{"id":19060262,"url":"https://github.com/4l3x777/dse_pg_bypass","last_synced_at":"2025-09-07T08:31:52.187Z","repository":{"id":231731471,"uuid":"782569287","full_name":"4l3x777/dse_pg_bypass","owner":"4l3x777","description":"DSE \u0026 PG bypass via BYOVD attack","archived":false,"fork":false,"pushed_at":"2025-07-12T08:25:37.000Z","size":8735,"stargazers_count":52,"open_issues_count":1,"forks_count":11,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-07-12T09:12:02.995Z","etag":null,"topics":["byovd","dse","patchguard","poc","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/4l3x777.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-04-05T15:04:38.000Z","updated_at":"2025-07-12T08:25:40.000Z","dependencies_parsed_at":"2024-04-05T16:29:18.579Z","dependency_job_id":"8a375359-e62a-45a3-8a69-24fc33e5fa2e","html_url":"https://github.com/4l3x777/dse_pg_bypass","commit_stats":null,"previous_names":["4l3x777/dse_pg_bypass"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/4l3x777/dse_pg_bypass","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4l3x777%2Fdse_pg_bypass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4l3x777%2Fdse_pg_bypass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4l3x777%2Fdse_pg_bypass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4l3x777%2Fdse_pg_bypass/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/4l3x777","download_url":"https://codeload.github.com/4l3x777/dse_pg_bypass/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4l3x777%2Fdse_pg_bypass/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274011573,"owners_count":25207091,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-07T02:00:09.463Z","response_time":67,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["byovd","dse","patchguard","poc","reverse-engineering"],"created_at":"2024-11-09T00:14:10.100Z","updated_at":"2025-09-07T08:31:52.172Z","avatar_url":"https://github.com/4l3x777.png","language":"C++","funding_links":[],"categories":["***Windows Kernel***"],"sub_categories":["***Protection Mechanisms***"],"readme":"# DSE \u0026 PG bypass via BYOVD attack\n\n## If you like the project, click star ^_^\n\n+ Bypassing Driver Signature Enforcement and Patch Guard via a BYOVD attack\n+ This approach is presented for educational purposes\n\n## WriteUP Reversing Signature Validation\n\n+ Windows kernel functions involved in validating a PE image (driver)\n+ Methods of interest: the cast function pointers that return NTSTATUS\n+ `qword_140C375A0` and `qword_140C375C8`\n### SeValidateImageHeader for WIN 11 24H2 and \"older\" kernels\n```C++\n__int64 __fastcall 
SeValidateImageHeader(\n        __int64 a1,\n        __int64 a2,\n        __int64 a3,\n        __int64 a4,\n        int a5,\n        __int64 a6,\n        __int64 a7,\n        __int64 a8,\n        __int64 a9,\n        char a10)\n{\n  if ( qword_140C375A0 )\n  {\n    if ( (a10 \u0026 1) != 0 )\n      _InterlockedCompareExchange(\u0026dword_140D0C720, 0, 0);\n    return (unsigned int)((__int64 (__fastcall *)(__int64, __int64))qword_140C375A0)(a1, a2);\n  }\n  else\n  {\n    return (unsigned int)-1073740760; //0x0C0000428 STATUS_INVALID_IMAGE_HASH\n  }\n}\n\n// SeValidateImageHeader as shown in WinDBG \nnt!SeValidateImageHeader:\nfffff801`170f2b98 488bc4          mov     rax,rsp\nfffff801`170f2b9b 48895808        mov     qword ptr [rax+8],rbx\nfffff801`170f2b9f 48897010        mov     qword ptr [rax+10h],rsi\nfffff801`170f2ba3 57              push    rdi\nfffff801`170f2ba4 4881eca0000000  sub     rsp,0A0h\nfffff801`170f2bab 33f6            xor     esi,esi\nfffff801`170f2bad 488bda          mov     rbx,rdx\n// this callback is the one of interest\nfffff801`170f2bb0 483935e9495400  cmp     qword ptr [nt!SeCiCallbacks+0x20 (fffff801`17a375a0)],rsi // addresses qword_140C375A0 -\u003e RVA 0xc375a0\n```\n\n### CiValidateImageHeader for the WIN 11 24H2 kernel (and possibly newer)\n\n```C++\n- the SeValidateImageHeader check was removed from the kernel\n- the check logic was moved into a separate module: CI!CiValidateImageHeader (code integrity module)\n```\n\n#### static analysis of MiValidateSectionCreate\n\n```C++\n__int64 __fastcall MiValidateSectionCreate(\n        ULONG_PTR a1,\n        __int64 *a2,\n        unsigned int a3,\n        __int64 a4,\n        int a5,\n        char a6,\n        char a7)\n{\n...\n\tv67 = 0;\n    if ( qword_140F04080 )\n    {\n...\n```\n\n#### dynamic analysis of nt!MiValidateSectionCreate\n\n```C++\n  nt!MiValidateSectionCreate: CFG\n\tfffff804`df93c494 4053                 push    rbx\n\t...\n\tfffff804`df93cac4 488b05b5755c00       mov     rax, qword ptr 
[ntkrnlmp!SeCiCallbacks+0x20 (fffff804dff04080)] // addresses qword_140F04080 -\u003e RVA 0x5c7686\n\tfffff804`df93cacb e8b03c2700           call    ntkrnlmp!KscpCfgDispatchUserCallTargetEsSmep (fffff804dfbb0780)\n\tfffff804`df93cad0 8bf0                 mov     esi, eax\n\t\nfffff804dff04080 80 54 35 71 04 F8 FF FF -\u003e fffff804`71355480 -\u003e CI!CiValidateImageHeader\n\nfffff804dff04080 -\u003e qword_140F04080 =\u003e stores the CI!CiValidateImageHeader callback\n```\n\n#### conclusions\n\n```C++\nwhen called, CI!CiValidateImageHeader (from the code integrity module) returns the result of the signature check\n\ncall order of interest: nt!MiValidateSectionCreate -\u003e CI!CiValidateImageHeader\n\n__int64 __fastcall CiValidateImageHeader(\n        struct _FILE_OBJECT *a1,\n        void *a2,\n        unsigned int a3,\n        __int64 a4,\n        int a5,\n        int *a6,\n        _BYTE *a7,\n        __int64 a8,\n        __int64 a9,\n        unsigned int a10,\n        _QWORD *a11,\n        char a12,\n        char a13,\n        _BYTE *a14,\n        int *a15,\n        __int64 a16,\n        __int64 a17)\n{\n...\n}\n```\n\n### SeValidateImageData for all versions\n```C++\n__int64 __fastcall SeValidateImageData(__int64 a1)\n{\n  if ( qword_140C375C8 )\n    return qword_140C375C8(a1);\n  else\n    return 3221226536i64; //0x0C0000428 STATUS_INVALID_IMAGE_HASH\n}\n\n// SeValidateImageData as shown in WinDBG \nnt!SeValidateImageData:\nfffff802`17086b0c 4883ec48        sub     rsp,48h\n// this callback is the one of interest\nfffff802`17086b10 488b05b10a5b00  mov     rax,qword ptr [nt!SeCiCallbacks+0x28 (fffff802`176375c8)] // addresses qword_140C375C8 -\u003e RVA 0xc375c8\nfffff802`17086b17 4c8bd1          mov     r10,rcx\nfffff802`17086b1a 4885c0          test    rax,rax\nfffff802`17086b1d 7420            je      nt!SeValidateImageData+0x33 (fffff802`17086b3f)\n```\n\n## WriteUP Reversing PatchGuard\n\n+ PatchGuard runs on contexts\n\n```C++\n
nt!KiFilterFiberContext+0x1b00:\nfffff802`17517730 4c894c2420      mov     qword ptr [rsp+20h],r9\nfffff802`17517735 4489442418      mov     dword ptr [rsp+18h],r8d\nfffff802`1751773a 894c2408        mov     dword ptr [rsp+8],ecx\nfffff802`1751773e 53              push    rbx\nfffff802`1751773f 56              push    rsi\nfffff802`17517740 57              push    rdi\nfffff802`17517741 4154            push    r12\nfffff802`17517743 4155            push    r13\nfffff802`17517745 4156            push    r14\nfffff802`17517747 4157            push    r15\nfffff802`17517749 4881ec60220000  sub     rsp,2260h\nfffff802`17517750 498bc1          mov     rax,r9\nfffff802`17517753 8bf2            mov     esi,edx\nfffff802`17517755 fa              cli\nfffff802`17517756 33c9            xor     ecx,ecx\n\n// this debugger-presence check is the one of interest\nfffff802`17517758 380d2b341400    cmp     byte ptr [nt!KdDebuggerNotPresent (fffff802`1765ab89)],cl\n\n// if there is no debugger, the thread continues executing\nfffff802`1751775e 7502            jne     nt!KiFilterFiberContext+0x1b32 (fffff802`17517762)\n\n// if a debugger is present, it enters an infinite loop\nnt!KiFilterFiberContext+0x1b30:\nfffff802`17517760 ebfe            jmp     nt!KiFilterFiberContext+0x1b30 (fffff802`17517760)\n\n...................................................\n\n// PS: the entire code of this function is heavily obfuscated (a fragment with junk code follows)\nnt!KiFilterFiberContext+0x1b4e:\nfffff802`1751777e 8d46fd          lea     eax,[rsi-3]\nfffff802`17517781 a9fdffffff      test    eax,0FFFFFFFDh\nfffff802`17517786 7504            jne     nt!KiFilterFiberContext+0x1b5c (fffff802`1751778c)  \n\nnt!KiFilterFiberContext+0x1b58:\nfffff802`17517788 33c0            xor     eax,eax\nfffff802`1751778a 8bf0            mov     esi,eax\n\nnt!KiFilterFiberContext+0x1b5c:\nfffff802`1751778c 8b8424c0220000  mov     eax,dword ptr [rsp+22C0h]\nfffff802`17517793 eb18            jmp     nt!KiFilterFiberContext+0x1b7d 
(fffff802`175177ad)  \n\nnt!KiFilterFiberContext+0x1b65:\nfffff802`17517795 413bf7          cmp     esi,r15d\nfffff802`17517798 7705            ja      nt!KiFilterFiberContext+0x1b6f (fffff802`1751779f)  \n\nnt!KiFilterFiberContext+0x1b6a:\nfffff802`1751779a 0fa3f2          bt      edx,esi\nfffff802`1751779d 7204            jb      nt!KiFilterFiberContext+0x1b73 (fffff802`175177a3)  \n\nnt!KiFilterFiberContext+0x1b6f:\nfffff802`1751779f 33c0            xor     eax,eax\nfffff802`175177a1 8bf0            mov     esi,eax\n\nnt!KiFilterFiberContext+0x1b73:\nfffff802`175177a3 8b8424c0220000  mov     eax,dword ptr [rsp+22C0h]\nfffff802`175177aa 410bc5          or      eax,r13d\n\nnt!KiFilterFiberContext+0x1b7d:\nfffff802`175177ad 89842498030000  mov     dword ptr [rsp+398h],eax\nfffff802`175177b4 83fe07          cmp     esi,7\nfffff802`175177b7 7453            je      nt!KiFilterFiberContext+0x1bdc (fffff802`1751780c)  \n\nnt!KiFilterFiberContext+0x1b89:\nfffff802`175177b9 e842c30700      call    nt!KiAreCodePatchesAllowed (fffff802`17593b00)\nfffff802`175177be 85c0            test    eax,eax\nfffff802`175177c0 744a            je      nt!KiFilterFiberContext+0x1bdc (fffff802`1751780c)  \n\nnt!KiFilterFiberContext+0x1b92:\nfffff802`175177c2 e821d20400      call    nt!KiSwInterruptPresent (fffff802`175649e8)\nfffff802`175177c7 85c0            test    eax,eax\nfffff802`175177c9 7841            js      nt!KiFilterFiberContext+0x1bdc (fffff802`1751780c)  \n\nnt!KiFilterFiberContext+0x1b9b:\nfffff802`175177cb e858b00100      call    nt!KiFilterFiberContext+0x1cbf8 (fffff802`17532828)\nfffff802`175177d0 85c0            test    eax,eax\nfffff802`175177d2 7438            je      nt!KiFilterFiberContext+0x1bdc (fffff802`1751780c)  \n\nnt!KiFilterFiberContext+0x1ba4:\nfffff802`175177d4 e873c30700      call    nt!KiGetLoadOptions (fffff802`17593b4c)\nfffff802`175177d9 488d15c0bb0500  lea     rdx,[nt! ?? 
::PBOPGDP::`string' (fffff802`175733a0)]\nfffff802`175177e0 488bc8          mov     rcx,rax\nfffff802`175177e3 488bd8          mov     rbx,rax\nfffff802`175177e6 e875f18bff      call    nt!strstr (fffff802`16dd6960)\nfffff802`175177eb 4885c0          test    rax,rax\nfffff802`175177ee 751c            jne     nt!KiFilterFiberContext+0x1bdc (fffff802`1751780c)  \n...................................................\n```\n\n## BYOVD attack\n\n+ the vulnerable AMD driver `PdFwKrnl` is used\n+ a `memcpy` primitive from virtual to physical memory is used\n\n## Example run\n\n+ test system: Windows 11 version 10.0.22631.3374 with the latest updates\n+ test system: Windows 11 version 10.0.26100.4061 with the latest updates\n\n### Test system Windows 11 version 10.0.22631.3374\n![alt text](/img/dse_pg_bypass_23h2.gif)\n### Test system Windows 11 version 10.0.26100.4061\n![alt text](/img/dse_pg_bypass_24h2.gif)\n\n## Links\n\n+ [LolDriver PoC](https://github.com/TakahiroHaruyama/VDR/tree/main/PoCs/firmware/eop_pdfwkrnl.py)\n+ [LolDriver Link](https://www.loldrivers.io/drivers/fded7e63-0470-40fe-97ed-aa83fd027bad/)\n+ [PatchGuard Article](https://habr.com/ru/companies/pt/articles/246841/)\n+ [PatchNtoskrnl](https://github.com/Mattiwatti/EfiGuard/blob/25bb182026d24944713e36f129a93d08397de913/EfiGuardDxe/PatchNtoskrnl.c)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F4l3x777%2Fdse_pg_bypass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F4l3x777%2Fdse_pg_bypass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F4l3x777%2Fdse_pg_bypass/lists"}