PatchGuard bypass at runtime
Learn more: https://hexderef.com/patchguard-bypass
The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,499 USD ("Software work") non-exclusive. The source code also includes a DSE bypass at runtime (a manually mappable driver) what with you can load your unsigned driver with nt!_DRIVER_OBJECT.
Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a CRITICAL_STRUCTURE_CORRUPTION (109) CI!g_CiOptions+0 CI.dll 0x109_0_CI!g_CiOptions PatchGuard bug check.
[+] Windows 10 (22H2) | Windows 11 (22H2/23H2/24H2) compatible
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
[-] HVCI
To summarize what is included in the source code:
The loader driver (a manually mapped) that disables DSE at run time
Driver with the driver object (PG bypass driver)
Telegram: https://t.me/WhiteByte01
The loader driver unloads the PG bypass driver (making it undetectable on every kernel-level anti-cheats)
On Windows 11 24H2: "Device Security->App & browser control->Check apps and files" must be turned off
1391:648
The DSE bypass which comes with the source code mentioned above has also been verified with aforementioned versions without the need to disable PatchGuard.
The compiled version of the driver comes with nt!_DRIVER_OBJECT, costs $279 USD one time, will be obfuscated, therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. The driver unloads itself before the anti-cheat is initialized. AFAIK: There is no kernel anti-cheat that detects the bypass at runtime.
Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested. Please register and post your needs in this thread. I will contact you by email you registered with.
If you want to pay via PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.
The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code is therefore provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO. If you byte patch the kernel text section, let's say a routine with a RETN. It is also subject BAD_STACK_0x109 bug check. The bypass enables you also to patch the kernel according to your needs.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore this solution is more convenient and easier to use.
Q: Do I need a code signing certificate (EV) to load the driver?
A: No you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turns loads unsigned kernel driver with the PG bypass.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, are detected in anti-cheats, partially working or not working at all. A sophistication level in this private PatchGuard/DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats.
The source code is the best solution because you can alter the control flow (to make the driver unique and undetectable in anti-cheats) adapt the bypass for older or newer versions of Windows.
If PatchGuard was disabled at boot time. An anti-cheat can trigger the PatchGuard verification routine and if an exception occurs. The anti-cheat knows that PG is bypassed at boot.
A proof of uptime:
454:457
Terms for the source code:
The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com
The source code is sold unconditionally for private or internal company use. In no event you or the company who bought the source code may not distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.
No author or distributor accepts responsibility to anyone for the consequences of using the source code.
The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,499 USD ("Software work") non-exclusive. The source code also includes a DSE bypass at runtime (a manually mappable driver) what with you can load your unsigned driver with nt!_DRIVER_OBJECT.
Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a CRITICAL_STRUCTURE_CORRUPTION (109) CI!g_CiOptions+0 CI.dll 0x109_0_CI!g_CiOptions PatchGuard bug check.
[+] Windows 10 (22H2) | Windows 11 (22H2/23H2/24H2) compatible
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
[-] HVCI
To summarize what is included in the source code:
The loader driver (a manually mapped) that disables DSE at run time
Driver with the driver object (PG bypass driver)
Telegram: https://t.me/WhiteByte01
The loader driver unloads the PG bypass driver (making it undetectable on every kernel-level anti-cheats)
On Windows 11 24H2: "Device Security->App & browser control->Check apps and files" must be turned off
1391:648
The DSE bypass which comes with the source code mentioned above has also been verified with aforementioned versions without the need to disable PatchGuard.
The compiled version of the driver comes with nt!_DRIVER_OBJECT, costs $279 USD one time, will be obfuscated, therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. The driver unloads itself before the anti-cheat is initialized. AFAIK: There is no kernel anti-cheat that detects the bypass at runtime.
Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested. Please register and post your needs in this thread. I will contact you by email you registered with.
If you want to pay via PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.
The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code is therefore provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO. If you byte patch the kernel text section, let's say a routine with a RETN. It is also subject BAD_STACK_0x109 bug check. The bypass enables you also to patch the kernel according to your needs.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore this solution is more convenient and easier to use.
Q: Do I need a code signing certificate (EV) to load the driver?
A: No you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turns loads unsigned kernel driver with the PG bypass.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, are detected in anti-cheats, partially working or not working at all. A sophistication level in this private PatchGuard/DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats.
The source code is the best solution because you can alter the control flow (to make the driver unique and undetectable in anti-cheats) adapt the bypass for older or newer versions of Windows.
If PatchGuard was disabled at boot time. An anti-cheat can trigger the PatchGuard verification routine and if an exception occurs. The anti-cheat knows that PG is bypassed at boot.
