WELCOME TO INFOCHEATS.NET

Guide [Source] Windows Secure Boot EFI Spoofing — CI.dll & HAL Pattern Scan

byte_corvus
Newbie · Joined Mar 3, 2026 · Messages 598 · Reaction score 7
Vanguard and other kernel-level anti-cheats are getting increasingly aggressive with the Secure Boot requirement. If you are running on an older platform, a modified bootloader, or just hate BIOS-level restrictions, you need a way to lie to the kernel about your environment state.

Standard registry 'tweaks' are child's play and usually get you flagged for inconsistency. The real work happens inside CI.dll and hal.dll. By hitting the source where these variables are cached, you can make a system without Secure Boot look like a fully compliant machine to any AC querying from Ring 3 or Ring 0.

Code Integrity (CI.dll) Logic

Instead of praying for the registry to work, we scan CiInitialize to resolve the RIP-relative displacement of g_CiOptions. By modifying this global, we can force CI to be enabled and kill the test-signing flag, which is a common check for manual mappers.

Code:
#include <ntifs.h>

// Helpers the post relies on but does not show: kernel module lookup and a
// masked byte scan over [base, base+size). Declared here so the snippet compiles.
PVOID  GetKernelModule(const char* name, PULONG size);
PUCHAR PatternScan(PVOID base, ULONG size, const UCHAR* pat, const char* mask, ULONG len);

inline void SpoofSecureBoot()
{
    ULONG ciSize = 0;
    PVOID ciBase = GetKernelModule("CI.dll", &ciSize);
    if (ciBase && ciSize)
    {
        // CiInitialize references g_CiOptions via:
        // "or dword ptr [rip+disp32], imm8" -> 83 0D XX XX XX XX YY
        // NOTE: a two-byte pattern matches the first 83 0D pair anywhere in the
        // image, instruction or not; as described above, the scan has to be
        // limited to CiInitialize for the displacement below to mean anything.
        UCHAR pat[] = { 0x83, 0x0D };
        char msk[] = "xx";
        PUCHAR found = PatternScan(ciBase, ciSize, pat, msk, 2);
        if (found && MmIsAddressValid(found))
        {
            // disp32 occupies bytes 2..5 of the 7-byte instruction
            if (MmIsAddressValid(found + 2) && MmIsAddressValid(found + 5))
            {
                LONG disp = *(LONG*)(found + 2);
                PUCHAR target = found + 7 + disp; // RIP-relative: base is the next instruction
                // MmIsAddressValid only says the page is present, not that it is
                // writable; g_CiOptions lives in CI.dll's .data, which is.
                if (MmIsAddressValid(target) && MmIsAddressValid(target + 3))
                {
                    ULONG* ciOpt = (ULONG*)target;
                    // Bit 0 = CI enabled, bit 3 = test signing
                    *ciOpt = (*ciOpt | 0x1) & ~0x8;
                }
            }
        }
    }
}

The HAL & EFI Variable Scan

The hardware abstraction layer caches the Secure Boot state. Some anti-cheats don't trust the registry and go straight for the HAL's data sections. This function iterates through hal.dll's sections, hunts for the wide string L"SecureBoot", and forces the subsequent state value to 1.

Code:
#include <ntifs.h>

// Walks one section of hal.dll ([secBase, secBase+secLen)). The caller obtains
// each section from the image's section headers (that loop is not shown here).
static void PatchSecureBootState(PUCHAR secBase, ULONG secLen)
{
    const WCHAR target[] = L"SecureBoot";
    ULONG tgtBytes = sizeof(target) - sizeof(WCHAR);   // length without the terminator
    for (ULONG off = 0; off + tgtBytes + 8 < secLen; off += 2)
    {
        // Unmapped page: jump so that the loop's off += 2 lands exactly on the next page
        // (the original "+ 1" followed by "+= 2" skipped the first bytes of every page).
        if (!MmIsAddressValid(secBase + off)) { off = (off | 0xFFF) - 1; continue; }
        if (!MmIsAddressValid(secBase + off + tgtBytes)) continue; // string may straddle a page
        BOOLEAN match = TRUE;
        for (ULONG c = 0; c < tgtBytes; c++) {
            if (secBase[off + c] != ((PUCHAR)target)[c]) { match = FALSE; break; }
        }
        if (!match) continue;

        // Found the string; scan forward for the state value. Start at the first
        // 4-byte aligned offset past the terminator (starting on the terminator
        // itself, as the original did, clobbers the string) and stop after the
        // first candidate instead of rewriting every 0/1 dword in the window.
        ULONG v = (tgtBytes + sizeof(WCHAR) + 3) & ~3UL;
        for (; v < tgtBytes + 128 && off + v + 4 <= secLen; v += 4) {
            if (!MmIsAddressValid(secBase + off + v + 3)) break;
            ULONG val = *(ULONG*)(secBase + off + v);
            if (val == 0 || val == 1) {
                *(ULONG*)(secBase + off + v) = 1; // Force Enabled
                break;
            }
        }
    }
}

While the kernel patches are the meat, the AC might still check the standard registry paths. It is best to sync these up:
  1. Set UEFISecureBootEnabled to 1 in SecureBoot\State.
  2. Set Licensed to 1 in CI\Protected.
  3. Set UMCIAuditMode to 0 in CI.

Technical Notes & Prevention

  1. Ensure Secure Boot is actually DISABLED in your BIOS before running this, or you might end up with a boot loop or a bricked EFI state if your driver misbehaves.
  2. The HAL scan is effective, but if the AC performs a clean read from disk and compares it to memory, they will catch the patch.
  3. Always use a proper kernel manual mapper to load your driver; don't rely on basic service loading with test signing enabled.

This is a solid base for anyone building a private spoofer or bypass. Anyone tested this on the latest 24H2 builds yet?
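The scan-and-resolve step described in the CI.dll section, as an added example that is not part of the original post: it models the masked pattern scan and the RIP-relative displacement arithmetic in plain user-mode C over a constructed byte image, so it can be compiled and run anywhere. The image layout, the decoy bytes at 0x10 and the sample global value are made up for illustration. It also shows why a bare `83 0D` prefix is not enough on its own: the resolved target has to fall inside the expected data range before the hit can be trusted.

```c
/* Added example (not code from the post): user-mode model of the masked
 * pattern scan and RIP-relative arithmetic behind the CI.dll snippet.
 * Everything in the image below is constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IDA-style masked scan: 'x' must match, '?' is a wildcard. Returns the
 * offset of the first match at or after `start`, or -1. */
static long pattern_scan(const uint8_t *base, size_t size, const uint8_t *pat,
                         const char *mask, size_t len, size_t start)
{
    if (len == 0 || size < len) return -1;
    for (size_t i = start; i + len <= size; i++) {
        size_t j = 0;
        while (j < len && (mask[j] == '?' || base[i + j] == pat[j])) j++;
        if (j == len) return (long)i;
    }
    return -1;
}

/* Target offset of a RIP-relative operand: disp32 is signed and relative to
 * the address of the *next* instruction, hence insn_off + insn_len + disp.
 * Computed on offsets, not pointers, so a bogus candidate is just a number. */
static int64_t rip_rel_target(const uint8_t *img, size_t insn_off,
                              size_t disp_off, size_t insn_len)
{
    int32_t disp;
    memcpy(&disp, img + insn_off + disp_off, sizeof disp);  /* little-endian */
    return (int64_t)insn_off + (int64_t)insn_len + disp;
}

/* "or dword ptr [rip+disp32], imm8" encodes as 83 0D disp32 imm8 (7 bytes). */
static const uint8_t OR_RIP_IMM8[2] = { 0x83, 0x0D };
#define OR_RIP_IMM8_LEN 7

/* Walk every 83 0D candidate and keep the first whose resolved operand lies in
 * [sec_lo, sec_hi) and is 4-byte aligned. Returns the global's offset (and the
 * instruction offset through *insn_off), or -1 if nothing qualifies. */
static int64_t find_or_rip_global(const uint8_t *img, size_t size,
                                  size_t sec_lo, size_t sec_hi, size_t *insn_off)
{
    long hit = pattern_scan(img, size, OR_RIP_IMM8, "xx", 2, 0);
    while (hit >= 0 && (size_t)hit + OR_RIP_IMM8_LEN <= size) {
        int64_t tgt = rip_rel_target(img, (size_t)hit, 2, OR_RIP_IMM8_LEN);
        if (tgt >= (int64_t)sec_lo && tgt + 4 <= (int64_t)sec_hi && (tgt & 3) == 0) {
            if (insn_off) *insn_off = (size_t)hit;
            return tgt;
        }
        hit = pattern_scan(img, size, OR_RIP_IMM8, "xx", 2, (size_t)hit + 1);
    }
    return -1;
}

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Constructed image: NOP filler, a decoy 83 0D pair at 0x10 that is data rather
 * than an instruction, the real "or dword ptr [rip+disp32], 6" at 0x40 that
 * references a 4-byte global at 0x90, and a made-up global value of 0x0E. */
#define IMG_SIZE   0x100
#define DATA_LO    0x80
#define INSN_OFF   0x40
#define GLOBAL_OFF 0x90

static void build_image(uint8_t *img)
{
    memset(img, 0x90, IMG_SIZE);
    img[0x10] = 0x83; img[0x11] = 0x0D;             /* decoy inside NOP filler */
    int32_t disp = (int32_t)(GLOBAL_OFF - (INSN_OFF + OR_RIP_IMM8_LEN));
    img[INSN_OFF] = 0x83; img[INSN_OFF + 1] = 0x0D;
    memcpy(img + INSN_OFF + 2, &disp, sizeof disp);
    img[INSN_OFF + 6] = 0x06;                       /* imm8 operand */
    uint32_t g = 0x0E;                              /* sample global contents */
    memcpy(img + GLOBAL_OFF, &g, sizeof g);
}

int main(void)
{
    uint8_t img[IMG_SIZE];
    size_t insn = 0;
    build_image(img);
    long naive = pattern_scan(img, IMG_SIZE, OR_RIP_IMM8, "xx", 2, 0);
    int64_t glob = find_or_rip_global(img, IMG_SIZE, DATA_LO, IMG_SIZE, &insn);
    printf("naive 2-byte hit at 0x%ld (the decoy)\n", naive);
    printf("validated instruction at 0x%zx -> global at 0x%llx, value 0x%x\n",
           insn, (long long)glob, rd32(img + glob));
    return 0;
}
```

The naive scan stops at the decoy because the two opcode bytes carry no context; the validated walk rejects it because its "displacement" (four NOP bytes read as a signed int32) points far outside the image, and accepts the real instruction because its target lands inside the data range. The same check is what a kernel driver would need before dereferencing a `found + 7 + disp` pointer.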
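Note 2 in the post describes an anti-cheat reading the clean image from disk and comparing it with memory. As an added example that is not from the post, this is that comparison over a constructed pair of section snapshots, with the same L"SecureBoot" search reused on the checking side to report which dword after the string moved. The sample bytes are made up. It assumes a section whose bytes are expected to be identical on disk and in memory, which holds for code and read-only data once base relocations have been applied to the on-disk copy; a real checker must apply the image's relocation entries first, or every relocated pointer shows up as a "patch", and for a writable section it needs an independent source of the value rather than the file on disk.

```c
/* Added example (not code from the post): disk-versus-memory comparison of a
 * section snapshot, as an anti-cheat described in note 2 might perform it.
 * All bytes below are constructed; relocations are assumed already applied. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct patch_hit { size_t offset; uint32_t on_disk; uint32_t in_memory; };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Dword-wise diff of two snapshots of the same section. Records up to
 * max_hits differences and returns the total count so callers see truncation. */
static size_t diff_section(const uint8_t *disk, const uint8_t *mem, size_t len,
                           struct patch_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t a = rd32(disk + off), b = rd32(mem + off);
        if (a == b) continue;
        if (n < max_hits) { hits[n].offset = off; hits[n].on_disk = a; hits[n].in_memory = b; }
        n++;
    }
    return n;
}

/* Offset of a UTF-16LE string (terminator not required) in a buffer, or -1.
 * This is the search the HAL snippet performs, here run by the checker. */
static long find_wide(const uint8_t *buf, size_t len, const uint16_t *s, size_t nchars)
{
    size_t bytes = nchars * sizeof(uint16_t);
    for (size_t off = 0; off + bytes <= len; off += 2)
        if (memcmp(buf + off, s, bytes) == 0) return (long)off;
    return -1;
}

static const uint16_t SECURE_BOOT_W[10] = { 'S','e','c','u','r','e','B','o','o','t' };

/* Offset of a differing dword within `window` bytes after L"SecureBoot", or -1
 * if the string is absent or nothing after it changed. */
static long secure_boot_state_tampered(const uint8_t *disk, const uint8_t *mem,
                                       size_t len, size_t window)
{
    struct patch_hit hits[16];
    size_t n = diff_section(disk, mem, len, hits, 16);
    long str = find_wide(mem, len, SECURE_BOOT_W, 10);
    if (str < 0) return -1;
    size_t lo = (size_t)str + sizeof SECURE_BOOT_W;   /* first byte after the string */
    for (size_t i = 0; i < n && i < 16; i++)
        if (hits[i].offset >= lo && hits[i].offset < lo + window) return (long)hits[i].offset;
    return -1;
}

/* Constructed snapshots: zero-filled section, the string at 0x20, and a state
 * dword at 0x38 that is 0 on disk and 1 in memory (what the HAL patch leaves). */
#define SEC_LEN   0x60
#define STR_OFF   0x20
#define STATE_OFF 0x38

static void build_snapshots(uint8_t *disk, uint8_t *mem)
{
    memset(disk, 0, SEC_LEN);
    memcpy(disk + STR_OFF, SECURE_BOOT_W, sizeof SECURE_BOOT_W); /* zero fill terminates it */
    memcpy(mem, disk, SEC_LEN);
    uint32_t one = 1;
    memcpy(mem + STATE_OFF, &one, sizeof one);
}

int main(void)
{
    uint8_t disk[SEC_LEN], mem[SEC_LEN];
    build_snapshots(disk, mem);
    long off = secure_boot_state_tampered(disk, mem, SEC_LEN, 128);
    printf("tampered dword after L\"SecureBoot\" at offset 0x%lx\n", off);
    return 0;
}
```

The window of 128 bytes mirrors the forward scan in the HAL snippet; a checker that knows the exact layout of the build it is validating would compare one specific offset instead of a window, which is cheaper and gives fewer false positives.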