Tiza Posted November 30, 2016 (edited) I'm not Romanian. Forgive me. I speak English. I have been reading about bypassing PatchGuard (KPP); I'm quite sure a lot of you here have played around with stuff like this, including Nytro, hence I wanted to ask something here. I know C programming and some assembly, just started driver development and have ventured into kernel-level coding. I wanted to look into KPP bypass, how it works and other things, hence I decided to ask here. I read somewhere that to bypass PatchGuard we need to hook KeBugCheckEx() and then disable the driver signing verification on Windows 8.1 and Windows 10. I only read how to bypass KeBugCheckEx and write a jmp to it, but what about bypassing the driver signing verification, and how do I run a DLL in user mode from kernel mode? Do I have to call CreateProcessAsUser() from kernel mode? Edited November 30, 2016 by Tiza
Technetium Posted November 30, 2016 (edited) @Tiza Hello! Welcome and enjoy your stay here! Maybe this will help you. Good starting point here. @Nytro Could you help us out with additional info? Thanks. Edited November 30, 2016 by Technetium
Nytro Posted November 30, 2016 The last useful thing I saw on this subject was this one: http://blog.ptsecurity.com/2014/09/microsoft-windows-81-kernel-patch.html And you should also check this: https://github.com/hfiref0x/TDL However, I think they are working on this from time to time, so even if some bypasses are found, they are "probably" fixed. Also, you should take this into consideration, from here: https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/driver-signing Note: Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows Server 2016 kernel-mode drivers must be signed by the Windows Hardware Dev Center Dashboard, which requires an EV certificate. For details, see Driver Signing Changes in Windows 10. Also, check this: https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- Tools: https://github.com/tandasat/PgResarch and https://github.com/tandasat/findpg
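Before assuming anything about the kernel-mode code-signing policy the post above links to, it is worth checking what the running machine actually enforces. The following is an added example, not code from this thread or from any of the linked projects: it queries the Code Integrity options through NtQuerySystemInformation (information class 103, SystemCodeIntegrityInformation) and decodes the flags that matter here. The flag values and the struct layout follow the public ntddk.h definitions; the numeric class value 103 is taken from the same headers. The query itself only compiles on Windows, so it is guarded with _WIN32; the decoding is portable and is what a non-Windows build exercises.

```c
/* Added example (not from the thread): report whether kernel-mode driver signing
 * enforcement is in effect on this machine, using the Code Integrity options that
 * ntdll!NtQuerySystemInformation exposes. Flag values as in ntddk.h. */
#include <stdio.h>
#include <stdbool.h>

#define CODEINTEGRITY_OPTION_ENABLED            0x00000001ul
#define CODEINTEGRITY_OPTION_TESTSIGN           0x00000002ul
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED  0x00000080ul
#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED  0x00000400ul

typedef struct {
    bool ci_enabled;          /* Code Integrity is on at all */
    bool test_signing;        /* bcdedit /set testsigning on: test certs accepted */
    bool debug_mode;          /* kernel debugging enabled; enforcement is relaxed
                                 only while a debugger is actually attached */
    bool hvci;                /* HVCI/KMCI: signing checked from the hypervisor side */
    bool enforcement_relaxed; /* CI off or test-signing on: unsigned/test-signed
                                 kernel code loads without a production signature */
} ci_summary;

/* Portable part: interpret the CodeIntegrityOptions bit field. */
ci_summary decode_ci_options(unsigned long opts) {
    ci_summary s;
    s.ci_enabled   = (opts & CODEINTEGRITY_OPTION_ENABLED) != 0;
    s.test_signing = (opts & CODEINTEGRITY_OPTION_TESTSIGN) != 0;
    s.debug_mode   = (opts & CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED) != 0;
    s.hvci         = (opts & CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED) != 0;
    s.enforcement_relaxed = !s.ci_enabled || s.test_signing;
    return s;
}

#ifdef _WIN32
#include <windows.h>

/* Layout of SYSTEM_CODEINTEGRITY_INFORMATION as in ntddk.h. */
typedef struct {
    ULONG Length;
    ULONG CodeIntegrityOptions;
} CI_INFO;

#define CI_INFO_CLASS 103 /* SystemCodeIntegrityInformation */

typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Windows-only: fetch CodeIntegrityOptions. Returns false if the call is unavailable
 * or fails; callers must not treat a failure as "enforcement off". */
bool query_ci_options(unsigned long *opts) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return false;
    NtQSI_t fn = (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (!fn) return false;
    CI_INFO info = { sizeof(info), 0 };
    ULONG ret = 0;
    if (fn(CI_INFO_CLASS, &info, sizeof(info), &ret) != 0) return false;
    *opts = info.CodeIntegrityOptions;
    return true;
}
#endif

static void print_summary(unsigned long opts) {
    ci_summary s = decode_ci_options(opts);
    printf("CodeIntegrityOptions = 0x%08lx\n", opts);
    printf("  CI enabled:          %s\n", s.ci_enabled ? "yes" : "no");
    printf("  test signing:        %s\n", s.test_signing ? "yes" : "no");
    printf("  debug mode:          %s\n", s.debug_mode ? "yes" : "no");
    printf("  HVCI/KMCI:           %s\n", s.hvci ? "yes" : "no");
    printf("  enforcement relaxed: %s\n", s.enforcement_relaxed ? "yes" : "no");
}

int main(void) {
#ifdef _WIN32
    unsigned long opts;
    if (!query_ci_options(&opts)) {
        fprintf(stderr, "NtQuerySystemInformation failed\n");
        return 1;
    }
    print_summary(opts);
#else
    /* Constructed sample value for a non-Windows build: CI on, test signing on. */
    print_summary(CODEINTEGRITY_OPTION_ENABLED | CODEINTEGRITY_OPTION_TESTSIGN);
#endif
    return 0;
}
```

A result of "CI enabled: yes, test signing: no" means a test-signed or unsigned driver will be rejected at load time regardless of what one does about PatchGuard; the two mechanisms are independent, and on Windows 10 with HVCI on, the signing check is also no longer something kernel code can simply flip.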
Tiza Posted December 1, 2016 (Author) I have been studying this. In other words, I just compile 32-bit code, make it into 64-bit and load it into the system. I'm testing on VBox.