x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code

NoPatchGuardCallback

Read: https://www.godeye.club/2021/05/22/001-bypass-patchguard-pssetcreateprocessnotifyroutine.html

What

This project bypasses the PatchGuard protection around PsSetCreateProcessNotifyRoutine by DKOM (Direct Kernel Object Manipulation): it registers an arbitrary callback routine itself by manipulating the kernel objects directly instead of going through the API.

Why

PsSetCreateProcessNotifyRoutine is one of the most powerful NT kernel APIs: it lets a driver receive callbacks asynchronously.
It is protected by PatchGuard, the Kernel Patch Protection technology from Microsoft.

PatchGuard has a deep history of how it came into the world, but that is not covered here.

PatchGuard prevents unsigned code from registering callbacks through PsSetCreateProcessNotifyRoutine.
PsSetCreateProcessNotifyRoutineEx, PsSetCreateThreadNotifyRoutine and PsSetLoadImageNotifyRoutine are no exception, and neither are many other routines.

When PsSetCreateProcessNotifyRoutine is called from unsigned code, KiRaiseSecurityCheckFailure, the ISR, immediately interrupts and eventually raises bugcheck 0x139.

bugcheck 0x139
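As an added example that is not part of the NoPatchGuardCallback project, the following PowerShell collects the symptom described above from a lab VM: it pulls the reboot-after-crash records from the System event log and keeps only those whose bugcheck code is 0x139, exposing the four bugcheck parameters for triage. It assumes the standard Windows record layout (Event ID 1001 with a message of the form "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000139 (...)"); the function name is ours.

```powershell
# Added example, not code from the NoPatchGuardCallback project.
# Lists bugcheck 0x139 (KERNEL_SECURITY_CHECK_FAILURE) reboot records from the
# System event log so a tester can confirm what a failed callback registration
# from unsigned code left behind on a lab VM.
# Assumption: the record is Event ID 1001 in the System log and its message
# contains "bugcheck was: 0x<code> (<p1>, <p2>, <p3>, <p4>)".
function Get-SecurityCheckBugchecks {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'; Id = 1001
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $pattern = 'bugcheck was:\s*0x([0-9A-Fa-f]{8})\s*\(' +
               '(0x[0-9A-Fa-f]+),\s*(0x[0-9A-Fa-f]+),\s*' +
               '(0x[0-9A-Fa-f]+),\s*(0x[0-9A-Fa-f]+)\)'

    foreach ($e in $events) {
        # Pull the bugcheck code and its four parameters out of the message text.
        if ($e.Message -notmatch $pattern) { continue }
        $code = [Convert]::ToInt64($Matches[1], 16)
        if ($code -ne 0x139) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Bugcheck    = '0x{0:X}' -f $code
            # Parameter 1 of bugcheck 0x139 is the failure-type subcode. 0x139
            # also covers other fast-fail conditions, so the subcode and a dump
            # analysis decide whether a callback check was what failed.
            FailureType = $Matches[2]
            Param2      = $Matches[3]
            Param3      = $Matches[4]
            Param4      = $Matches[5]
        }
    }
}

Get-SecurityCheckBugchecks | Format-Table -AutoSize
```

Only an attempt that goes through the API and fails leaves this crash record; a registration done by DKOM, which is the point of this PoC, produces no bugcheck, so an empty result is not evidence that nothing was registered.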

Warn

This PoC does not implement callback-block deletion.
Make sure to create a fresh VM before trying it.

License

MIT 🄫 Kento Oki <[email protected]>