A proof of uptime:
454:457
Bypassing PatchGuard enables the classic process DKOM's
The most popular mainstream kernel level anti-cheat EAC, that is also considered to be the most advanced, checks for running and hidden processes. EAC refuses to start a game if it detects a non-allowed process (windbg.exe is one of them) running. In other words. If an AV, kernel anti-cheat or malware does not want want to be analyzed. DKOM'ing a process is the only way, and the bypass makes this possible without a BSDO.Terms for the source code:
The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com
The source code is sold unconditionally for private or internal company use. In no event you or the company who bought the source code may not distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.
No author or distributor accepts responsibility to anyone for the consequences of using the source code.
| #992 Title: Administrator |
07/25/2023 01:33 - 675 days 22 hours 7 minutes #992 |
The recent windows kernel update broke the DSE bypass on Windows 10 22H2 Build: 19045.3208. I've adapted the update and it works in the latest version at the time of this post.
| #1010 Title: Administrator |
01/17/2024 20:29 - 499 days 2 hours 10 minutes #1010 |
I've just verified both DSE and PatchGuard bypass at runtime on:
Windows 10 Pro 22H2 19045.3208
Windows 11 Pro 22H2 22621.3007
Windows 10 Pro 22H2 19045.3208
Windows 11 Pro 22H2 22621.3007
| #1014 Title: Administrator |
04/07/2024 18:19 - 418 days 5 hours 20 minutes #1014 |
The bypass has been verified on Windows 11 Pro 23H2 (Build: 22631)
| #1018 Title: diegobt wrote: |
09/09/2024 20:07 - 263 days 3 hours 32 minutes #1018 |
Hi I am interested in the PatchGuard bypass source code. I would like more information
Thank you
/diego
Thank you
/diego
| #1025 Title: jwahirtibbles5 wrote: |
10/21/2024 11:59 - 221 days 11 hours 40 minutes #1025 |
Hi I am interested in the PatchGuard bypass source code.
Thanks you
Thanks you
| #1026 Title: PatchGuard 0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function Administrator |
11/01/2024 12:32 - 210 days 10 hours 7 minutes #1026 |
If you need a SEH in your manually mapped driver. You'll need to use below undocumented kernel API's.
Finding the base address of a manually mapped driver requires a bit more effort, but by iterating backwards from the driver's entry point and trying to locate the first valid PE header, you are pretty much at the base address. You can get the size of the image from the found PE header.
RtlInsertInvertedFunctionTable(imageBase, szImage);
RemoveInvertedFunctionTableEntry(imageBase, szImage);
PatchGuard will trigger a BSDO: 19 : Loaded module list modification
0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function
Aforementioned 0x109 will not trigger after the bypass described in the first post has been applied.
If you're a malware analyst. It's worth noting that RtlInsertInvertedFunctionTable routine will insert an entry in "db nt!PsInvertedFunctionTable". If you iterate all entries and check if an entry points to a valid module. You'll find every manually mapped kernel drivers that uses SEH.
Finding the base address of a manually mapped driver requires a bit more effort, but by iterating backwards from the driver's entry point and trying to locate the first valid PE header, you are pretty much at the base address. You can get the size of the image from the found PE header.
RtlInsertInvertedFunctionTable(imageBase, szImage);
RemoveInvertedFunctionTableEntry(imageBase, szImage);
PatchGuard will trigger a BSDO: 19 : Loaded module list modification
0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function
Aforementioned 0x109 will not trigger after the bypass described in the first post has been applied.
If you're a malware analyst. It's worth noting that RtlInsertInvertedFunctionTable routine will insert an entry in "db nt!PsInvertedFunctionTable". If you iterate all entries and check if an entry points to a valid module. You'll find every manually mapped kernel drivers that uses SEH.
| #1032 Title: Recent Windows OS compatibility A visitor wrote: |
02/19/2025 18:25 - 100 days 4 hours 15 minutes #1032 |
Does this bypass work on Windows 11 24H2?
| #1033 Title: Administrator |
02/26/2025 21:11 - 93 days 1 hours 28 minutes #1033 |
#1032 Originally posted by A visitor : https://overlayhack.com/patchguard-bypass#1032
Yes. I've just adapted the bypass. There were many changes. Also DSE bypass works as described in the first post. To summarize what's included:
- A manually mapped loader driver with DSE bypass at runtime that loads a PatchGuard bypass driver directly from the kernel
- A shared memory communication between the two drivers
- The code itself is very informative in terms of learning Windows internals
Post your Telegram in a comment and I'll add you if you're interested to purchase the source code. 2,499 USD in BTC. Thanks.
Yes. I've just adapted the bypass. There were many changes. Also DSE bypass works as described in the first post. To summarize what's included:
- A manually mapped loader driver with DSE bypass at runtime that loads a PatchGuard bypass driver directly from the kernel
- A shared memory communication between the two drivers
- The code itself is very informative in terms of learning Windows internals
Post your Telegram in a comment and I'll add you if you're interested to purchase the source code. 2,499 USD in BTC. Thanks.
