x64 Windows PatchGuard bypass: register process-creation callbacks from unsigned code
This project bypasses the protection around PsSetCreateProcessNotifyRoutine by DKOM (Direct Kernel Object Manipulation):
it registers an arbitrary callback routine by writing the kernel's callback objects directly instead of going through the API.
PsSetCreateProcessNotifyRoutine is one of the more powerful NT kernel APIs: it lets a driver be notified whenever a process is created or exits.
It is protected by PatchGuard, Microsoft's Kernel Patch Protection technology.
PatchGuard has a long history of how it came into the world, but that is not covered here.
The kernel refuses to register callbacks from unsigned code, and PsSetCreateProcessNotifyRoutine is not the only API guarded this way:
PsSetLoadImageNotifyRoutine is no exception, and many others are covered by the same check.
When PsSetCreateProcessNotifyRoutine is called from unsigned code, KiRaiseSecurityCheckFailure, the fail-fast interrupt handler,
fires immediately and raises a bugcheck (KERNEL_SECURITY_CHECK_FAILURE), so the machine crashes rather than returning an error.
This PoC does not implement callback-block deletion: once registered, the callback stays in the kernel's array until reboot, and unloading the driver that owns it leaves a dangling pointer behind.
Please make sure to use a fresh VM (ideally with a kernel debugger attached) in order to try it.
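To make the two registration paths concrete, here is an added user-mode model (not this project's code, and nothing here touches a real kernel). It models the objects a DKOM self-registration has to write: the PspCreateProcessNotifyRoutine slot array, the EX_FAST_REF packing of each slot, and the EX_CALLBACK_ROUTINE_BLOCK each slot points to. The layout assumed (64 slots, a 16-byte-aligned block pointer with the reference count in the low 4 bits, a block of RundownProtect/Function/Context) comes from public reverse-engineering knowledge and is an assumption, not something this README states; every name ending in _model is a stand-in for kernel behaviour, not a real API. The example goes one step beyond the page by adding the check a defender would run over the same array: a registered Function that lies outside any signed loaded image was not put there through the API.

```c
/*
 * User-mode model of the kernel objects a DKOM callback self-registration touches.
 * Added example, not the project's code. Assumed layout (public reverse engineering,
 * not from the README): PspCreateProcessNotifyRoutine is an array of 64 EX_FAST_REF
 * slots; an EX_FAST_REF is a 16-byte-aligned pointer whose low 4 bits hold a reference
 * count; each slot points to an EX_CALLBACK_ROUTINE_BLOCK { RundownProtect, Function,
 * Context }. Names ending in _model stand in for kernel behaviour and are not real APIs.
 */
#include <stdalign.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PSP_MAX_CREATE_PROCESS_NOTIFY 64
#define EX_FAST_REF_COUNT_MASK 0xFULL
#define STATUS_SUCCESS 0
#define STATUS_ACCESS_DENIED (-1)
#define STATUS_INSUFFICIENT_RESOURCES (-2)

typedef void (*PCREATE_PROCESS_NOTIFY_ROUTINE)(uintptr_t parent, uintptr_t pid, int create);

typedef struct {
    alignas(16) uint64_t RundownProtect;     /* EX_RUNDOWN_REF, modelled as a plain counter */
    PCREATE_PROCESS_NOTIFY_ROUTINE Function;
    void *Context;
} EX_CALLBACK_ROUTINE_BLOCK;

typedef struct { uintptr_t Value; } EX_FAST_REF;

/* Modelled loader entry: image range plus the "signed" flag the registration path checks. */
typedef struct { const char *name; uintptr_t base; size_t size; int is_signed; } LOADED_IMAGE;

static EX_FAST_REF PspCreateProcessNotifyRoutine[PSP_MAX_CREATE_PROCESS_NOTIFY];

static EX_CALLBACK_ROUTINE_BLOCK *block_of(EX_FAST_REF ref) {
    return (EX_CALLBACK_ROUTINE_BLOCK *)(ref.Value & ~EX_FAST_REF_COUNT_MASK);
}

static const LOADED_IMAGE *image_containing(const LOADED_IMAGE *imgs, size_t n, uintptr_t a) {
    for (size_t i = 0; i < n; i++)
        if (a >= imgs[i].base && a - imgs[i].base < imgs[i].size) return &imgs[i];
    return NULL;
}

/* Allocate a routine block and store a packed EX_FAST_REF in the first free slot. */
static int insert_block(PCREATE_PROCESS_NOTIFY_ROUTINE fn, void *ctx) {
    EX_CALLBACK_ROUTINE_BLOCK *blk = aligned_alloc(16, sizeof *blk);  /* sizeof is 32 */
    if (!blk) return -1;
    blk->RundownProtect = 0; blk->Function = fn; blk->Context = ctx;
    for (int i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++)
        if (PspCreateProcessNotifyRoutine[i].Value == 0) {
            PspCreateProcessNotifyRoutine[i].Value = (uintptr_t)blk | 1;  /* 1 = modelled ref count */
            return i;
        }
    free(blk);
    return -1;
}

/* The documented route: the kernel refuses a callback that does not live in a signed image. */
static int PsSetCreateProcessNotifyRoutine_model(const LOADED_IMAGE *imgs, size_t n,
                                                  PCREATE_PROCESS_NOTIFY_ROUTINE fn) {
    const LOADED_IMAGE *img = image_containing(imgs, n, (uintptr_t)fn);
    if (!img || !img->is_signed) return STATUS_ACCESS_DENIED;
    return insert_block(fn, NULL) < 0 ? STATUS_INSUFFICIENT_RESOURCES : STATUS_SUCCESS;
}

/* The DKOM route the README describes: write the slot directly and skip the check entirely. */
static int dkom_register_model(PCREATE_PROCESS_NOTIFY_ROUTINE fn, void *ctx) { return insert_block(fn, ctx); }

/* What the kernel does on process creation: walk the array and call every routine it finds. */
static int dispatch_notify(uintptr_t parent, uintptr_t pid, int create) {
    int called = 0;
    for (int i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
        if (PspCreateProcessNotifyRoutine[i].Value == 0) continue;
        EX_CALLBACK_ROUTINE_BLOCK *blk = block_of(PspCreateProcessNotifyRoutine[i]);
        blk->RundownProtect++; blk->Function(parent, pid, create); blk->RundownProtect--; called++;
    }
    return called;
}

/* Defender check: a Function outside any signed loaded image was not registered through the API. */
static int find_rogue_slots(const LOADED_IMAGE *imgs, size_t n, int *out, int max) {
    int found = 0;
    for (int i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY && found < max; i++) {
        if (PspCreateProcessNotifyRoutine[i].Value == 0) continue;
        uintptr_t fn = (uintptr_t)block_of(PspCreateProcessNotifyRoutine[i])->Function;
        const LOADED_IMAGE *img = image_containing(imgs, n, fn);
        if (!img || !img->is_signed) out[found++] = i;
    }
    return found;
}

static void reset_callbacks(void) {
    for (int i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++)
        if (PspCreateProcessNotifyRoutine[i].Value) free(block_of(PspCreateProcessNotifyRoutine[i]));
    memset(PspCreateProcessNotifyRoutine, 0, sizeof PspCreateProcessNotifyRoutine);
}

/* Constructed callbacks: one belonging to a "signed" driver, one to unsigned code. */
static int legit_hits, rogue_hits;
static void legit_callback(uintptr_t p, uintptr_t c, int create) { (void)p; (void)c; if (create) legit_hits++; }
static void rogue_callback(uintptr_t p, uintptr_t c, int create) { (void)p; (void)c; if (create) rogue_hits++; }

typedef struct { int api_unsigned, api_signed, dkom_slot, dispatched, rogue_count, rogue_slot; } MODEL_RESULT;

static MODEL_RESULT run_model(void) {
    MODEL_RESULT r; int rogue[PSP_MAX_CREATE_PROCESS_NOTIFY];
    /* Constructed image table: each range covers only its entry point (a model, not real image sizes). */
    LOADED_IMAGE imgs[] = { { "legit.sys", (uintptr_t)legit_callback, 1, 1 },
                            { "unsigned.sys", (uintptr_t)rogue_callback, 1, 0 } };
    reset_callbacks(); legit_hits = rogue_hits = 0;
    r.api_unsigned = PsSetCreateProcessNotifyRoutine_model(imgs, 2, rogue_callback); /* refused */
    r.api_signed   = PsSetCreateProcessNotifyRoutine_model(imgs, 2, legit_callback); /* slot 0 */
    r.dkom_slot    = dkom_register_model(rogue_callback, NULL);                       /* slot 1 anyway */
    r.dispatched   = dispatch_notify(4, 1234, 1);
    r.rogue_count  = find_rogue_slots(imgs, 2, rogue, PSP_MAX_CREATE_PROCESS_NOTIFY);
    r.rogue_slot   = r.rogue_count ? rogue[0] : -1;
    return r;
}

int main(void) {
    MODEL_RESULT r = run_model();
    printf("api(unsigned)=%d api(signed)=%d dkom_slot=%d dispatched=%d rogue_slots=%d first=%d\n",
           r.api_unsigned, r.api_signed, r.dkom_slot, r.dispatched, r.rogue_count, r.rogue_slot);
    return 0;
}
```

The model shows why the DKOM route works at all: the signed-image check lives in the registration API, not in the dispatch loop, so a block written straight into the array is invoked like any other. It also shows the flip side, which is what a forensic tool or a PatchGuard-style integrity check can do: decode every EX_FAST_REF, resolve the Function pointer against the loaded-image list, and flag anything that does not resolve to a signed image.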
MIT 🄫 Kento Oki <[email protected]>