@@ -21,18 +21,23 @@ static void DisablePatchGuard(void* ImageBase, uint64_t ImageSize)
2121 auto TextSize = TextSection->Misc .VirtualSize ;
2222
2323 /*
24- nt!KeInitAmd64SpecificState
25- INIT:0000000140A4F601 8B C2 mov eax, edx
26- INIT:0000000140A4F603 99 cdq
27- INIT:0000000140A4F604 41 F7 F8 idiv r8d
28- INIT:0000000140A4F607 89 44 24 30 mov [rsp+28h+arg_0], eax
29- INIT:0000000140A4F60B EB 00 jmp short $+2
24+ nt!KiInitPGContextCaller
25+ INIT:0000000140A359E0 40 53 push rbx
26+ INIT:0000000140A359E2 48 83 EC 30 sub rsp, 30h
27+ INIT:0000000140A359E6 8B 41 18 mov eax, [rcx+18h]
28+ INIT:0000000140A359E9 48 8B D9 mov rbx, rcx
29+ INIT:0000000140A359EC 4C 8B 49 10 mov r9, [rcx+10h]
30+ INIT:0000000140A359F0 44 8B 41 08 mov r8d, [rcx+8]
31+ INIT:0000000140A359F4 8B 51 04 mov edx, [rcx+4]
32+ INIT:0000000140A359F7 8B 09 mov ecx, [rcx]
33+ INIT:0000000140A359F9 89 44 24 20 mov [rsp+38h+var_18], eax
34+ INIT:0000000140A359FD E8 E2 54 FE FF call KiInitPGContext
3035 */
31- auto KeInitAmd64SpecificStateJmp = FIND_PATTERN (InitBase, InitSize, " \x8B\xC2\x99\x41\xF7\xF8 " );
32- ASSERT (KeInitAmd64SpecificStateJmp != nullptr );
36+ auto KiInitPGContextCaller = FIND_PATTERN (InitBase, InitSize, " \x40\x53\x48\x83\xEC\x30\x8B\x41\x18 " );
37+ ASSERT (KiInitPGContextCaller != nullptr );
3338
34- // Prevent the mov from modifying the return address
35- memset (RVA<void *>(KeInitAmd64SpecificStateJmp, 6 ), 0x90 , 4 ); // nop x4
39+ // Force KiInitPGContext to return successful (this is the new patch)
40+ memcpy (RVA<void *>(KiInitPGContextCaller, 29 ), " \xB0\x01\x90\x90\x90 " , 5 ); // mov al, 1; nop x3
3641
3742 /*
3843 nt!KiSwInterrupt
@@ -47,30 +52,6 @@ static void DisablePatchGuard(void* ImageBase, uint64_t ImageSize)
4752 // Prevent KiSwInterruptDispatch from being executed
4853 memset (KiSwInterruptDispatchCall, 0x90 , 11 ); // nop x11
4954
50- /*
51- nt!KiVerifyScopesExecute
52- INIT:0000000140A16060 48 8B C4 mov rax, rsp
53- INIT:0000000140A16063 48 89 58 08 mov [rax+8], rbx
54- INIT:0000000140A16067 48 89 70 10 mov [rax+10h], rsi
55- INIT:0000000140A1606B 48 89 78 18 mov [rax+18h], rdi
56- INIT:0000000140A1606F 4C 89 78 20 mov [rax+20h], r15
57- INIT:0000000140A16073 55 push rbp
58- INIT:0000000140A16074 48 8B EC mov rbp, rsp
59- INIT:0000000140A16077 48 83 EC 60 sub rsp, 60h
60- INIT:0000000140A1607B 83 65 F4 00 and [rbp+var_C], 0
61- INIT:0000000140A1607F 0F 57 C0 xorps xmm0, xmm0
62- We try to find this:
63- INIT:0000000140A16082 48 83 65 E8 00 and [rbp+var_18], 0
64- INIT:0000000140A16087 48 B8 FF FF FF FF FF FF FF FE mov rax, 0FEFFFFFFFFFFFFFFh
65- */
66- auto KiVerifyScopesExecuteMid = FIND_PATTERN (InitBase, InitSize, " \x48\x83\xCC\xCC\x00\x48\xB8\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE " );
67- ASSERT (KiVerifyScopesExecuteMid != nullptr );
68-
69- auto KiVerifyScopesExecute = FindFunctionStart (ImageBase, KiVerifyScopesExecuteMid);
70- ASSERT (KiVerifyScopesExecute != nullptr );
71-
72- PatchReturn0 (KiVerifyScopesExecute);
