Disable PatchGuard & Driver Signing
Hello,
This patch is for Windows 7 X64 RTM & Windows 7 SP1. It directly modifies ntoskrnl.exe & winload.exe to remove Microsoft's "PatchGuard" and the requirement of driver signing. This is accomplished by patching 6 bytes inside ntoskrnl.exe and four bytes inside of winload.exe ... it is a file patch version of my existing bootkit. I originally made this for myself... wanting to again be able to hook inside of ntoskrnl like with X86 Windows.
Hope that someone finds this useful,
-Fyyre
p.s. attachment updated for SP1 -- new attachment added on 8 March, 2011 |
Tested on my Win x64. Works perfectly.
|
Seems like I got not enough permission to access the file, probably due to my different user group. Just some minor setting in the board panel I guess.
Thanks anyway, I guess I already read about it on your page. :) |
metr0:
You should be able to download the attachment to Fyyre's post. Your usergroup has permission to download from this forum. Regards, |
Same here actually JMI.. I also get a permission denied.
|
@quosego & metr0: I have fixed the problem. Please try it now.
Thanks for the reply |
Thanks JMI and ahmadmansoor for the fix, it works fine now. Time to boot into 7 x64! :)
|
I can't seem to download this attachment either. Is there a certain amount of posts I'm supposed to have before I can download attachments?
|
Promotion is a manual process and does not get done on a set schedule. However, your post count qualifies you for promotion to "Trial Member", and they have upload and download privileges.
Please give it a try again. Regards, |
This is exactly what I've been looking for! Thanks for this Fyyre!
|
JMI: Works now. Thanks a bunch.
|
@Fyyre: my friend, could we see some useful tutorials on Win x64, if that is possible?
If you have some time, of course. Thanks in advance |
Hi Ahmadmansoor,
A tutorial to disable the PatchGuard and Driver Signing? Or did you have something else in mind? -Fyyre
|
As you know, some of the guys are now beginning to work on Win 64 ...
and we still have many weak points in dealing with Win x64, so any new info or any new tutorials are very welcome at this time, even if they are for beginners, especially on reversing, debugging or analyzing (PE). So if you can write some useful tutorials for us about Win x64, that will be very welcome and appreciated, and I promise you that I will make a special sticky post at the top of this section just for your tutorials. Thanks in advance for your nice work .... we will wait for your great work. |
Hi ahmadmansoor,
Certainly I can make some tutorials for X64 =) -Fyyre |
Whoever is using this should be aware that this breaks Windows Update.
|
What kind of error do you get? -Fyyre |
Again, I wanted to show that Windows Update does indeed work, using this patch:
http://fyyre.l2-fashion.de/images/wu.jpg |
This is a nice one.
|
nice one :-) will try it these days...
|
It works. Thanks a lot!
|
@ crabdance there is actually no need for x86 since unsigned drivers are accepted in 32bit windows
can somebody upload to rapidshare pls... |
Did you read the posting rules??? http://forum.exetools.com/showthread.php?t=6206
And if you won't be lazy, you will find in one of the posts above the author's website, where this patch guard is available for download... -- Jump |
Thanks Fyyre. Tested on my Windows 7 (64-bit), perfectly!!! No need again for "dseo13b" to put Windows 7 into test mode.
|
Does anyone have the latest offsets for x64 SP1?
|
If some other offset in question... please specify... -Fyyre |
Here's how to do it:
Hit Windows ORB in your taskbar.
Run CMD (Command Prompt) in elevated mode. (Right click | Run as Administrator)
NOTE: If you have UAC (User Account Control) enabled, you will get a prompt message. Select YES to continue.
Type the following two commands and hit Enter after each line.
    bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
    bcdedit.exe -set TESTSIGNING ON
You will receive "The operation completed successfully" message for both commands.
Restart your computer for the changes to take effect.
Now, you should be able to install unsigned drivers on Windows 7 SP1.
If you're like me, you might want to revert changes that we've just made after successful installation of unsigned drivers. To do so repeat the steps above and in the Command Prompt enter the following commands:
    bcdedit.exe -set loadoptions DENABLE_INTEGRITY_CHECKS
    bcdedit.exe -set TESTSIGNING OFF |
The switch DDISABLE_INTEGRITY_CHECKS was only present on Windows Vista alpha/beta versions and has been removed in Vista RC. It was never available on any Windows 7 version.
TESTSIGNING ON does not allow you to load unsigned drivers, it only allows you to load self-signed drivers. It has nothing to do with installing self-signed drivers, it only allows them to be loaded. As soon as you use TESTSIGNING OFF Windows will only load drivers signed or cross-signed by Microsoft again and doesn't care if you installed self-signed drivers in TESTSIGNING mode. Both switches do not disable PatchGuard, the thing this thread is about. Please read the topic and check your posts before you copy&paste something which is false information and does not have anything to do with the topic. |
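Added example, not part of any post in this thread: a small auditor that parses `bcdedit /enum` text output and reports boot entries carrying the settings discussed above (`testsigning`, a `loadoptions` string asking to disable integrity checks), for anyone checking a machine for relaxed driver-signing enforcement. The sample output is constructed, and the `nointegritychecks`, `kernel` override and non-stock loader path checks are assumptions about what else is worth flagging, not something the posters describe.

```python
import re
# Constructed sample of `bcdedit /enum` text output (not from the thread).
SAMPLE = r"""
Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
path                    \Windows\system32\winload_copy.exe
kernel                  ntoskrnl_copy.exe
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
"""
# Assumption: these are the stock loader paths on BIOS and UEFI installs.
STOCK_LOADERS = {r"\windows\system32\winload.exe", r"\windows\system32\winload.efi"}

def parse_entries(text):
    """Split bcdedit output into one {element: value} dict per boot entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue  # not a "<title>" line followed by a dashed rule
        entry = {"_type": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2:
                entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries

def audit(entry):
    """Return findings for settings that relax or bypass driver signing checks."""
    findings = []
    for flag in ("testsigning", "nointegritychecks"):
        if entry.get(flag, "").lower() == "yes":
            findings.append(flag + " on")
    if "DISABLE_INTEGRITY_CHECKS" in entry.get("loadoptions", "").upper():
        findings.append("integrity-check loadoption")
    if "kernel" in entry:  # entry boots a kernel image other than the default
        findings.append("kernel override: " + entry["kernel"])
    path = entry.get("path", "")
    if entry["_type"] == "Windows Boot Loader" and path.lower() not in STOCK_LOADERS:
        findings.append("non-default loader: " + path)
    return findings

def audit_all(text):
    return {e.get("identifier", "?"): audit(e) for e in parse_entries(text)}
```

Feed `audit_all` the saved output of `bcdedit /enum` from an elevated prompt; an empty list for every identifier means none of these settings were found in the boot store.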
add(1.cmd):
bcdedit -set %ENTRY_GUID% locale zh-CN
or:
bcdedit -set %ENTRY_GUID% locale en-US
appearing to Starting: Four-color logo of Microsoft |
Hi Fyyre,
I am new to Win7 and 64-bit OS; this is the first time I have installed it. I tried your tool, but as I see, some of the commands were not successful and I am not able to install unsigned drivers. I am attaching a rar file which contains the error. Please check and tell me if I am doing something wrong, or if I need something else. |
The one command which shows an error is not important. Everything else looks ok. Was there some error with the patch? Did you reboot?
Does your event log contain several "Service Control Manager Event-ID 7000" entries or how did you notice that the driver couldn't be loaded? Does the driver work in testsigning mode? |
I didn't check the event log, but noticed that the driver which I wanted to install was not installing. Further, I managed to install it by the DSEO method.
|
tuts are always welcomed!
thanks! |
Good job Fyyre,
but unfortunately it is not working for me! I tested it on Windows 7 with no Service Pack (Version:6.17600.16385/ntkrnlmp.exe). I did everything with Administrator permission and got a success message for each step. I restarted and booted with No PatchGuard (Windows Loading changes to Vista type :P). But when I try to load a simple DbgPrint() .sys file with OSRLoader, I get the Unsigned Warning Message like before!!!! Can you please help me? How to fix it? |
The patch is ONLY for Windows 7 x64 SP1 (v6.1.7601.17514) just like it says in the description.
|
The patch is more a proof of concept than something usable for any special purpose.
The official way to load drivers without using a trusted (and expensive) code signing certificate is running Windows in TESTSIGNING mode. This works with Windows Vista and Windows 7, no matter what service packs or security fixes are installed. |
Read the rules first. Don't spam the board.
|
I'd also be interested to know what tools you're using to reverse in x64. Thanks ! |