Exetools  

Go Back   Exetools > General > x64 OS

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-25-2014, 09:37
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 273
Rept. Given: 89
Rept. Rcvd 86 Times in 39 Posts
Thanks Given: 167
Thanks Rcvd at 340 Times in 118 Posts
Fyyre Reputation: 86
Looking for

Looking for someone familiar with disable of PatchGuard without reboot of system.

I have method for loading unsigned x64 driver, without any reboot/bootkit/etc.

The two would make for a good match.

-Fyyre
Reply With Quote
The Following User Says Thank You to Fyyre For This Useful Post:
Indigo (07-19-2019)
  #2  
Old 08-25-2014, 18:30
SubzEro
 
Posts: n/a
try this two



Reply With Quote
  #3  
Old 08-25-2014, 19:13
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 328
Rept. Given: 0
Rept. Rcvd 277 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 329 Times in 100 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
@Fyyre:
If you found a bug like that, please keep it either to yourself or - even better - report it in private to Microsoft and the perpetrator, so they can fix it.

Nobody wants "driver hell" coming back to production systems. I know PatchGuard and Driver Signing Enforcement made RCE work a bit harder, but they also made our systems much more stable.

@Cyber_Coder:
I don't think Fyyre needs to be reminded of documents he wrote by himself many years ago and which he is currently hosting on his own website.
Reply With Quote
The Following User Says Thank You to Kerlingen For This Useful Post:
Indigo (07-19-2019)
  #4  
Old 08-26-2014, 01:27
Nukem Nukem is offline
Family
 
Join Date: Aug 2014
Posts: 8
Rept. Given: 10
Rept. Rcvd 66 Times in 6 Posts
Thanks Given: 6
Thanks Rcvd at 10 Times in 5 Posts
Nukem Reputation: 67
There's no public way to bypass it, so I doubt anyone is going to just give it away.
http://vrt-blog.snort.org/2014/08/th...rotection.html - "Patchguard v8 - Internal architecture" is the most recent, but not very helpful.

AFAIK it can be somewhat bypassed with virtualization by spoofing the LSTAR MSR(syscall) or intercepting IDT events. There's still the cost of performance.
Reply With Quote
The Following User Gave Reputation+1 to Nukem For This Useful Post:
bolzano_1989 (08-26-2014)
The Following User Says Thank You to Nukem For This Useful Post:
Indigo (07-19-2019)
  #5  
Old 08-26-2014, 01:37
SubzEro
 
Posts: n/a
@Kerlingen i was not know that hi write that paper
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT +8. The time now is 15:26.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )