EXETOOLS FORUM (https://forum.exetools.com/index.php)
Thread: Looking for (https://forum.exetools.com/showthread.php?t=16119)

Fyyre 08-25-2014 09:37

Looking for

Looking for someone familiar with disabling PatchGuard without rebooting the system.

I have a method for loading an unsigned x64 driver, without any reboot/bootkit/etc.

The two would make for a good match.

-Fyyre

SubzEro 08-25-2014 18:30

Try these two

Kerlingen 08-25-2014 19:13

@Fyyre:
If you found a bug like that, please keep it either to yourself or - even better - report it in private to Microsoft and the perpetrator, so they can fix it.

Nobody wants "driver hell" coming back to production systems. I know PatchGuard and Driver Signing Enforcement made RCE work a bit harder, but they also made our systems much more stable.

@Cyber_Coder:
I don't think Fyyre needs to be reminded of documents he wrote by himself many years ago and which he is currently hosting on his own website.

Nukem 08-26-2014 01:27

There's no public way to bypass it, so I doubt anyone is going to just give it away.
http://vrt-blog.snort.org/2014/08/th...rotection.html - "Patchguard v8 - Internal architecture" is the most recent, but not very helpful.

AFAIK it can be somewhat bypassed with virtualization by spoofing the LSTAR MSR (syscall) or intercepting IDT events. There's still the cost of performance.

SubzEro 08-26-2014 01:37

@Kerlingen I did not know that he wrote that paper :eek:
