DSE bypass not working on 20H2 after KB5003173 update

Question

DSE bypass not working on 20H2 after KB5003173 update

mihaly044 opened this issue 4 years ago · 9 comments

The latest Windows update for 20H2 that is KB5003173, breaks the functionality of the DSE bypass.

Steps to reproduce:

Upgrade your OS to the newest version available
Run KDU as follows: kdu.exe -dse 0
Observe the unchanged code integrity options value

KDU will report success in despite of the code integrity options value hasn't been altered. Hence, NtLoadDriver will report STATUS_INVALID_IMAGE_HASH.
I have also checked it using NtQuerySystemInformation(SystemCodeIntegrityInformation... and here's the output of that:

CODEINTEGRITY_OPTION_TESTSIGN=FALSE
CODEINTEGRITY_OPTION_UMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED=FALSE
CODEINTEGRITY_OPTION_TEST_BUILD=FALSE
CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD=FALSE
CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_FLIGHT_BUILD=FALSE
CODEINTEGRITY_OPTION_FLIGHTING_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED=TRUE

CodeIntegrityOptions=0x2001

I suspect the memory location of the target variable has changed.

Answer 1 · 2021-05-13T18:34:17.000Z

Yes, CI.DLL now uses Microsoft WIL extensively. It numerous calls at CiInitialize ruins previous algorithm of CipInitialize lookup.

Answer 2 · 2021-05-13T23:57:00.000Z

Thanks, @hfiref0x !
I think I have got it working thanks to your accurate information.
I'll make a PR later today after I'm done testing.

Answer 3 · 2021-05-14T02:16:48.000Z

Thanks, but no need. I'm planning to rewrite this part completely.

Answer 4 · 2021-05-14T08:38:44.000Z

The code for DSE manipulations are from DSEFix in mostly unmodified state. It turns out it also has some very ancient bug which one I likely added when I was moving this repository to the github from kernelmode.info. This also will be fixed.

Answer 5 · 2021-05-14T19:03:49.000Z

I can confirm after the commit it still dones't work

Answer 6 · 2021-05-14T19:04:57.000Z

Narumiii commented 4 years ago

Answer 7 · 2021-05-15T01:41:18.000Z

There has been no commits in master branch. Try exe from dev111 instead (https://github.com/hfiref0x/KDU/blob/v111/Bin/kdu.exe). If it still fails to work then upload your Windows\system32\CI.DLL somewhere (not on github) and post here a link to it.

Answer 8 · 2021-05-15T15:16:43.000Z

Sorry my fault you are right these version works, anyways if needed here is my CI.dll, by the way many thanks to you for your effort and work on kernel research https://anonfiles.com/R5R9r2w3u6/ci_dll

Answer 9 · 2021-05-15T16:02:33.000Z

Thanks, I've checked your file. KDU from dev111 should work fine with it.