A proof-of-concept demonstrating a technique to partially disable or desynchronize Windows PatchGuard by modifying internal kernel timer values through physical memory access.
Tested on recent versions of Windows 11 at the time of writing.
PatchGuard periodically validates several critical kernel structures, including:
- System Service Descriptor Table (SSDT)
- Interrupt Descriptor Table (IDT)
- kernel code integrity regions
These checks are scheduled using internal timing variables inside ntoskrnl.
TimerFlip locates these timer values and overwrites them with 0xffffffffffffffff, so the associated PatchGuard validation routines are effectively never scheduled to execute.
This does not completely disable PatchGuard, but it prevents some timed validation paths from triggering.
The PoC performs the following steps:
- loads the WinIO driver to obtain physical memory access
- scans physical memory to locate the base of ntoskrnl
- pattern scans for PatchGuard timer instructions
- resolves the referenced timer variables
- overwrites them with the maximum u64 value
Patched timers include:
- SDT validation timer
- IDT validation timer
After patching, the WinIO driver is unloaded.
This method does not fully disable PatchGuard.
Other PatchGuard contexts may still execute and trigger bugchecks depending on system state and kernel modifications.
Future Windows builds may change internal layouts or instruction patterns.
This project is provided strictly for educational and research purposes.
It demonstrates weaknesses in kernel self-protection mechanisms and should not be used on production systems.
I'm not responsible for any misuse or damage caused by this software.