PatchGuard bypass
Read the article: https://hexderef.com/patchguard-bypass
The source code of the driver (C/C++) that disables kernel patch protection at runtime is available for $2,999 USD ("Software work" basis). The source code also includes a DSE bypass (a manually mappable driver) what with you can load your unsigned driver with DRIVER_OBJECT. Notice that there is no need to bypass kernel patch protection if you just need a DSE bypass to load your unsigned driver.
[+] Windows 10/11 compatible (22H2)
[+] Secure boot supported
[+] No reboot required
[+] Intel/AMD CPU supported
[+] Undetected (UD) in EAC/BattlEye/VanGuard
The compiled version of the driver will be locked to your SSD serial number and therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. The driver includes advanced kernel level spoofing techniques effectively bypassing EAC's checks. In other words the method used in the driver is undetected (UD).
The PatchGuard bypass supports the following versions:
Windows 10 22H2 Build: 19045
Support for Windows 11 22H2 Build: 22621 is to be added soon...
The DSE bypass which comes with the source code mentioned above has been verified without the need to disable PatchGuard on the following Windows versions:
Windows 10 Pro 22H2 Build: 19045
Windows 11 Pro 22H2 Build: 22621
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
Source code terms:
[+] The origin of the source code must not be misrepresented. The original author of the source code is White Byte at hexderef.com
[+] No author or distributor accepts responsibility to anyone for the consequences of using the source code
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you're interested. Please register and post your needs in this thread. I'll contact you by email you registered with.
If you require any custom software work and want to use PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver is either manually mappable or comes with DRIVER_OBJECT depending on your needs. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support.
The PatchGuard initializes in many different ways and new methods are likely to be added in the future. The driver and the source code is provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO without disabling.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Thefore this solution is more convinient and easier to use.
This allows you to apply many kind of DKOM's expect patches in the kernel text section. With the bypass, you can, for example hide your driver from kernel level anti-cheats. Notice that most of kernel anti-cheats detects kernel byte patches.
The following AV's did not detected the bypass (the bypass was applied while the listed AV's real-time protection was enabled). The list is to be updated...
Windows Defender
F-Secure SAFE
Kaspersky anti-virus (KAV)
Q: Do I need a code signing certificate (EV) to load the driver?
A: If you cannot use test signing or you're unable to bypass DSE. Then yes. Alternatively, you can purchase the source code mentioned above, which comes with a DSE bypass that allows you to load an unsigned kernel driver without the need to reboot your computer or enable test mode.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, partially working or not working at all. A sophistication level in this private PatchGuard and DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats. The source code is the best solution.
If you're a malware analyst. You may want to know whether or not PatchGuard was disabled at boot time or runtime by a malware you're currently analysing. Therefore the source code of the driver is available for purchase.
A proof of uptime:
454:457
The most popular mainstream kernel level anti-cheat EAC checks for running processes and refuses to start a game if it detects a non-allowed process (windbg.exe is one of them) running. The PatchGuard bypass allows you to DKOM any user mode process.
The source code of the driver (C/C++) that disables kernel patch protection at runtime is available for $2,999 USD ("Software work" basis). The source code also includes a DSE bypass (a manually mappable driver) what with you can load your unsigned driver with DRIVER_OBJECT. Notice that there is no need to bypass kernel patch protection if you just need a DSE bypass to load your unsigned driver.
[+] Windows 10/11 compatible (22H2)
[+] Secure boot supported
[+] No reboot required
[+] Intel/AMD CPU supported
[+] Undetected (UD) in EAC/BattlEye/VanGuard
The compiled version of the driver will be locked to your SSD serial number and therefore the order is subject to manual approval. The advantage of this is that each version of the driver will be unique from kernel level anti-cheat perspective. The driver includes advanced kernel level spoofing techniques effectively bypassing EAC's checks. In other words the method used in the driver is undetected (UD).
