DioProcess

KPP Bypass

Disable PatchGuard (Kernel Patch Protection) at boot time by patching initialization functions in ntoskrnl.exe.

System Stability Risk

Disabling PatchGuard allows kernel code modifications but may cause system instability. Use only on test systems.

What is PatchGuard?

Kernel Patch Protection (KPP), commonly known as PatchGuard, is a Windows security feature that monitors critical kernel structures and code for unauthorized modifications. If tampering is detected, Windows triggers a BSOD (CRITICAL_STRUCTURE_CORRUPTION).

Bypass Strategy

The EFI driver scans ntoskrnl.exe's .text section for PatchGuard initialization function prologues and patches them with RET (0xC3) to prevent initialization.

KiFilterFiberContext

Main PatchGuard initialization routine. Patched with RET to skip entirely.

ExpLicenseWatchInitWorker

Secondary PatchGuard component. Also patched with RET.

; Original function prologue
push rbp
mov rbp, rsp
sub rsp, 0x40
...

; After patching
ret                ; Immediately returns, skipping initialization

How It Works

  1. EFI driver hooks gBS->ExitBootServices
  2. When hook fires, read DioProcessKppBypass NVRAM variable
  3. If enabled, scan ntoskrnl.exe .text section for target patterns
  4. Locate KiFilterFiberContext and ExpLicenseWatchInitWorker
  5. Replace first byte with 0xC3 (RET instruction)
  6. Restore original ExitBootServices and continue boot

Usage

  1. Install the EFI driver via title bar "Install EFI" button
  2. Navigate to UEFI Bootkit tab
  3. In Boot Patches section, toggle PatchGuard Bypass ON
  4. Click Save to NVRAM
  5. Reboot — PatchGuard will be disabled

NVRAM Variable

  • GUID: {D10PR0C5-1337-4242-BEEF-CAFEBABE0001}
  • Name: DioProcessKppBypass
  • Value: 0 (disabled) or 1 (enabled)
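A defender-side check for this flag, added here as an example that is not part of the DioProcess project: it walks a Linux efivarfs directory, finds any variable named DioProcessKppBypass regardless of GUID, decodes the efivarfs attribute header and reports whether the first data byte is 1. It assumes the default efivarfs mount path and builds a constructed sample tree (the Boot0000 entry is only there to be ignored).

```python
import os
import struct
import tempfile

VAR_NAME = "DioProcessKppBypass"          # variable name as documented on this page
EFIVARFS = "/sys/firmware/efi/efivars"   # default efivarfs mount on Linux (assumed)
SAMPLE_GUID = "d10pr0c5-1337-4242-beef-cafebabe0001"  # GUID string as printed on the page, lowercased

def parse_efivar(raw: bytes):
    """An efivarfs file is a 4-byte little-endian attribute word followed by the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def find_kpp_bypass(efivars_dir: str = EFIVARFS):
    """Return [(guid, enabled, attrs)] for every variable named DioProcessKppBypass."""
    # Empty list: flag absent. enabled=True: first data byte is 1, so the bootkit
    # will patch PatchGuard on the next boot. Any GUID is accepted on purpose.
    findings = []
    if not os.path.isdir(efivars_dir):
        return findings
    for entry in sorted(os.listdir(efivars_dir)):
        name, sep, guid = entry.partition("-")   # efivarfs names are "<Name>-<GUID>"
        if not sep or name != VAR_NAME:
            continue
        with open(os.path.join(efivars_dir, entry), "rb") as fh:
            attrs, data = parse_efivar(fh.read())
        findings.append((guid, len(data) >= 1 and data[0] == 1, attrs))
    return findings

def make_sample_efivars(tmpdir: str, value: int) -> str:
    """Constructed sample tree: the bypass flag plus one unrelated variable to ignore."""
    attrs = struct.pack("<I", 0x7)   # NV | BS | RT, how a persistent boot-time flag is stored
    with open(os.path.join(tmpdir, f"{VAR_NAME}-{SAMPLE_GUID}"), "wb") as fh:
        fh.write(attrs + bytes([value]))
    with open(os.path.join(tmpdir, "Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c"), "wb") as fh:
        fh.write(attrs + b"\x01\x00")
    return tmpdir

def audit_sample(value: int):
    """Build the sample tree with the given flag value, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return find_kpp_bypass(make_sample_efivars(tmpdir, value))

if __name__ == "__main__":
    for guid, enabled, attrs in audit_sample(1):
        print(f"{VAR_NAME}-{guid}: {'ENABLED' if enabled else 'disabled'} (attrs=0x{attrs:x})")
```

Run it unchanged against the live mount by calling find_kpp_bypass() with no argument on a Linux host; an empty result means no such variable is persisted in NVRAM.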

What You Can Do Without PatchGuard

  • Modify SSDT (System Service Descriptor Table)
  • Hook kernel functions directly
  • Modify IDT (Interrupt Descriptor Table)
  • Patch kernel code without triggering BSOD
  • Implement custom kernel-level monitoring

Implementation

Item                  Location
EFI implementation    efi/DioProcessEfi/PatchKpp.c
Rust bindings         crates/uefi/src/nvram.rs