DSE bypass : implemented "callback swapping" method

The new default method for unsigned driver loading uses a KDP compatible technique, since it does not overwrite the protected variable g_CiOptions. Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2026-06-10 17:31:23 +00:00 · 2023-11-03 14:38:01 +01:00
parent 15c3b706f1
commit f15471d12c
12 changed files with 1408 additions and 1015 deletions
@@ -13,14 +13,15 @@

 enum CiOffsetType {
    g_CiOptions = 0,
+    CiValidateImageHeader,
    _SUPPORTED_CI_OFFSETS_END
 };

 union CiOffsets {
    // structure version of Ci.dll's offsets
    struct {
-        // Ci.dll's g_CiOptions
        DWORD64 g_CiOptions;
+        DWORD64 CiValidateImageHeader;
    } st;

    // array version (usefull for code factoring)
@@ -30,8 +31,10 @@ union CiOffsets {
 union CiOffsets g_ciOffsets;

 // Return the offsets of CI!g_CiOptions for the specific Windows version in use.
-void LoadCiOffsetsFromFile(TCHAR* CiOffsetFilename);
+BOOL LoadCiOffsets(_In_opt_ TCHAR* ciOffsetFilename, BOOL canUseInternet);
+BOOL CiOffsetsAreLoaded();
+BOOL LoadCiOffsetsFromFile(TCHAR* CiOffsetFilename);
 void SaveCiOffsetsToFile(TCHAR* CiOffsetFilename);
-void LoadCiOffsetsFromInternet(BOOL delete_pdb);
+BOOL LoadCiOffsetsFromInternet(BOOL delete_pdb);
 LPTSTR GetCiVersion();
 LPTSTR GetCiPath();
@@ -1,5 +1,7 @@
 #pragma once

+#include <Windows.h>
+
 PBYTE ReadFullFileW(LPCWSTR fileName);

 BOOL FileExistsA(LPCSTR szPath);
@@ -8,6 +8,21 @@
 #define PRINT_ERROR_AUTO(func) _tprintf_or_not(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError())
 #endif

+
+enum dseDisablingMethods_e {
+    G_CIOPTIONS_PATCHING,
+    CALLBACK_SWAPPING,
+};
+
 BOOLEAN IsCiEnabled();
 DWORD64  FindCIBaseAddress();
 BOOL patch_gCiOptions(DWORD64 CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue);
+
+BOOL disableDSE(enum dseDisablingMethods_e method, BOOL verbose);
+BOOL reenableDSE(enum dseDisablingMethods_e method, BOOL verbose);
+
+
+BOOL disableDSEbyCallbackSwapping(DWORD64* oldCiValidateImageHeaderEntryAddr);
+BOOL reenableDSEbyCallbackSwapping(DWORD64 ciValidateImageHeaderEntryAddr);
+BOOL disableDSEbyPatchingCiOptions(BOOL verbose, _Out_ ULONG* OldCiOptionsValue);
+BOOL reenableDSEbyPatchingCiOptions(ULONG OldCiOptionsValue);
@@ -11,7 +11,7 @@


 enum NtoskrnlOffsetType {
-    CREATE_PROCESS_ROUTINE,
+    CREATE_PROCESS_ROUTINE = 0,
    CREATE_THREAD_ROUTINE,
    LOAD_IMAGE_ROUTINE,
    PROTECTION_LEVEL,
@@ -21,6 +21,7 @@ enum NtoskrnlOffsetType {
    PSPROCESSTYPE,
    PSTHREADTYPE,
    OBJECT_TYPE_CALLBACKLIST,
+    SECICALLBACKS,
    _SUPPORTED_NTOSKRNL_OFFSETS_END
 };

@@ -47,6 +48,8 @@ union NtoskrnlOffsets {
        DWORD64 psThreadType;
        // ntoskrnl _OBJECT_TYPE's CallbackList symbol offset
        DWORD64 object_type_callbacklist;
+        // ntoskrnl SeCiCallbacks array
+        DWORD64 seCiCallbacks;
    } st;

    // array version (usefull for code factoring)
@@ -70,4 +73,6 @@ BOOL NtoskrnlOffsetsAreAllPresent();
 BOOL NtoskrnlAllKernelCallbacksOffsetsArePresent();
 BOOL NtoskrnlNotifyRoutinesOffsetsArePresent();
 BOOL NtoskrnlEtwtiOffsetsArePresent();
-BOOL NtoskrnlObjectCallbackOffsetsArePresent();
+BOOL NtoskrnlObjectCallbackOffsetsArePresent();
+
+LPTSTR GetNtoskrnlPath();