can1357/ByePg

Stars
822
Rank 55,485 (Top 2 %)
Language
C++
Created about 5 years ago
Updated almost 5 years ago

can1357/ByePg

can1357

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI.

ByePg: Defeating Patchguard using Exception-hooking

ByePg hijacks the HalPrivateDispatchTable table to create a early-bugcheck hook. Utilizing this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler.

A variety of kernel hooks can be implemented using this method completely bypassing PatchGuard and HVCI as it creates an entirely new attack surface, exception-based hooking, which was previously not possible in Windows kernel.

Writeup:

https://blog.can.ac/2019/10/19/byepg-defeating-patchguard-using-exception-hooking/

Project Structure:

\ByePgLib contains the base library
\ExHook contains a standalone SYSCALL hooking example using ByePg
\ExceptionHookingDemo demonstrates the exception handler
\InfinityHookFix contains a sample rendering the recent InfinityHook patch by Microsoft useless
\FreeSeh contains a SEH-via-ByePg module letting you use SEH in manual mapped images bypassing PatchGuard's inverted function table checks

Result:

P.S.

There are many other things that can be done using the base library and many things can be improved, be SEH handling or BugCheck parsing, so I would really appreciate any form of contribution to this repo.

NoVmp

A static devirtualizer for VMProtect x64 3.x. powered by VTIL.

ThePerfectInjector

Literally, the perfect injector.

NtRays

Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

CVE-2018-8897

Arbitrary code execution with kernel privileges using CVE-2018-8897.

NtLua

Lua in kernel-mode because why not.

haruspex

Exploration of x86-64 ISA using speculative execution.

linux-pe

COFF and Portable Executable format described using standard C++ with no dependencies.

simple_cnn

Simple Convolutional Neural Network Library

HexSuite

Header only wrapper around Hex-Rays API in C++20.

physical_mem_controller

A library to read physical memory and system-wide virtual memory.

vmware-rpc

Header-only VMWare Backdoor API Implementation & Effortless VMX Patcher for Custom Guest-to-Host RPCs

IdaThemer

🎨 Seamlessly convert your favorite Visual Studio Code themes to IDA Pro themes.

safe_capcom

Capcom wrapper with safety in mind.

xstd

A portable header only library extending the C++20 STL.

hvdetecc

Collection of hypervisor detections

llvm-patches

Personal curation of Clang/LLVM patches.

selene

Kernel-mode Paravirtualization in Ring 2, LLVM based linker, and some other things!

troto

TypeScript to Protobuf transpiler.

gengo

Generate Go bindings for shared C libraries.

retro

Experimental static analysis framework.

Myelin

Header-only CUDA accelerated DNN library

turing-incomplete

xedpp

Tiny wrapper around xed API.