EXETOOLS FORUM  

Go Back   EXETOOLS FORUM > General > x64 OS

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-25-2014, 09:37
Fyyre's Avatar
Fyyre Fyyre is offline
VIP
 
Join Date: Dec 2009
Location: 0xfffffffe
Posts: 115
Rept. Given: 38
Rept. Rcvd 58 Times in 26 Posts
Thanks Given: 9
Thanks Rcvd at 54 Times in 11 Posts
Fyyre Reputation: 58
Looking for

Looking for someone familiar with disable of PatchGuard without reboot of system.

I have method for loading unsigned x64 driver, without any reboot/bootkit/etc.

The two would make for a good match.

-Fyyre
Reply With Quote
  #2  
Old 08-25-2014, 18:30
SubzEro
 
Posts: n/a
try this two



Reply With Quote
  #3  
Old 08-25-2014, 19:13
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 246
Rept. Given: 0
Rept. Rcvd 253 Times in 90 Posts
Thanks Given: 0
Thanks Rcvd at 61 Times in 29 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
@Fyyre:
If you found a bug like that, please keep it either to yourself or - even better - report it in private to Microsoft and the perpetrator, so they can fix it.

Nobody wants "driver hell" coming back to production systems. I know PatchGuard and Driver Signing Enforcement made RCE work a bit harder, but they also made our systems much more stable.

@Cyber_Coder:
I don't think Fyyre needs to be reminded of documents he wrote by himself many years ago and which he is currently hosting on his own website.
Reply With Quote
  #4  
Old 08-26-2014, 01:27
Nukem Nukem is offline
Family
 
Join Date: Aug 2014
Posts: 8
Rept. Given: 8
Rept. Rcvd 67 Times in 6 Posts
Thanks Given: 2
Thanks Rcvd at 8 Times in 4 Posts
Nukem Reputation: 67
There's no public way to bypass it, so I doubt anyone is going to just give it away.
http://vrt-blog.snort.org/2014/08/th...rotection.html - "Patchguard v8 - Internal architecture" is the most recent, but not very helpful.

AFAIK it can be somewhat bypassed with virtualization by spoofing the LSTAR MSR(syscall) or intercepting IDT events. There's still the cost of performance.
Reply With Quote
The Following User Gave Reputation+1 to Nukem For This Useful Post:
bolzano_1989 (08-26-2014)
  #5  
Old 08-26-2014, 01:37
SubzEro
 
Posts: n/a
@Kerlingen i was not know that hi write that paper
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT +8. The time now is 12:54.


ICP05004977
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX