DSE bypass not working on 20H2 after KB5003173 update

[mihaly044]

The latest Windows update for 20H2 that is KB5003173, breaks the functionality of the DSE bypass.

Steps to reproduce:

• Upgrade your OS to the newest version available
• Run KDU as follows: kdu.exe -dse 0
• Observe the unchanged code integrity options value

KDU will report success in despite of the code integrity options value hasn't been altered. Hence, NtLoadDriver will report STATUS_INVALID_IMAGE_HASH.
I have also checked it using NtQuerySystemInformation(SystemCodeIntegrityInformation... and here's the output of that:

CODEINTEGRITY_OPTION_TESTSIGN=FALSE
CODEINTEGRITY_OPTION_UMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED=FALSE
CODEINTEGRITY_OPTION_TEST_BUILD=FALSE
CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD=FALSE
CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_FLIGHT_BUILD=FALSE
CODEINTEGRITY_OPTION_FLIGHTING_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED=TRUE

CodeIntegrityOptions=0x2001

I suspect the memory location of the target variable has changed.

[hfiref0x]

Yes, CI.DLL now uses Microsoft WIL extensively. It numerous calls at CiInitialize ruins previous algorithm of CipInitialize lookup.

[mihaly044]

Thanks, @hfiref0x !
I think I have got it working thanks to your accurate information.
I'll make a PR later today after I'm done testing.

[hfiref0x]

Thanks, but no need. I'm planning to rewrite this part completely.

[hfiref0x]

The code for DSE manipulations are from DSEFix in mostly unmodified state. It turns out it also has some very ancient bug which one I likely added when I was moving this repository to the github from kernelmode.info. This also will be fixed.

[Narumiii]

I can confirm after the commit it still dones't work

[Narumiii]

[hfiref0x]

There has been no commits in master branch. Try exe from dev111 instead (https://github.com/hfiref0x/KDU/blob/v111/Bin/kdu.exe). If it still fails to work then upload your Windows\system32\CI.DLL somewhere (not on github) and post here a link to it.

[Narumiii]

Sorry my fault you are right these version works, anyways if needed here is my CI.dll, by the way many thanks to you for your effort and work on kernel research https://anonfiles.com/R5R9r2w3u6/ci_dll

[hfiref0x]

Thanks, I've checked your file. KDU from dev111 should work fine with it.