The PatchGuard bypass supports the following versions:
Windows 10 22H2 Build: 19045
Support for Windows 11 22H2 Build: 22621 is to be added soon...
The DSE bypass which comes with the source code mentioned above has been verified without the need to disable PatchGuard on the following Windows versions:
Windows 10 Pro 22H2 Build: 19045
Windows 11 Pro 22H2 Build: 22621
The source code is to be updated but no guarantee is given that the version of Windows you want will be supported.
Source code terms:
[+] The origin of the source code must not be misrepresented. The original author of the source code is White Byte at hexderef.com
[+] No author or distributor accepts responsibility to anyone for the consequences of using the source code
For individuals, Bitcoin (BTC) is the only payment method for the source code. I use coinbase.com. If you're interested. Please register and post your needs in this thread. I'll contact you by email you registered with.
If you require any custom software work and want to use PayPal. Read these notes https://overlayhack.com/hex-deref-support/984
The compiled driver is either manually mappable or comes with DRIVER_OBJECT depending on your needs. The project is a compilable VS2019+ project. The price of the source code does not include any kind of live, coding or anti-cheat bypass support.
The PatchGuard initializes in many different ways and new methods are likely to be added in the future. The driver and the source code is provided AS IS with no warranty of any kind.
The author has however tested the driver for at least 12 hours on a bare metal and Hyper-V VM by applying DKOM such as unlinking the driver from the loaded modules list (PsLoadedModuleList). This kind of direct kernel object manipulation (DKOM) is subject to PatchGuard CRITICAL_STRUCTURE_CORRUPTION 0x109 BSDO without disabling.
448:464
The driver disables PatchGuard integrity checks at runtime. Every EFI bootkit requires a reboot and secure boot to be disabled. Thefore this solution is more convinient and easier to use.
This allows you to apply many kind of DKOM's expect patches in the kernel text section. With the bypass, you can, for example hide your driver from kernel level anti-cheats. Notice that most of kernel anti-cheats detects kernel byte patches.
The following AV's did not detected the bypass (the bypass was applied while the listed AV's real-time protection was enabled). The list is to be updated...
Windows Defender
F-Secure SAFE
Kaspersky anti-virus (KAV)
Q: Do I need a code signing certificate (EV) to load the driver?
A: If you cannot use test signing or you're unable to bypass DSE. Then yes. Alternatively, you can purchase the source code mentioned above, which comes with a DSE bypass that allows you to load an unsigned kernel driver without the need to reboot your computer or enable test mode.
Q: There are free open source PatchGuard bypasses. Why would I pay for this?
A: Most of public ones are not supported, are out of date, partially working or not working at all. A sophistication level in this private PatchGuard and DSE bypass is different to the public ones. It is also worth mentioning that kernel level anti-cheats can easily detect any EFI bootkit based bypasses for the fact that there is no PatchGuard context in the kernel memory at all if you bypass kernel patch protection at boot time. If you want to stay hidden from advanced kernel anti-cheats. The source code is the best solution.
If you're a malware analyst. You may want to know whether or not PatchGuard was disabled at boot time or runtime by a malware you're currently analysing. Therefore the source code of the driver is available for purchase.
A proof of uptime:
454:457
The most popular mainstream kernel level anti-cheat EAC checks for running processes and refuses to start a game if it detects a non-allowed process (windbg.exe is one of them) running. The PatchGuard bypass allows you to DKOM any user mode process.
| #990 Title: Administrator |
02/27/2023 02:58 - 21 days 12 hours 46 minutes #990 |
The DSE bypass mentioned in the first post has been just verified on Windows 11 Pro 22H2 Build: 22621 without a PG BSDO.
You may need to disable Device security->Core isolation->Memory Integrity (HVCI). Any hypervisor (HV) based protection is as good as useless if you disable virtualization in the BIOS.
You may need to disable Device security->Core isolation->Memory Integrity (HVCI). Any hypervisor (HV) based protection is as good as useless if you disable virtualization in the BIOS.
