NoPatchGuardCallback

x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code

Read: https://www.godeye.club/2021/05/22/001-bypass-patchguard-pssetcreateprocessnotifyroutine.html

What

This project is to bypass PatchGuard protection against PsSetCreateProcessNotifyRoutine by DKOM - self register arbitrary callback routine by directly manipulating kernel objects.

Why

PsSetCreateProcessNotifyRoutine is the one of powerful NT Kernel API which allows driver to receive callbacks asynchronously.
And it is protected by PatchGuard - The Kernel Patch Protection technology by Microsoft.

PatchGuard has a deep history of how it come in to the world - but not talk here.

The PatchGuard protects unsigned code to be register callbacks by PsSetCreateProcessNotifyRoutine.
PsSetCreateProcessNotifyRoutineEx, PsSetCreateThreadNotifyRoutine and PsSetLoadImageNotifyRoutine is not an exception, and many other.

When PsSetCreateProcessNotifyRoutine is called by the unsigned code, KiRaiseSecurityCheckFailure, the ISR, immediately interrupts and raises bugcheck 0x139 eventually.

Warn

This PoC does not implement callback-block deletion.
Please make sure to create fresh VM in order to try it.

License

MIT 🄫 Kento Oki <[email protected]>