Download BootBypass.7z   Password: github.com

BootBypass — Native Boot-Phase DSE/HVCI Bypass utility


Boot-phase DSE patching · HVCI hive bypass · BYOVD IOCTL primitive · Secure Boot independent

Native-subsystem application (SUBSYSTEM:NATIVE) registered in BootExecute — executes at SMSS phase, before any antivirus or EDR component initializes.

Patches SeCiCallbacks+0x20 in the live kernel using a BYOVD IOCTL read/write primitive, loads the target unsigned driver, then restores the original callback — all in a single atomic boot sequence.

HVCI (Memory Integrity) bypass walks the SYSTEM registry hive on disk at raw NK/VK cell level — no registry API — and clears HypervisorEnforcedCodeIntegrity before the next boot. Works on both Windows 10 and Windows 11.

Requires Administrator privileges. For security research and driver development in controlled environments only.

📚 Table of Contents

Overview

BootBypass is a Windows native-subsystem application (/SUBSYSTEM:NATIVE) that executes as a SMSS boot-phase program — before services.exe, before winlogon.exe, and before any antivirus or EDR user-mode component initializes. It delivers a complete, automated pipeline for:

  • DSE bypass — patching SeCiCallbacks in the live kernel to disable Code Integrity validation, loading an unsigned target driver, then restoring the original callback — all within a single atomic boot-phase sequence.
  • HVCI (Memory Integrity) bypass — directly modifying the SYSTEM registry hive on disk, without using any registry API, to clear the HypervisorEnforcedCodeIntegrity\Enabled flag before the next boot.
  • INI-driven operation — all actions declared in C:\Windows\drivers.ini (UTF-16 LE). Supports LOAD, UNLOAD, RENAME, and DELETE operations, executed sequentially.

Secure Boot independence. Secure Boot validates the pre-OS chain — UEFI firmware → boot manager → Windows kernel. That chain is complete and sealed before SMSS launches its first process. bb.exe executes inside an already-running, already-validated kernel session; Secure Boot has no mechanism to inspect or constrain native applications registered in BootExecute. The relevant enforcement boundary at this stage is DSE — which this utility addresses directly.

Demonstrated outcome — unsigned kernel driver loaded and running:

sc query omnidriver

SERVICE_NAME: omnidriver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)

Architecture

The project is a single native executable compiled from seven C translation units, one MASM module, a shared header, and embedded binary resources.

src/
├── BootBypass.h             Global type definitions, NT API imports, constants
├── BootManager.c/.h         Entry point (NtProcessStartup), privilege setup, main dispatch
├── SecurityPatcher.c/.h     IOCTL read/write primitives, DSE patch/restore, AutoPatch sequence
├── OffsetFinder.c/.h        PE parser, SeCiCallbacks heuristic scanner
├── SetupManager.c/.h        Resource extraction (IDR_DRV), HVCI detect/patch, hive NK/VK walker
├── DriverManager.c/.h       NtLoadDriver, NtUnloadDriver, IsDriverLoaded
├── FileManager.c/.h         NtSetInformationFile rename/delete, recursive directory delete
├── SystemUtils.c/.h         memset/wcslen/wcscpy safe ops, NtDisplayString, alloc/free
├── MmPoolTelemetry.asm      Runtime service name decoder (MASM, obfuscated)
└── IDR_DRV                  Embedded driver blob (LZNT1-compressed + XOR-encrypted)

High-Level Execution Flow

flowchart TD A([NtProcessStartup]) --> B[Acquire privileges\nSE_LOAD_DRIVER · SE_BACKUP\nSE_RESTORE · SE_SHUTDOWN] B --> C[ReadIniFile + ParseIniFile] C --> D{Offsets in INI?} D -- No --> E[FindKernelOffsetsLocally\nScan ntoskrnl.exe on disk] D -- Yes --> F E --> F{HVCI enabled?} F -- Yes --> G[PatchSystemHiveHVCI\nDirect NK/VK hive write\nReboot] F -- No --> H[For each INI entry] H --> I{Action} I -- LOAD + AutoPatch --> J[ExecuteAutoPatchLoad] I -- LOAD --> K[LoadDriver] I -- UNLOAD --> L[UnloadDriver] I -- RENAME --> M[NtSetInformationFile] I -- DELETE --> N[NtSetInformationFile\nrecursive if set] J --> O[Extract driver from IDR_DRV\nXOR decrypt + LZNT1 decompress\nWrite to Sam.evtx] O --> P[LoadDriver under obfuscated name] P --> Q[OpenDriverDevice] Q --> R[GetNtoskrnlBase\nNtQuerySystemInformation] R --> S[ReadMemory64 → save callback\nWriteMemory64 → patch SeCiCallbacks+0x20] S --> T[LoadDriver — target unsigned driver] T --> U[WriteMemory64 → restore callback] U --> V[UnloadDriver + Cleanup\nDelete Sam.evtx + registry key] V --> W([SUCCESS])

Boot-Phase Execution Context

BootBypass runs as a native application registered in:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute

The default value is autocheck autochk *. deploy.ps1 appends bb to this multi-string, causing SMSS to launch bb.exe from %SystemRoot%\System32 on the next boot — before any Win32 subsystem process starts.

