• Stars
    star
    822
  • Rank 55,485 (Top 2 %)
  • Language
    C++
  • Created about 5 years ago
  • Updated about 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI.

ByePg: Defeating Patchguard using Exception-hooking

ByePg hijacks the HalPrivateDispatchTable table to create a early-bugcheck hook. Utilizing this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler.

A variety of kernel hooks can be implemented using this method completely bypassing PatchGuard and HVCI as it creates an entirely new attack surface, exception-based hooking, which was previously not possible in Windows kernel.

Writeup:

https://blog.can.ac/2019/10/19/byepg-defeating-patchguard-using-exception-hooking/

Project Structure:

  • \ByePgLib contains the base library
  • \ExHook contains a standalone SYSCALL hooking example using ByePg
  • \ExceptionHookingDemo demonstrates the exception handler
  • \InfinityHookFix contains a sample rendering the recent InfinityHook patch by Microsoft useless
  • \FreeSeh contains a SEH-via-ByePg module letting you use SEH in manual mapped images bypassing PatchGuard's inverted function table checks

Result:

ExHook

P.S.

There are many other things that can be done using the base library and many things can be improved, be SEH handling or BugCheck parsing, so I would really appreciate any form of contribution to this repo.

More Repositories

1

NoVmp

A static devirtualizer for VMProtect x64 3.x. powered by VTIL.
C++
1,911
star
2

ThePerfectInjector

Literally, the perfect injector.
C
836
star
3

NtRays

Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.
C++
502
star
4

CVE-2018-8897

Arbitrary code execution with kernel privileges using CVE-2018-8897.
C++
408
star
5

NtLua

Lua in kernel-mode because why not.
C
304
star
6

haruspex

Exploration of x86-64 ISA using speculative execution.
C++
303
star
7

linux-pe

COFF and Portable Executable format described using standard C++ with no dependencies.
C++
250
star
8

simple_cnn

Simple Convolutional Neural Network Library
C++
181
star
9

HexSuite

Header only wrapper around Hex-Rays API in C++20.
C++
147
star
10

physical_mem_controller

A library to read physical memory and system-wide virtual memory.
C++
118
star
11

vmware-rpc

Header-only VMWare Backdoor API Implementation & Effortless VMX Patcher for Custom Guest-to-Host RPCs
C++
96
star
12

IdaThemer

🎨 Seamlessly convert your favorite Visual Studio Code themes to IDA Pro themes.
Go
81
star
13

safe_capcom

Capcom wrapper with safety in mind.
C
77
star
14

xstd

A portable header only library extending the C++20 STL.
C++
64
star
15

hvdetecc

Collection of hypervisor detections
C++
17
star
16

llvm-patches

Personal curation of Clang/LLVM patches.
12
star
17

selene

Kernel-mode Paravirtualization in Ring 2, LLVM based linker, and some other things!
C++
11
star
18

troto

TypeScript to Protobuf transpiler.
TypeScript
11
star
19

gengo

Generate Go bindings for shared C libraries.
Go
10
star
20

retro

Experimental static analysis framework.
C++
10
star
21

Myelin

Header-only CUDA accelerated DNN library
Cuda
8
star
22

turing-incomplete

TypeScript
4
star
23

xedpp

Tiny wrapper around xed API.
C++
1
star