Tiza Posted November 30, 2016 I'm not Romanian. Forgive me. I speak English. I've been reading about bypassing PatchGuard (KPP); quite sure a lot of you here would have played around with stuff like this, including Nytro, so I wanted to ask something here. I know C programming and some assembly, just started driver development and I have ventured into kernel-level coding. I wanted to look into KPP bypass, how it works and other things, hence I decided to ask here. I read somewhere that to bypass PatchGuard we need to hook KeBugCheckEx() and then disable the driver signing verification on Windows 8.1 and Windows 10. I read only how to bypass KeBugCheckEx and write a jmp to it, but what about bypassing the driver signing verification, and how do I run a DLL in user mode from kernel mode? Do I have to call CreateProcessAsUser() from kernel mode? Edited November 30, 2016 by Tiza
Technetium Posted November 30, 2016 @Tiza Hello! Welcome and enjoy your stay here! Maybe this will help you. Good starting point here. @Nytro Could you help us out with additional info? Thx. Edited November 30, 2016 by Technetium
Nytro Posted November 30, 2016 The last useful stuff I saw on this subject was this one: http://blog.ptsecurity.com/2014/09/microsoft-windows-81-kernel-patch.html And you should also check this: https://github.com/hfiref0x/TDL However, I think they are working from time to time on this, so even if some bypasses are found, they are "probably" fixed. Also, you should take into consideration this, from here: https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/driver-signing "Note: Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows Server 2016 kernel-mode drivers must be signed by the Windows Hardware Dev Center Dashboard, which requires an EV certificate. For details, see Driver Signing Changes in Windows 10." Also, check this: https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- Tools: https://github.com/tandasat/PgResarch and https://github.com/tandasat/findpg
Tiza Posted December 1, 2016 (Author) I've been studying this. In other words, I just compile 32-bit code and make it into 64-bit and load it into the system. I'm testing on VBox.