Anyone digging into the latest Windows 11 kernel builds has probably realized that static analysis is becoming a massive headache. If you've tried loading the 25H2 kernel into IDA Pro lately, you'll know it's basically a coin flip whether it even parses correctly. Microsoft is amping up the obfuscation, but if you're willing to do the legwork with dynamic analysis, the XREFs are still there for the taking.
I spent some time reversing the Driver Signature Enforcement (DSE) logic on the newest 24H2 and 25H2 builds. The target is CI!g_CiOptions, but they've tightened the screws. The Page Table Entry (PTE) for this is now write-protected by default. Testing on bare metal confirmed that a standard write won't cut it.
The Method
To get around the protection, the PTE has to be flipped to Read/Write (RW) manually. Once you've got access, dropping a zero in there effectively kills DSE. My program handles the dynamic analysis to grab the necessary refs and signatures despite the current state of IDA.
PatchGuard & Stability
Is it a permanent solution? Not on its own. Flipping the PTE and zeroing the options triggers PatchGuard. In my tests, the system stays stable for about six hours before the inevitable BSOD hits. I've successfully bypassed PatchGuard on these versions previously, but I haven't fully integrated and stress-tested the two together for a long-duration run yet.
This isn't just another copy-paste job for your local mapper. If you're serious about kernel development on modern Windows builds, you need to understand the internals rather than relying on old signatures. It's getting harder, but the loopholes are definitely still there.
Anyone else noticed specific offsets shifting in the latest 25H2 canary builds?
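The page-table arithmetic behind the PTE flip described in the post, as an added example for this thread (not the poster's program and not Microsoft code). It runs as plain user-mode C on any host and never touches a live kernel: it computes where the PTE, PDE, PDPTE and PML4E for a kernel address live under the self-mapped x86-64 page tables Windows uses, decides which entry actually governs the page (a 2 MiB or 1 GiB large page has no PTE, so "flip the PTE" would scribble on the wrong memory), checks writability the way the CPU does with CR0.WP set, and produces the one-bit RW change. Assumptions, labelled in the code: the self-reference PML4 index 0x1ED is the historical fixed value, and Windows 10 1803 and later randomise it at boot, so a real driver has to read it at runtime rather than hard-code it; every entry value and the target address are constructed for the demo.

```c
/*
 * Page-table address math for the self-mapped x86-64 page tables Windows uses.
 * Added example for this thread, not the poster's program; pure user-mode
 * arithmetic, nothing here touches a live kernel.
 *
 * Assumption: self-reference PML4 index 0x1ED is the old fixed value. Windows
 * 10 1803 and later randomise it at boot, so a real driver must read it at
 * runtime instead of hard-coding it. All entry values below are constructed.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT (1ull << 0)
#define PTE_RW      (1ull << 1)
#define PTE_LARGE   (1ull << 7)   /* in a PDPTE/PDE: 1 GiB / 2 MiB page, no lower level exists */
#define PTE_NX      (1ull << 63)
#define VA_CANON_HI 0xFFFF000000000000ull

/* Base of the PTE array: the PML4 slot that points back at the PML4 itself. */
uint64_t pte_base_from_selfref(unsigned selfref_index)
{
    return VA_CANON_HI | ((uint64_t)(selfref_index & 0x1FF) << 39);
}

/* Address of the PTE mapping 'va': VA bits 47..12 become PTE-address bits 38..3. */
uint64_t pte_va(uint64_t pte_base, uint64_t va)
{
    return pte_base + ((va >> 9) & 0x7FFFFFFFF8ull);
}

/* The PTE that maps a PTE is the PDE, and so on up: apply the same map again. */
uint64_t pde_va(uint64_t b, uint64_t va)   { return pte_va(b, pte_va(b, va)); }
uint64_t pdpte_va(uint64_t b, uint64_t va) { return pte_va(b, pde_va(b, va)); }
uint64_t pml4e_va(uint64_t b, uint64_t va) { return pte_va(b, pdpte_va(b, va)); }

/* Raw entry values as a driver would read them top-down for one address. */
struct walk { uint64_t pml4e, pdpte, pde, pte; };

/*
 * Which entry governs the target page: 3 = PDPTE (1 GiB page), 2 = PDE (2 MiB
 * page), 1 = PTE, 0 = not mapped. Flipping the "PTE" of a large-page mapping
 * writes into memory that is not a page table at all, so check this first.
 */
int governing_level(const struct walk *w)
{
    if (!(w->pml4e & PTE_PRESENT) || !(w->pdpte & PTE_PRESENT)) return 0;
    if (w->pdpte & PTE_LARGE) return 3;
    if (!(w->pde & PTE_PRESENT)) return 0;
    if (w->pde & PTE_LARGE) return 2;
    return (w->pte & PTE_PRESENT) ? 1 : 0;
}

/* With CR0.WP set, a supervisor write needs RW at every level of the walk. */
int page_is_writable(const struct walk *w)
{
    int lvl = governing_level(w);
    if (lvl == 0 || !(w->pml4e & PTE_RW) || !(w->pdpte & PTE_RW)) return 0;
    if (lvl == 3) return 1;
    if (!(w->pde & PTE_RW)) return 0;
    if (lvl == 2) return 1;
    return (w->pte & PTE_RW) != 0;
}

/* The one-bit change the post describes: same PFN and flags, RW added. After
 * storing it a driver must also flush the TLB entry (__invlpg on the target). */
uint64_t entry_with_rw(uint64_t entry) { return entry | PTE_RW; }

/* Constructed walk for a read-only, NX, global kernel data page (flags 0x121). */
struct walk sample_readonly_walk(void)
{
    struct walk w = { 0x0000000001234063ull, 0x0000000001235063ull,
                      0x0000000001236063ull, 0x8000000012345121ull };
    return w;
}

/* Constructed walk where the PDE is a writable 2 MiB large page (flags 0xE3). */
struct walk sample_large_page_walk(void)
{
    struct walk w = { 0x0000000001234063ull, 0x0000000001235063ull,
                      0x00000000402000E3ull, 0 };
    return w;
}

int main(void)
{
    uint64_t base = pte_base_from_selfref(0x1ED);   /* assumption: fixed index */
    uint64_t va = 0xFFFFF80000001000ull;            /* constructed kernel address */
    printf("PTE   at %016" PRIx64 "\n", pte_va(base, va));
    printf("PDE   at %016" PRIx64 "\n", pde_va(base, va));
    printf("PDPTE at %016" PRIx64 "\n", pdpte_va(base, va));
    printf("PML4E at %016" PRIx64 "\n", pml4e_va(base, va));

    struct walk w = sample_readonly_walk();
    printf("writable before flip: %d\n", page_is_writable(&w));
    w.pte = entry_with_rw(w.pte);
    printf("writable after flip:  %d\n", page_is_writable(&w));

    struct walk lp = sample_large_page_walk();
    printf("large page governed at level %d\n", governing_level(&lp));
    return 0;
}
```

Two things to take from it that the post only implies: the upper levels matter too (a RW bit in the PTE does nothing if the PDE above it is read-only), and restoring the saved original entry after the write is the cheapest way to leave fewer tripwires for whatever integrity checks run later.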