netbiosX / Digital-Signature-Hijack

Binaries, PowerShell scripts and information about Digital Signature Hijacking.

Bypass Boot Signature Verification #2

Open DevToolsMasterKit opened 3 years ago

DevToolsMasterKit commented 3 years ago

Hello @netbiosX, I have an odd question, but you were the only one I could think of who may have the answer. I'm creating a custom Windows on a virtual machine for my own use; it's not a case of modifying someone else's OS. I have full access to the operating system: I removed all of the features not needed, there's no UAC and there's no Defender, and I have full control of the system.

The issue I face is that if we modify any critical PE file of Windows, like system32/wininit.exe, and the signature gets corrupted or is not valid, Windows doesn't boot up and turns off the computer. Do you have any idea how to bypass this mechanism and use my own wininit instead of the original one?

Note: this behaviour is only happening in Windows, not WinPE.

Update 1: I can verify it's not hash checking, it's only a certificate check; I replaced wininit.exe with the one from a different build of Windows and it works.

Update 2: This verification is done by the Trusted Boot Code Integrity check in ci.dll in system32; I still can't find a way to manipulate it.

Regards, Juan

armvirus commented 7 months ago

Very late response, but I'm leaving this for people who will want to do something similar to you. My idea is: if you've gone so far as to defeat most of their utility, work on a PG bypass (or use a public one); once you have a PatchGuard bypass, .text hook the exports in ci.dll, for example CiCheckSignedFile, and manipulate it to return true. (You need EFI/kernel experience for this.)