Closed Wack0 closed 1 year ago
That is by design. EnterpriseG system, okay, gets detected - unless Microsoft now suggests everyone install it.
To elaborate further, as it looks like I wasn't clear (including this function name).
The goal of this is to detect license presence, not less, not more. Normally you should not have EnterpriseG, and we all know that the existence of this backdoored Windows version is only to satisfy China's "we want our rootkits to work" requirements, a market MSFT is not yet ready to lose. It is not aimed at detecting custom bootloaders, injected policies or whatsoever. So in general it should be named SkQueryUnsafeLicensePresence or something like that. That is my fault, which brings some misunderstanding here.
Yeah, I know about bootkits like, for example, EFIGuard, but it is something that is out of the scope of this benchmark's initial purpose. Tons of similar stuff exists on unknowncheats, for example; most of it is garbage code that cannot properly work outside the authors' machines, but debugging all this trash code and setting up test environments just for a single detection vector is where my enthusiasm ends.
However, I acknowledge this as having promising detection potential, so if you want you can always implement what you desire and do a PR, and I would gladly merge it.
This also means it would cause false positive on any EnterpriseG installation (where that value is set to True).
There are NtQuerySystemInformation SystemInformationClass values which do call into ci.dll to dump the loaded CiPolicies, which can then be parsed and checked for any odd certificate (by hash; known good certs will need to be allowlisted here). SystemCodeIntegrityPolicyFullInformation does return the raw cipolicy data (although it prioritises skusipolicy first, so this could be worked around), and SystemCodeIntegrityPoliciesFullInformation (added in rs2) can return all loaded cipolicies. The return data is undocumented, but it consists of a header including a count followed by an array of cipolicies that each start with a header containing a byte length, followed by the raw data.
This also does nothing to detect a custom secure boot policy being loaded (by use of a <=th2 bootmgr and signing it with the PK; or a bootkit), which can also be obtained via NtQuerySystemInformation(SystemSecureBootPolicyFullInformation). See my toolchain: https://github.com/Wack0/SecureBootPolicyTools
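As an added illustration (not the benchmark's code and not posted by anyone in this thread): a bounds-checked walker for the count-prefixed array of length-prefixed policy blobs described above. The field widths (32-bit little-endian count and per-entry byte length) and the allowlist-by-policy-hash check are assumptions; the comment proposes allowlisting signer certificates inside each policy, which would need a parser for the CI policy format itself and is not shown here.

```python
"""Walk a count-prefixed array of length-prefixed CI policy blobs.

Assumed layout (not from the thread): a 32-bit little-endian count, then
`count` entries, each starting with a 32-bit little-endian byte length that
covers the entry header plus the raw policy data following it.
The input buffer is constructed below, not captured from a real system.
"""
import hashlib
import struct

HEADER_SIZE = 4  # assumed: one ULONG for the count / per-entry byte length


class CiPolicyParseError(ValueError):
    """Raised when the buffer is truncated or an entry length is inconsistent."""


def split_ci_policies(buf: bytes) -> list[bytes]:
    """Return the raw data of each policy, refusing to read past the buffer."""
    if len(buf) < HEADER_SIZE:
        raise CiPolicyParseError("buffer shorter than count header")
    (count,) = struct.unpack_from("<I", buf, 0)
    offset = HEADER_SIZE
    policies = []
    for _ in range(count):  # an inflated count is caught by the header check
        if offset + HEADER_SIZE > len(buf):
            raise CiPolicyParseError("truncated entry header")
        (length,) = struct.unpack_from("<I", buf, offset)
        if length < HEADER_SIZE or offset + length > len(buf):
            raise CiPolicyParseError("entry length out of bounds")
        policies.append(buf[offset + HEADER_SIZE:offset + length])
        offset += length
    return policies


def policy_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unknown_policies(buf: bytes, allowlist: set[str]) -> list[str]:
    """Hashes of loaded policies that a defender has not vetted (assumed check)."""
    return [h for h in map(policy_hash, split_ci_policies(buf)) if h not in allowlist]


def build_buffer(policies: list[bytes]) -> bytes:
    """Constructed sample data in the assumed layout."""
    body = b"".join(struct.pack("<I", HEADER_SIZE + len(p)) + p for p in policies)
    return struct.pack("<I", len(policies)) + body


KNOWN_GOOD = b"constructed: a policy the defender has vetted"
SUSPECT = b"constructed: a policy nobody has vetted"
ALLOWLIST = {policy_hash(KNOWN_GOOD)}

if __name__ == "__main__":
    print(unknown_policies(build_buffer([KNOWN_GOOD, SUSPECT]), ALLOWLIST))
```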