At this execution stage:

  • No antivirus user-mode threads are alive.
  • No ETW-based kernel callbacks are armed by security software.
  • The kernel and its loaded boot drivers are running; the session manager has control.
  • NtDisplayString writes directly to the boot screen (visible when Verbose=YES).

Linker and CRT Configuration

Flag Effect
/SUBSYSTEM:NATIVE Loaded by SMSS; no Win32 initialization
/ENTRY:NtProcessStartup NT native entry point; PEB passed directly
/NODEFAULTLIB No CRT dependency; string ops re-implemented in SystemUtils.c
/STACK:0x100000,0x100000 1 MB committed stack; required for LZNT1 decompression buffers
#pragma optimize("", off) Prevents dead-code elimination of deliberate structural sequences
#pragma check_stack(off) Disables /GS stack cookies; consistent with native binary conventions

Privilege Acquisition

Privilege Purpose
SeLoadDriverPrivilege (10) NtLoadDriver / NtUnloadDriver
SeBackupPrivilege (17) Open the SYSTEM hive with backup intent
SeRestorePrivilege (18) Write to the SYSTEM hive
SeShutdownPrivilege (19) NtShutdownSystem after HVCI hive patch

Resource Embedding — IDR_DRV

The bypass driver is embedded directly into bb.exe as a RCDATA resource (type 10, ID 101). Two protection layers are applied at build time:

Input: kvc.sys (raw PE, 14024 bytes)
  ↓
RtlCompressBuffer (LZNT1 + COMPRESSION_ENGINE_MAXIMUM)
  → compressed blob (9139 bytes, ~35% reduction)
  ↓
XOR encrypt, key = { 0xA0, 0xE2, 0x80, 0x8B, 0xE2, 0x80, 0x8C } (7-byte rotating)
  → IDR_DRV (final resource blob, 9139 bytes)

No Win32 resource API is available in the native subsystem. The resource is located by walking the PE .rsrc directory manually from the image base obtained from the PEB (GS:[0x60]+0x10). The extracted blob is decrypted and decompressed into memory, written to \SystemRoot\System32\winevt\Logs\Sam.evtx, loaded under an obfuscated service name, and deleted immediately after the DSE sequence completes.

Kernel Offset Discovery — SeCiCallbacks Scanner

When no offsets are supplied in drivers.ini, FindKernelOffsetsLocally() maps ntoskrnl.exe from disk and applies a heuristic scoring scan to locate SeCiCallbacks.

Scoring rules (minimum 110 points to qualify):

Points Criterion
+50 Target address falls within .pdata RUNTIME_FUNCTION-covered range
+30 Pointer value is page-aligned (low 12 bits = 0)
+20 Pointer is in the kernel executable range
+10 Address resolves to a valid export or known symbol offset


.pdata usage is deliberate: SeCiCallbacks entries point to executable code covered by exception unwind records — every legitimate callback is within a RUNTIME_FUNCTION range. Scanning only those ranges eliminates most false positives.

IOCTL Memory Primitives — RTC_PACKET

The BYOVD driver exposes a single IOCTL that accepts a 48-byte RTC_PACKET structure:

typedef struct _RTC_PACKET {
    /* +0x00 */ ULONGLONG  TargetAddress;   // kernel VA to read from or write to
    /* +0x08 */ ULONGLONG  Value;           // write: value to store; read: ignored
    /* +0x10 */ ULONGLONG  Result;          // read: kernel value returned here
    /* +0x18 */ ULONG      Operation;       // 1 = read QWORD, 2 = write QWORD
    /* +0x1C */ ULONG      Size;            // transfer width in bytes (8 = QWORD)
    /* +0x20 */ ULONGLONG  Reserved[2];     // padding to 48 bytes total
} RTC_PACKET, *PRTC_PACKET;

ReadMemory64 and WriteMemory64 are thin wrappers over DeviceIoControl using this structure.

DSE Patch/Restore Sequence

  1. GetNtoskrnlBase()NtQuerySystemInformation(SystemModuleInformation)
  2. GetSeCiCallbacksVA() — add scanner offset to kernel base
  3. ReadMemory64() — save original CiValidateImageHeader pointer
  4. WriteMemory64() — overwrite SeCiCallbacks+0x20 with SafeFunction address
  5. ZwFlushInstructionCache() — invalidate CPU instruction cache
  6. NtLoadDriver() — load target unsigned driver
  7. WriteMemory64() — restore original CiValidateImageHeader pointer
  8. ZwFlushInstructionCache() — invalidate again

SafeFunction is a pointer to a kernel stub that always returns STATUS_SUCCESS. The restore in step 7 happens regardless of whether NtLoadDriver succeeded, preserving system integrity.

