hfiref0x / TDL

Driver loader for bypassing Windows x64 Driver Signature Enforcement
BSD 2-Clause "Simplified" License
1.05k stars, 332 forks

Questions #8

Closed TheAifam5 closed 8 years ago

TheAifam5 commented 8 years ago

Hey, I have 2 questions about this TDL.

  1. Is there a way to "manually" implement SEH to work with driverless drivers? Is it possible to do that? If yes, can you provide some good documentation?
  2. Is it possible to bypass PsSetCreateProcessNotifyRoutine (needs /INTEGRITYCHECK)?

Regards, TheAifam5

hfiref0x commented 8 years ago

None of these are TDL issues. 1) No. 2) PsSetCreateProcessNotifyRoutine does not need an integrity check.

TheAifam5 commented 8 years ago

So, maybe you know why on TDL PsSetCreateProcessNotifyRoutine returns 0xC0000022? Looks like it needs the /INTEGRITYCHECK flag :/ Any way to bypass it?

I found in IDA that "PsSetCreateProcessNotifyRoutine" and "PsSetCreateProcessNotifyRoutineEx" are redirected to "PsSetCreateProcessNotifyRoutineEx2"... "PsSetCreateProcessNotifyRoutineEx" needs integrity checks. I think now on Windows 10 "PsSetCreateProcessNotifyRoutine" also needs it.
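As an added example (not part of this thread or of TDL): the linker's /INTEGRITYCHECK switch sets IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) in the PE optional header, and the kernel requires that flag on the image of a driver registering a process-creation callback. The script below reads the flag from a driver image so you can audit whether a driver was linked with it; the stub PE builder is a constructed sample input, not a loadable image.

```python
import struct

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080  # set by link.exe /INTEGRITYCHECK


def pe_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20            # skip PE signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 of the optional header in both formats
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return dll_chars


def has_force_integrity(image: bytes) -> bool:
    """True if the image was linked with /INTEGRITYCHECK."""
    return bool(pe_dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)


def check_driver_file(path: str) -> bool:
    """Audit helper: report the flag for an on-disk driver image."""
    with open(path, "rb") as f:
        return has_force_integrity(f.read())


def build_stub_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header (headers only, not loadable) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: right after DOS header
    # COFF header: Machine=x64, 0 sections, SizeOfOptionalHeader=240, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<H", opt, 70, dll_chars)        # DllCharacteristics
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    print("stub linked with /INTEGRITYCHECK:", has_force_integrity(build_stub_pe(0x00A0)))
```

Run it against a real driver with check_driver_file(r"C:\path\to\driver.sys"); a False result on a driver that calls PsSetCreateProcessNotifyRoutineEx explains a 0xC0000022 (STATUS_ACCESS_DENIED) return.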