sapdragon/efiguard-detected
efiguard-detect

dumbest possible way to check if EfiGuard killed your patchguard or not.

how it works

efiguard leaves a SetVariable backdoor behind at runtime - we just poke it from usermode, asking it to read 2 bytes at the ntoskrnl base. if we get MZ back, the backdoor is alive, efiguard did its thing, and pg is dead.

limitations

only works if the user picked the default dse bypass method (DSE_DISABLE_SETVARIABLE_HOOK) — which is the default. if DSE_DISABLE_AT_BOOT was chosen instead, the hook gets removed at ExitBootServices and there's nothing to detect from usermode.

requires admin + SeSystemEnvironmentPrivilege.
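The probe described in "how it works" and "limitations", as an added example that is not the repository's own src/main.cpp: it enables SeSystemEnvironmentPrivilege, takes the kernel base from EnumDeviceDrivers, hands the backdoor a request to copy 2 bytes from that address into a usermode buffer, and reports whether those bytes are MZ. The variable name, GUID, cookie and the request struct layout are assumed placeholders, not values from this page; copy the real ones from EfiGuard's EfiGuardDxe.h before building.

```cpp
// Added example, not the repository's src/main.cpp: a minimal probe for the
// EfiGuard SetVariable backdoor as the README describes it. The variable name,
// GUID, cookie and request layout below are PLACEHOLDERS (assumed); copy the
// real values from EfiGuard's EfiGuardDxe.h before building.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Pure helper: does a buffer start with the DOS "MZ" signature that the
// kernel image (ntoskrnl.exe) begins with?
bool IsMzHeader(const uint8_t* buf, size_t len) {
    return len >= 2 && buf[0] == 'M' && buf[1] == 'Z';
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>

// NtSetSystemEnvironmentValueEx (which SetFirmwareEnvironmentVariableEx wraps)
// refuses callers without SeSystemEnvironmentPrivilege, so enable it first.
static bool EnableSystemEnvironmentPrivilege() {
    HANDLE token = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return false;
    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    bool ok = LookupPrivilegeValueW(nullptr, SE_SYSTEM_ENVIRONMENT_NAME, &tp.Privileges[0].Luid) &&
              AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), nullptr, nullptr) &&
              GetLastError() == ERROR_SUCCESS;   // ERROR_NOT_ALL_ASSIGNED: not admin
    CloseHandle(token);
    return ok;
}

// The first entry EnumDeviceDrivers returns is the kernel image base.
static uintptr_t GetKernelBase() {
    LPVOID bases[1] = {};
    DWORD needed = 0;
    if (!EnumDeviceDrivers(bases, sizeof(bases), &needed) || needed == 0)
        return 0;
    return reinterpret_cast<uintptr_t>(bases[0]);
}

// PLACEHOLDER layout: field names, order and sizes are assumed; verify
// against the backdoor data struct in EfiGuardDxe.h.
struct BackdoorRequest {
    uint64_t Cookie;          // magic value the hook checks (PLACEHOLDER)
    uint64_t KernelAddress;   // source: kernel virtual address to read
    uint64_t UserBuffer;      // destination: usermode buffer the hook writes into
    uint64_t Size;            // bytes to copy
    uint8_t  IsMemCopy;       // 1 = copy Size bytes instead of a single qword
    uint8_t  IsReadOperation; // 1 = kernel -> user, 0 = user -> kernel
};

static const wchar_t* kVariableName = L"EfiGuardBackdoor";                        // PLACEHOLDER
static const wchar_t* kVariableGuid = L"{00000000-0000-0000-0000-000000000000}"; // PLACEHOLDER
static const uint64_t kCookie       = 0;                                          // PLACEHOLDER

// Returns true when the backdoor answered with the kernel's MZ header.
bool ProbeBackdoor() {
    if (!EnableSystemEnvironmentPrivilege()) return false;
    uintptr_t base = GetKernelBase();
    if (base == 0) return false;

    uint8_t out[2] = {0, 0};
    BackdoorRequest req = {};
    req.Cookie = kCookie;
    req.KernelAddress = base;
    req.UserBuffer = reinterpret_cast<uint64_t>(out);
    req.Size = sizeof(out);
    req.IsMemCopy = 1;
    req.IsReadOperation = 1;

    // Attributes NV | BS | RT (0x1 | 0x2 | 0x4). Without the hook in place this
    // is an ordinary SetVariable call and may leave a junk NVRAM variable behind.
    SetFirmwareEnvironmentVariableExW(kVariableName, kVariableGuid, &req, sizeof(req), 0x7);
    return IsMzHeader(out, sizeof(out));
}

int main() {
    std::printf(ProbeBackdoor() ? "backdoor alive: patchguard is dead\n"
                                : "no response: efiguard hook not present\n");
    return 0;
}
#endif
```

Run it from an elevated prompt; a non-elevated token cannot enable the privilege and the probe reports "no response" even on a patched system. When the hook is absent the call reaches real firmware, so on an unpatched box you may want to delete the variable afterwards (SetFirmwareEnvironmentVariableExW with a zero size).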

build

cl /EHsc src/main.cpp /link ntdll.lib psapi.lib

source

src/main.cpp

About

the dumbest way to detect efiguard
