 #26660  by EP_X0FF
 Fri Sep 04, 2015 3:29 am
breaker09 wrote:Is this still working in Windows 10? I seem to be getting PatchGuarded a lot... :(
Yes, it works. Do not want to trigger PatchGuard? Turn it off. Do not want to turn it off? Rewrite dsefix to map your target driver into kernel memory using the vbox loader task (basically doing the Windows loader's job) and launch its execution via kernel mode shellcode that will be triggered by the same SUP_IOCTL_FAST_DO_NOP. This will not trigger PatchGuard, as nothing will be patched, and your driver will be loaded without touching MmLoadSystemImage, so no digital signature checks will be performed. However, you will be unable to unload your "loaded" driver normally, as it will not be in the list of loaded drivers. Everything else - creating devices, sending/receiving IOCTLs - should be working.
 #26666  by breaker09
 Fri Sep 04, 2015 7:44 pm
EP_X0FF wrote:
breaker09 wrote:Is this still working in Windows 10? I seem to be getting PatchGuarded a lot... :(
Yes, it works. Do not want to trigger PatchGuard? Turn it off. Do not want to turn it off? Rewrite dsefix to map your target driver into kernel memory using the vbox loader task (basically doing the Windows loader's job) and launch its execution via kernel mode shellcode that will be triggered by the same SUP_IOCTL_FAST_DO_NOP. This will not trigger PatchGuard, as nothing will be patched, and your driver will be loaded without touching MmLoadSystemImage, so no digital signature checks will be performed. However, you will be unable to unload your "loaded" driver normally, as it will not be in the list of loaded drivers. Everything else - creating devices, sending/receiving IOCTLs - should be working.
Thanks, somehow I had not realized the exploit could be used that way as well. I'd prefer not to disable PatchGuard if I don't have to, so that sounds perfect! :)

And also, my question was poorly worded. DSEFix works well and I'm able to load my driver. But even when I have a program that first disables DSE, loads my driver and then immediately re-enables it, I'm still getting PatchGuarded. I'm just wondering if they have added some new checks in Windows 10 or something, because I never had any problems in Windows 8.1?
 #26667  by EP_X0FF
 Sat Sep 05, 2015 4:02 am
I have no idea. As for me, it is purely random. Maybe they tweaked the scanning priority. PatchGuard from the beginning was mainly a heavily masqueraded DRM feature, so they improve it with each release.
 #27005  by Thomas717
 Mon Oct 19, 2015 12:50 am
Unfortunately, it seems the latest DSEFix doesn't work on Windows 7 x64 with the latest updates. I've tested on my different computers, which are virtualized, unvirtualized, with AV, without AV. I haven't figured out which update causes this. I think M$...
 #27007  by EP_X0FF
 Mon Oct 19, 2015 6:32 am
1) Boot with bcdedit -debug ON, and disable user mode exceptions with the noumex option.
Win.

2) On Windows 8+, turn off the marketing DRM feature mistakenly named "SecureBoot", then do the same as (1).
 #27194  by EP_X0FF
 Sun Nov 08, 2015 4:45 am
These two links cover most of the problems you may experience with DSEFix.

https://github.com/hfiref0x/DSEFix/issues/1
https://github.com/hfiref0x/DSEFix/issues/2

^ these links are for people who are capable of logic and know how things work.

As there are no plans for updating DSEFix, this topic is now closed.
Last edited by EP_X0FF on Tue Feb 02, 2016 3:38 pm, edited 1 time in total. Reason: thread reopened
 #29326  by EP_X0FF
 Mon Oct 03, 2016 11:45 am
kmd wrote:Hello, are you going to use capcom.sys for a similar loader?
There are no plans to do so. This driver is way too shitty and incompatible with modern OS.
 #30262  by EP_X0FF
 Sun Apr 23, 2017 4:31 am
This thread is no longer maintained on this forum.
If you have bug reports/suggestions etc., use the project GitHub page https://github.com/hfiref0x/DSEFix/issues or https://github.com/hfiref0x/TDL/issues to report them.
For the news and updates about TDL/DSEFix - see projects github pages.

Closed.