HVCI Detection and Hive Patching

HVCI is detected before any driver operations by reading:

HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Value: Enabled (DWORD)

If HVCI is active, PatchSystemHiveHVCI() performs the bypass entirely at the raw hive binary level — no registry API. It opens \SystemRoot\System32\config\SYSTEM with backup intent and walks the binary structure cell-by-cell:

1. Read hive header → BaseBlock → RootCellOffset
2. Walk NK cells: CurrentControlSet → Control → DeviceGuard →
                  Scenarios → HypervisorEnforcedCodeIntegrity
3. Iterate VK cells in the target NK — find VK where name == L"Enabled"
4. For inline DWORD (DataLength & 0x80000000): value is at VK+0x0C
5. Write 0x00000000 at that offset
6. Read back to verify → flush file → NtShutdownSystem(ShutdownReboot)

Windows 10 vs Windows 11 hive layout:

On Windows 11, compact hive allocation places NK and VK cells in adjacent blocks — a single sequential scan suffices.

On Windows 10, VK cells may be placed anywhere in the hive. The walker follows the ValuesListOffset pointer array in each NK cell and performs random-access reads for each entry.

Service Name Obfuscation — MmPoolTelemetry

MmPoolTelemetry.asm (MASM) implements a runtime name decoder that produces the bypass driver's service name and device path from an obfuscated constant table. At runtime:

  • MmGetPoolDiagnosticString() decodes and returns the service name.
  • All NtLoadDriver, NtOpenFile, and NtDeleteKey calls use the decoded string.
  • The string is never present in cleartext in the binary.

Configuration Reference — drivers.ini

drivers.ini is placed at C:\Windows\drivers.ini, UTF-16 LE encoding. Example:

[Settings]
Verbose=YES
;Offset_SeCiCallbacks=0x0
;Offset_SafeFunction=0x0

[Driver_omnidriver]
Action=LOAD
AutoPatch=YES
DriverPath=\??\C:\Windows\System32\omnidriver.sys
TargetDriverNtPath=\SystemRoot\System32\omnidriver.sys
ServiceName=omnidriver
ServiceDisplayName=OmniDriver
ServiceGroup=Boot Bus Extender

Offset_SeCiCallbacks and Offset_SafeFunction are commented out — the scanner locates both automatically. Supply numeric values (e.g. =0x14D3B20) only to override auto-detection.

Supported actions:

Action AutoPatch Effect
LOAD YES Full DSE bypass sequence: extract driver, patch, load target, restore
LOAD NO Direct NtLoadDriver (assumes DSE already disabled)
UNLOAD NtUnloadDriver
RENAME NtSetInformationFile rename
DELETE NtSetInformationFile delete; add Recursive=YES for directories

Research Notes

HVCI Hive Structure Discovery

The hive-level HVCI bypass required two separate reverse engineering sessions for Windows 10 and Windows 11 because the hive binary layout differs between them.

On Windows 11, compact hive allocation places NK and VK cells in adjacent blocks. The HypervisorEnforcedCodeIntegrity key has very few values, making a forward sequential scan reliable.

On Windows 10, the same key's VK cells are scattered across the hive at non-adjacent offsets. The correct approach is to follow the ValuesListOffset pointer in the NK cell, which points to a DWORD array of VK offsets — each must be read separately. This is what the production walker implements for both platforms.

The NK cell signature is NK at offset 0 (bytes 0x4E 0x4B). The VK signature is VK at offset 0 (bytes 0x56 0x4B). The cell's allocation header sits at offset −4 relative to the cell start: negative size = allocated, positive = free.

SeCiCallbacks — IDA Reverse Engineering and Python Prototype

SeCiCallbacks is not exported and has no debug symbol in production kernels. Its location was identified via IDA Pro by tracing the call chain from PsLoadImage through SeValidateImageHeader into ci.dll's CiValidateImageHeader export, then back-referencing to the kernel global used as the dispatch table.

A Python prototype (find_seci.py) was written to validate the scoring algorithm against known-good offsets before implementing it in C. The prototype mapped the PE file with mmap, iterated over all RUNTIME_FUNCTION entries in .pdata, and scored candidate pointers against the same criteria used by the production scanner. Once the prototype reliably identified the target offset on multiple kernel versions (22H2 and 23H2), the algorithm was ported to C.

Deployment

deploy.ps1 prepares the target system in one step:

.\deploy.ps1 -SourcePath .\data -TargetDriverNtPath \SystemRoot\System32\omnidriver.sys

What it does:

┌──────────────────────────────────────────────────────────────┐
│  deploy.ps1                                                  │
│                                                              │
│  1. Copy bb.exe         → C:\Windows\System32\               │
│  2. Copy drivers.ini    → C:\Windows\                        │
│  3. Copy target driver  → -TargetDriverNtPath                │
│  4. Append bb to BootExecute multi-string                    │
│     (HKLM\...\Session Manager\BootExecute)                   │
│  5. Print: "Reboot to execute BootBypass"                    │
└──────────────────────────────────────────────────────────────┘

After reboot, bb.exe runs at SMSS phase. On success, the target driver is loaded and running before winlogon.exe starts. bb.exe and drivers.ini remain in place for subsequent boots; remove them manually when done.

Copyright © 2026 Marek Wesołowski (WESMAR) — kvc.pl · MIT License