PatchGuard bypass
Learn more: https://hexderef.com/patchguard-bypass
The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,999 USD ("Software work"). The source code also includes a DSE bypass at runtime (a manually mappable driver) what with you can load your unsigned driver with nt!_DRIVER_OBJECT.
Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a 0x109_20_CI!g_CiOptions PatchGuard bug check but this is adapted in the bypass.
[+] Windows 10/11 compatible (22H2)
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
The DSE bypass which comes with the source code mentioned above has also been verified with aforementioned versions without the need to disable PatchGuard.
The compiled version of the driver that costs $479 USD will be HWID locked to your computer and therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. There is no kernel anti-cheat that detects the bypass at runtime.
Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested. Please register and post your needs in this thread. I will contact you by email you registered with.
If you want to pay via PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.
The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code is therefore provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO. If you byte patch the kernel text section, let's say a routine with a RETN. It is also subject BAD_STACK_0x109 bug check. The bypass enables you also to patch the kernel according to your needs.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore this solution is more convenient and easier to use.
Q: Do I need a code signing certificate (EV) to load the driver?
A: No you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turns loads unsigned kernel driver with the PG bypass.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, are detected in anti-cheats, partially working or not working at all. A sophistication level in this private PatchGuard/DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats.
The source code is the best solution because you can alter the control flow (to make the driver unique and undetectable in anti-cheats) adapt the bypass for older or newer versions of Windows.
If PatchGuard was disabled at boot time. An anti-cheat can trigger the PatchGuard verification routine and if an exception occurs. The anti-cheat knows that PG is bypassed at boot.
A proof of uptime:
454:457
Terms for the source code:
The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com
The source code is sold unconditionally for private or internal company use. In no event you or the company who bought the source code may not distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.
No author or distributor accepts responsibility to anyone for the consequences of using the source code.
The source code of the driver (C/C++) that disables kernel patch protection (KPP) at runtime is available for $2,999 USD ("Software work"). The source code also includes a DSE bypass at runtime (a manually mappable driver) what with you can load your unsigned driver with nt!_DRIVER_OBJECT.
Notice that there is no need to bypass PatchGuard (PG) if you just need a DSE bypass to load your unsigned driver. You can purchase the DSE bypass separately. Bypassing DSE is subject to a 0x109_20_CI!g_CiOptions PatchGuard bug check but this is adapted in the bypass.
[+] Windows 10/11 compatible (22H2)
[+] Secure boot supported
[+] No reboot required
[+] Undetected (UD) in every kernel anti-cheat
[+] Source code available for purchase
The DSE bypass which comes with the source code mentioned above has also been verified with aforementioned versions without the need to disable PatchGuard.
The compiled version of the driver that costs $479 USD will be HWID locked to your computer and therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. There is no kernel anti-cheat that detects the bypass at runtime.
Terms of use for the compiled driver: You may not resell or share the driver to any 3rd party.
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you are interested. Please register and post your needs in this thread. I will contact you by email you registered with.
If you want to pay via PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver comes with DRIVER_OBJECT. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support. The source code is intended for those who have previous experience in coding kernel drivers.
The PatchGuard routine initializes in many different ways and new methods may be added in the future. The driver and the source code is therefore provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO. If you byte patch the kernel text section, let's say a routine with a RETN. It is also subject BAD_STACK_0x109 bug check. The bypass enables you also to patch the kernel according to your needs.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Therefore this solution is more convenient and easier to use.
Q: Do I need a code signing certificate (EV) to load the driver?
A: No you do not. You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver that in turn loads unsigned driver with nt!_DRIVER_OBJECT. The author can also provide you with a private EFI bootkit that works on Windows 10/11 <= 22H2 if secure boot is turned off. The bootkit enables you to load a manually mapped driver that disables DSE and then in turns loads unsigned kernel driver with the PG bypass.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, are detected in anti-cheats, partially working or not working at all. A sophistication level in this private PatchGuard/DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats.
The source code is the best solution because you can alter the control flow (to make the driver unique and undetectable in anti-cheats) adapt the bypass for older or newer versions of Windows.
If PatchGuard was disabled at boot time. An anti-cheat can trigger the PatchGuard verification routine and if an exception occurs. The anti-cheat knows that PG is bypassed at boot.
A proof of uptime:
454:457
Bypassing PatchGuard enables the classic process DKOM's
The most popular mainstream kernel level anti-cheat EAC, that is also considered to be the most advanced, checks for running and hidden processes. EAC refuses to start a game if it detects a non-allowed process (windbg.exe is one of them) running. In other words. If an AV, kernel anti-cheat or malware does not want want to be analyzed. DKOM'ing a process is the only way, and the bypass makes this possible without a BSDO.Terms for the source code:
The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com
The source code is sold unconditionally for private or internal company use. In no event you or the company who bought the source code may not distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form.
No author or distributor accepts responsibility to anyone for the consequences of using the source code.
| #992 Title: Administrator |
07/25/2023 01:33 - 69 days 7 hours 18 minutes #992 |
The recent windows kernel update broke the DSE bypass on Windows 10 22H2 Build: 19045.3208. I've adapted the update and it works in the latest version at the time of this post.