73-
7455 /*
7556 nt!KiMcaDeferredRecoveryService
7657 .text:00000001401CCA30 33 C0 xor eax, eax
@@ -108,51 +89,6 @@ static void DisablePatchGuard(void* ImageBase, uint64_t ImageSize)
10889 }
10990 }
11091 ASSERT (CallerCount == 2 );
111-
112- /*
113- nt!CcInitializeBcbProfiler
114- INIT:0000000140A19354 40 55 push rbp
115- INIT:0000000140A19356 53 push rbx
116- INIT:0000000140A19357 56 push rsi
117- INIT:0000000140A19358 57 push rdi
118- INIT:0000000140A19359 41 54 push r12
119- INIT:0000000140A1935B 41 55 push r13
120- INIT:0000000140A1935D 41 56 push r14
121- INIT:0000000140A1935F 41 57 push r15
122- INIT:0000000140A19361 48 8D 6C 24 E1 lea rbp, [rsp-1Fh]
123- INIT:0000000140A19366 48 81 EC B8 00 00 00 sub rsp, 0B8h
124- INIT:0000000140A1936D 48 B8 D4 02 00 00 80 F7 FF FF mov rax, offset SharedUserData.KdDebuggerEnabled
125- */
126- auto CcInitializeBcbProfilerMid = FIND_PATTERN (InitBase, InitSize, " \x48\xB8\xD4\x02\x00\x00\x80\xF7\xFF\xFF " );
127- ASSERT (CcInitializeBcbProfilerMid != nullptr );
128-
129- auto CcInitializeBcbProfiler = FindFunctionStart (ImageBase, CcInitializeBcbProfilerMid);
130- ASSERT (CcInitializeBcbProfiler != nullptr );
131-
132- memcpy (CcInitializeBcbProfiler, " \xB0\x01\xC3 " , 3 ); // mov al, 1; ret
133-
134- /*
135- nt!ExpLicenseWatchInitWorker
136- INIT:0000000140A44DF0 48 89 5C 24 08 mov [rsp+arg_0], rbx
137- INIT:0000000140A44DF5 48 89 6C 24 10 mov [rsp+arg_8], rbp
138- INIT:0000000140A44DFA 48 89 74 24 18 mov [rsp+arg_10], rsi
139- INIT:0000000140A44DFF 57 push rdi
140- INIT:0000000140A44E00 48 83 EC 30 sub rsp, 30h
141- INIT:0000000140A44E04 0F AE E8 lfence
142- INIT:0000000140A44E07 48 8B 05 B2 8E 2B 00 mov rax, cs:KiProcessorBlock
143- INIT:0000000140A44E0E 48 8B 70 78 mov rsi, [rax+78h]
144- INIT:0000000140A44E12 48 8B 68 70 mov rbp, [rax+70h]
145- INIT:0000000140A44E16 48 83 60 78 00 and qword ptr [rax+78h], 0
146- INIT:0000000140A44E1B 48 83 60 70 00 and qword ptr [rax+70h], 0
147- INIT:0000000140A44E20 A0 D4 02 00 00 80 F7 FF FF mov al, ds:SharedUserData.KdDebuggerEnabled
148- */
149- auto ExpLicenseWatchInitWorkerMid = FIND_PATTERN (InitBase, InitSize, " \x48\xB8\xD4\x02\x00\x00\x80\xF7\xFF\xFF " );
150- ASSERT (ExpLicenseWatchInitWorkerMid != nullptr );
151-
152- auto ExpLicenseWatchInitWorker = FindFunctionStart (ImageBase, ExpLicenseWatchInitWorkerMid);
153- ASSERT (ExpLicenseWatchInitWorker != nullptr );
154-
155- PatchReturn0 (ExpLicenseWatchInitWorker);
15692}
15793
15894static void DisableDSE (void * ImageBase, uint64_t ImageSize)
@@ -214,7 +150,7 @@ static void DisableDSE(void* ImageBase, uint64_t ImageSize)
214150
215151void PatchNtoskrnl (void * ImageBase, uint64_t ImageSize)
216152{
217- // These patch locations are the same as EfiGuard:
153+ // Many of these patches come from EfiGuard:
218154 // https://github.com/Mattiwatti/EfiGuard/blob/25bb182026d24944713e36f129a93d08397de913/EfiGuardDxe/PatchNtoskrnl.c
219155 DisablePatchGuard (ImageBase, ImageSize);
220156 DisableDSE (ImageBase, ImageSize);