PatchGuard bypass at runtime

Learn more: https://hexderef.com/patchguard-bypass

The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,499 USD ("Software work") non-exclusive. The source code also includes a DSE bypass at runtime (a manually mappable driver) what with you can load your unsigned driver with nt!_DRIVER_OBJECT.

Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a CRITICAL_STRUCTURE_CORRUPTION (109) CI!g_CiOptions+0 CI.dll 0x109_0_CI!g_CiOptions PatchGuard bug check.

[+] Windows 10 (22H2) | Windows 11 (22H2/23H2) compatible
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
[-] HVCI

1391:648

The DSE bypass which comes with the source code mentioned above has also been verified with aforementioned versions without the need to disable PatchGuard.

The compiled version of the driver comes with nt!_DRIVER_OBJECT, costs $279 USD one time, will be obfuscated, therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. The driver unloads itself before the anti-cheat is initialized. AFAIK: There is no kernel anti-cheat that detects the bypass at runtime.

Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.

The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.

For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested. Please register and post your needs in this thread. I will contact you by email you registered with.

If you want to pay via PayPal. Read these notes https://overlayhack.com/hex-deref-support/984

The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.

The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code is therefore provided AS IS with no warranty of any kind.

The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO. If you byte patch the kernel text section, let's say a routine with a RETN. It is also subject BAD_STACK_0x109 bug check. The bypass enables you also to patch the kernel according to your needs.

448:464


The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore this solution is more convenient and easier to use.

Q: Do I need a code signing certificate (EV) to load the driver?
A: No you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turns loads unsigned kernel driver with the PG bypass.

Q: There are free open source PatchGuard bypasses. Why would I pay for this?

A: Most of public ones are not supported, are out of date, are detected in anti-cheats, partially working or not working at all. A sophistication level in this private PatchGuard/DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats.

The source code is the best solution because you can alter the control flow (to make the driver unique and undetectable in anti-cheats) adapt the bypass for older or newer versions of Windows.

If PatchGuard was disabled at boot time. An anti-cheat can trigger the PatchGuard verification routine and if an exception occurs. The anti-cheat knows that PG is bypassed at boot.

A proof of uptime:

454:457


Bypassing PatchGuard enables the classic process DKOM's

The most popular mainstream kernel level anti-cheat EAC, that is also considered to be the most advanced, checks for running and hidden processes. EAC refuses to start a game if it detects a non-allowed process (windbg.exe is one of them) running. In other words. If an AV, kernel anti-cheat or malware does not want want to be analyzed. DKOM'ing a process is the only way, and the bypass makes this possible without a BSDO.

Terms for the source code:

The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com

The source code is sold unconditionally for private or internal company use. In no event you or the company who bought the source code may not distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.

No author or distributor accepts responsibility to anyone for the consequences of using the source code.

#992
Title:
Administrator
07/25/2023 01:33 - 524 days 15 hours 56 minutes
#992
The recent windows kernel update broke the DSE bypass on Windows 10 22H2 Build: 19045.3208. I've adapted the update and it works in the latest version at the time of this post.
#1010
Title:
Administrator
01/17/2024 20:29 - 347 days 19 hours 59 minutes
#1010
I've just verified both DSE and PatchGuard bypass at runtime on:

Windows 10 Pro 22H2 19045.3208
Windows 11 Pro 22H2 22621.3007

#1014
Title:
Administrator
04/07/2024 18:19 - 266 days 23 hours 9 minutes
#1014
The bypass has been verified on Windows 11 Pro 23H2 (Build: 22631)
#1018
Title:
diegobt wrote:
09/09/2024 20:07 - 111 days 21 hours 21 minutes
#1018
Hi I am interested in the PatchGuard bypass source code. I would like more information

Thank you
/diego
#1026
Title: PatchGuard 0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function
Administrator
11/01/2024 12:32 - 59 days 3 hours 56 minutes
#1026
If you need a SEH in your manually mapped driver. You'll need to use below undocumented kernel API's.

Finding the base address of a manually mapped driver requires a bit more effort, but by iterating backwards from the driver's entry point and trying to locate the first valid PE header, you are pretty much at the base address. You can get the size of the image from the found PE header.


RtlInsertInvertedFunctionTable(imageBase, szImage);
RemoveInvertedFunctionTableEntry(imageBase, szImage);


PatchGuard will trigger a BSDO: 19 : Loaded module list modification
0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function

Aforementioned 0x109 will not trigger after the bypass described in the first post has been applied.

If you're a malware analyst. It's worth noting that RtlInsertInvertedFunctionTable routine will insert an entry in "db nt!PsInvertedFunctionTable". If you iterate all entries and check if an entry points to a valid module. You'll find every manually mapped kernel drivers that uses SEH.

Post a comment

Registered users do not have to enter captcha. A line in the code tag is currently limited to maxium of 160 characters.
Posting guidelines: You may not post any personal information. When you report an issue: Always mention which version and operating system and briefly describe the issue. Any support request post that does not include this information will be removed as spam without a reply.
Title
Tags You may use the following tags: [QUOTE] [/QUOTE] [B] [/B] [URL] [/URL] [CODE] [/CODE]
Captcha Please enter the text you see (case insensitive). The listed characters must be entered clockwise starting from twelve o'clock.
Comments are moderated Y