hfiref0x
commented
7 years ago Closed Wack0 closed 7 years ago
hfiref0x
commented
7 years ago 
Wack0
commented
7 years ago I read this linked issue, as far as I understand it, the TDL driver loader is incompatible with RS2, and so using another driver bug (for example, the backdoor in Chinese drivers that deobfuscates IOCTL buffer contents, loads as PE resolving all imports then calls IoCreateDriver passing part of IOCTL buffer as name and loaded PE entrypoint as function ptr) should work?
With the method I described above, I guess I would need to compile a "signed" version of the driver myself (but not actually sign it), or at the very least patch the driver to have entry point as DriverInitialize() and fix PE checksum?
hfiref0x
commented
7 years ago This driver uses image notify callback and it can't be dropped. In Windows 10 MS improved patchguard and it will now bsod if found some callbacks outside visible registered modules. This why tdl and whole code mapping idea is useless. And in case of dsefix it can't be used too because ci.dll protected as generic data region. In other words - you either play in ms game (buy certificate, sign driver) or destroy patchguard entirely. No other options except not using windows 10 at all.
Followed all instructions exactly, after loading and setting up the driver I get a PatchGuard bugcheck after some hours.