Go Back   Exetools > General > x64 OS


Thread Tools Display Modes
Old 08-25-2014, 09:37
Fyyre's Avatar
Fyyre Fyyre is offline
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 173
Rept. Given: 44
Rept. Rcvd 65 Times in 29 Posts
Thanks Given: 39
Thanks Rcvd at 125 Times in 31 Posts
Fyyre Reputation: 65
Looking for

Looking for someone familiar with disable of PatchGuard without reboot of system.

I have method for loading unsigned x64 driver, without any reboot/bootkit/etc.

The two would make for a good match.

Reply With Quote
Old 08-25-2014, 18:30
Posts: n/a
try this two

Reply With Quote
Old 08-25-2014, 19:13
Kerlingen Kerlingen is offline
Join Date: Feb 2011
Posts: 295
Rept. Given: 0
Rept. Rcvd 274 Times in 97 Posts
Thanks Given: 0
Thanks Rcvd at 221 Times in 55 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
If you found a bug like that, please keep it either to yourself or - even better - report it in private to Microsoft and the perpetrator, so they can fix it.

Nobody wants "driver hell" coming back to production systems. I know PatchGuard and Driver Signing Enforcement made RCE work a bit harder, but they also made our systems much more stable.

I don't think Fyyre needs to be reminded of documents he wrote by himself many years ago and which he is currently hosting on his own website.
Reply With Quote
Old 08-26-2014, 01:27
Nukem Nukem is offline
Join Date: Aug 2014
Posts: 8
Rept. Given: 8
Rept. Rcvd 67 Times in 6 Posts
Thanks Given: 3
Thanks Rcvd at 8 Times in 4 Posts
Nukem Reputation: 67
There's no public way to bypass it, so I doubt anyone is going to just give it away.
http://vrt-blog.snort.org/2014/08/th...rotection.html - "Patchguard v8 - Internal architecture" is the most recent, but not very helpful.

AFAIK it can be somewhat bypassed with virtualization by spoofing the LSTAR MSR(syscall) or intercepting IDT events. There's still the cost of performance.
Reply With Quote
The Following User Gave Reputation+1 to Nukem For This Useful Post:
bolzano_1989 (08-26-2014)
Old 08-26-2014, 01:37
Posts: n/a
@Kerlingen i was not know that hi write that paper
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

All times are GMT +8. The time now is 01:02.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX