x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code
Read: https://www.godeye.club/2021/05/22/001-bypass-patchguard-pssetcreateprocessnotifyroutine.html
This project is to bypass PatchGuard protection against PsSetCreateProcessNotifyRoutine
by DKOM - self register arbitrary callback routine by directly manipulating kernel objects.
PsSetCreateProcessNotifyRoutine
is the one of powerful NT Kernel API which allows driver to receive callbacks asynchronously.
And it is protected by PatchGuard - The Kernel Patch Protection technology by Microsoft.
PatchGuard has a deep history of how it come in to the world - but not talk here.
The PatchGuard protects unsigned code to be register callbacks by PsSetCreateProcessNotifyRoutine
.
PsSetCreateProcessNotifyRoutineEx
, PsSetCreateThreadNotifyRoutine
and PsSetLoadImageNotifyRoutine
is not an exception, and many other.
When PsSetCreateProcessNotifyRoutine
is called by the unsigned code, KiRaiseSecurityCheckFailure
, the ISR, immediately interrupts and raises bugcheck 0x139
eventually.
This PoC does not implement callback-block deletion.
Please make sure to create fresh VM in order to try it.
MIT 🄫 Kento Oki <[email protected]>