
dsefix's Introduction

DSEFix

Windows x64 Driver Signature Enforcement Overrider

For more info see Defeating x64 Driver Signature Enforcement http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322.

System Requirements

x64 Windows Vista/7/8/8.1/10.

Windows 8.1/10: warning, see PatchGuard note below.

DSEFix is designed only for x64 Windows.

Administrative privilege is required.

Build

DSEFix comes with full source code. To build from source you need Microsoft Visual Studio 2013 Update 4 or a later version.

How it works

It uses the WinNT/Turla VirtualBox kernel-mode exploit technique to overwrite the global system variable that controls DSE behavior, which lives in kernel memory. Prior to Windows 8 this is ntoskrnl!g_CiEnabled, a boolean variable (0 = disabled, 1 = enabled); starting from Windows 8 it is CI.DLL!g_CiOptions, a combination of flags, where a value of 6 is the default set of options and a value of 0 means "no integrity checks". If you run DSEFix without parameters it attempts to disable DSE in the way appropriate to the system version. If you run DSEFix with the "-e" parameter (without quotes) it attempts to restore the DSE controlling variable to its default state.

PatchGuard incompatibility

Warning: starting from Windows 8.1, the CI.DLL variables are protected by Kernel Patch Protection (PatchGuard) as a generic data region. This doesn't mean an instant PatchGuard response (BSOD), but it will eventually lead to one once PatchGuard is able to detect that a modification took place (it doesn't matter whether you restore the original state). The reaction time is almost random: it can be almost instant, or take an hour, two, four, etc.

Deprecation

DSEFix is based on an old Oracle VirtualBox driver created in 2008. This driver wasn't designed to be compatible with the newest Windows versions and may work incorrectly. Because DSEFix is based entirely on the LPE in this exact VirtualBox driver version, it is not wise to use it on the newest versions of Windows. Consider this repository deprecated/abandonware. Any possible updates can relate only to the DSEFix software itself.

Authors

(c) 2014 - 2018 DSEFix Project

dsefix's People

Contributors

bryant1410, hfiref0x


dsefix's Issues

DSEFix and Windows 10 and later

Under Windows 10 the DSE control variable is subject to PatchGuard protection, which means DSEFix is a (delayed) BSOD generator. There is NO workaround for this.

However you still can:

  1. Spend your money on a certificate and sign your driver with it.
  2. Disable PatchGuard completely during its initialization (and turn off DSE as well) by on-disk binary modifications.
  3. Use alternative driver loading methods.

CRITICAL_STRUCTURE_CORRUPTION

There MUST be a problem with DSEfix, because with WIN64AST there is no problem!!!
Please compare how WIN64AST works!

CRITICAL_STRUCTURE_CORRUPTION

Hi thanks for posting this.

I just want to report an error.
I have used this in a VirtualBox VM with Windows 8.1 x64.
I sometimes get a bluescreen about CRITICAL_STRUCTURE_CORRUPTION (CI.dll).

I'm not sure if it's because my VirtualBox Windows install is corrupt or if it's caused by not setting something with this.

I always make sure I re-enable DSE about 30 seconds after I disable it and load up my driver.

Running DSEFix as admin, nothing shown on DebugView

C:\Users\User\Desktop\Compiled>dsefix.exe
DSEFix v1.2.0 started
(c) 2014 - 2017 DSEFix Project
Supported x64 OS : 7 and above

Ldr: Windows v6.1 build 7601
Ldr: ntoskrnl.exe loaded for pattern search
Ldr: DSE will be disabled
SCM: Vulnerable driver loaded and opened
Ldr: OpenLdr.u.Out.pvImageBase = 0xFFFFFA8003D65080
Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete
Ldr: SUP_IOCTL_FAST_DO_NOP
Ldr: Modifying value at address 0xFFFFF80002A2BEB8
Ldr: SUP_IOCTL_LDR_FREE
SCM: Unloading vulnerable driver
SCM: Vulnerable driver successfully unloaded
SCM: Driver entry removed from registry
Ldr: Driver file removed
Ldr: Exit

This is running on an x64 Win7 VMware VM, but nothing is shown in DebugView; also, after trying to register a new driver it never shows up in the services.

Doesn't work on windows 10(actually)

Well, it seems like it was fixed or something; here is the WinDbg log:

Microsoft (R) Windows Debugger Version 10.0.17763.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\dsefix.exe
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00007ff6`4c030000 00007ff6`4c04e000   image00007ff6`4c030000
ModLoad: 00007ff8`82060000 00007ff8`82241000   ntdll.dll
ModLoad: 00007ff8`812e0000 00007ff8`81392000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ff8`7f270000 00007ff8`7f4e3000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ff8`81400000 00007ff8`81590000   C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ff8`7f250000 00007ff8`7f270000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ff8`7f960000 00007ff8`7f988000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ff8`7e430000 00007ff8`7e5c2000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ff8`7f030000 00007ff8`7f0cf000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ff8`7f0d0000 00007ff8`7f1ca000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ff8`81ab0000 00007ff8`81b51000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ff8`818c0000 00007ff8`8195e000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ff8`813a0000 00007ff8`813fb000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ff8`81980000 00007ff8`81aa4000   C:\WINDOWS\System32\RPCRT4.dll
(3acc.297c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ff8`8212cdfc cc              int     3
---

Here is the dsefix.exe log:

DSEFix v1.2.2 started
(c) 2014 - 2017 DSEFix Project
Supported x64 OS : 7 and above

Ldr: Windows v10.0 build 17134
Ldr: Warning, improved PatchGuard version present
Ldr: Modification of data region will lead to delayed BSOD
Ldr: CI.dll loaded for pattern search
Ldr: DSE will be disabled
SCM: Vulnerable driver load failure
Ldr: Exit

System:
- Intel X5570
- Windows 10, last update as of 20.11.18 (I guess)

EDIT: Checked on a VM (Win 10 1607) - works fine, though a BSOD results after some time, but I'm working on it.

DSEFix and VirtualBox

There is an issue with DSEFix running on systems with VirtualBox software installed. Since DSEFix uses an old VirtualBox driver to do its task, it attempts to reload the actual VBoxDrv and may fail here if the following conditions are met:

  1. VirtualBox is installed with VirtualBox Networking, so the VirtualBox Bridged Networking protocol is installed for the available network connections.
  2. The VirtualBox USBMon driver is loaded (it references VBoxDrv, preventing it from unloading).

Solution: On systems with VirtualBox installed, disable VirtualBox networking and VBoxUsbMon before running DSEFix:

  1. Temporarily shut down all network connections that use the VirtualBox network protocol, including the "VirtualBox Host-Only Network" connection. Re-enable them after DSEFix usage. This will stop the VirtualBox network drivers (VBoxNetAdp, VBoxNetFlt).
  2. Use "net stop vboxusbmon" from an elevated command prompt to stop the VirtualBox USB monitor. Restart it (if needed) after DSEFix usage, using "net start vboxusbmon" from an elevated command prompt.

bug in disasm of 3 and 5 byte nop's

#include <Windows.h>
#include <stdio.h>
#include <tchar.h>
#include "ldasm.h"
#include "ldasm.c"

int _tmain(int argc, TCHAR* argv[])
{
    ldasm_data d;
    /* x64 function prologue followed by a 5-byte and a 3-byte multi-byte NOP */
    BYTE codebuff[17 + 5 + 3] =
    { 0x55, 0x53, 0x48, 0x83, 0xEC, 0x58, 0x48, 0x8B, 0xEC, 0x48, 0xC7, 0x45, 0x38, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x1f, 0x44, 0x00, 0x00, 0x0f, 0x1f, 0x00 };
    /*
    55                  push rbp
    53                  push rbx
    4883EC58            sub rsp,$58
    488BEC              mov rbp,rsp
    48C7453800000000    mov qword ptr [rbp+$38],$0000000000000000
    0F1F440000          nop dword ptr ds:[rax+rax]
    0F1F00              nop dword ptr ds:[rax]
    */
    unsigned int i = 0;
    i += ldasm(&codebuff[i], &d, 1); // push rbp - OK
    i += ldasm(&codebuff[i], &d, 1); // push rbx - OK
    i += ldasm(&codebuff[i], &d, 1); // sub rsp,$58 - OK
    i += ldasm(&codebuff[i], &d, 1); // mov rbp,rsp - OK
    i += ldasm(&codebuff[i], &d, 1); // mov qword ptr... - OK
    // ERROR!!!!!!!!
    i += ldasm(&codebuff[i], &d, 1); // expected 5 bytes for "nop dword ptr ds:[rax+rax]", but actual is 2 bytes
    i += ldasm(&codebuff[i], &d, 1); // then garbage with REX (3 bytes)
    i += ldasm(&codebuff[i], &d, 1); // expected 3 bytes for "nop dword ptr ds:[rax]", but actual is 2 bytes
    i += ldasm(&codebuff[i], &d, 1); // error - out of range (ldasm() returns 2)
    return 0;
}
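The report above hinges on how long a `0F 1F /0` multi-byte NOP is, which depends on its ModRM byte (and SIB/displacement bytes) exactly like any other memory-operand instruction. The following is an added example, not the poster's code and not the ldasm.c shipped with DSEFix: a small, self-contained C length decoder for the NOP family that applies the general 64-bit ModRM/SIB rule, so it handles not only the 5-byte and 3-byte forms from the report but also the 66-prefixed, REX-prefixed, RIP-relative and disp32 encodings compilers emit for alignment padding. The sample byte string is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes that follow a ModRM byte (SIB + displacement) in 64-bit mode,
 * not counting the ModRM byte itself. Returns -1 if the buffer is too
 * short to hold them. */
static int modrm_tail_len(const uint8_t *p, size_t n)
{
    if (n < 1)
        return -1;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    int len = 0;

    if (mod == 3)
        return 0;                      /* register operand: no SIB, no disp */

    if (rm == 4) {                     /* rm=100 means a SIB byte follows */
        if (n < 2)
            return -1;
        len += 1;
        if (mod == 0 && (p[1] & 7) == 5)
            len += 4;                  /* SIB base=101 with mod=00: disp32, no base */
    } else if (mod == 0 && rm == 5) {
        len += 4;                      /* mod=00 rm=101: RIP-relative disp32 */
    }

    if (mod == 1)
        len += 1;                      /* disp8 */
    else if (mod == 2)
        len += 4;                      /* disp32 */

    return (size_t)(1 + len) <= n ? len : -1;
}

/* Length of a NOP at p: single-byte 0x90 or NOP r/m (0F 1F /0), optionally
 * preceded by 0x66 operand-size prefixes and a REX prefix. Returns 0 when
 * p does not start with a NOP or the instruction is truncated. */
size_t nop_length(const uint8_t *p, size_t n)
{
    size_t i = 0;

    while (i < n && p[i] == 0x66)      /* 66 66 0F 1F ... style padding */
        i++;
    if (i < n && (p[i] & 0xF0) == 0x40) /* REX prefix 40..4F */
        i++;
    if (i < n && p[i] == 0x90)
        return i + 1;
    if (i + 2 > n || p[i] != 0x0F || p[i + 1] != 0x1F)
        return 0;
    i += 2;
    if (i >= n || ((p[i] >> 3) & 7) != 0) /* only the /0 form is defined */
        return 0;
    int tail = modrm_tail_len(p + i, n - i);
    if (tail < 0)
        return 0;
    return i + 1 + tail;               /* prefixes + opcode + ModRM + tail */
}

/* Walk a buffer that should contain only NOPs; returns how many were
 * decoded, or -1 if a non-NOP or truncated sequence is hit. */
int count_nops(const uint8_t *p, size_t n)
{
    int count = 0;
    size_t i = 0;
    while (i < n) {
        size_t len = nop_length(p + i, n - i);
        if (len == 0)
            return -1;
        i += len;
        count++;
    }
    return count;
}

/* Constructed sample: the two NOPs from the bug report plus a 66-prefixed one. */
static const uint8_t sample[] = {
    0x0F, 0x1F, 0x44, 0x00, 0x00,        /* nop dword ptr [rax+rax*1+0]  (5 bytes) */
    0x0F, 0x1F, 0x00,                    /* nop dword ptr [rax]          (3 bytes) */
    0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00   /* nop word ptr [rax+rax*1+0]   (6 bytes) */
};

int main(void)
{
    size_t i = 0;
    while (i < sizeof sample) {
        size_t len = nop_length(sample + i, sizeof sample - i);
        if (len == 0) {
            printf("not a NOP at offset %zu\n", i);
            return 1;
        }
        printf("offset %2zu: %zu-byte NOP\n", i, len);
        i += len;
    }
    return 0;
}
```

The rule encoded in `modrm_tail_len` is the one the report's expected values follow: ModRM 0x44 is mod=01 with rm=100, so a SIB byte and a disp8 follow (5 bytes total), while ModRM 0x00 is mod=00 rm=000 with nothing after it (3 bytes). A decoder that returns 2 for both has stopped after the two-byte opcode without consulting ModRM at all, which is what the report's "then garbage with REX" symptom indicates.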

Question: Uninstall procedure

Just a couple of questions about the intended usage of this application:

  1. Does dsefix.exe need to be executed again if the PC is restarted, or is the effect removed upon restart?
  2. If the PC has been restarted, does 'dsefix.exe -e' have any effect?
  3. If I had previously used dsefix.exe (but now I want to completely remove it), what is the procedure?

Doesn't work on windows 10.

Tried to run this on Windows 10 but it doesn't work. Sorry, I can't provide many details on the topic. I'm creating an issue because I couldn't find your email address. Can you recheck your software for Windows 10?

problem with NtAllocateVirtualMemory

This part of the code in the RunExploit function:

NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

I got a C0000005 (EXCEPTION_ACCESS_VIOLATION) here.
I used the DSEFix sources for my own project and my code is similar:

fNtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE);

Where fNtAllocateVirtualMemory is the NtAllocateVirtualMemory function imported from ntoskrnl.exe.
I am sure the function parameters are correct, except memIO. The debugger tells me: in DSEFix it equals 0x1004, in my project it is 0x1006. And I use RtlZeroMemory instead of RtlSecureZeroMemory.
The exception occurs here, in the NtAllocateVirtualMemory function:

0000000140377CD1 | mov r12,qword ptr gs:[188]
0000000140377CDA | mov r11,qword ptr ds:[r12+70] ; here
0000000140377CDF | mov qword ptr ss:[rsp+78],r11

I know gs:[188] is some kind of privileges variable.
Another strange fact: DSEFix calls ZwAllocateVirtualMemory instead of NtAllocateVirtualMemory. I can't call ZwAllocateVirtualMemory, because I get another error: can't execute privileged instruction in user code.
OS is Win 7 x64 on VBOX.
