PatchGuard bypass at runtime

#1004
Title: Unlink PsActiveProcessList DKOM
Administrator
12/10/2023 16:35 - 147 days 18 hours 11 minutes
When you unlink a process from the PsActiveProcessList, it's a classic DKOM which is subject to a CRITICAL_STRUCTURE_CORRUPTION (109) Type 1 process list corruption BSOD.

Anyways, you can test the bypass with it, so you'll know for sure that it worked and that the bypass is as described in the first post. And there is a documented way in the source code to intentionally trigger a PG BSOD faster, so you won't necessarily have to wait hours for a bug check.
