1.8.4

- Fixed offline patcher architecture conflicts
	- Now all builds of offline patcher can patch all kernel images
	- Previously it was same patcher/kernel due to preprocessor definitions and a bug in code.
- Fixed build errors caused by freestanding memset.

Author: NevermindExpress

.vs/.gitignore

@@ -0,0 +1 @@
+.vs

.vs/Offline-VS2026.vcxproj

@@ -112,6 +112,8 @@
       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <LanguageStandard>Default</LanguageStandard>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <DebugInformationFormat>None</DebugInformationFormat>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -140,6 +142,8 @@
       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <LanguageStandard>Default</LanguageStandard>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <DebugInformationFormat>None</DebugInformationFormat>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>

.vs/TimeDefuser-VS2013.vcxproj

@@ -167,6 +167,7 @@
       <ExceptionHandling>false</ExceptionHandling>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <CreateHotpatchableImage>false</CreateHotpatchableImage>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -179,6 +180,7 @@
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
       <BaseAddress>0x10000</BaseAddress>
       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -195,6 +197,7 @@
       <ExceptionHandling>false</ExceptionHandling>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <CreateHotpatchableImage>false</CreateHotpatchableImage>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -207,6 +210,7 @@
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
       <BaseAddress>0x10000</BaseAddress>
       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

.vs/TimeDefuser-VS2022.vcxproj

@@ -138,6 +138,7 @@
       <ExceptionHandling>false</ExceptionHandling>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -148,6 +149,7 @@
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
       <BaseAddress>0x10000</BaseAddress>
       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@@ -188,6 +190,7 @@
       <ExceptionHandling>false</ExceptionHandling>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -198,6 +201,7 @@
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
       <BaseAddress>0x10000</BaseAddress>
       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

.vs/TimeDefuser-VS2026.vcxproj

@@ -148,6 +148,8 @@
       <ExceptionHandling>false</ExceptionHandling>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -160,6 +162,7 @@
       <RandomizedBaseAddress>true</RandomizedBaseAddress>
       <DataExecutionPrevention>true</DataExecutionPrevention>
       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@@ -205,6 +208,8 @@
       <ExceptionHandling>false</ExceptionHandling>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
     </ClCompile>
     <Link>
       <SubSystem>Native</SubSystem>
@@ -217,6 +222,7 @@
       <RandomizedBaseAddress>true</RandomizedBaseAddress>
       <DataExecutionPrevention>true</DataExecutionPrevention>
       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

README.md

@@ -32,9 +32,14 @@ Getting over it will weaponize this already versatile patch, so disabling PatchG
 	- Patch the kernel image itself with offline patcher, instead of runtime patching with driver.
 - This patch can technically be ported to ARM, ARM64 and Itanium hosts but due to lack of an environment to run and debug Windows on these platforms, this is not possible at the moment.
 
+## Notes for Offline Patcher
+- Do not use kernel driver with offline patched systems, as the driver is nonfunctional with patched kernels (as there is nothing to remove).
+- Windows XP and earlier builds are not supported, usage of kernel driver is required for those builds.
+
 ## Notes Per Version
 
 ### Windows 2000/XP 
+- As written above, these builds does not support offline patching.
 - **I KNOW there are "easier" methods, so don't come to say me "muh set GracePeriod to 0" or "muh use TweakNT"**. This tweak for NT 5.x exists more as proof of concept, and both this patch or other tweaks will do the work. 
 ### Post-reset Windows Vista & Early 7
 - They suck. Avoid using these versions at all. After build expires, buggy WPA breaks the timebomb which makes this patch not get applied anyway, and shows the "Activate Windows" dialog which logs you off if you say no; considering that those builds can successfully finish the windeploy and boot to OOBE/desktop at all in the first place (https://github.com/NevermindExpress/TimeDefuser/issues/3). See https://github.com/NevermindExpress/TimeDefuser/issues/2 and https://github.com/NevermindExpress/TimeDefuser/issues/2#issuecomment-2970226626 for more info.

offline/Main.c

@@ -48,6 +48,10 @@ int main(int argc, char* argv[]) {
 	DWORD sz = 0; // File size
 	wchar_t* dupFilePath = tdGetDupFilePath(); // Name for duplicated file.
 	wchar_t* openFilePath; // Path of kernel image to open.
+	PVOID unusedOldVal = NULL;
+
+	// Disable filesystem redirection if running under WoW64
+	Wow64DisableWow64FsRedirection(&unusedOldVal);
 
 	// Enable proper Unicode output
 	SetConsoleOutputCP(CP_UTF8);
@@ -122,31 +126,49 @@ int main(int argc, char* argv[]) {
 
 	// Check version.
 	if (nt->OptionalHeader.MajorSubsystemVersion < 6) {
-		puts("[-] Windows XP builds are not supported. For those, you have to use the Legacy kernel driver.");
+		puts("[-] Windows XP builds are not supported. For those, you have to use the kernel driver.");
 		failed = 1; goto _Return;
 	}
 
