1.7 - Memory offsets caching

Starting with this version, memory offsets of things to patch are cached, so the driver won't search for them at each boot.

Author: NevermindExpress

src/Driver.c

@@ -1,11 +1,40 @@
 #include "TimeDefuser.h"
 
+#ifndef TD_LEGACY
+BOOLEAN PatchExGetExpirationDate(void* pExGetExpirationDate){
+	PMDL mdl = NULL;
+	void* map = NULL;
+	// Create a MDL paging to get over write protection.
+	mdl = IoAllocateMdl(pExGetExpirationDate, 8, FALSE, FALSE, NULL);
+	if (!mdl) {
+		TDPrint("[X] TimeDefuser: IoAllocateMdl failed.\n");
+		return FALSE;
+	}
+
+	MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
+	map = MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
+	if (!map) {
+		TDPrint("[X] TimeDefuser: MmMapLockedPagesSpecifyCache failed.\n");
+		return FALSE;
+	}
+	MmProtectMdlSystemAddress(mdl, PAGE_READWRITE);
+	// Write to newly created MDL mapping.
+	*(int*)map = 0xC3C03148; // xor eax,eax \ ret | This is apparently same for both x86 and x64
+	// Unmap the MDL
+	MmUnmapLockedPages(map, mdl);
+	MmUnlockPages(mdl);
+	IoFreeMdl(mdl);
+	return TRUE;
+}
+#endif
+
 NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
 	LARGE_INTEGER* li = KUSERSystemExpirationDate; // Address of SystemExpirationDate field at KUSER_SHARED_DATA
 	unsigned long long TimebombStamp = 0;	// Expiration date stamp
 	RTL_PROCESS_MODULES ModuleInfo = { 0 };	// Structure used for getting kernel base address
 	unsigned long long* KernelBase = NULL;	// Kernel Base address
 	ULONG KernelSize = 0;					// Kernel image size
+	HANDLE hKey = OpenRegistryKey(RegistryPath);
 #ifndef TD_LEGACY
 	unsigned int KernelSize2 = 0;			// Var used in loops as a max value
 	PAGESections ps[5] = { 0 };				// PE sections that name starts with "PAGE"
@@ -14,7 +43,6 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 
 	// Unrefence unused variables.
 	UNREFERENCED_PARAMETER(DriverObject);
-	UNREFERENCED_PARAMETER(RegistryPath);
 
 	// Print version info.
 	TDPrint("[*] TimeDefuser: version " td_version td_variant" loaded "
@@ -39,6 +67,52 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 	KernelSize = ModuleInfo.Modules[0].ImageSize; 
 	TDPrint("[+] TimeDefuser: Kernel Base address is 0x%p and size is %lu\n", KernelBase, KernelSize);
 
+	// Check whether addresses are cached
+	if (hKey) {
+		if (CompareKernelVersion(hKey)) {
+			// Get cached address offsets for timestamps.
+			int Stamp1 = RegReadValue(hKey, L"Stamp1", NULL, 0),
+				Stamp2 = RegReadValue(hKey, L"Stamp2", NULL, 0);
+
+			// Zero first timestamp
+			if (!Stamp1) {
+				// No cached address, assume nothing is cached.
+				goto patchBeginning;
+			}
+			TDPrint("[*] TimeDefuser: Cached addresses are found on registry.\n");
+			TDPrint("[+] TimeDefuser: Cached ExpNtExpirationDate address 0x%p is used.\n", (unsigned long long*)((char*)KernelBase + Stamp1));
+			*(unsigned long long*)((char*)KernelBase+Stamp1) = 0;
+			#ifdef TD_LEGACY
+				// On legacy, for some reason, actual timebomb stamp 
+				// is the next qword (on XP 2526). We will zero that too.
+				*(unsigned long long*)((char*)KernelBase+Stamp1+8) = 0;
+			#endif
+			
+			// Zero second timestamp if available.
+			if (Stamp2) {
+				TDPrint("[+] TimeDefuser: Cached ExpNtExpirationData address 0x%p is used.\n", (char*)KernelBase + Stamp2);
+				#ifdef TD_LEGACY
+					RtlZeroMemory((char*)KernelBase + Stamp2, 16);
+				#else
+					*(unsigned long long*)((char*)KernelBase + Stamp2) = 0;
+				#endif
+			}
+
+#ifndef TD_LEGACY
+			int Function = RegReadValue(hKey, L"Function", NULL, 0);
+			TDPrint("[+] TimeDefuser: Cached ExGetExpirationDate function address 0x%p is used.\n", (char*)KernelBase + Function);
+			if (!PatchExGetExpirationDate((char*)KernelBase + Function))
+				goto patchFail;
+#endif
+			goto patchOK;
+		}
+		else {
+			// Kernel version mismatch.
+		}
+	}
+patchBeginning:
+	TDPrint("[*] TimeDefuser: No or mismatching cached addresses are found on registry.\n");
+	SaveKernelVersion(hKey);
 #ifdef TD_LEGACY
 	// Search for timebomb stamp in memory
 	KernelSize /= sizeof(unsigned __int64);
@@ -49,6 +123,7 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 			// For some reason actual timebomb was the next qword on XP 2526, I'll save this and search for it again.
 			TimebombStamp = KernelBase[i + 1]; // Save the lower part of stamp.
 			KernelBase[i + 1] = 0; // And null where I found it too.
+			RegWriteDword(hKey, L"Stamp1", (ULONG)((unsigned char*)&KernelBase[i] - (unsigned char*)KernelBase));
 			break;
 		}
 	}
@@ -58,6 +133,7 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 		if ((int)KernelBase[i] == (int)TimebombStamp) {
 			TDPrint("[+] TimeDefuser: ExpNtExpirationData found at 0x%p\n", &KernelBase[i]);
 			RtlZeroMemory(&KernelBase[i], 16);
+			RegWriteDword(hKey, L"Stamp2", (ULONG)((unsigned char*)&KernelBase[i] - (unsigned char*)KernelBase));
 			goto patchOK;
 		}
 	}
@@ -98,18 +174,22 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 	KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] TimeDefuser: searching for stamp at 0x%p in %d bytes\n", PotentialTimestamp, KernelSize2));
 
 	KernelSize2;
-	for (size_t i = 0; i < KernelSize2; i++) {
+	for (ULONG i = 0; i < KernelSize2; i++) {
 		if (*(unsigned long long*) & PotentialTimestamp[i] == TimebombStamp) {
 			KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] TimeDefuser: Timebomb stamp found at 0x%p\n", &PotentialTimestamp[i]));
 			*(unsigned long long*)(&PotentialTimestamp[i]) = 0;
 			pExpNtExpirationDate = &PotentialTimestamp[i];
 
 			if (occurance) {
 				pExpNtExpirationDate = &PotentialTimestamp[i];
+				RegWriteDword(hKey, L"Stamp2", (ULONG)(&PotentialTimestamp[i] - (unsigned char*)KernelBase));
 				occurance = 2;
 				break;
 			}
-			else occurance = 1;
+			else { 
+				occurance = 1; 
+				RegWriteDword(hKey, L"Stamp1", (ULONG)((unsigned char*)&PotentialTimestamp[i] - (unsigned char*)KernelBase));
+			}
 		}
 	}
 
@@ -168,31 +248,13 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 				for (unsigned char j = 0; j < 100; j++) {
 					if (*(unsigned char*)&PotentialTimeRef[i - j] == 0xe8) { // CALL instruction found.
 						unsigned char* pExGetExpirationDate = &PotentialTimeRef[i - j + 5];
-						PMDL mdl = NULL;
-						void* map = NULL;
 						pExGetExpirationDate += *(unsigned int*)&PotentialTimeRef[i - j + 1]; // Next 4 bytes are relative address to our current location.
+						RegWriteDword(hKey, L"Function", (ULONG)(pExGetExpirationDate - (unsigned char*)KernelBase));
 						TDPrint("[+] TimeDefuser: ExGetExpirationDate found at 0x%p\n", pExGetExpirationDate);
-						// Create a MDL paging to get over write protection.
-						mdl = IoAllocateMdl(pExGetExpirationDate, 8, FALSE, FALSE, NULL);
-						if (!mdl) {
-							TDPrint("[X] TimeDefuser: IoAllocateMdl failed.\n");
-							goto patchFail;
-						}
-
-						MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
-						map = MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
-						if (!map) {
-							TDPrint("[X] TimeDefuser: MmMapLockedPagesSpecifyCache failed.\n");
+						if (!PatchExGetExpirationDate(pExGetExpirationDate))
 							goto patchFail;
-						}
-						MmProtectMdlSystemAddress(mdl, PAGE_READWRITE);
-						// Write to newly created MDL mapping.
-						*(int*)map = 0xC3C03148; // xor eax,eax \ ret | This is apparently same for both x86 and x64
-						// Unmap the MDL
-						MmUnmapLockedPages(map, mdl);
-						MmUnlockPages(mdl);
-						IoFreeMdl(mdl);
-						goto patchOK;
+						else 
+							goto patchOK;
 					}
 				}
 				break;
@@ -212,7 +274,7 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 	// Clear the ExpirationdDate field in SharedData. 
 	// Since 1.4, this is the last step so it will stay there in case of failure 
 	// and won't cause any false positives anymore.
-	li->QuadPart = 0;
+	li->QuadPart = 0; ZwClose(hKey);
 	TDPrint("[*] TimeDefuser: Patch completed successfully.\n");
 	return STATUS_SUCCESS;
 }

