PatchGuard bypass at runtime
Learn more: https://hexderef.com/patchguard-bypass
The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,499 USD ("Software work") non-exclusive. The source code also includes a DSE bypass at runtime (a manually mappable driver) what with you can load your unsigned driver with nt!_DRIVER_OBJECT.
Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a CRITICAL_STRUCTURE_CORRUPTION (109) CI!g_CiOptions+0 CI.dll 0x109_0_CI!g_CiOptions PatchGuard bug check.
[+] Windows 10 (22H2) | Windows 11 (22H2/23H2) compatible
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
[-] HVCI
1391:648
The DSE bypass which comes with the source code mentioned above has also been verified with aforementioned versions without the need to disable PatchGuard.
The compiled version of the driver comes with nt!_DRIVER_OBJECT, costs $279 USD one time, will be obfuscated, therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. The driver unloads itself before the anti-cheat is initialized. AFAIK: There is no kernel anti-cheat that detects the bypass at runtime.
Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested. Please register and post your needs in this thread. I will contact you by email you registered with.
If you want to pay via PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.
The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code is therefore provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO. If you byte patch the kernel text section, let's say a routine with a RETN. It is also subject BAD_STACK_0x109 bug check. The bypass enables you also to patch the kernel according to your needs.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore this solution is more convenient and easier to use.
Q: Do I need a code signing certificate (EV) to load the driver?
A: No you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turns loads unsigned kernel driver with the PG bypass.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, are detected in anti-cheats, partially working or not working at all. A sophistication level in this private PatchGuard/DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats.
The source code is the best solution because you can alter the control flow (to make the driver unique and undetectable in anti-cheats) adapt the bypass for older or newer versions of Windows.
If PatchGuard was disabled at boot time. An anti-cheat can trigger the PatchGuard verification routine and if an exception occurs. The anti-cheat knows that PG is bypassed at boot.
A proof of uptime:
454:457
Terms for the source code:
The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com
The source code is sold unconditionally for private or internal company use. In no event you or the company who bought the source code may not distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.
No author or distributor accepts responsibility to anyone for the consequences of using the source code.
The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,499 USD ("Software work") non-exclusive. The source code also includes a DSE bypass at runtime (a manually mappable driver) what with you can load your unsigned driver with nt!_DRIVER_OBJECT.
Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a CRITICAL_STRUCTURE_CORRUPTION (109) CI!g_CiOptions+0 CI.dll 0x109_0_CI!g_CiOptions PatchGuard bug check.
[+] Windows 10 (22H2) | Windows 11 (22H2/23H2) compatible
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
[-] HVCI
1391:648
The DSE bypass which comes with the source code mentioned above has also been verified with aforementioned versions without the need to disable PatchGuard.
The compiled version of the driver comes with nt!_DRIVER_OBJECT, costs $279 USD one time, will be obfuscated, therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. The driver unloads itself before the anti-cheat is initialized. AFAIK: There is no kernel anti-cheat that detects the bypass at runtime.
Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested. Please register and post your needs in this thread. I will contact you by email you registered with.
If you want to pay via PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.
The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code is therefore provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO. If you byte patch the kernel text section, let's say a routine with a RETN. It is also subject BAD_STACK_0x109 bug check. The bypass enables you also to patch the kernel according to your needs.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore this solution is more convenient and easier to use.
Q: Do I need a code signing certificate (EV) to load the driver?
A: No you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turns loads unsigned kernel driver with the PG bypass.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, are detected in anti-cheats, partially working or not working at all. A sophistication level in this private PatchGuard/DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats.
The source code is the best solution because you can alter the control flow (to make the driver unique and undetectable in anti-cheats) adapt the bypass for older or newer versions of Windows.
If PatchGuard was disabled at boot time. An anti-cheat can trigger the PatchGuard verification routine and if an exception occurs. The anti-cheat knows that PG is bypassed at boot.
A proof of uptime:
454:457
Bypassing PatchGuard enables the classic process DKOM's
The most popular mainstream kernel level anti-cheat EAC, that is also considered to be the most advanced, checks for running and hidden processes. EAC refuses to start a game if it detects a non-allowed process (windbg.exe is one of them) running. In other words. If an AV, kernel anti-cheat or malware does not want want to be analyzed. DKOM'ing a process is the only way, and the bypass makes this possible without a BSDO.Terms for the source code:
The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com
The source code is sold unconditionally for private or internal company use. In no event you or the company who bought the source code may not distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.
No author or distributor accepts responsibility to anyone for the consequences of using the source code.
| #992 Title: Administrator |
07/25/2023 01:33 - 485 days 7 hours 57 minutes #992 |
The recent windows kernel update broke the DSE bypass on Windows 10 22H2 Build: 19045.3208. I've adapted the update and it works in the latest version at the time of this post.
| #1010 Title: Administrator |
01/17/2024 20:29 - 308 days 12 hours 1 minutes #1010 |
I've just verified both DSE and PatchGuard bypass at runtime on:
Windows 10 Pro 22H2 19045.3208
Windows 11 Pro 22H2 22621.3007
Windows 10 Pro 22H2 19045.3208
Windows 11 Pro 22H2 22621.3007
| #1014 Title: Administrator |
04/07/2024 18:19 - 227 days 15 hours 11 minutes #1014 |
The bypass has been verified on Windows 11 Pro 23H2 (Build: 22631)
| #1018 Title: diegobt wrote: |
09/09/2024 20:07 - 72 days 13 hours 23 minutes #1018 |
Hi I am interested in the PatchGuard bypass source code. I would like more information
Thank you
/diego
Thank you
/diego
| #1026 Title: PatchGuard 0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function Administrator |
11/01/2024 12:32 - 19 days 19 hours 58 minutes #1026 |
If you need a SEH in your manually mapped driver. You'll need to use below undocumented kernel API's.
Finding the base address of a manually mapped driver requires a bit more effort, but by iterating backwards from the driver's entry point and trying to locate the first valid PE header, you are pretty much at the base address. You can get the size of the image from the found PE header.
RtlInsertInvertedFunctionTable(imageBase, szImage);
RemoveInvertedFunctionTableEntry(imageBase, szImage);
PatchGuard will trigger a BSDO: 19 : Loaded module list modification
0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function
Aforementioned 0x109 will not trigger after the bypass described in the first post has been applied.
If you're a malware analyst. It's worth noting that RtlInsertInvertedFunctionTable routine will insert an entry in "db nt!PsInvertedFunctionTable". If you iterate all entries and check if an entry points to a valid module. You'll find every manually mapped kernel drivers that uses SEH.
Finding the base address of a manually mapped driver requires a bit more effort, but by iterating backwards from the driver's entry point and trying to locate the first valid PE header, you are pretty much at the base address. You can get the size of the image from the found PE header.
RtlInsertInvertedFunctionTable(imageBase, szImage);
RemoveInvertedFunctionTableEntry(imageBase, szImage);
PatchGuard will trigger a BSDO: 19 : Loaded module list modification
0x109_19_ANALYSIS_INCONCLUSIVE!unknown_function
Aforementioned 0x109 will not trigger after the bypass described in the first post has been applied.
If you're a malware analyst. It's worth noting that RtlInsertInvertedFunctionTable routine will insert an entry in "db nt!PsInvertedFunctionTable". If you iterate all entries and check if an entry points to a valid module. You'll find every manually mapped kernel drivers that uses SEH.
