Bypass Patchguard to Load Driver on Windows 10

He’s right tho, half way anyway. If you do it fast enough and don’t use SC controller it won’t insta bsod, and there’s a “chance” it won’t bsod later on. (Tbh stupid to have any chance though.)

ex. snippets from my 2014 arma adventures, which used DriveCrypt to run the DSEFix shellcode. Not going to repeat it since everything has been said, but it’s certainly not old and I’m 100% certain people did it before I did..

wchar_t Buffer[128];
wchar_t* ServiceName = (wchar_t*)GetWC(ThisComputer);
swprintf_s(Buffer, L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%Ls", ServiceName);
delete[] ServiceName;
RtlInitUnicodeString(usDriverName, Buffer);
DoExploit(true, OS); // set
NTSTATUS ntStatus = NtLoadDriver(usDriverName);
//STATUS_OBJECT_NAME_COLLISION 0xC0000035
//STATUS_OBJECT_NAME_EXISTS 0x40000000
//STATUS_IMAGE_ALREADY_LOADED 0xC000010E
if (ntStatus == 0x40000000 || ntStatus == 0xC0000035 || ntStatus == 0xC000010E)
{
printf("Driver already running.\n");
}
DoExploit(false, OS); // restore

My main thing is everyone said disabling signing didn’t work on win 8.1+ (causes BSOD), but I found out that it actually does (doesn’t cause BSOD). It might be because I use an official windows driver to do the writes, but I really doubt it. From my testing, you can avoid literally any type of PG detection by doing your work in <15ms. This applies to protected processes, registry locks, etc. So I spent weeks and weeks developing a win10 driver loading method and found out recently I could have just done this. BTW that research paper is really a good thing to save. You'll never get detected if you do DKOM/kernel modification with an official Microsoft WHQL signed driver.