Go Back   EXETOOLS FORUM > General > x64 OS


Thread Tools Display Modes
Old 08-25-2014, 09:37
Fyyre's Avatar
Fyyre Fyyre is offline
Join Date: Dec 2009
Location: 0xfffffffe
Posts: 134
Rept. Given: 39
Rept. Rcvd 58 Times in 26 Posts
Thanks Given: 19
Thanks Rcvd at 82 Times in 19 Posts
Fyyre Reputation: 58
Looking for

Looking for someone familiar with disable of PatchGuard without reboot of system.

I have method for loading unsigned x64 driver, without any reboot/bootkit/etc.

The two would make for a good match.

Reply With Quote
Old 08-25-2014, 18:30
Posts: n/a
try this two

Reply With Quote
Old 08-25-2014, 19:13
Kerlingen Kerlingen is offline
Join Date: Feb 2011
Posts: 294
Rept. Given: 0
Rept. Rcvd 271 Times in 96 Posts
Thanks Given: 0
Thanks Rcvd at 198 Times in 54 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
If you found a bug like that, please keep it either to yourself or - even better - report it in private to Microsoft and the perpetrator, so they can fix it.

Nobody wants "driver hell" coming back to production systems. I know PatchGuard and Driver Signing Enforcement made RCE work a bit harder, but they also made our systems much more stable.

I don't think Fyyre needs to be reminded of documents he wrote by himself many years ago and which he is currently hosting on his own website.
Reply With Quote
Old 08-26-2014, 01:27
Nukem Nukem is offline
Join Date: Aug 2014
Posts: 8
Rept. Given: 8
Rept. Rcvd 67 Times in 6 Posts
Thanks Given: 2
Thanks Rcvd at 8 Times in 4 Posts
Nukem Reputation: 67
There's no public way to bypass it, so I doubt anyone is going to just give it away.
http://vrt-blog.snort.org/2014/08/th...rotection.html - "Patchguard v8 - Internal architecture" is the most recent, but not very helpful.

AFAIK it can be somewhat bypassed with virtualization by spoofing the LSTAR MSR(syscall) or intercepting IDT events. There's still the cost of performance.
Reply With Quote
The Following User Gave Reputation+1 to Nukem For This Useful Post:
bolzano_1989 (08-26-2014)
Old 08-26-2014, 01:37
Posts: n/a
@Kerlingen i was not know that hi write that paper
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

All times are GMT +8. The time now is 01:14.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX