1.8.3 Fix Registry and Deprecate INF

Registry was broken due to use of __cdecl *printf family functions, those are no more needed with this commit.

INF is also removed, now we do sc create with a script instead.

Author: NevermindExpress

.vs/TimeDefuser-VS2026.vcxproj

@@ -119,6 +119,8 @@
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
       <OmitDefaultLibName>true</OmitDefaultLibName>
       <CallingConvention>StdCall</CallingConvention>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -175,6 +177,7 @@
       <ControlFlowGuard>false</ControlFlowGuard>
       <FunctionLevelLinking>false</FunctionLevelLinking>
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -216,9 +219,6 @@
       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
     </Link>
   </ItemDefinitionGroup>
-  <ItemGroup>
-    <None Include="..\src\TimeDefuser.inf" />
-  </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="..\src\TimeDefuser.rc" />
   </ItemGroup>
@@ -230,6 +230,10 @@
     <ClInclude Include="..\src\resource.h" />
     <ClInclude Include="..\src\TimeDefuser.h" />
   </ItemGroup>
+  <ItemGroup>
+    <None Include="..\README.md" />
+    <None Include="..\TimeDefuser-Research.md" />
+  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

.vs/TimeDefuser-VS2026.vcxproj.filters

@@ -13,9 +13,9 @@
       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
     </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <None Include="..\src\TimeDefuser.inf" />
+    <Filter Include="Documentation">
+      <UniqueIdentifier>{042252ca-9640-435a-957f-683ba38dd0d3}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="..\src\TimeDefuser.rc">
@@ -38,4 +38,12 @@
       <Filter>Header Files</Filter>
     </ClInclude>
   </ItemGroup>
+  <ItemGroup>
+    <None Include="..\README.md">
+      <Filter>Documentation</Filter>
+    </None>
+    <None Include="..\TimeDefuser-Research.md">
+      <Filter>Documentation</Filter>
+    </None>
+  </ItemGroup>
 </Project>

Installer.bat

@@ -0,0 +1,15 @@
+rem ====================================================
+rem	TimeDefuser Service Installer Script
+rem
+rem	https://github.com/NevermindExpress/TimeDefuser
+rem ====================================================
+
+net session >nul 2>&1
+if %errorlevel% equ 0 (
+	copy TimeDefuser-%processor_architecture%.sys %windir%\System32\Drivers\TimeDefuser.sys
+	sc create TimeDefuser type= kernel start= auto binPath= %windir%\System32\Drivers\TimeDefuser.sys
+	sc start TimeDefuser
+) else (
+	echo Administrator rights are required.
+)
+pause

README.md

@@ -1,10 +1,15 @@
 # TimeDefuser
-TimeDefuser is a kernel-mode Windows driver that patches the kernel to neutralize the expiration date (a.k.a. timebomb),
-which is seen on most prerelease builds that has been ever compiled.
 
-This patch patches the timebomb code itself in the kernel so it is the most effective and versatile way to neutralize it, instead of activation patching (i.e. policy files or registry editing) which is not available in many builds.
+TimeDefuser is a Windows kernel security research project on enforcement of expiration dates (a.k.a. a "*timebomb*") on prerelease Windows builds, how to patch them for gaining arbitrary code execution, 
+and a proof-of-concept (shared for education and research purposes) that removes expiration date enforcement from the kernel.
+The PoC driver in this repository patches the timebomb code itself in the kernel, which differs from widespread "activation-based" patches (policy files, registry edits, etc.).
+Thus, it is the most effective and versatile way to neutralize it, unlike activation-based patching methods which are not available in many builds.
 
-All builds are theoretically supported but not all builds are tested, see the notes for more info, or the end of this readme for screenshots.
+All builds are *theoretically* supported, but not all builds are tested. See the notes below and screenshots at the end of this document.
+
+Full whitepaper and technical analysis is located [here](/TimeDefuser-Research.md). The rest of this document is about the PoC driver that removes expiration date enforcement from the system.
+
+# TimeDefuser PoC Driver
 
 > [!WARNING]
 > This driver is intended to remove the **Windows builds'** expiration date only
@@ -13,41 +18,43 @@ It will not remove the expiration date of
 - Your abusive relationship
 - 100-minute Minecraft demo
 - The Pepsi can from 1956 that is inside your fridge for whatever reason
-- Aceyware "Tracey" Operating System version 0.1.3 (or whatever its name ends up being)
+- Aceyware "Tracey" Operating System version 0.1.3 (or whatever it ends up being called)
 - ???
-- Evaluation retail Windows builds. While it theoretically should work, such configuration is not supported and any bug reports regarding to them will be closed without any further action.
+- Evaluation retail Windows builds. While it *may* work, this configuration is unsupported and any related bug reports will be closed.
 
 > [!IMPORTANT]
 > This driver will **not** patch Windows Product Activation or any other similar mechanism. These other mechanisms can be preferred as well in supported builds but here is not their place.
 
-# Notes Per Version
+# Notes
+- A good amount of x64 builds can detect this via PatchGuard (basically a mechanism in Windows kernel that detects unauthorized modifications to kernel code, does not exist in x86).
+Getting over it will weaponize this already versatile patch, so disabling PatchGuard will never be implemented. But as an user, you still have workarounds:
+	- Force enable kernel debugger at boot, which will disable PatchGuard
+	- Patch the kernel image itself with offline patcher, instead of runtime patching with driver.
+- This patch can technically be ported to ARM, ARM64 and Itanium hosts but due to lack of an environment to run and debug Windows on these platforms, this is not possible at the moment.
+
+## Notes Per Version
+
 ### Windows 2000/XP 
-- Use legacy version with those.
-- Also note that alternative methods such as registry edits are available for those.
-- **I KNOW that they do, so don't come to say me "muh set GracePeriod to 0" or "muh use TweakNT"**. This tweak for NT 5.x exists more as proof of concept, and both this patch or other tweaks will do the work. 
+- **I KNOW there are "easier" methods, so don't come to say me "muh set GracePeriod to 0" or "muh use TweakNT"**. This tweak for NT 5.x exists more as proof of concept, and both this patch or other tweaks will do the work. 
 ### Post-reset Windows Vista & Early 7
-- They suck. Avoid using these versions at all. After build expires, buggy WPA breaks the timebomb which makes this patch not get applied anyway, and shows the "Activate Windows" dialog which logs you off if you say no; considering that those builds can skip the windeploy and boot to OOBE/desktop at all in the first place (https://github.com/NevermindExpress/TimeDefuser/issues/3). See https://github.com/NevermindExpress/TimeDefuser/issues/2 and https://github.com/NevermindExpress/TimeDefuser/issues/2#issuecomment-2970226626 for more info.
+- They suck. Avoid using these versions at all. After build expires, buggy WPA breaks the timebomb which makes this patch not get applied anyway, and shows the "Activate Windows" dialog which logs you off if you say no; considering that those builds can successfully finish the windeploy and boot to OOBE/desktop at all in the first place (https://github.com/NevermindExpress/TimeDefuser/issues/3). See https://github.com/NevermindExpress/TimeDefuser/issues/2 and https://github.com/NevermindExpress/TimeDefuser/issues/2#issuecomment-2970226626 for more info.
 - These builds are *wontfix* because there is nothing to fix/can be fixed in the first place. Blame Microsoft.
-- Alternative patch methods should be used for those. See https://github.com/NevermindExpress/TimeDefuser/issues/2#issuecomment-2904890597
 ### Later Windows 7 (at least 67xx and later)
-- Since TimeDefuser 1.7.1 they are now working working without hitting into page fault (see #3), though they are still subject to PatchGuard detections, an active investigation is going for them at #8. 
+- Since TimeDefuser 1.7.1 they are now working working without hitting into page fault (see #3), though they are still subject to PatchGuard detections. 
 ### Windows 8
-- Some builds such as 7880 has a partially broken timebomb that effectively gets disabled if you install at current date instead of rolling it back to pre-expiration before install. See https://github.com/NevermindExpress/TimeDefuser/issues/5
-- Certain builds such as aforementioned are also subject to crashes by PatchGuard, while others such as the ones with the screenshots below are not. See https://github.com/NevermindExpress/TimeDefuser/issues/5#issuecomment-3369399950
-- Few builds can be patched with policy/spp files replacement. **Again, I KNOW 'THEY' CAN BE PATCHED**. "MUH FBL builds can be patched by doing X/can be used at current date without doing anything" well, my thing can patch **ALL** versions (except ones that have superior PatchGuard) while your method can only fix a few builds.
+- Some builds such as 7880 has a partially broken timebomb that effectively gets disabled if you install at current date instead of setting it to pre-expiration before install. See https://github.com/NevermindExpress/TimeDefuser/issues/5
+- **Again, I KNOW 'THEY' CAN BE PATCHED WITH POLICY/SPP FILES REPLACEMENT**. "MUH FBL builds can be patched by doing X/can be used at current date without doing anything" well, my thing can patch **ALL** versions (except ones that have superior PatchGuard) while your method can only fix a few builds.
 ### Windows 10/11
 > [!IMPORTANT]
 > Windows 10 builds are also subject to flight signing, which are code signatures that gets invalid after expiration date, thus preventing system from booting or to be used properly. 
 > Getting over this requires additional work (resigning all binaries and disabling integrity checks, or patching bootloader & ci.dll) which is not covered by this project.
 - Works on pre-RTM, post-RTM ("insider") builds are untested but they likely are same as pre-RTM unless KASLR is enabled, which is not supported by this driver.
 
 # Usage
-1. Enable test-signing (disabling driver signature enforcement might also be necessary.)
-2. Download the latest release and obtain "devcon" utility (available in WDK and also in some .cab files).
-3. Execute `devcon install C:\Path\to\TimeDefuser.inf Root\TimeDefuser`
-4. Allow the installition and wait for "Driver Installition Complete" message
-5. If your system didn't crash so far, check expiration date from "winver", if it's not there that means that it worked.
-6. If you want to/need to uninstall, execute `devcon remove Root\TimeDefuser` and reboot (or just delete the .sys file).
+Since TimeDefuser 1.8.3, INF file is deprecated and the driver is instead installed as a service with `sc.exe`. A script for installing named `Installer.bat` will be bundled with subsequent releases.
+- If your system didn't crash after installition, check expiration date from "winver". Absence of the expiration date means that driver has worked.
+- **(x64 systems only)** Wait for several minutes, the system might crash after a few minutes of installition with a `0x109 CRITICAL_STRUCTURE_CORRUPTION` bugcheck. See notes about more info.
+- If you need to remove driver, simply execute `sc delete TimeDefuser` and reboot.
 
 # Testing and Bug Reporting
 The driver can either work correctly, crash the system, fail or work but not enough to fully patch the currently working system.

src/Driver.c

@@ -1,5 +1,15 @@
 #include "TimeDefuser.h"
 
+#ifdef _M_IX86
+void* __cdecl memset(void* dest, int c, size_t count) {
+	unsigned char* p = (unsigned char*)dest;
+	while (count--) {
+		*p++ = (unsigned char)c;
+	}
+	return dest;
+}
+#endif // _M_IX86
+
 BOOLEAN PatchExGetExpirationDate(void* pExGetExpirationDate) {
 	PMDL mdl = NULL;
 	unsigned char* map = NULL;
@@ -41,12 +51,13 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 	RTL_PROCESS_MODULES ModuleInfo = { 0 };	// Structure used for getting kernel base address
 	unsigned long long* KernelBase = NULL;	// Kernel Base address
 	ULONG KernelSize = 0;					// Kernel image size
-	//HANDLE hKey = OpenRegistryKey(RegistryPath);
-	HANDLE hKey = 0;
+	HANDLE hKey = OpenRegistryKey(RegistryPath);
+	//HANDLE hKey = 0;
 	unsigned int KernelSize2 = 0;			// Var used in loops as a max value
 	PAGESections ps[5] = { 0 };				// PE sections that name starts with "PAGE"
 	unsigned char* PotentialTimestamp = NULL;// Potential address of ExNtExpirationDate/a
 	BOOLEAN Legacy = FALSE;
+	int verMajor = 0;
 
 	// Unrefence unused variables.
 	UNREFERENCED_PARAMETER(DriverObject);
@@ -56,6 +67,8 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 			"| Compiled on " __DATE__ " " __TIME__ " "
 			"| https://github.com/NevermindExpress/TimeDefuser\n");
 
+	//TDPrint("[*] TimeDefuser: RegistryPath: %ws\n",RegistryPath->Buffer);
+
 	// Get SystemExpirationDate
 	TimebombStamp = li->QuadPart;
 	if (!TimebombStamp) {
@@ -66,7 +79,6 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 
 	// Determine if we are running in a legacy system
 	{
-		int verMajor = 0;
 		PsGetVersion(&verMajor, 0, 0, 0);
 		if (verMajor == 5) {
 			TDPrint("[*] TimeDefuser: Legacy system detected.\n");
@@ -113,6 +125,7 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 					*(unsigned long long*)((char*)KernelBase + Stamp2 + 8) = 0;
 			}
 
+			// ExGetExpirationDate Function if not legacy.
 			if (!Legacy) {
 				int Function = RegReadValue(hKey, L"Function", NULL, 0);
 				TDPrint("[+] TimeDefuser: Cached ExGetExpirationDate function address 0x%p is used.\n", (char*)KernelBase + Function);
@@ -197,13 +210,13 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 
 			if (occurance) {
 				pExpNtExpirationDate = &PotentialTimestamp[i];
-				//RegWriteDword(hKey, L"Stamp2", (ULONG)(&PotentialTimestamp[i] - (unsigned char*)KernelBase));
+				RegWriteDword(hKey, L"Stamp2", (ULONG)(&PotentialTimestamp[i] - (unsigned char*)KernelBase));
 				occurance = 2;
 				break;
 			}
 			else { 
 				occurance = 1; 
-				//RegWriteDword(hKey, L"Stamp1", (ULONG)((unsigned char*)&PotentialTimestamp[i] - (unsigned char*)KernelBase));
+				RegWriteDword(hKey, L"Stamp1", (ULONG)((unsigned char*)&PotentialTimestamp[i] - (unsigned char*)KernelBase));
 			}
 		}
 	}
@@ -225,7 +238,7 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 	// Search for PAGE section at PE sections. This section or one of the next three sections is where the 
 	// "ExpTimeRefreshWork" function is located at, which later calls a function named "ExGetExpirationDate".
 	// Due to it's variable being, we will search the PAGE section and next three sections.
-
+	
 	for (size_t i = 0; i < 768; i++) {
 		if (KernelBase[i] == sectNamePAGELK) { // Check if we found the PAGELK\0\0 section name.
 			int* temp = (int*)&KernelBase[i + 1];
@@ -266,7 +279,7 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 						TDPrint("[+] TimeDefuser: CALL instruction found at 0x%p\n", &PotentialTimeRef[i - j]);
 						unsigned char* pExGetExpirationDate = &PotentialTimeRef[i - j + 5];
 						pExGetExpirationDate += *(unsigned int*)&PotentialTimeRef[i - j + 1]; // Next 4 bytes are relative address to our current location.
-						//RegWriteDword(hKey, L"Function", (ULONG)(pExGetExpirationDate - (unsigned char*)KernelBase));
+						
 						// Check if we are running at one of shit builds, refer to ExGetExpirationDateShim.
 						if (!MmIsAddressValid(pExGetExpirationDate)) {
 							TDPrint("[*] TimeDefuser: Invalid address, skipping this one...\n", pExGetExpirationDate);
@@ -276,14 +289,17 @@ NTSTATUS DriverEntry(PDRIVER_OBEJCT DriverObject, PUNICODE_STRING RegistryPath)
 						TDPrint("[+] TimeDefuser: ExGetExpirationDate found at 0x%p\n", pExGetExpirationDate);
 #ifdef _M_IX86
 						// Caller is patched on x86
-						if (!PatchExGetExpirationDate(&PotentialTimeRef[i - j]))
+						if (PatchExGetExpirationDate(&PotentialTimeRef[i - j])) {
+							RegWriteDword(hKey, L"Function", (ULONG)(&PotentialTimeRef[i - j] - (unsigned char*)KernelBase));
 #else
-						if (!PatchExGetExpirationDate(pExGetExpirationDate))
+						if (PatchExGetExpirationDate(pExGetExpirationDate)) {
+							RegWriteDword(hKey, L"Function", (ULONG)(pExGetExpirationDate - (unsigned char*)KernelBase));
 #endif
-							goto patchFail;
-						else {
 							goto patchOK;
 						}
+						else {
+							goto patchFail;
+						}
 
 
 					}

src/Registry.c

@@ -1,5 +1,11 @@
 #include "TimeDefuser.h"
 
+typedef struct {
+	ULONG Major;
+	ULONG Minor;
+	ULONG Build;
+} tdkernelVersion;
+
 HANDLE OpenRegistryKey(PUNICODE_STRING KeyPath){
 	HANDLE ret = 0;
 	OBJECT_ATTRIBUTES oa;
@@ -71,7 +77,17 @@ ULONG RegReadValue(_In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _Out_ PVOID Val
 		else {
 			if (kvpi->DataLength < ValueOutputSz) {
 				ret = kvpi->DataLength;
-				RtlCopyMemory(ValueOutput, kvpi->Data, ret);
+				//RtlCopyMemory(ValueOutput, kvpi->Data, ret);
+				// ^^^ this shit fucks up sooo here is a poor man's memcpy
+				char* Data = kvpi->Data;
+				while (kvpi->DataLength >= 8) {
+					*(__int64*)ValueOutput = *(__int64*)Data; Data += 8;
+					(char*)ValueOutput += 8; kvpi->DataLength -= 8;
+				}
+				while (kvpi->DataLength) {
+					*(char*)ValueOutput = Data[0]; Data++;
+					(char*)ValueOutput += 1; kvpi->DataLength--;
+				}
 			}
 			else status = STATUS_INVALID_PARAMETER;
 		}
@@ -85,25 +101,24 @@ ULONG RegReadValue(_In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _Out_ PVOID Val
 NTSTATUS SaveKernelVersion(_In_ HANDLE hKey) {
 	UNICODE_STRING valName;
 	NTSTATUS status;
+	ULONG major, minor, build;
+	tdkernelVersion ver;
 
 	RtlInitUnicodeString(&valName, L"KernelVersion");
 
-	ULONG major, minor, build;
 	PsGetVersion(&major, &minor, &build, NULL);
 
-	WCHAR kernelVersionString[64] = L"";
-	swprintf(kernelVersionString, 64, L"%u.%u.%u", major, minor, build);
-	
-
-	SIZE_T len = (wcslen(kernelVersionString) + 1) * sizeof(WCHAR);
+	ver.Major = major;
+	ver.Minor = minor;
+	ver.Build = build;
 
 	status = ZwSetValueKey(
 		hKey,
 		&valName,
 		0,
-		REG_SZ,
-		(PVOID)kernelVersionString,
-		(ULONG)len
+		REG_BINARY,
+		&ver,
+		sizeof(ver)
 		);
 
 	return status;
@@ -112,14 +127,18 @@ NTSTATUS SaveKernelVersion(_In_ HANDLE hKey) {
 BOOLEAN CompareKernelVersion(_In_ HANDLE hKey) {
 	// Firstly we will read the version of current kernel and make it a string.
 	ULONG major, minor, build;
+	tdkernelVersion currentVer = { 0 }, regVer = { 0 };
 	PsGetVersion(&major, &minor, &build, NULL);
-	WCHAR kernelVersionCurrent[64] = L"";
-	swprintf(kernelVersionCurrent, 64, L"%u.%u.%u", major, minor, build);
+
+	currentVer.Major = major;
+	currentVer.Minor = minor;
+	currentVer.Build = build;
 
 	// Then we will get the value from registry.
-	WCHAR kernelVersionReg[64] = L"";
-	if (!RegReadValue(hKey, L"KernelVersion", kernelVersionReg, 64)) return FALSE;
+	if (!RegReadValue(hKey, L"KernelVersion", &regVer, sizeof(regVer))) return FALSE;
 
 	// Lastly we will compare and return.
-	return wcscmp(kernelVersionCurrent, kernelVersionReg) == 0;
+	return currentVer.Major == regVer.Major &&
+		currentVer.Minor == regVer.Minor &&
+		currentVer.Build == regVer.Build;
 }

src/TimeDefuser.h

@@ -4,7 +4,7 @@
 #include "tdwdm/wdm.h"
 
 /// Definitions
-#define td_version "1.8.2"
+#define td_version "1.8.3"
 
 #define SystemModuleInformation 11
 #define PEheader 0x5a4d // MZ