 	// All check and stuff are done, now actual patching work begins. First we'll need to find where to patch.
-	IMAGE_SECTION_HEADER* PAGELK = tdFindSection("PAGELK\0", (IMAGE_SECTION_HEADER*)(nt + 1));
+	IMAGE_SECTION_HEADER* PAGELK;
+	if (mach->is64)
+		PAGELK = tdFindSection("PAGELK\0", (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS64*)nt + 1));
+	else
+		PAGELK = tdFindSection("PAGELK\0", (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS32*)nt + 1));
+
 	if (!PAGELK) {
 		puts("[-] PAGELK section not found.");
 		failed = 1; goto _Return;
 	} // Search onwards it until end of the file.
 	printf("[+] Searching at 0x%x within 0x%x bytes...\n", PAGELK->PointerToRawData, (int)sz - PAGELK->PointerToRawData);
 	data += PAGELK->PointerToRawData;
 	for (size_t i = 0; i < sz - PAGELK->PointerToRawData; i++) {
-		if ((mach->w64 && *(__int64*)&data[i] == mach->SharedData)
-			|| (!mach->w64 && *(int*)&data[i] == mach->SharedData)) {
+		if ((mach->is64 && *(__int64*)&data[i] == mach->SharedData)
+			|| (!mach->is64 && *(int*)&data[i] == (int)mach->SharedData)) {
 			// We found the time refresh work, search backwards for a CALL instruction
+#ifdef _WIN64
 			printf("[+] ExGetExpirationDate found at 0x%llx\n", &data[i]-data0);
+#else
+			printf("[+] ExGetExpirationDate found at 0x%lx\n", &data[i] - data0);
+#endif
 			for (unsigned char k = 0; k < 100; k++) {
 				if ((unsigned char)data[i - k] == mach->callOp) { // CALL instruction found.
+#ifdef _WIN64
 					printf("[+] CALL instruction found at file: 0x%llx ", &data[i - k] - data0);
+#else
+					printf("[+] CALL instruction found at file: 0x%lx ", &data[i - k] - data0);
+#endif
 					int pCall = &data[i - k] - data0;
 					unsigned int Offset = *(unsigned int*)&data[i - k + 1] + 5; // Next 4 bytes are relative address to our current location.
 
 					// Convert file offset to RVA
-					IMAGE_SECTION_HEADER* currentSect = tdFindSectionByAddress((unsigned int)pCall, (IMAGE_SECTION_HEADER*)(nt + 1));
+					IMAGE_SECTION_HEADER* currentSect = NULL;
+					if(mach->is64)
+						currentSect = tdFindSectionByAddress((unsigned int)pCall, (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS64*)nt + 1));
+					else
+						currentSect = tdFindSectionByAddress((unsigned int)pCall, (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS32*)nt + 1));
+
 					if (!currentSect) {
 						puts("\n[*] Invalid address, skipping this one...");
 						continue;
@@ -160,6 +182,11 @@ int main(int argc, char* argv[]) {
 
 					// Convert this new RVA back to file offset.
 					currentSect = tdFindSectionByRVA(pCallRVA, (IMAGE_SECTION_HEADER*)(nt + 1));
+					if (mach->is64)
+						currentSect = tdFindSectionByRVA(pCallRVA, (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS64*)nt + 1));
+					else
+						currentSect = tdFindSectionByRVA(pCallRVA, (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS32*)nt + 1));
+
 					if (!currentSect) {
 						puts("\n[*] Invalid address, skipping this one...");
 						continue;

offline/SanityChecks.c

@@ -50,7 +50,13 @@ bool tdSanityCheck(char* data, IMAGE_NT_HEADERS** nt) {
 	}
 	// Has resources. Now we gotta find where they are in image. 
 	// Find the .rsrc section
-	IMAGE_SECTION_HEADER* sect = tdFindSection(".rsrc\0\0", (IMAGE_SECTION_HEADER*)(*nt + 1));
+	IMAGE_SECTION_HEADER* sect = NULL;
+
+	if ((*nt)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
+		sect = tdFindSection(".rsrc\0\0", (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS64*)*nt + 1));
+	else
+		sect = tdFindSection(".rsrc\0\0", (IMAGE_SECTION_HEADER*)((IMAGE_NT_HEADERS32*)*nt + 1));
+
 	if (!sect) {
 		printf("[-] Not a kernel image (no resources).\n");
 		return 0;

offline/TimeDefuserOffline.h

@@ -4,7 +4,7 @@
 	#error You are not supposed to use this header in the kernel driver.
 #endif // !TD_OFFLINE
 
-#define td_version "1.8"
+#define td_version "1.8.4"
 
 // Includes
 #include <stdio.h>
@@ -20,7 +20,7 @@ typedef struct TD_MACHINE {
 	const char* FriendlyName;
 	unsigned int ShellCode; // Shell code for "return 0" that will be patched to the function.
 	__int64 SharedData; // Where "ExpirationDate" on KUSER_SHARED_DATA is
-	bool w64; unsigned char callOp;
+	bool is64; unsigned char callOp;
 } TDMachine;
 
 typedef struct {

src/Driver.c

@@ -1,14 +1,13 @@
 #include "TimeDefuser.h"
 
-#ifdef _M_IX86
+#pragma function(memset)
 void* __cdecl memset(void* dest, int c, size_t count) {
 	unsigned char* p = (unsigned char*)dest;
 	while (count--) {
 		*p++ = (unsigned char)c;
 	}
 	return dest;
 }
-#endif // _M_IX86
 
 BOOLEAN PatchExGetExpirationDate(void* pExGetExpirationDate) {
 	PMDL mdl = NULL;