this still working in Windows 10? I seem to be getting PatchGuarded a lot... :(
Yes it works. Do not want to trigger PatchGuard? Turn it off. Do not want to turn it off? Rewrite dsefix to map your target driver to the kernel memory using vbox loader task (basically doing windows loader job) and launch its execution via kernel mode shellcode that will be triggered by the same SUP_IOCTL_FAST_DO_NOP. This will not trigger PatchGuard as nothing will be patched and your driver will be loaded without touching MmLoadSystemImage, so no digital signature checks will be performed. However you will be unable to unload your "loaded" driver normally as it will not be in the list of loaded drivers. Everything else - creating devices, sending/receiving IOCTLs - should be working.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Fri Sep 04, 2015 7:44 pm
by breaker09
EP_X0FF wrote:
breaker09 wrote:Is this still working in Windows 10? I seem to be getting PatchGuarded a lot... :(
Yes it works. Do not want to trigger PatchGuard? Turn it off. Do not want to turn it off? Rewrite dsefix to map your target driver to the kernel memory using vbox loader task (basically doing windows loader job) and launch its execution via kernel mode shellcode that will be triggered by the same SUP_IOCTL_FAST_DO_NOP. This will not trigger PatchGuard as nothing will be patched and your driver will be loaded without touching MmLoadSystemImage, so no digital signature checks will be performed. However you will be unable to unload your "loaded" driver normally as it will not be in the list of loaded drivers. Everything else - creating devices, sending/receiving IOCTLs - should be working.
Thanks, somehow I had not realized the exploit could be used that way as well. I'd prefer not to disable PatchGuard if I don't have to, so that sounds perfect! :)

And also, my question was poorly worded. DSEFix works well and I'm able to load my driver. But even when I have a program that first disables DSE, loads my driver and then immediately re-enables it, I'm still getting PatchGuarded. I'm just wondering if they have added some new checks in Windows 10 or something, because I never had any problems in Windows 8.1?

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Sat Sep 05, 2015 4:02 am
by EP_X0FF
I have no idea. As for me it is pure random. Maybe they tweaked scanning priority. PatchGuard since the beginning was mainly a heavily masqueraded DRM feature, so each release they improve it.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Mon Oct 19, 2015 12:50 am
by Thomas717
Unfortunately, it seems the latest DSEFix doesn't work on Windows 7 x64 with the latest updates. I've tested on my different computers which are virtualized, unvirtualized, with AV, without AV. I haven't figured out which update causes this. I think M$...

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Mon Oct 19, 2015 6:32 am
by EP_X0FF
1) Boot with bcdedit -debug ON, disable user mode exceptions with the noumex option.
Win.

2) On Windows 8+ turn off the marketing DRM feature mistakenly named "SecureBoot", then do the same as (1).

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Sun Nov 08, 2015 4:45 am
by EP_X0FF
These two links cover most of the problems you may experience with DSEFix.

https://github.com/hfiref0x/DSEFix/issues/1
https://github.com/hfiref0x/DSEFix/issues/2

^ These links are for people who can use logic and know how things work.

As there are no plans for updating DSEFix, this topic is now closed.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Thu Feb 04, 2016 4:45 am
by EP_X0FF
Superseded by TDL - Turla Driver Loader. See the readme for more info.
https://github.com/hfiref0x/TDL

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Mon Oct 03, 2016 9:27 am
by kmd
Hello, are you going to use capcom.sys for a similar loader?

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Mon Oct 03, 2016 11:45 am
by EP_X0FF
kmd wrote:Hello, are you going to use capcom.sys for a similar loader?
There are no plans to do so. This driver is way too shitty and incompatible with modern OSes.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Sun Apr 23, 2017 4:31 am
by EP_X0FF
This thread is no longer maintained on this forum.
If you have bug reports/suggestions etc., use the project github page https://github.com/hfiref0x/DSEFix/issues or https://github.com/hfiref0x/TDL/issues to report them.
For news and updates about TDL/DSEFix, see the projects' github pages.

Closed.