AI Summary: ByePg is a kernel-level tool that circumvents Windows PatchGuard and HVCI by leveraging an early-bugcheck hook through the hijacking of the HalPrivateDispatchTable. Its primary use case is to facilitate the implementation of exception-based hooks, allowing for the registration of high-level system-wide exception handlers and offering capabilities for kernel manipulation previously restricted by PatchGuard. Notably, the tool includes a base library and various examples that demonstrate syscall hooking and SEH handling, showcasing its potential for creating new attack surfaces.

README

ByePg: Defeating Patchguard using Exception-hooking

ByePg hijacks the HalPrivateDispatchTable table to create a early-bugcheck hook. Utilizing this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler.

A variety of kernel hooks can be implemented using this method completely bypassing PatchGuard and HVCI as it creates an entirely new attack surface, exception-based hooking, which was previously not possible in Windows kernel.

Writeup:

https://blog.can.ac/2019/10/19/byepg-defeating-patchguard-using-exception-hooking/

Project Structure:

• \ByePgLib contains the base library
• \ExHook contains a standalone SYSCALL hooking example using ByePg
• \ExceptionHookingDemo demonstrates the exception handler
• \InfinityHookFix contains a sample rendering the recent InfinityHook patch by Microsoft useless
• \FreeSeh contains a SEH-via-ByePg module letting you use SEH in manual mapped images bypassing PatchGuard’s inverted function table checks

Result:

P.S.

There are many other things that can be done using the base library and many things can be improved, be SEH handling or BugCheck parsing, so I would really appreciate any form of contribution to this repo.