src/Registry.c

@@ -0,0 +1,124 @@
+#include "TimeDefuser.h"
+
+HANDLE OpenRegistryKey(PUNICODE_STRING KeyPath){
+	HANDLE ret = 0;
+	OBJECT_ATTRIBUTES oa;
+	InitializeObjectAttributes(
+		&oa,
+		KeyPath,
+		OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
+		NULL,
+		NULL
+	);
+
+	ZwCreateKey(
+		&ret,
+		KEY_READ | KEY_WRITE,
+		&oa,
+		0,
+		NULL,
+		REG_OPTION_NON_VOLATILE,
+		NULL
+	);
+
+	return ret;
+}
+
+// Writes a DWORD value
+NTSTATUS RegWriteDword(HANDLE hKey, PCWSTR ValueName, ULONG Data) {
+	UNICODE_STRING valName;
+	RtlInitUnicodeString(&valName, ValueName);
+
+	return ZwSetValueKey(
+		hKey,
+		&valName,
+		0,
+		REG_DWORD,
+		&Data,
+		sizeof(Data)
+		);
+}
+
+// Reads a value from registry
+// If DWORD, return value is the value.
+// Else, value is saved at ValueOutput.
+ULONG RegReadValue(_In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _Out_ PVOID ValueOutput, _In_ ULONG ValueOutputSz) {
+	NTSTATUS status;
+	PKEY_VALUE_PARTIAL_INFORMATION kvpi;
+	ULONG size = sizeof(KEY_VALUE_PARTIAL_INFORMATION)+128;
+	ULONG retLen = 0, ret = 0;
+	UNICODE_STRING valName;
+
+	// Allocate memory for kvpi
+	kvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTag(PagedPool, size, 'rgeR');
+	if (!kvpi) return 0;
+
+	RtlInitUnicodeString(&valName, ValueName);
+
+	status = ZwQueryValueKey(
+		KeyHandle,
+		&valName,
+		KeyValuePartialInformation,
+		kvpi,
+		size,
+		&retLen
+		);
+
+	if (NT_SUCCESS(status)) {
+		if (kvpi->Type == REG_DWORD && kvpi->DataLength == sizeof(ULONG)) {
+			ret = *(ULONG*)kvpi->Data;
+		}
+		else {
+			if (kvpi->DataLength < ValueOutputSz) {
+				ret = kvpi->DataLength;
+				RtlCopyMemory(ValueOutput, kvpi->Data, ret);
+			}
+			else status = STATUS_INVALID_PARAMETER;
+		}
+	}
+
+	ExFreePoolWithTag(kvpi, 'rgeR');
+	return ret;
+}
+
+// Saves kernel build version to a value key named "KernelVersion"
+NTSTATUS SaveKernelVersion(_In_ HANDLE hKey) {
+	UNICODE_STRING valName;
+	NTSTATUS status;
+
+	RtlInitUnicodeString(&valName, L"KernelVersion");
+
+	ULONG major, minor, build;
+	PsGetVersion(&major, &minor, &build, NULL);
+
+	WCHAR kernelVersionString[64] = L"";
+	RtlStringCchPrintfW(kernelVersionString, 64, L"%u.%u.%u", major, minor, build);
+
+	SIZE_T len = (wcslen(kernelVersionString) + 1) * sizeof(WCHAR);
+
+	status = ZwSetValueKey(
+		hKey,
+		&valName,
+		0,
+		REG_SZ,
+		(PVOID)kernelVersionString,
+		(ULONG)len
+		);
+
+	return status;
+}
+
+BOOLEAN CompareKernelVersion(_In_ HANDLE hKey) {
+	// Firstly we will read the version of current kernel and make it a string.
+	ULONG major, minor, build;
+	PsGetVersion(&major, &minor, &build, NULL);
+	WCHAR kernelVersionCurrent[64] = L"";
+	RtlStringCchPrintfW(kernelVersionCurrent, 64, L"%u.%u.%u", major, minor, build);
+
+	// Then we will get the value from registry.
+	WCHAR kernelVersionReg[64] = L"";
+	if (!RegReadValue(hKey, L"KernelVersion", kernelVersionReg, 64)) return FALSE;
+
+	// Lastly we will compare and return.
+	return wcscmp(kernelVersionCurrent, kernelVersionReg) == 0;
+}

src/TimeDefuser.h

@@ -1,10 +1,11 @@
 /// General definitions for TimeDefuser
 
-/// Includes (only one)
+/// Includes
 #include <ntddk.h>
+#include <ntstrsafe.h>
 
 /// Definitions
-#define td_version "1.6.1"
+#define td_version "1.7"
 #ifdef TD_LEGACY
 	#define td_variant " (Legacy)"
 #else
@@ -60,5 +61,12 @@ extern __kernel_entry NTSTATUS NTAPI ZwQuerySystemInformation(
 	PULONG ReturnLength OPTIONAL
 );
 
+/// TimeDefuser Registry Functions
+HANDLE OpenRegistryKey(PUNICODE_STRING KeyPath);
+NTSTATUS RegWriteDword(HANDLE hKey, PCWSTR ValueName, ULONG Data);
+ULONG RegReadValue(_In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _Out_ PVOID ValueOutput, _In_ ULONG ValueOutputSz);
+NTSTATUS SaveKernelVersion(_In_ HANDLE hKey);
+BOOLEAN CompareKernelVersion(_In_ HANDLE hKey);
+
 /// TimeDefuser macros
 #define TDPrint(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ##__VA_ARGS__);

src/TimeDefuser.inf

@@ -11,7 +11,7 @@ Class         = System
 ClassGuid     = {4d36e97d-e325-11ce-bfc1-08002be10318}
 Provider      = %ManufacturerName%
 CatalogFile   = TimeDefuser.cat
-DriverVer     = 12/03/2025,1.6.1
+DriverVer     = 12/04/2025,1.7
 PnpLockdown   = 1
 
 [DestinationDirs]