
upgdsed's Introduction

UPGDSED

Universal PatchGuard and Driver Signature Enforcement Disable

System Requirements

x64 Windows, supported versions:

  • Windows 7 SP1
  • Windows 8
  • Windows 8.1
  • Windows 10 (TH1/TH2/RS1/RS2/RS3)

Administrative privilege is required.

In case of EFI boot, SecureBoot must be disabled.

WARNING

Using this program might render your computer unbootable.

Source code is provided AS-IS in the hope that it will be useful, BUT WITHOUT WARRANTY OF ANY KIND.

ANY USE OF THE SOFTWARE IS ENTIRELY AT YOUR OWN RISK.

Install

Run patch.exe elevated.

Uninstall

In an elevated command prompt, type bcdedit /delete <patch guard disable entry id>

Navigate to the Windows\System32 folder and delete ntkrnlmp.exe together with osloader.exe (BIOS boot) or osloader.efi (EFI boot).

Build

UPGDSED comes with full source code. To build from source you need Microsoft Visual Studio 2015 or later.

Deprecation

The project was deprecated in 2018. There are no further updates, and none are planned. If you still need to disable PatchGuard, refer to these repositories (alphabetical order):

This repository is kept read-only for historical purposes.

References

Authors

(c) 2017 - 2018 UPGDSED Project


upgdsed's Issues

IF %TEMP% is set to a different drive ..

... error "System cannot move files to a different drive" when trying to find pattern
in winload - (ntoskrnl portion completes w/no fail)

ex.: If system is "C:\Windows" and %TEMP% is "D:\Temp" it will fail.

Not working on Win10 15063

Hi, hFireF0X.
Thanks for your sharing.
I have tested this patch with a simple NTFS FSD hook driver, but it seems that PatchGuard is not successfully disabled, while DSE seemed to be indeed disabled, since the driver which was only self-signed successfully loaded into the kernel, with testsigning disabled.
I did nothing in the FSD hook, except DbgPrint and calling original MajorFunction. Dbgview shows that FSD hook successfully intercepted IRPs.

The Bugcheck codes match the following pattern:
Bugcheck 109 (0xa39f****, 0xb3b6****, 0xffff****, 0x1c)

Original comment:
I'm testing on a freshly installed Win10 15063 x64 in VBox.
Simply launched patch.exe, and then pressed ENTER to continue,
but the program just showed the following line:
Patch: Press any key to exit
Then the window just disappeared after I pressed ENTER.

After that, it seems that neither ntoskrnl.exe nor MBR was modified.

Support ARM64 versions of Windows

Windows 10 has been ported to ARM64, and there are now devices shipping with it (e.g. Asus TP370QL).

Unfortunately ARM64 is encumbered with the same PatchGuard rules as X64. Support is therefore needed for disabling PatchGuard on ARM64.

Not Working on Windows 10 Build 1709

Hi Fyyre,

I am using your tool to disable PatchGuard on Windows 10 build version 1709. After running the tool, I checked bcdedit and it is updated with the patch guard disable entry, and I booted my PC using the disable patchguard boot option. It seems that all is good, so to confirm it further I used https://gist.github.com/andronoob/d5882c5e6d21f3dea534a68434abe040 (andronoob's NTFS FSD hook filter) and started this service using the following commands:

sc create FsFilter binPath= C:\temp\FsFilter1.sys type= kernel
sc start FsFilter
But I am getting a blue screen and Windows crashing, which means PatchGuard is not disabled.

Can you please help me with what I am doing wrong? Your quick response will be highly appreciated.

Thanks

BR,
Adeel

Computer freezes randomly

I have Windows 10 Version 1709 Build 16299.248

The computer freezes randomly, maybe 4 hours after startup or 3 days after Windows started.

Windows freezes, the mouse freezes, and the only way to get the machine working again is to turn off the PC with the power button.

Maybe this is the fault of UPGDSED?

Windows 10 RS4+ usage and PatchGuard update notice

Since this is popular question here is a summary.

We have not updated this since RS3 as we see no point in it. For more than two years almost no one contributed, and we are not going to feed the leechers who use this free project for their own monetization profit.

Microsoft made several improvements to PatchGuard, and they do this on a regular basis with each Windows 10 "whatever update". PatchGuard is a double-edged sword: on one side it is a sort of security feature and barrier that effectively stops most script kiddies with their "hooking, DKOM, DKOH, whatever" trash from making yet another Windows XP hell everywhere. On the other side it is a guardian for DRM-related trash and complicates some other things. Unfortunately it is here and won't likely be removed anytime soon.

For the current state of PatchGuard you can read this wonderful paper:
https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.00.pdf

From it you can learn that PatchGuard is now implemented not only as a rootkit component but also as independent integrity checks smashed into multiple kernel routines (see page 28). So in general this means a full PatchGuard disable needs more work and more investigation to find all of the hidden checks.

So far, consider this repository as for historical purposes only when it comes to Windows 10 PatchGuard.

You are still welcome to contribute, fork and do whatever you want. We are leaving this for you 😃

[minor] bcd.c -> static "Windows"

src/bcd.c

Ln:555
_strcat(szCommand, TEXT(" systemroot \\Windows"));

Ln:570
_strcat(szCommand, TEXT(" path \\Windows\\system32\\"));

It is assumed that Windows is located in the "Windows" folder.
If it isn't (customized/personalized or whatever reason),
it'll fail (invalid path).

consider:
%windir% or %systemroot%
-> Trim %systemdrive%

10.0.15063.296 Symbol Issue

UPGDSED currently does not work with this build of ntkrnlmp for Windows 10 (released today). This is due to a 404 error when attempting to fetch the pdb from the Microsoft Symbol Server.

[RS2] Cannot query SeValidateImageData offset

Patch: Windows Version: 10.0.15063, LegacyBIOS

Patch: Symbol dlls extracted successfully.
Patch: Dbghelp initialized.
Patch: Copy files to %TEMP%
Patch: Copy success
Patch: Scanning ntoskrnl for patterns


Patch: Cannot query SeValidateImageData offset: Cannot complete this function.

Patch: Cannot locate patch offsets for ntoskrnl.

[7601_24059] SeValidateImageData -> new_Pattern

For Windows 7 -> 7601_24059
KB4088875 (Monthly Rollup - March, 18th 2018)

// it's a 'jmp short' now 0xE9->0xEB
0xB8, 0x28, 0x04, 0x00, 0xC0, 0xEB

ntoskrnl.exe
OFFSET 2C6100 - VA 207F700

48 83 EC 28          sub rsp,28                   
33 C0                xor eax,eax                  
38 05 6C 13 ED FF    cmp byte ptr ds:[1F50A78],al 
74 16                je 207F724 <- (1)                  
4C 8B 0D 53 13 ED FF mov r9,qword ptr ds:[1F50A68]
4C 3B C8             cmp r9,rax                   
75 07                jne 207F721                  
B8 28 04 00 C0       mov eax,C0000428 <- (2)           
EB 03                jmp 207F724                  
41 FF D1             call r9
//  VA  207F724                   
48 83 C4 28          add rsp,28                 
C3                   ret
(1)
This version cleaned up all sub-routines,
it actually looks tidy :)
I suggest patching (1) 'je->jmp' because EAX is 0
at this point and a jmp would do just fine. 

.. Unless you implement nibble_level search,
you have to add a new pattern starting with this version
anyway.

// tested the above and works fine w7x64
(2)
Old location

10.0.15063.332 - symbols not available

2017-05 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4020102)

Microsoft has not yet released public symbol files for ntoskrnl version 10.0.15063.332.

Same situation as #3.

[NotABug] bcd identifier -> removal

Since the GUID (bcd_identifier) is unique to each system, maybe either:

  • add it to the BcdPatchEntryAlreadyExist Output
    -> "removal: "bcdedit /delete " + bcd_identifier
    or
  • add command-line option "-remove"
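The removal step described in the Uninstall section above (delete the boot entry with bcdedit /delete, then delete the copied loader and kernel files from System32) and the request in this issue (print the entry's GUID with a ready-made removal command) can be handled by one audit script. The following PowerShell is an added example, not code from the UPGDSED project: it parses the output of bcdedit /enum all, flags entries that look like the one the install log on this page creates (description "Patch Guard Disabled", nointegritychecks Yes, kernel ntkrnlmp.exe), prints the removal command for each, and can carry out the documented uninstall. The exact layout of bcdedit output and those three markers are assumptions; the sample BCD text is constructed, modelled on the bcdedit commands in the install log, and is not captured from a real host.

```powershell
# Added example (not part of the UPGDSED project). Audits the BCD for the boot
# entry UPGDSED creates and performs the uninstall steps from the README.
# Assumptions: the entry is recognisable by description "Patch Guard Disabled",
# "nointegritychecks Yes" and "kernel ntkrnlmp.exe"; bcdedit prints one
# "name<spaces>value" pair per line, each entry starting with "identifier".

function ConvertFrom-BcdEnum {
    # Parse "bcdedit /enum all" text into hashtables, one per boot entry,
    # keyed by the lower-cased option name (identifier, description, kernel, ...).
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s{2,}(.+?)\s*$') {
            $key   = $Matches[1].ToLowerInvariant()
            $value = $Matches[2]
            if ($key -eq 'identifier') {
                # Every entry begins with its identifier line.
                $current  = @{}
                $entries += $current
            }
            if ($null -ne $current) { $current[$key] = $value }
        }
    }
    return $entries
}

function Test-UpgdsedEntry {
    # Heuristic: match on the description the tool sets, or on the loader
    # options it needs (integrity checks off plus a custom kernel image).
    param([hashtable]$Entry)
    $byDescription = $Entry['description'] -eq 'Patch Guard Disabled'
    $byOptions     = ($Entry['nointegritychecks'] -eq 'Yes') -and
                     ($Entry['kernel'] -ieq 'ntkrnlmp.exe')
    return [bool]($byDescription -or $byOptions)
}

function Get-UpgdsedEntry {
    # Returns the suspect entries; reads the live BCD unless text is supplied.
    param([string[]]$BcdText = (& bcdedit.exe /enum all))
    foreach ($entry in ConvertFrom-BcdEnum -Lines $BcdText) {
        if (Test-UpgdsedEntry -Entry $entry) { $entry }
    }
}

function Remove-Upgdsed {
    # Documented uninstall: bcdedit /delete <entry id>, then delete the copied
    # ntkrnlmp.exe and osloader.exe / osloader.efi from System32.
    # Supports -WhatIf / -Confirm through ShouldProcess. Needs an elevated prompt.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($e in Get-UpgdsedEntry) {
        $id = $e['identifier']
        if ($PSCmdlet.ShouldProcess($id, 'bcdedit /delete')) {
            & bcdedit.exe /delete $id
        }
    }
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in 'ntkrnlmp.exe', 'osloader.exe', 'osloader.efi') {
        $path = Join-Path $sys32 $name
        if ((Test-Path $path -PathType Leaf) -and
            $PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
            Remove-Item $path -Force
        }
    }
}

# Constructed sample of "bcdedit /enum all" output (not from a real host),
# modelled on the bcdedit commands in the install log on this page.
$SampleBcd = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10

Windows Boot Loader
-------------------
identifier              {71a3c7fc-f751-4982-aec1-e958357e6813}
device                  partition=C:
path                    \Windows\system32\osloader.efi
description             Patch Guard Disabled
kernel                  ntkrnlmp.exe
nointegritychecks       Yes
recoveryenabled         No
'@ -split "`r?`n"

# Offline run on the sample: report each suspect entry with its removal command.
foreach ($e in Get-UpgdsedEntry -BcdText $SampleBcd) {
    "Suspect entry {0} ('{1}')" -f $e['identifier'], $e['description']
    "Removal: bcdedit /delete {0}" -f $e['identifier']
}
# Live audit of this host (elevated):  Get-UpgdsedEntry
# Dry run of the uninstall:            Remove-Upgdsed -WhatIf
```

On the constructed sample the script reports only the second entry and prints bcdedit /delete {71a3c7fc-f751-4982-aec1-e958357e6813}. Matching on the loader options as well as the description means a renamed entry is still caught, which is the check a defender wants when auditing hosts for this kind of boot-time patch.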

Can UPGDSED be used to load only one driver while rejecting all others?

So I am using DifferentSLIAuto and it works great!
It uses modified drivers (which are unsigned) to run non-SLI cards in SLI mode.

But with new games the problem is that their anti-cheats do not allow games to be run when Windows is in test mode.
Even with full UPGDSED, anti-cheats detect that test mode is on.

So,
tl;dr, is it possible to load just one driver (nvlddmkm.sys) using UPGDSED while rejecting all others?

Create rule

Create rule does not work :(( v1.1.3
I can create one, but it does not change the HWID.

Runtime Patch Possible?

Hello hfiref0x

To achieve that I assume the kernel is patched and the user needs to reboot, so I have a couple of questions:

Can you provide a readme.md with more details on how it works?
Do you have plans to release a tool to disable PatchGuard at runtime?
Is it possible to enable VMX at runtime in Windows (AMD and Intel) by changing an MSR register?

Thank you for releasing this tool; it is very useful.

Hate to ask but any chance to support 17763 aka 1809?

It seems some signature has changed. It no longer works by simply updating the version number in the source code.

Patch: Windows Version: 10.0.17763, LegacyBIOS

Patch: Symbol dlls extracted successfully.
Patch: Dbghelp initialized.
Patch: Copy files to %TEMP%.
Patch: Copy success.
Patch: Scanning ntoskrnl for patterns.

Patch: Ntoskrnl version: 10.0.17763.107

-> SeValidateImageData          004EA2E3
-> CcInitializeBcbProfiler      00875D24
-> KeInitAmd64SpecificState     008B4D28
-> ExpLicenseWatchInitWorker    00892FF0

Patch: Cannot query SepInitializeCodeIntegrity offset: Cannot complete this function.

UPGDSED appears to work fine for all win10 english versions

First off, @Fyyre and @hfiref0x, you do realize that when you started this project you posted about it on the biggest game cheating forum in the world, right? So I'm perplexed why you'd be surprised some people use it for game cheating. I'm even more perplexed why you care. If it's a "not given enough credit" issue, I'm pretty sure everyone knows, when it comes to disabling PatchGuard and they see a new boot entry, whose project they're using. Also, as others have stated, this brilliant project you've created is used for many, many applications, so it'd be a real shame if you abandoned it. This project represents freedom and flexibility while using Windows, a freedom that Microsoft is increasingly trying to strip away, so please don't give up; you're doing great work here.

Also, to everyone else, it appears to me in testing that UPGDSED seems to work fine with all current Windows 10 versions (granted, I've only tested up to 1803, but I'll test 1809 soon). You just need to modify the source a little using common-sense changes. For instance, in scan.c there's code that says
"switch (BuildNumber)" and lists the OS version number; just add to that. Then go through the source and add anywhere it checks for the OS. Use the last Windows 10 pattern for each new build, and so far, so good.
In terms of non-Windows builds I've had a few users not be able to use this project unless they switch to English. Easy ¯\_(ツ)_/¯

Does not work for win10 16299?

Microsoft Windows 10 x64 [Version 10.0.16299.309]
The exe runs fine, and the second boot choice is shown.
When I set up my driver, setup shows success, but....

A while later, a message box shows my driver has been forbidden because it is not signed.

Why?

[help] Windows 10 version 1511 x64

Hi, I am having trouble hiding a process on Windows 10. Maybe (most likely, but maybe you can suggest another utility rootkit which works on Win10) this question is totally unrelated and UPGDSED works as expected. I am not familiar with this whole process.

Note: I got no issues on Win 7 SP1 7601. However, I can only install Remote Desktop Protocol version 8.1 on Win7. My friend told me that on Win7 he experiences much slower RDP speed than on Win10. This is the reason I want to get it working on Win 10, because Win10 has RDP 10.2, which is a lot faster for streaming online games.

I created a Win 10 1511 (TH2) x64 fresh install. Cloned the repo, ran Patch v1.1.3 as an admin. See the log:

WARNING: Using this tool might render your PC to an unbootable state.
If you want to continue type CONTINUE (all uppercase) and press Enter

CONTINUE
Patch: Windows Version: 10.0.10586, EFI

Patch: Symbol dlls extracted successfully.
Patch: Dbghelp initialized.
Patch: Copy files to %TEMP%
Patch: Copy success
Patch: Scanning ntoskrnl for patterns

Patch: Ntoskrnl version: 10.0.10586.0

-> SeValidateImageData          003F48C0
-> CcInitializeBcbProfiler      00681094
-> KeInitAmd64SpecificState     006B2EF8
-> ExpLicenseWatchInitWorker    006BB9D0
-> SepInitializeCodeIntegrity   0049C8B8

Patch: Ntoskrnl scan complete
Patch: Scanning winload for patterns

Patch: Winload version: 10.0.10586.0

-> ImgpValidateImageHash        00054A5C

Patch: Winload scan complete

Patch: ModifyFilesAndMove succeed
Patch: Executing BCDEDIT commands
bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Patch Guard Disabled" -application OSLOADER
The entry {71a3c7fc-f751-4982-aec1-e958357e6813} was successfully created.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.efi
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
The operation completed successfully.
bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
The operation completed successfully.
bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
The operation completed successfully.
bcdedit.exe -timeout 10
The operation completed successfully.
bcdedit.exe -set bootmenupolicy legacy
The operation completed successfully.
Patch: Setting PeAuth service to manual start
Patch: PeAuth service set to manual start

Patch: BcdCreatePatchEntry succeed
Patch: Press Enter to exit

All seems to work. Restarted the computer, booted into Patch Guard Disabled mode.

[screenshot: img_20171203_175417]

Now, I found a tool called hidecon. I think Fyyre created it, specifically for Win7 x64. I used it to hide a process on Win7 with hidecon -ld; hidecon -ph <PID>. When I execute hidecon -ld on Win10 I get:

[screenshot: hidecon-ld-fail]

When I press "close" and proceed with hidecon -ph <PID> I get BSOD.

Any ideas?

Cant load Driver

If I'm trying to load a driver it shows it has to be signed!

But I booted in Patch Guard Disabled and SecureBoot is off!!
