Exploiting ring0 memcpy-like functionality to disable Driver Signing Enforcement (DSE) as documented here: http://deniable.org/windows/windows-callbacks
This exploit is released in the interest of exploring the Windows kernel for self-education. I take zero responsibility for bugchecks, and for whatever you do with this. Don't be stupid.
Is this exploit PatchGuard friendly? Please read http://deniable.org/windows/windows-callbacks. Short answer: CI.dll variables are indeed protected by PatchGuard (starting with Windows 8.1). However, this doesn't mean we'll get an instant PatchGuard action (bugcheck). The change will eventually lead to a bugcheck once PatchGuard notices it. However, if we revert the change (restore the original state) we'll be fine. There's an obvious risk here, as we don't know when PatchGuard is going to look at our global variable. PatchGuard runs at random intervals, so it can happen immediately after our change, 5 minutes later, one hour later, 24 hours later; we don't know.