DSE Bypass
Disable Driver Signature Enforcement (DSE) at boot time by patching g_CiOptions in winload.efi.
Security Implications
Disabling DSE allows unsigned kernel-mode drivers to be loaded, which significantly reduces system security; use it only on test systems. Note that the patch is applied to winload.efi in memory during boot, so the on-disk winload.efi is unchanged and file-integrity checks will not reveal it; the EFI driver itself can only run where the firmware's Secure Boot policy allows it to load.
What is DSE?
Driver Signature Enforcement (DSE) is a Windows security feature that requires all kernel-mode drivers to be digitally signed by Microsoft or a trusted certificate authority. Without a valid signature, Windows refuses to load the driver.
Bypass Strategy
The EFI driver scans the .text section of winload.efi for the MOV [rip+imm32], ecx instruction that initializes g_CiOptions, then overwrites that 6-byte instruction with NOPs so g_CiOptions is left at 0.
```asm
; Original instruction in winload.efi
mov [rip+0x12345], ecx   ; sets g_CiOptions

; After patching (6 bytes of NOP)
nop
nop
nop
nop
nop
nop                      ; g_CiOptions remains 0
```

How It Works
- The EFI driver hooks gBS->ExitBootServices
- When the hook fires, it reads the DioProcessDseBypass NVRAM variable
- If enabled, it scans the .text section of winload.efi for the target pattern
- Pattern: 89 0D ?? ?? ?? ?? (MOV [rip+imm32], ecx)
- The 6 bytes are replaced with NOPs (90 90 90 90 90 90)
- The original ExitBootServices is restored and boot continues
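Because the patch exists only in memory, a defender has to compare a captured copy of winload.efi's .text section against the on-disk reference. The following Python check is an added example, not code from the DioProcess project; the sample buffers are constructed and are not real winload.efi bytes.

```python
"""Added example (not part of the DioProcess project): compare a captured
in-memory copy of winload.efi's .text with the on-disk reference bytes."""

MOV_RIP_ECX = b"\x89\x0d"      # opcode + ModRM of MOV [rip+imm32], ecx
PATCH_LEN = 6                  # opcode(1) + ModRM(1) + imm32(4)
NOP_SLED = b"\x90" * PATCH_LEN

def diff_regions(reference: bytes, captured: bytes) -> list:
    """Return (start, end) of every maximal run of differing bytes."""
    if len(reference) != len(captured):
        raise ValueError("section sizes differ: wrong image or section")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(reference, captured)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(reference)))
    return regions

def check_capture(reference: bytes, captured: bytes) -> list:
    """Return (offset, kind, reference_bytes, captured_bytes) per finding.
    kind is "dse-bypass-style" when a 6-byte slot that began with 89 0D
    (MOV [rip+imm32], ecx) is now six NOPs; one finding per slot even if an
    imm32 byte that was already 0x90 splits the diff into several runs."""
    findings, covered_until = [], 0
    for start, end in diff_regions(reference, captured):
        if start < covered_until:
            continue  # remainder of a slot already reported
        slot_ref = reference[start:start + PATCH_LEN]
        slot_cap = captured[start:start + PATCH_LEN]
        if slot_ref.startswith(MOV_RIP_ECX) and slot_cap == NOP_SLED:
            findings.append((start, "dse-bypass-style", slot_ref, slot_cap))
            covered_until = start + PATCH_LEN
        else:
            findings.append((start, "unknown", reference[start:end], captured[start:end]))
    return findings

# Constructed sample: code around one g_CiOptions store; the imm32 deliberately
# contains 0x90 so the byte diff splits into two runs.
REFERENCE = bytes.fromhex("4883ec28" "890d90450000" "4883c428c3")
CAPTURED = bytes.fromhex("4883ec28" "909090909090" "4883c428c3")

if __name__ == "__main__":
    for off, kind, ref, cap in check_capture(REFERENCE, CAPTURED):
        print(f"{off:#06x} {kind}: {ref.hex()} -> {cap.hex()}")
```

On a real system the reference bytes come from the .text section of the on-disk winload.efi and the capture from a memory image taken after boot; any "unknown" finding also deserves a look.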
Usage
- Install the EFI driver via the "Install EFI" button in the title bar
- Navigate to the UEFI Bootkit tab
- In the Boot Patches section, toggle DSE Bypass ON
- Click Save to NVRAM
- Reboot; DSE will be disabled
NVRAM Variable
- GUID: {D10PR0C5-1337-4242-BEEF-CAFEBABE0001}
- Name: DioProcessDseBypass
- Value: 0 (disabled) or 1 (enabled)
Implementation
| Item | Location |
|---|---|
| EFI implementation | efi/DioProcessEfi/PatchDse.c |
| Rust bindings | crates/uefi/src/nvram.rs |