Home

Awesome

dse_hook

this project abuses a vulnerable driver called "winio64.sys"

we patch SeValidateImageData & SeValidateImageHeader to return zero.
those functions are being used by ntoskrnl.exe when NtLoadDriver is called.
by patching those functions we bypass the signature enforcement.

but what about patchguard?

since patchguard only scans the system in random intervals,
we have a small time-window to place a patch and remove it again.
in that time we load our driver.

perks

tested on