PatchGuard bypass at runtime

Learn more: https://hexderef.com/patchguard-bypass

The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,499 USD ("Software work"), non-exclusive. The source code also includes a DSE bypass at runtime (a manually mappable driver) with which you can load your unsigned driver with nt!_DRIVER_OBJECT.

Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a 0x109_20_CI!g_CiOptions PatchGuard bug check if you're not doing it properly.

[+] Windows 10/11 compatible (22H2)
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
[-] HVCI

The DSE bypass which comes with the source code mentioned above has also been verified with the aforementioned versions without the need to disable PatchGuard.

The compiled version of the driver comes with nt!_DRIVER_OBJECT, costs $279 USD one time, and will be obfuscated; therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from a kernel-level anti-cheat perspective. The driver unloads itself before the anti-cheat is initialized. AFAIK: There is no kernel anti-cheat that detects the bypass at runtime.

Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.

The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.

For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested, please register and post your needs in this thread. I will contact you by the email you registered with.

If you want to pay via PayPal, read these notes: https://overlayhack.com/hex-deref-support/984

The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.

The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code are therefore provided AS IS with no warranty of any kind.

The author has however tested the driver for at least 12 hours on bare metal and on a Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to a PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSOD. If you byte-patch the kernel text section, let's say a routine with a RETN, it is also subject to a BAD_STACK_0x109 bug check. The bypass also enables you to patch the kernel according to your needs.


The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore, this solution is more convenient and easier to use.

Q: Do I need a code signing certificate (EV) to load the driver?
A: No, you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads an unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turn loads an unsigned kernel driver with the PG bypass.

Q: There are free open source PatchGuard bypasses. Why would I pay for this?

A: Most of the public ones are not supported, are out of date, are detected by anti-cheats, are partially working or are not working at all. The sophistication level of this private PatchGuard/DSE bypass is different from the public ones. It is also worth mentioning that kernel-level anti-cheats can easily detect any EFI bootkit based bypass, because there is no PatchGuard context in kernel memory at all if you bypass kernel patch protection at boot time.

If you want to stay hidden from advanced kernel anti-cheats, the source code is the best solution, because you can alter the control flow (to make the driver unique and undetectable by anti-cheats) and adapt the bypass for older or newer versions of Windows.

If PatchGuard was disabled at boot time, an anti-cheat can trigger the PatchGuard verification routine, and if an exception occurs, the anti-cheat knows that PG is bypassed at boot.

A proof of uptime:


Bypassing PatchGuard enables the classic process DKOMs

The most popular mainstream kernel-level anti-cheat, EAC, which is also considered to be the most advanced, checks for running and hidden processes. EAC refuses to start a game if it detects a non-allowed process (windbg.exe is one of them) running. In other words, if an AV, kernel anti-cheat or malware does not want to be analyzed, DKOM'ing a process is the only way, and the bypass makes this possible without a BSOD.

Terms for the source code:

The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com.

The source code is sold unconditionally for private or internal company use. In no event may you or the company that bought the source code distribute or resell the source code in any form, or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.

No author or distributor accepts responsibility to anyone for the consequences of using the source code.

#992 - Administrator, 07/25/2023 01:33
The recent Windows kernel update broke the DSE bypass on Windows 10 22H2 Build 19045.3208. I've adapted to the update and it works in the latest version at the time of this post.
#998 - sospsi wrote, 12/08/2023 15:58
Title: i want buy
I'm interested in this and I want to buy it.
But I also want to hide the process through the kernel.
#999 - Administrator, 12/09/2023 16:24
Title: Hide the process from kernel anti-cheats
Quote (#998, originally posted by sospsi):

> I'm interested in this and I want to buy it.
> But I also want to hide the process through the kernel.


Hi.

I just noticed your comment that you're interested in purchasing a bypass. Are you able to get yourself PayPal verified? That was the reason your payment got rejected. If you're not able to, then Bitcoin (BTC) is the only payment method.

If you want to properly hide a process, you'll also need to hide the threads of the process. This kind of direct kernel object modification (DKOM) is subject to a process list modification bug check.

I do have the code to hide the process even from an advanced kernel anti-cheat, but this code is not included in the PG bypass. This code is subject to a software work.

Anyway, one AV directly attacks my software, even though I selected the option "I handle all threats manually". This is exactly where a malware or cybersecurity analyst needs DKOM functionality.

The fact is that even though your anti-cheat, or whatever other security product, got analyzed by an independent 3rd party, it's not very believable when you didn't even bother to mention how it was analyzed and which security company did the analysis...

Add to this that the anti-cheat in question will not start the game if it detects even one analysis program running. This is where my bypasses and DKOM's come into play.
#1000 - sospsi wrote, 12/10/2023 01:36
Title: i want to buy processhide
I want the perfect process hide with PatchGuard bypass. Do you sell it? Let me know how much it is.
#1001 - Administrator, 12/10/2023 02:20
Quote (#1000, originally posted by sospsi):

> I want the perfect process hide with PatchGuard bypass. Do you sell it? Let me know how much it is.


You need to provide the exact details. Do you need the source code or not? I currently only support Win10/11 22H2 (x64). What's the purpose of your custom process hide? If it's about hiding a process from an anti-cheat, I need to know its name. Which process or processes need to be hidden? I assume you realize the project will be customized according to your preference. I need the exact specs before I can tell you the price. The good thing is that I do have working code already (as I implemented something similar a long time ago). As I already wrote, a kernel anti-cheat or an AV does not want to be monitored, and I need the same functionality for my tool's anti-malware functionality, so that I can monitor any kernel anti-cheat, anti-virus or whatever cybersecurity product.

If your hidden process is creating new threads occasionally, I assume you realize this requires a quite advanced bypass, especially if there are kernel anti-cheat thread notify callbacks running (today's advanced anti-cheats have self-integrity checks in place, so they'll notice if you stripped their callbacks off; this requires deep Windows internals knowledge to bypass without getting detected). I hope you realize that a bypass needs to know when your hidden process creates a new thread. That may otherwise result in a ban or detection.

The ideal solution is this: A process starts before anything else and creates its threads. PatchGuard bypasses have nothing to do with process hiding. But you'll need to disable PatchGuard before you can hide any user mode process.

Do you plan to sell your process hider or is it just for your personal private use? I need to know all that... Yes, I can do it. But the project will be delivered "AS IS" without warranty of any kind even though I'll test the project properly, of course.
#1004 - Administrator, 12/10/2023 16:35
Title: Unlink PsActiveProcessList DKOM
When you unlink a process from the PsActiveProcessList, it's a classic DKOM which is subject to a CRITICAL_STRUCTURE_CORRUPTION (109) Type 1 process list corruption BSOD.

Anyway, you can test the bypass with it so you'll know for sure that it worked and that the bypass is as described in the first post. And there is a documented way in the source code to intentionally trigger a PG BSOD faster, so you'll not necessarily have to wait hours for a bug check.
#1010 - Administrator, 01/17/2024 20:29
I've just verified both DSE and PatchGuard bypass at runtime on:

Windows 10 Pro 22H2 19045.3208
Windows 11 Pro 22H2 22621.3007
