Skip to content
forked from can1357/ByePg

Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI

Notifications You must be signed in to change notification settings

yourapple/ByePg

 
 

Repository files navigation

ByePg: Defeating Patchguard using Exception-hooking

ByePg hijacks the HalPrivateDispatchTable table to create a early-bugcheck hook. Utilizing this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler.

A variety of kernel hooks can be implemented using this method completely bypassing PatchGuard and HVCI as it creates an entirely new attack surface, exception-based hooking, which was previously not possible in Windows kernel.

Writeup:

https://blog.can.ac/2019/10/19/byepg-defeating-patchguard-using-exception-hooking/

Project Structure:

  • \ByePgLib contains the base library
  • \ExHook contains a standalone SYSCALL hooking example using ByePg
  • \ExceptionHookingDemo demonstrates the exception handler
  • \InfinityHookFix contains a sample rendering the recent InfinityHook patch by Microsoft useless
  • \FreeSeh contains a SEH-via-ByePg module letting you use SEH in manual mapped images bypassing PatchGuard's inverted function table checks

Result:

ExHook

P.S.

There are many other things that can be done using the base library and many things can be improved, be SEH handling or BugCheck parsing, so I would really appreciate any form of contribution to this repo.

About

Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 88.8%
  • C 11.2%